daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revert "Merge branch 'main' into updated-tags" 

This reverts commit d3c7d73554.
patch-1
Ritik Chaddha 2024-01-25 16:52:45 +05:30
parent d3c7d73554
commit 129fae0047
2768 changed files with 15050 additions and 38614 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.DS_Store vendored
View File

Binary file not shown.

14
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@ -0,0 +1,14 @@
blank_issues_enabled: false
contact_links:
- name: Ask an question / advise on using nuclei-templates
url: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/q-a
about: Ask a question or request support for using nuclei-templates
- name: Share idea / feature to discuss for nuclei-templates
url: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/ideas
about: Share idea / feature to discuss for nuclei-templates
- name: Connect with PD Team & Community (Discord)
url: https://discord.gg/projectdiscovery
about: Connect with PD Team & Community for direct communication

21
.github/ISSUE_TEMPLATE/false-negative.md vendored Normal file
View File

@ -0,0 +1,21 @@
---
name: False Negative
about: 'Issue for template missing valid/expected result.'
labels: 'false-negative'
---
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
### Nuclei Version:
<!-- You can find current version of nuclei with "nuclei -version" -->
### Template file:
<!-- Template producing false-negative results, for example: "http/cves/XX/XX.yaml" -->
### Command to reproduce:
<!-- Please include the command to replicate the behavior so fix can be applied asap. -->
<!-- if host information can not be shared publicly, please reach out to us on discord server in DM -->

24
.github/ISSUE_TEMPLATE/false-positive.md vendored Normal file
View File

@ -0,0 +1,24 @@
---
name: False Positive
about: 'Issue for template producing invalid/unexpected result.'
labels: 'false-positive'
---
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
### Nuclei Version:
<!-- You can find current version of nuclei with "nuclei -version" -->
### Template file:
<!-- Template producing false-positive results, for example: "http/cves/XX/XX.yaml" -->
### Command to reproduce:
<!-- Please include the command to replicate the behavior so fix can be applied asap. -->
<!-- if host information can not be shared publicly, please reach out to us on discord server in DM -->
### Anything else:
<!-- Links? References? Screnshots? Anything that will give us more context about the issue that you are encountering! -->

18
.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View File

@ -0,0 +1,18 @@
---
name: Feature request
about: Request feature to implement in this project
labels: 'Type: Enhancement'
---
<!--
1. Please make sure to provide a detailed description with all the relevant information that might be required to start working on this feature.
2. In case you are not sure about your request or whether the particular feature is already supported or not, please start a discussion instead.
3. GitHub Discussion: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/ideas
4. Join our discord server at https://discord.gg/projectdiscovery to discuss the idea on the #nuclei-templates channel.
-->
### Please describe your feature request:
<!-- A clear and concise description of feature to implement -->
### Describe the use case of this feature:
<!-- A clear and concise description of the feature request's motivation and the use-cases in which it could be useful. -->

21
.github/ISSUE_TEMPLATE/issue-report.md vendored Normal file
View File

@ -0,0 +1,21 @@
---
name: Issue report
about: "Issue to report invalid template"
labels: 'Type: Bug'
---
<!--
1. Please search to see if an issue already exists for the bug you encountered.
2. For support requests, FAQs or "How to" questions, please use the GitHub Discussions section instead - https://github.com/projectdiscovery/nuclei-templates/discussions or
3. Join our discord server at https://discord.gg/projectdiscovery and post the question on the #nuclei-templates channel.
-->
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
### Issue description:
<!-- A concise description of what you're experiencing. -->
### Anything else:
<!-- Links? References? Screnshots? Anything that will give us more context about the issue that you are encountering! -->

17
.github/ISSUE_TEMPLATE/new-template.md vendored Normal file
View File

@ -0,0 +1,17 @@
---
name: Template Request
about: 'request for new template to be created.'
labels: 'new-template'
---
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
### Template for?
<!-- Name the CVE / Vulnerability / Exploit / Misconfiguration / Technology -->
### Details:
<!-- Required information to create a nuclei template such as exploit link / source / reference / vulnerable setup / search query / demo host -->

23
.github/ISSUE_TEMPLATE/submit-template.md vendored Normal file
View File

@ -0,0 +1,23 @@
---
name: Template Contribution
about: Contributing nuclei template using GitHub Issue
labels: 'nuclei-template'
---
### Template Information:
<!-- Include basic information of the template including reference -->
<!-- Templates without any reference mostly likely to take more time for review/validation -->
### Nuclei Template:
<!-- Include nuclei template in between code block shared below -->
```yaml
```
<!-- Include template results if available or redacted valid response snippet of valid match -->
<!-- Example response help us to update the matchers as unique as possible to avoid possible false-positive results. -->

30
.github/auto_assign.yml vendored Normal file
View File

@ -0,0 +1,30 @@
# Set to true to add reviewers to pull requests
addReviewers: false
# Set to true to add assignees to pull requests
addAssignees: false
# A list of reviewers to be added to pull requests (GitHub user name)
reviewers:
- ritikchaddha
- pussycat0x
- DhiyaneshGeek
# A number of reviewers added to the pull request
# Set 0 to add all the reviewers (default: 0)
numberOfReviewers: 1
# A list of assignees, overrides reviewers if set
assignees:
- pussycat0x
- ritikchaddha
- DhiyaneshGeek
# A number of assignees to add to the pull request
# Set to 0 to add all of the assignees.
# Uses numberOfReviewers if unset.
numberOfAssignees: 1
# A list of keywords to be skipped the process that add reviewers if pull requests include it
# skipKeywords:
# - wip

19
.github/dependabot.yml vendored Normal file
View File

@ -0,0 +1,19 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
target-branch: "main"
commit-message:
prefix: "chore"
include: "scope"
labels:
- "Type: Maintenance"

20
README 2.md → .github/scripts/README.tmpl vendored
View File

@ -1,4 +1,4 @@
f"""
<h1 align="center">
Nuclei Templates
@ -38,22 +38,9 @@ An overview of the nuclei template project, including statistics on unique tags,
<tr>
<td>
## Nuclei Templates Top 10 statistics
{get_top10()}
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2296 | dhiyaneshdk | 1123 | http | 6913 | info | 3337 | file | 312 |
| panel | 1038 | dwisiswant0 | 801 | file | 312 | high | 1458 | dns | 18 |
| wordpress | 938 | daffainfo | 788 | workflows | 191 | medium | 1439 | | |
| xss | 848 | pikpikcu | 353 | network | 131 | critical | 919 | | |
| exposure | 844 | pussycat0x | 307 | ssl | 27 | low | 248 | | |
| wp-plugin | 812 | ritikchaddha | 298 | javascript | 21 | unknown | 34 | | |
| osint | 677 | pdteam | 286 | dns | 17 | | | | |
| tech | 649 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 619 | geeknik | 224 | code | 3 | | | | |
| edb | 598 | theamanrawat | 221 | cves.json | 1 | | | | |
**534 directories, 7902 files**.
**{command("tree", -2, None)}**.
</td>
</tr>
@ -94,3 +81,4 @@ Additionally, you may follow us on [Twitter](https://twitter.com/pdnuclei) to be
Thanks again for your contribution and keeping this community vibrant. :heart:
"""

139
.github/scripts/assign_tasks.py vendored Normal file
View File

@ -0,0 +1,139 @@
import requests
import sys
import json
# GitHub credentials
password = sys.argv[3]
repo_owner = "projectdiscovery"
repo_name = "nuclei-templates"
pr_user_list = ["DhiyaneshGeek", "pussycat0x", "ritikchaddha"]
issue_user_list = ["princechaddha", "DhiyaneshGeek", "pussycat0x", "ritikchaddha"]
headers = {'Authorization': f'Bearer {password}',
'Accept': 'application/vnd.github+json',
'X-GitHub-Api-Version': '2022-11-28'}
def get_issue_assignee(issue_number):
issue_url = f"https://api.github.com/repos/{repo_owner}/{repo_name}/issues?per_page=2"
response = requests.get(issue_url, headers=headers)
if response.status_code == 200:
issue_data = response.json()[1]
assignee = issue_data["assignee"]["login"] if issue_data["assignee"] else "None"
return assignee
else:
print(f"Failed to fetch assignee for issue #{issue_number}")
return None
def assign_issue_or_pr(user, issue_number):
url = f"https://api.github.com/repos/{repo_owner}/{repo_name}/issues/{issue_number}/assignees"
data = { "assignees": [user] }
response = requests.post(url, headers=headers, data=json.dumps(data))
if response.status_code == 201:
print(f"Assigned issue #{issue_number} to {user}")
else:
print(f"Failed to assign issue #{issue_number} to {user}. Status code: {response.status_code}")
def get_pr_assignee_and_reviewer(pull_request_number):
pull_url = f'https://api.github.com/repos/{repo_owner}/{repo_name}/pulls?per_page=2'
response = requests.get(pull_url, headers=headers)
if response.status_code == 200:
pull_request_data = response.json()[1]
assignee = pull_request_data['assignee']['login'] if pull_request_data['assignee'] else None
reviewers = [reviewer['login'] for reviewer in pull_request_data['requested_reviewers']]
return assignee, reviewers
else:
print(f"Failed to retrieve pull request #{pull_request_number}. Response: {response.text}")
return None, None
def get_pr_author(pull_request_number):
pull_url = f'https://api.github.com/repos/{repo_owner}/{repo_name}/pulls/{pull_request_number}'
response = requests.get(pull_url, headers=headers)
if response.status_code == 200:
pull_request_data = response.json()
author = pull_request_data['user']['login']
return author
else:
print(f"Failed to retrieve pull request #{pull_request_number}. Response: {response.text}")
return None
def review_pr(user, pull_request_number):
url = f'https://api.github.com/repos/{repo_owner}/{repo_name}/pulls/{pull_request_number}/requested_reviewers'
data = { 'reviewers': [user] }
response = requests.post(url, headers=headers, data=json.dumps(data))
if response.status_code == 201:
print(f"Review request for pull request #{pull_request_number} sent to {user} successfully.")
else:
print(f"Failed to send review request for pull request #{pull_request_number}. Response: {response.text}")
def main():
if len(sys.argv) != 4:
print("Usage: python assign_tasks.py <issue_number> <pr_or_issue> <token>")
sys.exit(1)
issue_number = int(sys.argv[1])
type_ = sys.argv[2]
if type_ == 'pr':
assignee, reviewers = get_pr_assignee_and_reviewer(issue_number - 1)
author = get_pr_author(issue_number)
if reviewers:
try:
index = pr_user_list.index(reviewers[0])
try:
reviewer = pr_user_list[index + 1]
except:
reviewer = pr_user_list[0]
if reviewer == author:
reviewer = pr_user_list(pr_user_list.index(reviewer) + 1)
review_pr(reviewer, issue_number)
else:
review_pr(reviewer, issue_number)
except Exception as e:
reviewer = pr_user_list[0]
review_pr(reviewer, issue_number)
else:
for user in pr_user_list:
if (user != author):
reviewer = user
review_pr(reviewer, issue_number)
break
if assignee:
try:
index = pr_user_list.index(assignee)
if (pr_user_list[index + 1] == reviewer):
assign_issue_or_pr(pr_user_list[index + 2], issue_number)
else:
assign_issue_or_pr(pr_user_list[index + 1], issue_number)
except Exception as e:
if (pr_user_list[0] == reviewer):
assign_issue_or_pr(pr_user_list[1], issue_number)
else:
assign_issue_or_pr(pr_user_list[0], issue_number)
else:
if (pr_user_list[0] == reviewer):
assign_issue_or_pr(pr_user_list[1], issue_number)
else:
assign_issue_or_pr(pr_user_list[0], issue_number)
elif type_ == 'issue':
assignee = get_issue_assignee(issue_number-1)
if assignee:
try:
index = issue_user_list.index(assignee)
assign_issue_or_pr(issue_user_list[index + 1], issue_number)
except Exception as e:
assign_issue_or_pr(issue_user_list[0], issue_number)
else:
assign_issue_or_pr(issue_user_list[0], issue_number)
main()

23
.github/scripts/update-readme.py vendored Normal file
View File

@ -0,0 +1,23 @@
#!/usr/bin/env python3
import glob
import subprocess
def countTpl(path):
return len(glob.glob(path + "/*.*"))
def command(args, start=None, end=None):
return "\n".join(subprocess.run(args, text=True, capture_output=True).stdout.split("\n")[start:end])[:-1]
def get_top10():
HEADER = "## Nuclei Templates Top 10 statistics\n\n"
TOP10 = command(["cat", "TOP-10.md"])
return HEADER + TOP10 if len(TOP10) > 0 else ""
if __name__ == "__main__":
version = command(["git", "describe", "--tags", "--abbrev=0"])
template = eval(open(".github/scripts/README.tmpl", "r").read())
print(template)
f = open("README.md", "w")
f.write(template)
f.close()

10
.github/scripts/wordpress-plugins-update-requirements.txt vendored Normal file
View File

@ -0,0 +1,10 @@
beautifulsoup4==4.11.1
bs4==0.0.1
certifi==2023.7.22
charset-normalizer==2.1.1
idna==3.4
Markdown==3.4.1
requests==2.28.1
soupsieve==2.3.2.post1
termcolor==2.1.1
urllib3==1.26.13

185
.github/scripts/wordpress-plugins-update.py vendored Normal file
View File

@ -0,0 +1,185 @@
#!/usr/bin/env python3
'''
This script reads the URL https://wordpress.org/plugins/browse/popular/ until page 10, extract each plugin name and namespace,
then in http://plugins.svn.wordpress.org/ website, looks for the "Stable tag" inside the readme.txt and extract the last version
number from trunk branch. Finally generates a template and a payload file with last version number to be used during scan that
compares the detect version with the payload version.
The generated template also includes the tags top-100 and top-200 allowing filtering.
e.g.
nuclei -t http/technologies/wordpress/plugins -tags top-100 -u https://www.example.com
'''
__author__ = "ricardomaia"
from time import sleep
from bs4 import BeautifulSoup
import requests
import re
from markdown import markdown
import os
from termcolor import colored, cprint
# Regex to extract the name of th plugin from the URL
regex = r"https://wordpress.org/plugins/(\w.+)/"
ranking = 1
# Top 200 Wordpress Plugins
for page_number in range(1, 11):
html = requests.get(url=f"https://wordpress.org/plugins/browse/popular/page/{page_number}", headers={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Accept-Language": "en-US,en;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Connection": "keep-alive",
"Upgrade-Insecure-Requests": "1",
"Cache-Control": "max-age=0",
"Pragma": "no-cache",
}).content
# Parse HTML
soup = BeautifulSoup(html, 'html.parser')
results = soup.find(id="main")
articles = results.find_all("article", class_="plugin-card")
# Setting the top tag
top_tag = "top-100,top-200" if page_number <= 5 else "top-200"
# Get each plugin in the page
for article in articles:
full_title = article.find("h3", class_="entry-title").get_text()
regex_remove_quotes = r"[\"`:]"
subst_remove_quotes = "'"
title = re.sub(regex_remove_quotes, subst_remove_quotes, full_title)
link = article.find("a").get("href")
name = re.search(regex, link).group(1)
cprint(f"Title: {title}", "cyan")
cprint(f"Link: {link}", "yellow")
cprint(f"Name: {name} - Ranking: {ranking}", "green")
print(f"Page Number: {page_number}")
print(f"Top Tag: {top_tag}")
print(f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt")
ranking += 1
sleep(0.2)
# Get the readme.txt file from SVN
readme = requests.get(
url=f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt",
headers={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6",
"Cache-Control": "no-cache",
"Connection": "keep-alive",
"Host": "plugins.svn.wordpress.org",
"Pragma": "no-cache",
"Upgrade-Insecure-Requests": "1",
"Referer": "http://plugins.svn.wordpress.org/{name}/trunk/"}).content
# Extract the plugin version
try:
version = re.search(r"(?i)Stable.tag:\s+([\w.]+)",
readme.decode("utf-8")).group(1)
except:
version = "N/A"
# Extract the plugin description
try:
description_markdown = re.search(
r"(?i)==.Description.==\W+\n?(.*)", readme.decode("utf-8")).group(1)
html = markdown(description_markdown)
full_description = BeautifulSoup(html, 'html.parser').get_text()
regex_max_length = r"(\b.{80}\b)"
subst_max_lenght = "\\g<1>\\n "
description = re.sub(
regex_max_length, subst_max_lenght, full_description, 0, re.MULTILINE)
except:
description = "N/A"
print(f"Version: {version}")
print(f"Description: {description}")
# Write the plugin template to file
template = f'''id: wordpress-{name}
info:
name: {title} Detection
author: ricardomaia
severity: info
reference:
- https://wordpress.org/plugins/{name}/
metadata:
plugin_namespace: {name}
wpscan: https://wpscan.com/plugin/{name}
tags: tech,wordpress,wp-plugin,{top_tag}
http:
- method: GET
path:
- "{{{{BaseURL}}}}/wp-content/plugins/{name}/readme.txt"
payloads:
last_version: helpers/wordpress/plugins/{name}.txt
extractors:
- type: regex
part: body
internal: true
name: internal_detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
- type: regex
part: body
name: detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
matchers-condition: or
matchers:
- type: dsl
name: "outdated_version"
dsl:
- compare_versions(internal_detected_version, concat("< ", last_version))
- type: regex
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
'''
work_dir = os.getcwd()
print(f"Current working directory: {work_dir}")
helper_dir = f"{work_dir}/helpers/wordpress/plugins"
template_dir = f"{work_dir}/http/technologies/wordpress/plugins"
if not os.path.exists(helper_dir):
os.makedirs(helper_dir)
if not os.path.exists(template_dir):
os.makedirs(template_dir)
helper_path = f"helpers/wordpress/plugins/{name}.txt"
version_file = open(helper_path, "w")
version_file.write(version)
version_file.close()
template_path = f"http/technologies/wordpress/plugins/{name}.yaml"
template_file = open(template_path, "w") # Dev environment
template_file.write(template)
template_file.close()
print("--------------------------------------------")
print("\n")

108
.github/scripts/yaml2json.go vendored Normal file
View File

@ -0,0 +1,108 @@
package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"strings"
"gopkg.in/yaml.v3"
)
type Classification struct {
CVSSScore string `yaml:"cvss-score,omitempty"`
}
type Info struct {
Name string `yaml:"name"`
Severity string `yaml:"severity"`
Description string `yaml:"description"`
Classification Classification `yaml:"classification,omitempty"`
}
type Data struct {
ID string `yaml:"id"`
Info Info `yaml:"info"`
FilePath string `json:"file_path"`
}
func main() {
if len(os.Args) != 3 {
fmt.Println("Usage: go run main.go <directory1[,directory2,...]> <output_file>")
os.Exit(1)
}
input := os.Args[1]
outputFile := os.Args[2]
var directories []string
// Check if the input contains a comma
if strings.Contains(input, ",") {
directories = strings.Split(input, ",")
} else {
directories = []string{input}
}
var data []Data
for _, directory := range directories {
fmt.Println("Generating data for", directory)
err := filepath.Walk(directory, func(path string, info os.FileInfo, err error) error {
if err != nil {
fmt.Printf("Error accessing path %s: %v\n", path, err)
return err
}
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
yamlFile, err := ioutil.ReadFile(path)
if err != nil {
fmt.Printf("Error reading YAML file %s: %v\n", path, err)
return err
}
var d Data
err = yaml.Unmarshal(yamlFile, &d)
if err != nil {
fmt.Printf("Error unmarshalling YAML file %s: %v\n", path, err)
return err
}
if d.Info.Classification.CVSSScore == "" {
d.Info.Classification.CVSSScore = "N/A"
}
if d.Info.Classification == (Classification{}) {
d.Info.Classification.CVSSScore = "N/A"
}
fpath := strings.Replace(path, "/home/runner/work/nuclei-templates/nuclei-templates/", "", 1)
d.FilePath = fpath
data = append(data, d)
}
return nil
})
if err != nil {
fmt.Printf("Error reading directory: %v\n", err)
os.Exit(1)
}
}
var jsonData []byte
for _, d := range data {
temp, err := json.Marshal(d)
if err != nil {
fmt.Printf("Error marshalling JSON: %v\n", err)
os.Exit(1)
}
jsonData = append(jsonData, temp...)
jsonData = append(jsonData, byte('\n'))
}
err := ioutil.WriteFile(outputFile, jsonData, 0644)
if err != nil {
fmt.Printf("Error writing JSON data to file: %v\n", err)
os.Exit(1)
}
fmt.Println("JSON data written to", outputFile)
}

31
.github/workflows/autoassign.yml vendored Normal file
View File

@ -0,0 +1,31 @@
name: 🤖 issue/pr assignment
on:
pull_request:
types: [opened]
branches:
- main
issues:
types: [opened]
jobs:
build:
permissions: write-all
runs-on: ubuntu-latest
env:
ASSIGN_TASK_TOKEN: ${{ secrets.PDTEAMX_PAT }} # github personal token
steps:
- name: checkout repo content
uses: actions/checkout@v4 # checkout the repository content
- name: setup python
uses: actions/setup-python@v5
with:
python-version: '3.10' # install the python version needed
- name: install python packages
run: |
pip install requests
- name: execute python script on pr
if: ${{ github.event_name == 'pull_request' }}
run: python .github/scripts/assign_tasks.py ${{ github.event.pull_request.number }} pr ${{ secrets.GITHUB_TOKEN }}
- name: execute python script on issue opened
if: ${{ github.event_name == 'issues' }}
run: python .github/scripts/assign_tasks.py ${{ github.event.issue.number }} issue ${{ secrets.GITHUB_TOKEN }}

22
.github/workflows/cache-purge.yml vendored Normal file
View File

@ -0,0 +1,22 @@
name: 🗑️ Cache Purge
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
deploy:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
# Wait for 5 minutes
- name: Wait for 2 minutes
run: sleep 120
- name: Purge cache
uses: jakejarvis/cloudflare-purge-action@master
env:
CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }}
CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}

45
.github/workflows/cve2json.yml vendored Normal file
View File

@ -0,0 +1,45 @@
name: 📝 CVE JSON Metadata
on:
push:
branches:
- main
paths:
- '*/cves/**'
workflow_dispatch: # allows manual triggering of the workflow
jobs:
cve2json:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@master
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.19
- name: Run YAML2JSON
id: cves
run: |
go env -w GO111MODULE=off
go get gopkg.in/yaml.v3
go run .github/scripts/yaml2json.go $GITHUB_WORKSPACE/http/cves/,$GITHUB_WORKSPACE/network/cves/ cves.json
md5sum cves.json | cut -d' ' -f1 > cves.json-checksum.txt
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.cves.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add cves.json cves.json-checksum.txt
git commit -m "Auto Generated cves.json [$(date)] :robot:" -a
- name: Push changes
if: steps.cves.outputs.CHANGES > 0
run: |
git pull --rebase
git push origin ${{ github.ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

43
.github/workflows/new-templates.yml vendored Normal file
View File

@ -0,0 +1,43 @@
name: 🥳 New Template List
on:
push:
branches:
- main
paths:
- '**.yaml'
workflow_dispatch:
jobs:
templates:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@master
with:
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
fetch-depth: 0
- name: Generate new template list
id: new-additions
run: |
git pull
git diff --name-only --diff-filter=A $(git tag | tail -n 1) @ . | grep .yaml | tee .new-additions
- name: Commit files
run: |
git config --local user.email "bot@projectdiscovery.io"
git config --local user.name "[PDBot]"
git add .new-additions -f
git commit --allow-empty -m "Auto Generated New Template Addition List [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
- name: Trigger Remote Workflow with curl
run: |
curl -i -s -k -X 'POST' -H 'Host: api.github.com' -H "Authorization: token ${{ secrets.GTOKEN }}" --data-binary $'{\"ref\":\"main\"}' 'https://api.github.com/repos/projectdiscovery/early-templates/actions/workflows/reposync.yml/dispatches'

47
.github/workflows/readme-update.yml vendored Normal file
View File

@ -0,0 +1,47 @@
name: 📝 Readme Update
on:
workflow_run:
workflows: ["🗒 Templates Stats"]
types:
- completed
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- name: Install tree
run: sudo apt-get install tree -y
- name: Check out code
uses: actions/checkout@master
with:
persist-credentials: false
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.8"
- name: Update README
id: readme-update
run: |
python .github/scripts/update-readme.py
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.readme-update.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto README Update [$(date)] :robot:" -a
- name: Push changes
if: steps.readme-update.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}

19
.github/workflows/syntax-checking.yml vendored Normal file
View File

@ -0,0 +1,19 @@
name: ❄️ YAML Lint
on:
pull_request:
paths:
- '**.yaml'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Yamllint
uses: karancode/yamllint-github-action@v2.1.1
with:
yamllint_config_filepath: .yamllint
yamllint_strict: false
yamllint_comment: true

49
.github/workflows/template-checksum.yml vendored Normal file
View File

@ -0,0 +1,49 @@
name: 📝 Template Checksum
on:
push:
branches:
- main
paths:
- '**.yaml'
workflow_dispatch: # allows manual triggering of the workflow
jobs:
checksum:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.21.x
- name: install checksum generator
run: |
go install -v github.com/projectdiscovery/nuclei/v3/cmd/generate-checksum@dev
- name: generate checksum
id: checksum
run: |
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.checksum.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add templates-checksum.txt
git commit -am "Auto Generated Templates Checksum [$(date)] :robot:"
- name: Push changes
if: steps.checksum.outputs.CHANGES > 0
run: |
git pull --rebase
git push origin ${{ github.ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

31
.github/workflows/template-db-indexer.yml vendored Normal file
View File

@ -0,0 +1,31 @@
name: 📑 Template-DB Indexer
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
index:
runs-on: ubuntu-latest-16-cores
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.21.x
- name: Installing Indexer
run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/nucleish-api.git
cd nucleish-api/cmd/generate-index/
go install
- name: Generate Index
env:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: |
generate-index -mode templates

51
.github/workflows/template-sign.yml vendored Normal file
View File

@ -0,0 +1,51 @@
name: ☑️ Template Sign
on:
push:
branches:
- main
paths:
- '**.yaml'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.21.x
- name: nuclei install
run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@dev
- name: Template Sign
id: sign
run: |
nuclei -lfa -duc -sign -t /home/runner/work/nuclei-templates/nuclei-templates
nuclei -lfa -duc -t /home/runner/work/nuclei-templates/nuclei-templates
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
env:
NUCLEI_USER_CERTIFICATE: ${{ secrets.NUCLEI_USER_CERTIFICATE }}
NUCLEI_USER_PRIVATE_KEY: ${{ secrets.NUCLEI_USER_PRIVATE_KEY }}
- name: Commit files
if: steps.sign.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add cves.json cves.json-checksum.txt
git commit -m "Auto Template Signing [$(date)] :robot:" -a
- name: Push changes
if: steps.sign.outputs.CHANGES > 0
run: |
git pull --rebase
git push origin ${{ github.ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

29
.github/workflows/template-validate.yml vendored Normal file
View File

@ -0,0 +1,29 @@
name: 🛠 Template Validate
on:
pull_request:
paths:
- '**.yaml'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.21.x
- name: nuclei install
run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
- name: Template Validation
run: |
cp -r ${{ github.workspace }} $HOME
nuclei -duc -validate -allow-local-file-access -et /home/runner/nuclei-templates/config/.git -et /home/runner/nuclei-templates/config
nuclei -duc -validate -w ./workflows -allow-local-file-access -et /home/runner/nuclei-templates/config/.git -et /home/runner/nuclei-templates/config

46
.github/workflows/templateman.yml vendored Normal file
View File

@ -0,0 +1,46 @@
name: 🤖 TemplateMan
on:
workflow_dispatch:
jobs:
templateman:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.21.x
- name: Install TemplateMan CLI Client
run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/templateman.git
cd templateman/templateman-cli/cmd/tmc
go install
- name: Run TemplateMan
id: tmc
run: |
echo /home/runner/work/nuclei-templates/nuclei-templates | tmc -mr -e
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.tmc.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit --allow-empty -m "TemplateMan Update [$(date)] :robot:" -a
- name: Push changes
if: steps.tmc.outputs.CHANGES > 0
run: |
git pull --rebase
git push origin ${{ github.ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

58
.github/workflows/templates-stats.yml vendored Normal file
View File

@ -0,0 +1,58 @@
name: 🗒 Templates Stats
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.19
- name: Installing Template Stats
run: |
go install github.com/projectdiscovery/templates-stats@main
shell: bash
- name: Markdown Stats
run: |
templates-stats -output TEMPLATES-STATS.md -path /home/runner/work/nuclei-templates/nuclei-templates/
shell: bash
- name: JSON Stats
run: |
templates-stats -output TEMPLATES-STATS.json -json -path /home/runner/work/nuclei-templates/nuclei-templates/
shell: bash
- name: Top 10 Stats
run: |
templates-stats -output TOP-10.md -top 10 -path /home/runner/work/nuclei-templates/nuclei-templates/
shell: bash
- name: Get statistical changes
id: stats
run: git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.stats.outputs.CHANGES > 0
run: |
git add TEMPLATES-STATS.*
git add TOP-10.md
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated Templates Stats [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}

58
.github/workflows/templates-sync.yml vendored Normal file
View File

@ -0,0 +1,58 @@
name: Sync Repositories Workflow
on:
push:
paths:
- '.new-additions'
- 'http/cves/2015/CVE-2015-2794.yaml'
- 'http/cves/2023/CVE-2023-42343.yaml'
- 'http/cves/2023/CVE-2023-46574.yaml'
- 'http/exposures/docker-daemon-exposed.yaml'
- 'http/token-spray/api-openai.yaml'
- 'http/vulnerabilities/ruijie/ruijie-nmc-sync-rce.yaml'
- 'http/vulnerabilities/ruijie/ruijie-rg-eg-web-mis-rce.yaml'
- 'http/vulnerabilities/yonyou/yonyou-ksoa-dept-sqli.yaml'
- 'cloud/enum/aws-app-enum.yaml'
- 'cloud/enum/aws-s3-bucket-enum.yaml'
- 'cloud/enum/azure-db-enum.yaml'
- 'cloud/enum/azure-vm-cloud-enum.yaml'
- 'cloud/enum/azure-website-enum.yaml'
- 'cloud/enum/gcp-app-engine-enum.yaml'
- 'cloud/enum/gcp-bucket-enum.yaml'
- 'cloud/enum/gcp-firebase-app-enum.yaml'
- 'cloud/enum/gcp-firebase-rtdb-enum.yaml'
- 'http/cves/2023/CVE-2023-41109.yaml'
- 'network/misconfig/erlang-daemon.yaml'
- 'code/cves/2019/CVE-2019-14287.yaml'
- 'code/cves/2021/CVE-2021-3156.yaml'
- 'http/cves/2020/CVE-2020-12124.yaml'
- 'http/cves/2023/CVE-2023-50968.yaml'
- 'http/cves/2023/CVE-2023-51467.yaml'
- 'http/misconfiguration/cookies-without-httponly.yaml'
- 'http/misconfiguration/php/php-composer-binary.yaml'
- 'http/vulnerabilities/dahua/dahua-icc-backdoor-user.yaml'
- 'http/cves/2023/CVE-2023-44353.yaml'
- 'http/technologies/cisco-asa-detect.yaml'
- 'http/vulnerabilities/dlink/dlink-netgear-xss.yaml'
- 'http/exposed-panels/goodjob-dashboard.yaml'
- 'http/exposed-panels/onlyoffice-login-panel.yaml'
- 'http/cves/2023/CVE-2023-6379.yaml'
- 'http/misconfiguration/apache/apache-server-status.yaml'
- 'http/osint/piratebay.yaml'
- 'javascript/network/smb/smb-anonymous-access.yaml'
- 'javascript/network/smb/smb-shares.yaml'
- 'javascript/network/smb/smb-signing-not-required.yaml'
- 'javascript/network/smb/smb2-capabilities.yaml'
- 'http/cves/2023/CVE-2023-6623.yaml'
- 'http/cves/2024/CVE-2024-0352.yaml'
- 'http/default-logins/camunda/camunda-default-login.yaml'
- 'http/cves/2023/CVE-2023-50917.yaml'
- 'http/misconfiguration/cookies-without-httponly-secure.yaml'
- 'http/vulnerabilities/wanhu/wanhuoa-downloadservlet-lfi.yaml'
workflow_dispatch:
jobs:
triggerRemoteWorkflow:
runs-on: ubuntu-latest
steps:
- name: Trigger Remote Workflow with curl
run: |
curl -i -s -k -X 'POST' -H 'Host: api.github.com' -H "Authorization: token ${{ secrets.GTOKEN }}" --data-binary $'{\"ref\":\"main\"}' 'https://api.github.com/repos/projectdiscovery/early-templates/actions/workflows/reposync.yml/dispatches'

43
.github/workflows/wordpress-plugins-update.yml vendored Normal file
View File

@ -0,0 +1,43 @@
name: ✨ WordPress Plugins - Update
on:
workflow_dispatch:
jobs:
Update:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v4
with:
persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
- name: Install Python3
uses: actions/setup-python@v5
with:
python-version: "3.10"
- run: |
python -m pip install --upgrade pip
pip install -r .github/scripts/wordpress-plugins-update-requirements.txt
- name: Update Templates
id: update-templates
run: |
python3 .github/scripts/wordpress-plugins-update.py
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.update-templates.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add --all
git commit -m "Auto WordPress Plugins Update [$(date)] :robot:"
- name: Push changes
if: steps.update-templates.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}

6
.gitignore vendored Normal file
View File

@ -0,0 +1,6 @@
.idea/
.DS_Store
local/
.checksum
.new-additions
*.txt

141
.new-additions
View File

@ -1,97 +1,44 @@
code/privilege-escalation/linux/binary/privesc-aa-exec.yaml
code/privilege-escalation/linux/binary/privesc-ash.yaml
code/privilege-escalation/linux/binary/privesc-awk.yaml
code/privilege-escalation/linux/binary/privesc-bash.yaml
code/privilege-escalation/linux/binary/privesc-cdist.yaml
code/privilege-escalation/linux/binary/privesc-choom.yaml
code/privilege-escalation/linux/binary/privesc-cpulimit.yaml
code/privilege-escalation/linux/binary/privesc-csh.yaml
code/privilege-escalation/linux/binary/privesc-csvtool.yaml
code/privilege-escalation/linux/binary/privesc-dash.yaml
code/privilege-escalation/linux/binary/privesc-dc.yaml
code/privilege-escalation/linux/binary/privesc-distcc.yaml
code/privilege-escalation/linux/binary/privesc-elvish.yaml
code/privilege-escalation/linux/binary/privesc-enscript.yaml
code/privilege-escalation/linux/binary/privesc-env.yaml
code/privilege-escalation/linux/binary/privesc-expect.yaml
code/privilege-escalation/linux/binary/privesc-find.yaml
code/privilege-escalation/linux/binary/privesc-fish.yaml
code/privilege-escalation/linux/binary/privesc-flock.yaml
code/privilege-escalation/linux/binary/privesc-gawk.yaml
code/privilege-escalation/linux/binary/privesc-grc.yaml
code/privilege-escalation/linux/binary/privesc-ionice.yaml
code/privilege-escalation/linux/binary/privesc-julia.yaml
code/privilege-escalation/linux/binary/privesc-lftp.yaml
code/privilege-escalation/linux/binary/privesc-ltrace.yaml
code/privilege-escalation/linux/binary/privesc-lua.yaml
code/privilege-escalation/linux/binary/privesc-mawk.yaml
code/privilege-escalation/linux/binary/privesc-multitime.yaml
code/privilege-escalation/linux/binary/privesc-mysql.yaml
code/privilege-escalation/linux/binary/privesc-nawk.yaml
code/privilege-escalation/linux/binary/privesc-nice.yaml
code/privilege-escalation/linux/binary/privesc-node.yaml
code/privilege-escalation/linux/binary/privesc-nsenter.yaml
code/privilege-escalation/linux/binary/privesc-perl.yaml
code/privilege-escalation/linux/binary/privesc-pexec.yaml
code/privilege-escalation/linux/binary/privesc-php.yaml
code/privilege-escalation/linux/binary/privesc-posh.yaml
code/privilege-escalation/linux/binary/privesc-python.yaml
code/privilege-escalation/linux/binary/privesc-rake.yaml
code/privilege-escalation/linux/binary/privesc-rc.yaml
code/privilege-escalation/linux/binary/privesc-rlwrap.yaml
code/privilege-escalation/linux/binary/privesc-rpm.yaml
code/privilege-escalation/linux/binary/privesc-rpmdb.yaml
code/privilege-escalation/linux/binary/privesc-rpmverify.yaml
code/privilege-escalation/linux/binary/privesc-ruby.yaml
code/privilege-escalation/linux/binary/privesc-run-parts.yaml
code/privilege-escalation/linux/binary/privesc-sash.yaml
code/privilege-escalation/linux/binary/privesc-slsh.yaml
code/privilege-escalation/linux/binary/privesc-socat.yaml
code/privilege-escalation/linux/binary/privesc-softlimit.yaml
code/privilege-escalation/linux/binary/privesc-sqlite3.yaml
code/privilege-escalation/linux/binary/privesc-ssh-agent.yaml
code/privilege-escalation/linux/binary/privesc-sshpass.yaml
code/privilege-escalation/linux/binary/privesc-stdbuf.yaml
code/privilege-escalation/linux/binary/privesc-strace.yaml
code/privilege-escalation/linux/binary/privesc-tar.yaml
code/privilege-escalation/linux/binary/privesc-tcsh.yaml
code/privilege-escalation/linux/binary/privesc-time.yaml
code/privilege-escalation/linux/binary/privesc-timeout.yaml
code/privilege-escalation/linux/binary/privesc-tmate.yaml
code/privilege-escalation/linux/binary/privesc-torify.yaml
code/privilege-escalation/linux/binary/privesc-torsocks.yaml
code/privilege-escalation/linux/binary/privesc-unshare.yaml
code/privilege-escalation/linux/binary/privesc-vi.yaml
code/privilege-escalation/linux/binary/privesc-view.yaml
code/privilege-escalation/linux/binary/privesc-vim.yaml
code/privilege-escalation/linux/binary/privesc-xargs.yaml
code/privilege-escalation/linux/binary/privesc-xdg-user-dir.yaml
code/privilege-escalation/linux/binary/privesc-yash.yaml
code/privilege-escalation/linux/binary/privesc-zsh.yaml
code/privilege-escalation/linux/rw-shadow.yaml
code/privilege-escalation/linux/rw-sudoers.yaml
code/privilege-escalation/linux/sudo-nopasswd.yaml
code/privilege-escalation/linux/writable-etc-passwd.yaml
dns/dns-rebinding.yaml
http/cves/2018/CVE-2018-10942.yaml
http/cves/2023/CVE-2023-22527.yaml
http/cves/2023/CVE-2023-27639.yaml
http/cves/2023/CVE-2023-27640.yaml
http/cves/2023/CVE-2023-47211.yaml
http/cves/2023/CVE-2023-48023.yaml
http/cves/2023/CVE-2023-6023.yaml
http/cves/2023/CVE-2023-6875.yaml
http/cves/2024/CVE-2024-0204.yaml
http/default-logins/node-red/nodered-default-login.yaml
http/default-logins/powershell/powershell-default-login.yaml
http/exposed-panels/autoset-detect.yaml
http/exposed-panels/compalex-detect.yaml
http/exposed-panels/doris-panel.yaml
http/exposures/configs/vbulletin-path-disclosure.yaml
http/exposures/logs/go-pprof-debug.yaml
http/miscellaneous/defacement-detect.yaml
http/misconfiguration/doris-dashboard.yaml
http/vulnerabilities/apache/apache-nifi-rce.yaml
http/vulnerabilities/juniper/junos-xss.yaml
http/vulnerabilities/prestashop/prestashop-blocktestimonial-file-upload.yaml
http/vulnerabilities/vbulletin/vbulletin-backdoor.yaml
cloud/enum/aws-app-enum.yaml
cloud/enum/aws-s3-bucket-enum.yaml
cloud/enum/azure-db-enum.yaml
cloud/enum/azure-vm-cloud-enum.yaml
cloud/enum/azure-website-enum.yaml
cloud/enum/gcp-app-engine-enum.yaml
cloud/enum/gcp-bucket-enum.yaml
cloud/enum/gcp-firebase-app-enum.yaml
cloud/enum/gcp-firebase-rtdb-enum.yaml
code/cves/2019/CVE-2019-14287.yaml
code/cves/2021/CVE-2021-3156.yaml
http/cves/2015/CVE-2015-2794.yaml
http/cves/2020/CVE-2020-12124.yaml
http/cves/2023/CVE-2023-41109.yaml
http/cves/2023/CVE-2023-42343.yaml
http/cves/2023/CVE-2023-44353.yaml
http/cves/2023/CVE-2023-46574.yaml
http/cves/2023/CVE-2023-50917.yaml
http/cves/2023/CVE-2023-50968.yaml
http/cves/2023/CVE-2023-51467.yaml
http/cves/2023/CVE-2023-6379.yaml
http/cves/2023/CVE-2023-6623.yaml
http/cves/2024/CVE-2024-0352.yaml
http/default-logins/camunda/camunda-default-login.yaml
http/exposed-panels/goodjob-dashboard.yaml
http/exposed-panels/onlyoffice-login-panel.yaml
http/exposures/docker-daemon-exposed.yaml
http/misconfiguration/apache/apache-server-status.yaml
http/misconfiguration/cookies-without-httponly-secure.yaml
http/misconfiguration/php/php-composer-binary.yaml
http/osint/piratebay.yaml
http/technologies/cisco-asa-detect.yaml
http/token-spray/api-openai.yaml
http/vulnerabilities/dahua/dahua-icc-backdoor-user.yaml
http/vulnerabilities/dlink/dlink-netgear-xss.yaml
http/vulnerabilities/ruijie/ruijie-nmc-sync-rce.yaml
http/vulnerabilities/ruijie/ruijie-rg-eg-web-mis-rce.yaml
http/vulnerabilities/wanhu/wanhuoa-downloadservlet-lfi.yaml
http/vulnerabilities/yonyou/yonyou-ksoa-dept-sqli.yaml
javascript/network/smb/smb-anonymous-access.yaml
javascript/network/smb/smb-shares.yaml
javascript/network/smb/smb-signing-not-required.yaml
javascript/network/smb/smb2-capabilities.yaml
network/misconfig/erlang-daemon.yaml

31
.nuclei-ignore Normal file
View File

@ -0,0 +1,31 @@
# ==| Nuclei Templates Ignore list |==
# ====================================
#
# This is default list of tags and files to excluded from default nuclei scan.
# More details - https://nuclei.projectdiscovery.io/nuclei/get-started/#template-exclusion
#
# ============ DO NOT EDIT ============
# Automatically updated by nuclei on execution from nuclei-templates
# User changes should be in nuclei config file
# ============ DO NOT EDIT ============
# tags is a list of tags to ignore execution for
# unless asked for by the user.
tags:
- "fuzz"
- "dos"
# The following templates have been excluded because they have weak matchers and may generate FP results.
# Please feel free to create PR if you can update the templates with strict matchers.
# files is a list of files to ignore template execution
# unless asked for by the user.
files:
- http/cves/2006/CVE-2006-1681.yaml
- http/cves/2019/CVE-2019-14696.yaml
- http/cves/2020/CVE-2020-2036.yaml
- http/cves/2020/CVE-2020-28351.yaml
- http/vulnerabilities/oracle/oracle-ebs-xss.yaml
- http/cves/2021/CVE-2021-28164.yaml

10
.pre-commit-config.yml Normal file
View File

@ -0,0 +1,10 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v2.3.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/adrienverge/yamllint.git
rev: v1.17.0
hooks:
- id: yamllint

26
.yamllint Normal file
View File

@ -0,0 +1,26 @@
---
extends: default
ignore: |
.pre-commit-config.yml
.github/
.git/
*.yml
rules:
document-start: disable
comments-indentation: disable
line-length: disable
new-lines: disable
new-line-at-end-of-file: disable
truthy: disable
comments:
require-starting-space: true
ignore-shebangs: true
min-spaces-from-content: 1
empty-lines:
max: 5
braces:
forbid: true
brackets:
forbid: true

76
CODE_OF_CONDUCT 2.md
View File

@ -1,76 +0,0 @@
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment
include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery and unwelcome sexual attention or
advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at contact@projectdiscovery.io. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see
https://www.contributor-covenant.org/faq

100
CONTRIBUTING 2.md
View File

@ -1,100 +0,0 @@
# Template Contribution Guidelines
This documentation contains a set of guidelines to help you during the contribution process.
We are happy to welcome all the contributions from anyone willing to **improve/add** new **templates** to this project.
Thank you for helping out and remember, **no contribution is too small.**
# Submitting Nuclei Templates 👩‍💻👨‍💻
Below you will find the process and workflow used to review and merge your changes.
## Step 1 : Find existing templates
- Take a look at the [Existing Templates](https://github.com/projectdiscovery/nuclei-templates) before creating new one.
- Take a look at Existing Templates in [GitHub Issues](https://github.com/projectdiscovery/nuclei-templates/issues) and [Pull Request](https://github.com/projectdiscovery/nuclei-templates/pulls) section to avoid duplicate work.
- Take a look at [Templates](https://nuclei.projectdiscovery.io/templating-guide/) and [Matchers](https://github.com/projectdiscovery/nuclei-templates/wiki/Unique-Template-Matchers) Guideline for creating new template.
## Step 2 : Fork the Project
- Fork this Repository. This will create a Local Copy of this Repository on your Github Profile. Keep a reference to the original project in `upstream` remote.
<img width="928" alt="template-fork" src="https://user-images.githubusercontent.com/8293321/124467966-2afde200-ddb6-11eb-835f-8f8fc2fabedb.png">
```sh
git clone https://github.com/<your-username>/nuclei-templates
cd nuclei-templates
git remote add upstream https://github.com/projectdiscovery/nuclei-templates
```
- If you have already forked the project, update your copy before working.
```sh
git remote update
git checkout main
git rebase upstream/main
```
## Step 3 : Create your Template Branch
Create a new branch. Use its name to identify the issue your addressing.
```sh
# It will create a new branch with name template_branch_name and switch to that branch
git checkout -b template_branch_name
```
## Step 4 : Create Template and Commit
- Create your template.
- Add all the files/folders needed.
- After you've made changes or completed template creation, add changes to the branch you've just created by:
```sh
# To add all new files to branch template_branch_name
git add .
```
- To commit, give a descriptive message for the convenience of the reviewer by:
```sh
# This message get associated with all files you have changed
git commit -m "Added/Fixed/Updated XXX Template"
```
**NOTE**:
- A Pull Request should have only one unique template to make it simple for review.
- Multiple templates for same technology can be grouped into single Pull Request.
## Step 5 : Push Your Changes
- Now you are ready to push your template to the remote (forked) repository.
- When your work is ready and complies with the project conventions, upload your changes to your fork:
```sh
# To push your work to your remote repository
git push -u origin template_branch_name
```
## Step 6 : Pull Request
- Fire up your favorite browser, navigate to your GitHub repository, then click on the New pull request button within the Pull requests tab. Provide a meaningful name and description to your pull request, that describes the purpose of the template.
- Voila! Your Pull Request has been submitted. It will be reviewed and merged by the moderators, if it complies with project standards, otherwise a feedback will be provided.🥳
## Need more help?🤔
You can refer to the following articles of Git and GitHub basics. In case you are stuck, feel free to contact the Project Mentors and Community by joining [PD Community](https://discord.gg/projectdiscovery) Discord server.
- [Forking a Repo](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
- [Cloning a Repo](https://help.github.com/en/desktop/contributing-to-projects/creating-an-issue-or-pull-request)
- [How to create a Pull Request](https://opensource.com/article/19/7/create-pull-request-github)
- [Getting started with Git and GitHub](https://towardsdatascience.com/getting-started-with-git-and-github-6fcd0f2d4ac6)
- [Learn GitHub from Scratch](https://lab.github.com/githubtraining/introduction-to-github)
## Tip from us😇
- **Nuclei** outcomes are only as excellent as **template matchers💡**
- Declare at least two matchers to reduce false positive
- Avoid matching words reflected in the URL to reduce false positive
- Avoid short word that could be encountered anywhere

21
LICENSE 2.md
View File

@ -1,21 +0,0 @@
MIT License
Copyright (c) 2020 ProjectDiscovery, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

28
PULL_REQUEST_TEMPLATE 2.md
View File

@ -1,28 +0,0 @@
### Template / PR Information
<!-- Explains the information and/or motivation for update or/ creating this templates -->
<!-- Please include any reference to your template if available -->
- Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
- References:
### Template Validation
I've validated this template locally?
- [ ] YES
- [ ] NO
#### Additional Details (leave it blank if not applicable)
<!-- Include Shodan / Fofa / Google Query / Docker / Screenshots if available -->
<!-- Include HTTP/TCP/DNS Matched response data snippet if available -->
<!-- Please do NOT include vulnerable host information in pull requests -->
<!-- None of the prerequisites are obligatory; they are merely intended to speed the review process. -->
### Additional References:
- [Nuclei Template Creation Guideline](https://nuclei.projectdiscovery.io/templating-guide/)
- [Nuclei Template Matcher Guideline](https://github.com/projectdiscovery/nuclei-templates/wiki/Unique-Template-Matchers)
- [Nuclei Template Contribution Guideline](https://github.com/projectdiscovery/nuclei-templates/blob/master/CONTRIBUTING.md)
- [PD-Community Discord server](https://discord.gg/projectdiscovery)

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2318 | dhiyaneshdk | 1135 | http | 6947 | info | 3351 | file | 312 |
| panel | 1040 | dwisiswant0 | 801 | file | 312 | high | 1471 | dns | 20 |
| wordpress | 941 | daffainfo | 789 | workflows | 191 | medium | 1445 | | |
| xss | 851 | pikpikcu | 353 | network | 132 | critical | 933 | | |
| exposure | 850 | pussycat0x | 313 | ssl | 27 | low | 251 | | |
| wp-plugin | 815 | ritikchaddha | 298 | javascript | 25 | unknown | 34 | | |
| osint | 678 | pdteam | 286 | dns | 17 | | | | |
| tech | 650 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 622 | geeknik | 225 | cloud | 9 | | | | |
| edb | 598 | theamanrawat | 221 | code | 5 | | | | |
| cve | 2296 | dhiyaneshdk | 1123 | http | 6913 | info | 3337 | file | 312 |
| panel | 1038 | dwisiswant0 | 801 | file | 312 | high | 1458 | dns | 18 |
| wordpress | 938 | daffainfo | 788 | workflows | 191 | medium | 1439 | | |
| xss | 848 | pikpikcu | 353 | network | 131 | critical | 919 | | |
| exposure | 844 | pussycat0x | 307 | ssl | 27 | low | 248 | | |
| wp-plugin | 812 | ritikchaddha | 298 | javascript | 21 | unknown | 34 | | |
| osint | 677 | pdteam | 286 | dns | 17 | | | | |
| tech | 649 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 619 | geeknik | 224 | code | 3 | | | | |
| edb | 598 | theamanrawat | 221 | cves.json | 1 | | | | |
**545 directories, 7957 files**.
**534 directories, 7902 files**.
</td>
</tr>

96
README_KR 2.md
View File

@ -1,96 +0,0 @@
<h1 align="center">
Nuclei 템플릿
</h1>
<h4 align="center">커뮤니티에서 엄선한, 애플리케이션 보안 취약점을 찾기 위한 Nuclei 엔진용 템플릿 목록</h4>
<p align="center">
<a href="https://github.com/projectdiscovery/nuclei-templates/issues"><img src="https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat"></a>
<a href="https://github.com/projectdiscovery/nuclei-templates/releases"><img src="https://img.shields.io/github/release/projectdiscovery/nuclei-templates"></a>
<a href="https://twitter.com/pdnuclei"><img src="https://img.shields.io/twitter/follow/pdnuclei.svg?logo=twitter"></a>
<a href="https://discord.gg/projectdiscovery"><img src="https://img.shields.io/discord/695645237418131507.svg?logo=discord"></a>
</p>
<p align="center">
<a href="https://nuclei.projectdiscovery.io/templating-guide/">가이드 문서</a>
<a href="#-contributions">기여</a>
<a href="#-discussion">논의</a>
<a href="#-community">커뮤니티</a>
<a href="https://nuclei.projectdiscovery.io/faq/templates/">FAQs</a>
<a href="https://discord.gg/projectdiscovery">디스코드</a>
</p>
<p align="center">
<a href="https://github.com/projectdiscovery/nuclei-templates/blob/master/README.md">English</a>
<a href="https://github.com/projectdiscovery/nuclei-templates/blob/master/README_KR.md">한국어</a>
</p>
----
템플릿은 실제 스캐닝 엔진을 동작하게 하는 [nuclei scanner](https://github.com/projectdiscovery/nuclei)의 핵심입니다.
이 저장소는 우리 팀에서 제공하거나, 커뮤니티에서 기여한 다양한 템플릿들을 저장하고 보관합니다.
템플릿 목록을 증가시키기 위해서 **pull requests** 나 [Github issues](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+) 를 통해 기여해주시기를 부탁드립니다.
## Nuclei 템플릿 개요
고유 태그, 작성자, 디렉토리, 심각도, 템플릿 종류에 대한 통계를 포함하고 있는 nuclei 템플릿의 개요입니다. 아래 표는 각 지표의 상위 10개 항목을 나타내고 있습니다. 더 자세한 정보는 [이곳](TEMPLATES-STATS.md)에서 확인 가능하고, [JSON](TEMPLATES-STATS.json) 형식으로도 확인 가능합니다.
<table>
<tr>
<td>
## Nuclei 템플릿 통계 Top 10
| 태그 | 개수 | 작성자 | 개수 | 디렉토리 | 개수 | 심각도 | 개수 | 종류 | 개수 |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1325 | daffainfo | 629 | cves | 1306 | info | 1398 | http | 3644 |
| panel | 604 | dhiyaneshdk | 509 | exposed-panels | 613 | high | 955 | file | 76 |
| lfi | 490 | pikpikcu | 322 | vulnerabilities | 506 | medium | 784 | network | 50 |
| xss | 451 | pdteam | 269 | technologies | 273 | critical | 445 | dns | 17 |
| wordpress | 409 | geeknik | 187 | exposures | 254 | low | 211 | | |
| exposure | 360 | dwisiswant0 | 169 | token-spray | 230 | unknown | 7 | | |
| cve2021 | 324 | 0x_akoko | 157 | misconfiguration | 210 | | | | |
| rce | 319 | princechaddha | 149 | workflows | 187 | | | | |
| wp-plugin | 304 | pussycat0x | 130 | default-logins | 102 | | | | |
| tech | 286 | gy741 | 126 | file | 76 | | | | |
**286개 디렉토리, 4012개 파일**.
</td>
</tr>
</table>
📖 문서
-----
새 템플릿이나 사용자 정의 템플릿을 빌드하기 위한 자세한 문서는 https://nuclei.projectdiscovery.io 에서 확인할 수 있습니다. 작업 방식의 이해를 돕기 위한 템플릿들도 있습니다.
💪 기여
-----
Nuclei 템플릿은 커뮤니티의 기여로 동작합니다.
[템플릿 기여](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+), [기능 요청](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=feature_request.md&title=%5BFeature%5D+), [버그 제보](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=bug_report.md&title=%5BBug%5D+)는 언제든지 환영합니다.
![Alt](https://repobeats.axiom.co/api/embed/55ee65543bb9a0f9c797626c4e66d472a517d17c.svg "Repobeats analytics image")
💬 논의
-----
같이 이야기하고 싶은 질문, 의문 혹은 아이디어가 있으신가요?
[Github discussions](https://github.com/projectdiscovery/nuclei-templates/discussions) 에서 자유롭게 시작할 수 있습니다.
👨‍💻 커뮤니티
-----
프로젝트 관리자와 직접 논의하고 보안과 자동화 관련 사항을 다른 사람과 공유하기 위해 [Discord Community](https://discord.gg/projectdiscovery) 에 참여하는 것을 환영합니다. 추가로 Nuclei 에 대한 모든 정보를 업데이트 하기 위해 [트위터](https://twitter.com/pdnuclei) 팔로우를 할 수 있습니다.
<p align="center">
<a href="https://github.com/projectdiscovery/nuclei-templates/graphs/contributors">
<img src="https://contrib.rocks/image?repo=projectdiscovery/nuclei-templates&max=300">
</a>
</p>
여러분의 기여와 커뮤니티의 활성화를 위한 노력에 다시한번 감사드립니다.
:heart:

1
TEMPLATES-STATS 2.json
View File

File diff suppressed because one or more lines are too long

4909
TEMPLATES-STATS 2.md
View File

File diff suppressed because it is too large Load Diff

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

9741
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

12
TOP-10 2.md
View File

@ -1,12 +0,0 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2296 | dhiyaneshdk | 1123 | http | 6913 | info | 3337 | file | 312 |
| panel | 1038 | dwisiswant0 | 801 | file | 312 | high | 1458 | dns | 18 |
| wordpress | 938 | daffainfo | 788 | workflows | 191 | medium | 1439 | | |
| xss | 848 | pikpikcu | 353 | network | 131 | critical | 919 | | |
| exposure | 844 | pussycat0x | 307 | ssl | 27 | low | 248 | | |
| wp-plugin | 812 | ritikchaddha | 298 | javascript | 21 | unknown | 34 | | |
| osint | 677 | pdteam | 286 | dns | 17 | | | | |
| tech | 649 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 619 | geeknik | 224 | code | 3 | | | | |
| edb | 598 | theamanrawat | 221 | cves.json | 1 | | | | |

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2318 | dhiyaneshdk | 1135 | http | 6947 | info | 3351 | file | 312 |
| panel | 1040 | dwisiswant0 | 801 | file | 312 | high | 1471 | dns | 20 |
| wordpress | 941 | daffainfo | 789 | workflows | 191 | medium | 1445 | | |
| xss | 851 | pikpikcu | 353 | network | 132 | critical | 933 | | |
| exposure | 850 | pussycat0x | 313 | ssl | 27 | low | 251 | | |
| wp-plugin | 815 | ritikchaddha | 298 | javascript | 25 | unknown | 34 | | |
| osint | 678 | pdteam | 286 | dns | 17 | | | | |
| tech | 650 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 622 | geeknik | 225 | cloud | 9 | | | | |
| edb | 598 | theamanrawat | 221 | code | 5 | | | | |
| cve | 2296 | dhiyaneshdk | 1123 | http | 6913 | info | 3337 | file | 312 |
| panel | 1038 | dwisiswant0 | 801 | file | 312 | high | 1458 | dns | 18 |
| wordpress | 938 | daffainfo | 788 | workflows | 191 | medium | 1439 | | |
| xss | 848 | pikpikcu | 353 | network | 131 | critical | 919 | | |
| exposure | 844 | pussycat0x | 307 | ssl | 27 | low | 248 | | |
| wp-plugin | 812 | ritikchaddha | 298 | javascript | 21 | unknown | 34 | | |
| osint | 677 | pdteam | 286 | dns | 17 | | | | |
| tech | 649 | ricardomaia | 229 | headless | 11 | | | | |
| lfi | 619 | geeknik | 224 | code | 3 | | | | |
| edb | 598 | theamanrawat | 221 | cves.json | 1 | | | | |

5
cloud/enum/azure-vm-cloud-enum.yaml
View File

@ -8,8 +8,7 @@ info:
Searches for Azure virtual machines via their registered DNS names.
metadata:
verified: true
tags: cloud,enum,cloud-enum,azure,fuzz
tags: cloud,enum,cloud-enum,azure
self-contained: true
@ -63,4 +62,4 @@ dns:
part: answer
words:
- "IN\tA"
# digest: 4b0a00483046022100f91b6621181f8a7317c1ffc179ec2b81e33c8dd0dd28cc4871b13ffbb794ce84022100e7424a97fab1f6b745d735e7dad8f13b08ad36732b24216ae2826611af634318:922c64590222798bb761d5b6d8e72950
# digest: 4b0a004830460221008d223bfdb3585e335e8282ca206945a6f7704dab4a2899d3410229bf0db7132d022100b9de9af2b393a559575b67a5b25b6334fe8cddd1ceed5059ee634dc3b0292d50:922c64590222798bb761d5b6d8e72950

2
cloud/enum/azure-website-enum.yaml
View File

@ -33,4 +33,4 @@ http:
- 200
- 302
condition: or
# digest: 4a0a0047304502204e87fb6ea9b294616dce1e74e429d8a83672921a242d1b3421a0c553eba83894022100bf53c3468808e2316f9194022db3618093873de428109de1984d0664f6bc89ee:922c64590222798bb761d5b6d8e72950
# digest: 490a00463044022001ff1a4cff9e33f3817df1e824a00e35f76c6f8e22cd34e3616e452978dc46f702200913c7710eba2b3df98325a1bb7da86b55cde6d4a3d7199a7d952f1f7988a3fa:922c64590222798bb761d5b6d8e72950

2
cloud/enum/gcp-app-engine-enum.yaml
View File

@ -39,4 +39,4 @@ http:
- "status_code==302"
- contains(location, "login")
condition: and
# digest: 490a00463044022017250b6b9f7ccf30e614e7bfb992e2e9ec13fd27556137cf4b13dc2f2a8c70b602200e352bbaebbd9dfbced84b3f9dff65c9d1b3dac47a0eec812b738a987931a14c:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402204edc5a3fc90ff80b8397219e37a716d5b582c9821dbb0edda2c52c585aa241ca022067b0c7178f7f345975f765bdd56afc967505028e459ed113c8fbd450a1dcb76a:922c64590222798bb761d5b6d8e72950

2
cloud/enum/gcp-bucket-enum.yaml
View File

@ -36,4 +36,4 @@ http:
name: "Protected GCP Bucket"
status:
- 403
# digest: 4b0a00483046022100baff7bb9e12a115a59a755c8188c3544cc8497dc3a17860023486de9f4992def02210096b193c8507208f3d30cd9fc716d4be46cd9acb83418f2fa62f0d10ce305d026:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220549241cfe0dbdadf24bcbdabd6cbf8e82a45bea577710e8409da53f3bdef37d202203bab8b09dea7b68aafc32f8214b331ee6dc4dbe85c0e7a34693b8062dec6fb6a:922c64590222798bb761d5b6d8e72950

2
cloud/enum/gcp-firebase-app-enum.yaml
View File

@ -31,4 +31,4 @@ http:
name: "Open GCP Firebase App"
status:
- 200
# digest: 4a0a00473045022065f44c35d042a0e98f90303a7f4181c0644c2e2fb8c7344c42d13104f89a454a022100cf17441e1fdb9ae05d7bdfca68f98abf3a4794b4d24e8ec69083e6323e96c39f:922c64590222798bb761d5b6d8e72950
# digest: 490a004630440220721a516d58d71b3c20990c97c22986fd212caafa366f2641bdb4fe9df0a53f9802205ecd4bfcda0808d5002e9d1194e0ec0f4d2b2f2140170c0df4ffb11372a6470f:922c64590222798bb761d5b6d8e72950

2
cloud/enum/gcp-firebase-rtdb-enum.yaml
View File

@ -47,4 +47,4 @@ http:
name: "Deactivated GCP Firebase RTDB"
status:
- 423
# digest: 490a0046304402207b555ae31d639c4a2fa71c2988103f8eb74cd24ca8b3304e33059facb0c9275f02203b74c0ab6645d3c30970046284fffbea86b75f0bcf40192f6021b2297b616b7d:922c64590222798bb761d5b6d8e72950
# digest: 490a0046304402200dcb47ae02c77c619eea0d95a6ab7dc9f2be071cea09abee3a7ab748b11e561c022034956ced05346f9cfcc9d425d92fa1242c979572e8ae02030496597f64ccfe82:922c64590222798bb761d5b6d8e72950

8
code/cves/2023/CVE-2023-49105.yaml
View File

@ -15,11 +15,13 @@ info:
cvss-score: 9.8
cve-id: CVE-2023-49105
cwe-id: CWE-287
cpe: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
epss-score: 0.00091
epss-percentile: 0.38353
cpe: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
metadata:
max-request: 2
verified: true
max-request: 1
vendor: owncloud
product: owncloud
shodan-query: title:"owncloud"
tags: cve,cve2023,code,owncloud,auth-bypass
@ -84,4 +86,4 @@ http:
- type: dsl
dsl:
- '"Username => "+ username'
# digest: 4a0a00473045022100f1395fdef2764cce1bd751a6a94c3f89afc0fb10d9437288388d31d6460a983002203d431b3492fa8d2501b3387ae3cf0f975385c21f7ac74d2deafcf878645c6f45:922c64590222798bb761d5b6d8e72950
# digest: 4a0a00473045022100f17bb3bb403b74c4e84e6190df79bf767df834017742b4b95607de42a3d948bb02205f2f1de3f09d31920d6bf102ba93c1ad271809327b5997d8d58e9f97f2886c11:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-aa-exec.yaml
View File

@ -1,48 +0,0 @@
id: privesc-aa-exec
info:
name: aa-exec - Privilege Escalation
author: daffainfo
severity: high
description: |
aa-exec is used to launch a program confined by the specified profile and or namespace.
reference:
- https://gtfobins.github.io/gtfobins/aa-exec/
metadata:
verified: true
tags: code,linux,aa-exec,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
aa-exec whoami
- engine:
- sh
- bash
source: |
sudo aa-exec whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022052655e82a2302e3930061a3e1ca4ea0c65ab553c1a688654c29f9f50eecb29690220468307131c8570d5c7c58b629e5cb7c069c1078dea98d211b619b0a9de1f6f69:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-ash.yaml
View File

@ -1,48 +0,0 @@
id: privesc-ash
info:
name: Ash - Privilege Escalation
author: daffainfo
severity: high
description: |
Ash allows the value of a variable to be set at the same time it is marked read only by writing readonly name=value With no arguments
reference:
- https://gtfobins.github.io/gtfobins/ash/
metadata:
verified: true
tags: code,linux,ash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ash -c 'whoami'
- engine:
- sh
- bash
source: |
sudo ash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100d25c9dd1ce2eab3a962a4071a9f7500f59466848425225cd4047cc3115acbe37022061461b964e2bc7a9985a89d47c03136a8cb815900a1ba2038fbb8d073b88737b:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-awk.yaml
View File

@ -1,48 +0,0 @@
id: privesc-awk
info:
name: awk - Privilege Escalation
author: daffainfo
severity: high
description: |
AWK is a domain-specific language designed for text processing and typically used as a data extraction and reporting tool. Like sed and grep, it is a filter, and is a standard feature of most Unix-like operating systems.
reference:
- https://gtfobins.github.io/gtfobins/awk/
metadata:
verified: true
tags: code,linux,awk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
awk 'BEGIN {system("whoami")}'
- engine:
- sh
- bash
source: |
sudo awk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502207cfdd41f99f02f347c5b0128ff351ced0e1c8e89e428d60a150c3c0c4f4074a70221008929ee587f0b3ab78860124591c0b22afad37bb9de4f3220dadc7a4fe8865717:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-bash.yaml
View File

@ -1,48 +0,0 @@
id: privesc-bash
info:
name: Bash - Privilege Escalation
author: daffainfo
severity: high
description: |
Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. The shell's name is an acronym for Bourne Again Shell, a pun on the name of the Bourne shell that it replaces and the notion of being born again.
reference:
- https://gtfobins.github.io/gtfobins/bash/
metadata:
verified: true
tags: code,linux,bash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
bash -c 'whoami'
- engine:
- sh
- bash
source: |
sudo bash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100b7f18627e0f3bbce9603130789596a844773fb76cdf73efdd2aa6073f8dad7eb02200510ef23d0f787a00e1701e1ad09999cf61f7bfcd43981de1be530439984302d:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-cdist.yaml
View File

@ -1,48 +0,0 @@
id: privesc-cdist
info:
name: Cdist - Privilege Escalation
author: daffainfo
severity: high
description: |
cdist is a free software configuration management tool for Unix-like systems. It manages nodes over SSH using the Bourne Shell, and does not require any additional software to be installed on target nodes.
reference:
- https://gtfobins.github.io/gtfobins/cdist/
metadata:
verified: true
tags: code,linux,cdist,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
cdist shell -s whoami
- engine:
- sh
- bash
source: |
sudo cdist shell -s whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100afe727ba45ca0c542cf2d85169a2be57d6e94550933ab38dcea2dc7a3bd9eb32022100e6d9677f8dc6af52f782bf0411ad39256b42baeae17ad41d2cb78f617de9a96c:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-choom.yaml
View File

@ -1,48 +0,0 @@
id: privesc-choom
info:
name: choom - Privilege Escalation
author: daffainfo
severity: high
description: |
choom is a command-line utility in Linux that allows users to change the memory limits of a process. It can be used for privilege escalation by manipulating the memory limits of a process to gain elevated privileges.
reference:
- https://gtfobins.github.io/gtfobins/choom/
metadata:
verified: true
tags: code,linux,choom,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
choom -n 0 whoami
- engine:
- sh
- bash
source: |
sudo choom -n 0 whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100fc1a34cafa1e9c85f010f1aa08836c998e0f4e513055f17bfb43da6db708baa202200ec15a67896e438ec1b28022758c36b7989839fa08ede457ff86aa9c0d8c03f8:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-cpulimit.yaml
View File

@ -1,48 +0,0 @@
id: privesc-cpulimit
info:
name: CPUlimit - Privilege Escalation
author: daffainfo
severity: high
description: |
cpulimit is a command-line utility in Linux that allows users to limit the CPU usage of a process. It can be used to control and limit the CPU usage of a specific process, which can be helpful in various scenarios such as preventing a process from consuming excessive CPU resources.
reference:
- https://gtfobins.github.io/gtfobins/cpulimit/
metadata:
verified: true
tags: code,linux,cpulimit,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
cpulimit -l 100 -f whoami
- engine:
- sh
- bash
source: |
sudo cpulimit -l 100 -f whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402207e255b9140d3cd0efd52da82f2f4afeb244db042c2f993abb08f8859759f18030220164d73b076aabb9806d19260cc6b408cc718d4417c1cae85d5e6cc7928cb3348:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-csh.yaml
View File

@ -1,48 +0,0 @@
id: privesc-csh
info:
name: csh - Privilege Escalation
author: daffainfo
severity: high
description: |
csh stands for C Shell, which is a Unix shell with C-like syntax. It is a command-line interpreter that provides a command-line interface for Unix-like operating systems. It has features similar to other Unix shells such as bash and sh, but with a different syntax and set of features.
reference:
- https://gtfobins.github.io/gtfobins/csh/
metadata:
verified: true
tags: code,linux,csh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
csh -c 'whoami'
- engine:
- sh
- bash
source: |
sudo csh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022073087d98db072057b1d437680410e93f4001fafa2b317ee2b2222b096888298402205cf5ea8bf97355a4045d3ad9e358df8cdf008972984d331749da3b24cdd81112:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-csvtool.yaml
View File

@ -1,48 +0,0 @@
id: privesc-csvtool
info:
name: csvtool - Privilege Escalation
author: daffainfo
severity: high
description: |
csvtool is a command-line utility in Unix-like operating systems that provides various tools for working with CSV (Comma-Separated Values) files. It can be used to manipulate, process, and analyze CSV data from the command line, making it a useful tool for tasks such as data extraction, transformation, and loading.
reference:
- https://gtfobins.github.io/gtfobins/csvtool/
metadata:
verified: true
tags: code,linux,csvtool,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
csvtool call 'whoami;false' /etc/passwd
- engine:
- sh
- bash
source: |
sudo csvtool call 'whoami;false' /etc/passwd
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450221008f61aeee9c793f162145ff039cb690183408260ff73c1fa21d70cb446f268e0c022019369ba062fbcd462b62d4f372eb206a9f971cc2c9e892cbeaf8db6657748214:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-dash.yaml
View File

@ -1,48 +0,0 @@
id: privesc-dash
info:
name: Dash - Privilege Escalation
author: daffainfo
severity: high
description: |
dash is a POSIX-compliant shell that is commonly used as the default system shell on Debian-based systems. It is designed to be a lightweight and fast shell, suitable for scripting and system administration tasks. It aims to be compatible with the POSIX standard for shells, providing a minimalistic and efficient environment for running shell scripts.
reference:
- https://gtfobins.github.io/gtfobins/dash/
metadata:
verified: true
tags: code,linux,dash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
dash -c 'whoami'
- engine:
- sh
- bash
source: |
sudo dash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502206693d6df56591ca0de940a5ff0c655c2e36744fd82fb12906d55eaab0705cb5802210099aa3cc19e3d2124e7e010ba08e62fd0fb803c2cbdaa933835208f2c46a4168e:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-dc.yaml
View File

@ -1,48 +0,0 @@
id: privesc-dc
info:
name: dc - Privilege Escalation
author: daffainfo
severity: high
description: |
dc is a command-line calculator in Unix and Unix-like operating systems. It uses reverse Polish notation (RPN) and provides a simple and efficient way to perform arithmetic operations from the command line. It can be used for basic and advanced mathematical calculations, making it a handy tool for scripting and quick calculations in the terminal.
reference:
- https://gtfobins.github.io/gtfobins/dc/
metadata:
verified: true
tags: code,linux,dc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
dc -e '!whoami'
- engine:
- sh
- bash
source: |
sudo dc -e '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402205ac8f96adceec1df1bfc74a6cee80bb9be8da55b59bd0d39a2962903d92744e602204525b6c022a9b041ab95f3cc04c0d94db22968d66e1977221c13f4923e20cccd:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-distcc.yaml
View File

@ -1,48 +0,0 @@
id: privesc-distcc
info:
name: distcc - Privilege Escalation
author: daffainfo
severity: high
description: |
distcc is a distributed compilation tool for C, C++, and Objective-C. It allows a user to distribute compilation of these languages across several machines on a network, which can significantly speed up the compilation process for large projects.
reference:
- https://gtfobins.github.io/gtfobins/distcc/
metadata:
verified: true
tags: code,linux,distcc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
distcc whoami
- engine:
- sh
- bash
source: |
sudo distcc whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402205ba3e54f4b95e19c1661de38e4b1fc44d192293ddfc358839ce83bb50f2f310b02201c16dafa2e5fbab09c2d6cb3fd330dbe9c2f815ed63bb432a4314a1c8d66acaa:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-elvish.yaml
View File

@ -1,48 +0,0 @@
id: privesc-elvish
info:
name: elvish - Privilege Escalation
author: daffainfo
severity: high
description: |
elvish is a Unix shell that emphasizes expressiveness and extensibility. It aims to provide a more user-friendly and programmable shell experience, with features such as a powerful scripting language, a rich set of data types, and a clean and consistent syntax.
reference:
- https://gtfobins.github.io/gtfobins/elvish/
metadata:
verified: true
tags: code,linux,elvish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
elvish -c 'whoami'
- engine:
- sh
- bash
source: |
sudo elvish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022006ef5df54c4af5c94d5a8116e6729d5f02092d18272e0679ab271be1237406ae022100dede2ce3e800f4da16d6b7495bc2ce6f6b1aaf30870ec0900b1c4f0fcff8e3e2:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-enscript.yaml
View File

@ -1,48 +0,0 @@
id: privesc-enscript
info:
name: enscript - Privilege Escalation
author: daffainfo
severity: high
description: |
enscript is a command-line tool used for converting text files to PostScript format for printing. It provides various options for formatting and manipulating the output, making it a useful tool for generating high-quality printed documents from text files.
reference:
- https://gtfobins.github.io/gtfobins/enscript/
metadata:
verified: true
tags: code,linux,enscript,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
enscript /dev/null -qo /dev/null -I 'whoami >&2'
- engine:
- sh
- bash
source: |
sudo enscript /dev/null -qo /dev/null -I 'whoami >&2'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100cd92c4051987599289f054963d4a8bef07e76dde6a71fc5369dfb8d7bd7d6de502203d17432adfb10310d44a7665cd1039f3ed412c9724b10499074976a8abe39a41:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-env.yaml
View File

@ -1,48 +0,0 @@
id: privesc-env
info:
name: env - Privilege Escalation
author: daffainfo
severity: high
description: |
In Linux, the env command is used to display or modify the environment variables for a command. It can be used to set environment variables for a specific command or to print the current environment variables.
reference:
- https://gtfobins.github.io/gtfobins/env/
metadata:
verified: true
tags: code,linux,env,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022060c647f36eb03856e0eaf016f8c04e4bf4100be1884abc528dbadb7d377272500221008e50317abae9efa259ad2a682bc304062fccb32782430543cb1aa2a6c34b32b4:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-expect.yaml
View File

@ -1,48 +0,0 @@
id: privesc-expect
info:
name: expect - Privilege Escalation
author: daffainfo
severity: high
description: |
expect is a Unix scripting and testing utility that automates interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, and more. It uses scripts to control interactive applications, making it useful for automating tasks that involve user input.
reference:
- https://gtfobins.github.io/gtfobins/expect/
metadata:
verified: true
tags: code,linux,expect,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100a073cb82c1a879f2dcb9365115bf48040e82ca681024d4ffc00c3fe1069eadea02207a1d5377c689cba96b0c4af6d23866def098d684efedee083f2443b480ac11d4:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-find.yaml
View File

@ -1,48 +0,0 @@
id: privesc-find
info:
name: find - Privilege Escalation
author: daffainfo
severity: high
description: |
The find command in Linux is used to search for files and directories in a directory hierarchy based on various criteria such as name, type, size, and permissions. It is a powerful tool for locating files and performing operations on them, such as executing commands or applying changes.
reference:
- https://gtfobins.github.io/gtfobins/find/
metadata:
verified: true
tags: code,linux,find,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
find . -exec whoami \; -quit
- engine:
- sh
- bash
source: |
sudo find . -exec whoami \; -quit
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a0048304602210088a9e54d22ecaf73f27add5afc616c28d2bae731b36d30b54c1b22a8336842f4022100d0d9b84c518dad57a1d1d9e47f4fb936b0432d75bab077f44feeb0af407cdac5:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-fish.yaml
View File

@ -1,48 +0,0 @@
id: privesc-fish
info:
name: fish - Privilege Escalation
author: daffainfo
severity: high
description: |
fish is a user-friendly command-line shell for Unix-like operating systems. It provides features such as syntax highlighting, autosuggestions, and a built-in scripting language. Fish aims to be easy to use and learn, making it a popular choice for both interactive shell usage and scripting.
reference:
- https://gtfobins.github.io/gtfobins/fish/
metadata:
verified: true
tags: code,linux,fish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
fish -c 'whoami'
- engine:
- sh
- bash
source: |
sudo fish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100b8c37d7d92e15ddf46da724d5b6fc80370b17ad700869f5db2d2773c92fc971c02207927e8db3a6c8d4f5c7ae5d350feee388a6966bfa029f15fdde4a71b1be75bf0:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-flock.yaml
View File

@ -1,48 +0,0 @@
id: privesc-flock
info:
name: Flock - Privilege Escalation
author: daffainfo
severity: high
description: |
flock is a command-line utility in Unix-like operating systems that is used to manage file locks. It can be used to synchronize access to a file among multiple processes, preventing conflicts and ensuring data integrity. Additionally, flock can be used in shell scripts to control access to critical sections of code.
reference:
- https://gtfobins.github.io/gtfobins/flock/
metadata:
verified: true
tags: code,linux,flock,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
flock -u / whoami
- engine:
- sh
- bash
source: |
sudo flock -u / whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100eaf218a03c71c87c400be7cf0c1a081838f0f82fb83278cd47bb1d442dc806f7022100a9c552cfce0ef36e1b5667fbe535aaf721f8bccb6b7128b9bf15ae5aadfb36f2:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-gawk.yaml
View File

@ -1,48 +0,0 @@
id: privesc-gawk
info:
name: gawk - Privilege Escalation
author: daffainfo
severity: high
description: |
gawk is the GNU implementation of the AWK programming language. It is a powerful text processing tool that allows for pattern scanning and processing of text files. gawk is commonly used for data extraction, reporting, and manipulation tasks in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/gawk/
metadata:
verified: true
tags: code,linux,gawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
gawk 'BEGIN {system("whoami")}'
- engine:
- sh
- bash
source: |
sudo gawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022020f4d974f3c1c91fc22770c9ddc902e1730f238b504ebe4841afce2655b8787e0221008b88f06c877c3cd9a6f631fb933703d0e8cc518cd43814b1d3c4c38cd2e72c3b:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-grc.yaml
View File

@ -1,48 +0,0 @@
id: privesc-grc
info:
name: grc - Privilege Escalation
author: daffainfo
severity: high
description: |
grc is a command-line utility that enhances the output of other commands with color and style. It is commonly used to improve the readability of command output by adding color highlighting and formatting. grc can be configured to work with various commands and is often used to make log files and command output easier to interpret.
reference:
- https://gtfobins.github.io/gtfobins/grc/
metadata:
verified: true
tags: code,linux,grc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
grc --pty whoami
- engine:
- sh
- bash
source: |
sudo grc --pty whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502203f113d23698935598ff0d77fdf51bf1ca11d3a69f5dc82268a9529bc4da4e3340221008386bd8523a073f3ecf134d4cb0034246089b5f32e4eda4f2fb7e7c847c63978:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-ionice.yaml
View File

@ -1,48 +0,0 @@
id: privesc-ionice
info:
name: ionice - Privilege Escalation
author: daffainfo
severity: high
description: |
ionice is a command-line utility in Linux that is used to set or get the I/O scheduling class and priority for a program. It allows users to control the I/O priority of a process, which can be useful for managing system resources and improving overall system performance.
reference:
- https://gtfobins.github.io/gtfobins/ionice/
metadata:
verified: true
tags: code,linux,ionice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ionice whoami
- engine:
- sh
- bash
source: |
sudo ionice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402200dc051f60cfa8b06d03cf29eb136b6d42a7ba17cc2e495bd74567b4d43085d1c0220092a4e9e5c1be7c995fa058be2330cede3897eac1aa048b8a16150dc601dfdfa:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-julia.yaml
View File

@ -1,48 +0,0 @@
id: privesc-julia
info:
name: Julia - Privilege Escalation
author: daffainfo
severity: high
description: |
Julia is a high-level, high-performance programming language for technical computing. It is designed for numerical and scientific computing, but it is also used for general-purpose programming. Julia is known for its speed and ease of use, and it has a growing community of users and developers.
reference:
- https://gtfobins.github.io/gtfobins/julia/
metadata:
verified: true
tags: code,linux,julia,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
julia -e 'run(`whoami`)'
- engine:
- sh
- bash
source: |
sudo julia -e 'run(`whoami`)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a00463044022008cde511c19f2e81af9ea724afbfb70af2b46b90969efa5dd93fc95214e0fe5602200da4093ad99901bf9d7c8d6dc7c222dce24b38ec0de355c37560a48fc5d87e91:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-lftp.yaml
View File

@ -1,48 +0,0 @@
id: privesc-lftp
info:
name: lftp - Privilege Escalation
author: daffainfo
severity: high
description: |
lftp is a command-line file transfer program for Unix-like systems. It supports various protocols such as FTP, HTTP, SFTP, and FISH, and provides a range of features for file transfer and mirroring. lftp is known for its reliability and scriptability, making it a popular choice for automated file transfer tasks.
reference:
- https://gtfobins.github.io/gtfobins/lftp/
metadata:
verified: true
tags: code,linux,lftp,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
lftp -c '!whoami'
- engine:
- sh
- bash
source: |
sudo lftp -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a004830460221009a7ba137fdf1380d4bc9afe57a3ffa1ecee7a9bbcfb87d7ad307800668bfe4d5022100ed4696a4fea878b8f4cf733026f909ba49c989c54800817c36e8f32e7815c821:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-ltrace.yaml
View File

@ -1,48 +0,0 @@
id: privesc-ltrace
info:
name: ltrace - Privilege Escalation
author: daffainfo
severity: high
description: |
ltrace is a debugging utility in Linux that is used to intercept and record dynamic library calls made by a process. It can be used to trace the library calls made by a program, which is helpful for debugging and understanding its behavior.
reference:
- https://gtfobins.github.io/gtfobins/ltrace/
metadata:
verified: true
tags: code,linux,ltrace,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ltrace -b -L whoami
- engine:
- sh
- bash
source: |
sudo ltrace -b -L whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100a452f6736abe6bbadb861e870601d904d7439ccddb99b99c9813c60890cf6454022100ce8f36f3a3960ccacd29196c18c151075811bca88c4609b018d44611e7da91f4:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-lua.yaml
View File

@ -1,48 +0,0 @@
id: privesc-lua
info:
name: lua - Privilege Escalation
author: daffainfo
severity: high
description: |
Lua is a powerful, efficient, lightweight, embeddable scripting language. It is often used as a scripting language for game development and other applications that require a customizable and extensible scripting interface. Lua is known for its simplicity, speed, and ease of integration with other languages and systems.
reference:
- https://gtfobins.github.io/gtfobins/lua/
metadata:
verified: true
tags: code,linux,lua,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
lua -e 'os.execute("whoami")'
- engine:
- sh
- bash
source: |
sudo lua -e 'os.execute("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100fe88d4daba0948f777be6dfe5e85dc1896f8b55009e3cac210034ad321c3e82d02203840fbc951223967db8270b7c5337cb8c464b58b62a5f8563d3d9e48c4804ead:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-mawk.yaml
View File

@ -1,48 +0,0 @@
id: privesc-mawk
info:
name: mawk - Privilege Escalation
author: daffainfo
severity: high
description: |
mawk is an efficient and fast implementation of the AWK programming language. It is designed to be smaller and faster than the original AWK implementation, making it suitable for large data processing tasks. mawk is commonly used for text processing and pattern scanning in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/mawk/
metadata:
verified: true
tags: code,linux,mawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
mawk 'BEGIN {system("whoami")}'
- engine:
- sh
- bash
source: |
sudo mawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402200f2fc2cb7ee4195d6ba84734e5816cd6344c1027d789617f593fd573a882798d0220456bbb1bff1ee4887264d39670a7bafd2d3e6e5714ac616b65454e26490b1c50:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-multitime.yaml
View File

@ -1,48 +0,0 @@
id: privesc-multitime
info:
name: Multitime - Privilege Escalation
author: daffainfo
severity: high
description: |
multitime is a command-line utility that allows for the timing and execution of commands multiple times. It is often used for benchmarking and performance testing of commands and scripts, providing a convenient way to measure the execution time of a given task.
reference:
- https://gtfobins.github.io/gtfobins/multitime/
metadata:
verified: true
tags: code,linux,multitime,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
multitime whoami
- engine:
- sh
- bash
source: |
sudo multitime whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100d690fd1752fe80fe6c5d74dd217f1faa159c22b9a1139640caef077da0ca162802201b52fef3e20b018125ed2898a41ee118a709b666e1be56843798f64ad03c4d01:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-mysql.yaml
View File

@ -1,48 +0,0 @@
id: privesc-mysql
info:
name: MySQL - Privilege Escalation
author: daffainfo
severity: high
description: |
MySQL is an open-source relational database management system (RDBMS) that uses structured query language (SQL) for managing and manipulating data. It is widely used for web applications and is known for its reliability, ease of use, and performance. MySQL is a popular choice for database-driven applications and is supported on various platforms.
reference:
- https://gtfobins.github.io/gtfobins/mysql/
metadata:
verified: true
tags: code,linux,mysql,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
mysql -e '\! whoami'
- engine:
- sh
- bash
source: |
sudo mysql -e '\! whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4b0a00483046022100ab3c58233daf1cde6a71b666f1ad59b29abb8f36ac9d2caf325d3ef30dbb7d63022100ee4ec42f3059b0d1e07f5e7b6132d20f247b66f95e28d4cf74587040d390df0b:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-nawk.yaml
View File

@ -1,48 +0,0 @@
id: privesc-nawk
info:
name: nawk - Privilege Escalation
author: daffainfo
severity: high
description: |
nawk is an implementation of the AWK programming language. It is a text-processing language that is commonly used for pattern scanning and processing of text files. nawk provides powerful features for data extraction, reporting, and manipulation, making it a valuable tool for text processing tasks in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/nawk/
metadata:
verified: true
tags: code,linux,nawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
nawk 'BEGIN {system("whoami")}'
- engine:
- sh
- bash
source: |
sudo nawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100c455bfbade2717cae09e5e1ad5d3f3f32f100dabe62e9ed83960ea513ec0c9190220455786daaf6e8b9213b6921268602b555e67d35000aa1bd4bca08006d233f58e:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-nice.yaml
View File

@ -1,48 +0,0 @@
id: privesc-nice
info:
name: Nice - Privilege Escalation
author: daffainfo
severity: high
description: |
In Unix-like operating systems, the nice command is used to execute a program with a modified scheduling priority. It allows users to start a process with a specified priority level, which can influence the allocation of CPU resources. This can be useful for managing system resources and controlling the impact of a process on system performance.
reference:
- https://gtfobins.github.io/gtfobins/nice/
metadata:
verified: true
tags: code,linux,nice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
nice whoami
- engine:
- sh
- bash
source: |
sudo nice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502206658814909d649229bdbe08eca7e6695d1fb07bf9cc2b42e87052ada4c56e87b02210098cecf5578ad70645f6f11e5cabe566e9d602b2f528f764bab48200bd9fc32af:922c64590222798bb761d5b6d8e72950

55
code/privilege-escalation/linux/binary/privesc-node.yaml
View File

@ -1,55 +0,0 @@
id: privesc-node
info:
name: Node - Privilege Escalation
author: daffainfo
severity: high
description: |
Node.js is a popular open-source, cross-platform JavaScript runtime environment that executes JavaScript code outside of a web browser. It is commonly used for building scalable network applications and is known for its event-driven, non-blocking I/O model. Node.js is widely used for server-side scripting and has a large ecosystem of libraries and frameworks.
reference:
- https://gtfobins.github.io/gtfobins/node/
metadata:
verified: true
tags: code,linux,node,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
- engine:
- sh
- bash
source: |
sudo node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
- engine:
- sh
- bash
source: |
node -e 'process.setuid(0); require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4a0a00473045022100dcb589afe5b82d4c95a8a103942bdfa4ffdeca24be83816bda1013e2efdb0648022067f67aba51dd433b67493daa6970d379d08bf8c91351375fac26c6c2a54f0999:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-nsenter.yaml
View File

@ -1,48 +0,0 @@
id: privesc-nsenter
info:
name: Nsenter - Privilege Escalation
author: daffainfo
severity: high
description: |
nsenter is a command-line utility in Linux that allows a user to enter into an existing namespace. It is commonly used for troubleshooting and managing namespaces in containerized environments. By using nsenter, users can enter into a specific namespace and execute commands within that namespace, which can be helpful for various system administration tasks.
reference:
- https://gtfobins.github.io/gtfobins/nsenter/
metadata:
verified: true
tags: code,linux,nsenter,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
nsenter whoami
- engine:
- sh
- bash
source: |
sudo nsenter whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100bcc2702e046210af31cecc2bc6d6f6f17d55deba9283429ecbaa37b2da7ad3d6022076555f0b6ddfef5630de6165278458fec5a6dfd9dbe33a25ccac7d35827df83f:922c64590222798bb761d5b6d8e72950

55
code/privilege-escalation/linux/binary/privesc-perl.yaml
View File

@ -1,55 +0,0 @@
id: privesc-perl
info:
name: Perl - Privilege Escalation
author: daffainfo
severity: high
description: |
Perl is a high-level, general-purpose programming language known for its powerful text processing capabilities. It is often used for system administration, web development, and network programming. Perl's syntax and features make it well-suited for tasks such as parsing and manipulating text, making it a popular choice for various scripting and automation tasks.
reference:
- https://gtfobins.github.io/gtfobins/perl/
metadata:
verified: true
tags: code,linux,perl,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
perl -e 'exec "whoami";'
- engine:
- sh
- bash
source: |
sudo perl -e 'exec "whoami";'
- engine:
- sh
- bash
source: |
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 490a0046304402200a093cb0aa2ec75dfb33f02dc087b501b5f6187d60468a6c67db3cddffc095d30220078ba7495f4c1a33103ce617214ba05d89845fd6941672e576ab45a8a1cb89d8:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-pexec.yaml
View File

@ -1,48 +0,0 @@
id: privesc-pexec
info:
name: pexec - Privilege Escalation
author: daffainfo
severity: high
description: |
The term "pexec" typically refers to the "privileged execution" of a command or program.
reference: |
https://gtfobins.github.io/gtfobins/pexec/
metadata:
verified: true
tags: code,linux,pexec,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
pexec whoami
- engine:
- sh
- bash
source: |
sudo pexec whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100c000c6aff21897526283edb9a61a091f4bf4f35f40ba88d17a5be43abca4078802200947b42987bab5740cbae7af869fa6f069e877273bd74f31eb6fc52700de08c0:922c64590222798bb761d5b6d8e72950

55
code/privilege-escalation/linux/binary/privesc-php.yaml
View File

@ -1,55 +0,0 @@
id: privesc-php
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
description: |
PHP is a popular server-side scripting language that is widely used for web development. It is known for its ease of use, flexibility, and broad support for web frameworks and content management systems. PHP is commonly used to create dynamic web pages, process form data, manage sessions, and interact with databases.
reference:
- https://gtfobins.github.io/gtfobins/php/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
php -r 'system("whoami");'
- engine:
- sh
- bash
source: |
sudo php -r 'system("whoami");'
- engine:
- sh
- bash
source: |
php -r "posix_setuid(0); system("whoami");"
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4b0a00483046022100a2811ec94d726526a0710b6e046ee5f70bc02c6157d3f5e8d01149b0355c021d022100c4be4f37e14acf2f6798474a6e96d2d4c9179e1bf72dddeb6def304c006d2839:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-posh.yaml
View File

@ -1,48 +0,0 @@
id: privesc-posh
info:
name: posh - Privilege Escalation
author: daffainfo
severity: high
description: |
"posh" typically refers to the "Policy-compliant Ordinary SHell," which is a restricted shell designed to provide a limited set of commands and features for users with restricted access. It is often used in environments where users require limited functionality and access to system resources.
reference:
- https://gtfobins.github.io/gtfobins/posh/
metadata:
verified: true
tags: code,linux,posh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
posh -c 'whoami'
- engine:
- sh
- bash
source: |
sudo posh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402202ccc69f1fcf287f4fec214024209ac72716454f2cf716fdc0793cbca8c0d3929022078a753c35cd96d3bec81ce9d3701450bb0d3e91edc06bbb531b961e240965014:922c64590222798bb761d5b6d8e72950

55
code/privilege-escalation/linux/binary/privesc-python.yaml
View File

@ -1,55 +0,0 @@
id: privesc-python
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
description: |
Python is a high-level, general-purpose programming language known for its readability and simplicity. It is widely used for web development, scientific computing, artificial intelligence, and system automation. Python's versatility, extensive standard library, and large community make it a popular choice for a wide range of applications.
reference:
- https://gtfobins.github.io/gtfobins/python/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
python -c 'import os; os.system("whoami")'
- engine:
- sh
- bash
source: |
sudo python -c 'import os; os.system("whoami")'
- engine:
- sh
- bash
source: |
python -c 'import os; os.setuid(0); os.system("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4b0a00483046022100dd52f3cccbdc07d60cadac29decf11d1227996a161f41918275422c8076e5398022100bb97bda70a37f3f30a579fa0cc157826af2f11edd9bd7aab0da65e3dabfbba6c:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-rake.yaml
View File

@ -1,48 +0,0 @@
id: privesc-rake
info:
name: Rake - Privilege Escalation
author: daffainfo
severity: high
description: |
Rake is a build automation tool written in Ruby. It is similar to Make, Ant, or MSBuild, but uses a Ruby syntax. Rake is often used for automating tasks in software development, such as building, testing, and deploying applications.
reference:
- https://gtfobins.github.io/gtfobins/rake/
metadata:
verified: true
tags: code,linux,rake,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rake -p '`whoami 1>&0`'
- engine:
- sh
- bash
source: |
sudo rake -p '`whoami 1>&0`'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402200749958e9afd9829c1f67a0ccc3dc94d28bc49715a8335644e76b91eab470a0f02205f3c3d21b41c81dd7e52a8716b05f8e688af8afd0b203aff9e0d89850fe800e8:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-rc.yaml
View File

@ -1,48 +0,0 @@
id: privesc-rc
info:
name: RC - Privilege Escalation
author: daffainfo
severity: high
description: |
the rc command is a shell command interpreter that is used to execute commands and scripts. It is commonly used for scripting and automation tasks, and it provides a set of built-in commands and features for interacting with the system.
reference:
- https://gtfobins.github.io/gtfobins/rc/
metadata:
verified: true
tags: code,linux,rc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rc -c 'whoami'
- engine:
- sh
- bash
source: |
sudo rc -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a00473045022100ddc05de2641a181def4a9885d521a3060f68cbffdd0bac50e77315bd7e454bdd022025d8281ce109511fd7daa67dc3d51337c4dc4086cf0e084656e9143fb87170e0:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-rlwrap.yaml
View File

@ -1,48 +0,0 @@
id: privesc-rlwrap
info:
name: rlwrap - Privilege Escalation
author: daffainfo
severity: high
description: |
rlwrap is a utility that provides readline functionality to commands that lack it, allowing for command-line editing and history capabilities. It is commonly used to enhance the user experience when working with command-line tools that do not have built-in readline support.
reference:
- https://gtfobins.github.io/gtfobins/rlwrap/
metadata:
verified: true
tags: code,linux,rlwrap,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rlwrap whoami
- engine:
- sh
- bash
source: |
sudo rlwrap whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502200ca88583b60e012b980e0043f04126ac3b05a5583b20efda37538715a768ecb7022100f29a6760712b6791f1bb45ce5e7d6b1b5fc92f267e3ffc99497fb0eaa7dca258:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-rpm.yaml
View File

@ -1,48 +0,0 @@
id: privesc-rpm
info:
name: rpm - Privilege Escalation
author: daffainfo
severity: high
description: |
rpm stands for "Red Hat Package Manager." It is a command-line package management utility used in Red Hat-based Linux distributions to install, update, and manage software packages. rpm is also used to query package information, verify package integrity, and perform various administrative tasks related to software packages.
reference:
- https://gtfobins.github.io/gtfobins/rpm/
metadata:
verified: true
tags: code,linux,rpm,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rpm --pipe 'whoami 0<&1'
- engine:
- sh
- bash
source: |
sudo rpm --pipe 'whoami 0<&1'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220528464c28b189da3511e6757b61dcb7f6fba8a90515f2b337edcdb7aee9f5d7d022100b4c40f9809265bb79ffc65b504aa4074521a1b1e5a50f3d7a1dd91530b8dfed7:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-rpmdb.yaml
View File

@ -1,48 +0,0 @@
id: privesc-rpmdb
info:
name: rpmdb - Privilege Escalation
author: daffainfo
severity: high
description: |
The rpmdb is the database used by the RPM Package Manager to store metadata about installed packages on a Linux system. It is used to track information about installed packages, including their files, dependencies, and other attributes. The rpmdb is a critical component of package management on RPM-based Linux distributions.
reference:
- https://gtfobins.github.io/gtfobins/rpmdb/
metadata:
verified: true
tags: code,linux,rpmdb,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rpmdb --eval '%(whoami 1>&2)'
- engine:
- sh
- bash
source: |
sudo rpmdb --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 490a0046304402205c6ed2d663dbda0003dc3b0315103fb62ce649fc9771b88d15e9003c0093f6c402207181b174440db32afaaecb0c106c6ecafcb7605d20272b86c7055b7c96988b08:922c64590222798bb761d5b6d8e72950

48
code/privilege-escalation/linux/binary/privesc-rpmverify.yaml
View File

@ -1,48 +0,0 @@
id: privesc-rpmverify
info:
name: rpmverify - Privilege Escalation
author: daffainfo
severity: high
description: |
The rpmverify command is used to verify the integrity and authenticity of installed RPM packages on a Linux system. It checks the files in the installed packages against the information stored in the RPM database to detect any modifications or discrepancies. This helps ensure the security and stability of the system by identifying any unauthorized changes to the installed packages.
reference:
- https://gtfobins.github.io/gtfobins/rpmverify/
metadata:
verified: true
tags: code,linux,rpmverify,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
rpmverify --eval '%(whoami 1>&2)'
- engine:
- sh
- bash
source: |
sudo rpmverify --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a004730450220749059b8ec0e7d457d03ced81b4b48b3d69580b77a6e0c1198dcd2534727d4ed022100eb51a489cfa87f8689a639d6b921964d9e4a0b2b8e6aee5869361c52f4c71796:922c64590222798bb761d5b6d8e72950

55
code/privilege-escalation/linux/binary/privesc-ruby.yaml
View File

@ -1,55 +0,0 @@
id: privesc-ruby
info:
name: Ruby - Privilege Escalation
author: daffainfo
severity: high
description: |
Ruby is a dynamic, open-source programming language known for its simplicity and productivity. It is often used for web development, scripting, and software development. Ruby's elegant syntax and focus on developer happiness have made it a popular choice for building web applications and other software projects.
reference:
- https://gtfobins.github.io/gtfobins/ruby/
metadata:
verified: true
tags: code,linux,ruby,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
ruby -e 'exec "whoami"'
- engine:
- sh
- bash
source: |
sudo ruby -e 'exec "whoami"'
- engine:
- sh
- bash
source: |
ruby -e 'Process::Sys.setuid(0); exec "whoami"'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
# digest: 4a0a0047304502200d04ad6da824e3e4f8d827df453f11e89847545580da1379ad50187f92ce04fd022100889cc924bcb70907e887d989a704b2619b0fe0c144d7977a67fa607bcaf34645:922c64590222798bb761d5b6d8e72950

47
code/privilege-escalation/linux/binary/privesc-run-parts.yaml
View File

@ -1,47 +0,0 @@
id: privesc-run-parts
info:
name: run-parts - Privilege Escalation
author: daffainfo
severity: high
description: |
The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.
reference: https://gtfobins.github.io/gtfobins/run-parts/
metadata:
verified: true
tags: code,linux,run-parts,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
run-parts --new-session --regex 'whoami' /bin
- engine:
- sh
- bash
source: |
sudo run-parts --new-session --regex 'whoami' /bin
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
# digest: 4a0a0047304502205d85cde00b6bfc479c2841da6603a84f6f418b3ef381bdc29990827138c2908c022100a9c341fc7f3a062b19e258bb7e86b1450073d7c9a907a50ef8794594c1af4374:922c64590222798bb761d5b6d8e72950

Some files were not shown because too many files have changed in this diff Show More