From 1b47ea7c3f48066cd2b77c64e3c1351a56be42d3 Mon Sep 17 00:00:00 2001
From: Adam Crosser <45573557+AdamCrosser@users.noreply.github.com>
Date: Sat, 24 Jun 2023 17:25:54 -0500
Subject: [PATCH] Update Nuclei Detection Templates for National Vulnerability Database Correlation (#7490)

* Update Confluence Version
* Added Application Category
* Updated Grafana Template
* Updated WordPress Template
* Update grafana-detect.yaml
* Update jenkins-detect.yaml
* Update Jira Detection Template
* Update Tomcat Template
* Update Atlassian Crowd Template
* misc update
* workflow fix
---------
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
---
 http/exposed-panels/atlassian-crowd-panel.yaml | 13 +++++++++++--
 http/exposed-panels/grafana-detect.yaml | 16 ++++++++++++----
 http/technologies/apache/tomcat-detect.yaml | 5 ++++-
 http/technologies/jenkins-detect.yaml | 12 ++++++++++--
 .../jira-detect.yaml | 11 ++++++-----
 http/technologies/wordpress-detect.yaml | 5 ++++-
 workflows/jira-workflow.yaml | 2 +-
 7 files changed, 48 insertions(+), 16 deletions(-)
 rename http/{exposed-panels => technologies}/jira-detect.yaml (80%)

diff --git a/http/exposed-panels/atlassian-crowd-panel.yaml b/http/exposed-panels/atlassian-crowd-panel.yaml
index 9ff7221536..10eeb1b28d 100644
--- a/http/exposed-panels/atlassian-crowd-panel.yaml
+++ b/http/exposed-panels/atlassian-crowd-panel.yaml
@@ -2,7 +2,7 @@ id: atlassian-crowd-panel
 
 info:
   name: Atlassian Crowd Login Panel
-  author: organiccrap
+  author: organiccrap,AdamCrosser
   severity: info
   description: An Atlassian Crowd login panel was discovered.
   reference:
@@ -12,6 +12,9 @@ info:
   tags: panel,atlassian
   metadata:
     max-request: 1
+    vendor: atlassian
+    product: crowd
+    category: sso
 
 http:
   - method: GET
@@ -24,4 +27,10 @@ http:
           - Atlassian Crowd
           - Login
         part: body
-# Enhanced by mp on 2022/03/20
+    extractors:
+      - type: regex
+        name: version
+        group: 1
+        regex:
+          - 'value="Version: ([\d.]+)'
+        part: body
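Review bot: The version extractor added in the third hunk captures `[\d.]+`, which accepts a trailing dot or a bare run of dots as a version, and that capture is the value the commit intends to correlate against NVD records; `- 'value="Version: (\d+(?:\.\d+)+)'` restricts it to dotted numerics. The same loose character class appears in the Jira regex elsewhere in this patch (`[0-9.]+`). The string is taken from the login page body that the target serves, so downstream correlation should treat it as a claimed rather than verified version. Unlike the Grafana and Jenkins templates in this patch, the `tags` line here gains no `detect` tag, which is worth reconciling if tag-based selection is expected to cover all detection templates.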
diff --git a/http/exposed-panels/grafana-detect.yaml b/http/exposed-panels/grafana-detect.yaml
index 8aa2c08ff4..488fdd1555 100644
--- a/http/exposed-panels/grafana-detect.yaml
+++ b/http/exposed-panels/grafana-detect.yaml
@@ -2,7 +2,7 @@ id: grafana-detect
 
 info:
   name: Grafana Login Panel - Detect
-  author: organiccrap
+  author: organiccrap,AdamCrosser
   severity: info
   description: Grafana login panel was detected.
   classification:
@@ -12,22 +12,30 @@ info:
   metadata:
     max-request: 1
     shodan-query: title:"Grafana"
-  tags: panel,grafana
+    vendor: grafana
+    product: grafana
+    category: devops
+  tags: panel,grafana,detect
 
 http:
   - method: GET
     path:
       - "{{BaseURL}}/login"
+
     matchers:
       - type: word
+        part: body
         words:
           - "Grafana"
-        part: body
+
     extractors:
       - type: regex
+        name: version
         part: body
         group: 1
         regex:
           - '\"version\"\:\"([0-9.]+)\"}'
 
-# Enhanced by md on 2022/11/16
+      - type: kval
+        kval:
+          - version
diff --git a/http/technologies/apache/tomcat-detect.yaml b/http/technologies/apache/tomcat-detect.yaml
index f447e2c415..8ba2822eb9 100644
--- a/http/technologies/apache/tomcat-detect.yaml
+++ b/http/technologies/apache/tomcat-detect.yaml
@@ -2,12 +2,14 @@ id: tomcat-detect
 
 info:
   name: Tomcat Detection
-  author: philippedelteil,dhiyaneshDk
+  author: philippedelteil,dhiyaneshDk,AdamCrosser
   severity: info
   description: If an Tomcat instance is deployed on the target URL, when we send a request for a non existent resource we receive a Tomcat error page with version.
   metadata:
     max-request: 3
     shodan-query: title:"Apache Tomcat"
+    vendor: apache
+    product: tomcat
   tags: tech,tomcat,apache
 
 http:
@@ -33,6 +35,7 @@ http:
 
     extractors:
       - type: regex
+        name: version
         group: 1
         regex:
           - '(?i)Apache Tomcat.*([0-9]\.[0-9]+\.[0-9]+)'
diff --git a/http/technologies/jenkins-detect.yaml b/http/technologies/jenkins-detect.yaml
index 2f795da533..6832efe6c1 100644
--- a/http/technologies/jenkins-detect.yaml
+++ b/http/technologies/jenkins-detect.yaml
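Review bot: The new `kval` extractor on `version` in the second Grafana hunk only produces a value when the regex extractor named `version` directly above it has run and matched, and nothing in the template records that coupling; a comment such as `# reads back the value captured by the regex extractor named "version" above` on the `- type: kval` line would make it explicit. Whether nuclei already reports a named, non-internal regex extractor's capture without the second extractor is not visible here and is worth confirming before keeping both. The Jenkins template's last hunk introduces the same pair (`name: version` on the `x_jenkins` extractor followed by a `kval` on `version`) and needs the same comment. The `tags` line in this hunk gains `detect`, which the Tomcat, WordPress, Crowd and Jira templates in this patch do not receive.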
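Review bot: The Tomcat extractor that the second hunk now names `version` captures `[0-9]\.[0-9]+\.[0-9]+` after a greedy `.*`, so on a body such as `Apache Tomcat/10.1.8` (constructed example) the greedy prefix swallows the leading `1` and the reported version is `0.1.8`; since this value is meant for NVD correlation, a wrong major version maps the host onto the wrong CVE set. The regex itself is context rather than part of the change, but naming it `version` is what gives the capture downstream meaning, so `- '(?i)Apache Tomcat.*?([0-9]+\.[0-9]+\.[0-9]+)'` should go in alongside it. In the first hunk the metadata gains `vendor`/`product` but, unlike every other template in this patch, no `category:` entry, so consumers of that field see a gap for Tomcat alone.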
@@ -2,7 +2,7 @@ id: jenkins-detect
 
 info:
   name: Jenkins Detection
-  author: philippdelteil,daffainfo,c-sh0
+  author: philippdelteil,daffainfo,c-sh0,AdamCrosser
   severity: info
   reference:
     - https://www.jenkins.io/doc/book/using/remote-access-api/#RemoteaccessAPI-DetectingJenkinsversion
@@ -11,7 +11,10 @@ info:
   metadata:
     max-request: 2
     shodan-query: http.favicon.hash:81586312
-  tags: tech,jenkins
+    vendor: jenkins
+    product: jenkins
+    category: devops
+  tags: tech,jenkins,detect
 
 http:
   - method: GET
@@ -36,5 +39,10 @@ http:
 
     extractors:
       - type: kval
+        name: version
         kval:
           - x_jenkins
+
+      - type: kval
+        kval:
+          - version
diff --git a/http/exposed-panels/jira-detect.yaml b/http/technologies/jira-detect.yaml
similarity index 80%
rename from http/exposed-panels/jira-detect.yaml
rename to http/technologies/jira-detect.yaml
index f107baaf14..38b430bbc7 100644
--- a/http/exposed-panels/jira-detect.yaml
+++ b/http/technologies/jira-detect.yaml
@@ -1,17 +1,20 @@
 id: jira-detect
 
 info:
-  name: Jira Login Panel - Detect
-  author: pdteam,philippedelteil
+  name: Jira Detect
+  author: pdteam,philippedelteil,AdamCrosser
   severity: info
   description: Jira login panel was detected.
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
     cvss-score: 0.0
     cwe-id: CWE-200
-  tags: panel,jira
+  tags: tech,panel,jira,atlassian
   metadata:
     max-request: 3
+    vendor: atlassian
+    product: jira
+    category: productivity
 
 http:
   - method: GET
@@ -34,5 +37,3 @@ http:
         group: 1
         regex:
           - 'title="JiraVersion" value="([0-9.]+)'
-
-# Enhanced by md on 2022/11/21
diff --git a/http/technologies/wordpress-detect.yaml b/http/technologies/wordpress-detect.yaml
index 7e0d692b9b..8f881fac5c 100644
--- a/http/technologies/wordpress-detect.yaml
+++ b/http/technologies/wordpress-detect.yaml
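Review bot: The first Jira hunk renames the template to `Jira Detect` and moves it out of `exposed-panels`, but `description: Jira login panel was detected.` is left as context and now misdescribes a technology-detection template; `description: Jira was detected.` (or wording that names the login page as the signal) keeps the two in step. The `tags` line keeps `panel` after the move, which may be deliberate for existing tag-based selection but reads as a leftover; a short comment on that line, or dropping it, would settle the question. The version regex in the second hunk, `[0-9.]+`, also accepts trailing dots, the same issue as the Crowd extractor in this patch.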
@@ -2,12 +2,15 @@ id: wordpress-detect
 
 info:
   name: WordPress Detect
-  author: pdteam,daffainfo,ricardomaia,topscoder
+  author: pdteam,daffainfo,ricardomaia,topscoder,AdamCrosser
   severity: info
   metadata:
     max-request: 4
     verified: true
     shodan-query: http.component:"WordPress"
+    vendor: wordpress
+    product: wordpress
+    category: cms
   tags: tech,wordpress,cms,wp
 
 http:
diff --git a/workflows/jira-workflow.yaml b/workflows/jira-workflow.yaml
index 1d7db71f7f..5e184dcfcd 100644
--- a/workflows/jira-workflow.yaml
+++ b/workflows/jira-workflow.yaml
@@ -6,6 +6,6 @@ info:
   description: A simple workflow that runs all Jira related nuclei templates on a given target.
 
 workflows:
-  - template: http/exposed-panels/jira-detect.yaml
+  - template: http/technologies/jira-detect.yaml
     subtemplates:
       - tags: jira
\ No newline at end of file