From 1b47ea7c3f48066cd2b77c64e3c1351a56be42d3 Mon Sep 17 00:00:00 2001
From: Adam Crosser <45573557+AdamCrosser@users.noreply.github.com>
Date: Sat, 24 Jun 2023 17:25:54 -0500
Subject: [PATCH] Update Nuclei Detection Templates for National Vulnerability
Database Correlation (#7490)
* Update Confluence Version
* Added Application Category
* Updated Grafana Template
* Updated WordPress Template
* Update grafana-detect.yaml
* Update jenkins-detect.yaml
* Update Jira Detection Template
* Update Tomcat Template
* Update Atlassian Crowd Template
* misc update
* workflow fix
---------
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
---
http/exposed-panels/atlassian-crowd-panel.yaml | 13 +++++++++++--
http/exposed-panels/grafana-detect.yaml | 16 ++++++++++++----
http/technologies/apache/tomcat-detect.yaml | 5 ++++-
http/technologies/jenkins-detect.yaml | 12 ++++++++++--
.../jira-detect.yaml | 11 ++++++-----
http/technologies/wordpress-detect.yaml | 5 ++++-
workflows/jira-workflow.yaml | 2 +-
7 files changed, 48 insertions(+), 16 deletions(-)
rename http/{exposed-panels => technologies}/jira-detect.yaml (80%)
diff --git a/http/exposed-panels/atlassian-crowd-panel.yaml b/http/exposed-panels/atlassian-crowd-panel.yaml
index 9ff7221536..10eeb1b28d 100644
--- a/http/exposed-panels/atlassian-crowd-panel.yaml
+++ b/http/exposed-panels/atlassian-crowd-panel.yaml
@@ -2,7 +2,7 @@ id: atlassian-crowd-panel
info:
name: Atlassian Crowd Login Panel
- author: organiccrap
+ author: organiccrap,AdamCrosser
severity: info
description: An Atlassian Crowd login panel was discovered.
reference:
@@ -12,6 +12,9 @@ info:
tags: panel,atlassian
metadata:
max-request: 1
+ vendor: atlassian
+ product: crowd
+ category: sso
http:
- method: GET
@@ -24,4 +27,10 @@ http:
-
Atlassian Crowd - Login
part: body
-# Enhanced by mp on 2022/03/20
+ extractors:
+ - type: regex
+ name: version
+ group: 1
+ regex:
+ - 'value="Version: ([\d.]+)'
+ part: body
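Review bot: The new version regex `'value="Version: ([\d.]+)'` accepts any run of digits and dots, so a trailing period or a double dot in the page would be captured verbatim and then compared against CPE versions by the correlation step the commit title describes. A shape that only admits dotted numerics, `- 'value="Version: ([0-9]+(?:\.[0-9]+)*)'`, avoids that; the Tomcat template's `([0-9]\.[0-9]+\.[0-9]+)` in this same commit shows a stricter capture already in use. Unlike the Grafana and Jenkins hunks, no follow-up `kval` entry for `version` is added here, so if that construct is what the correlation pipeline expects, Crowd is the odd one out. The words matcher this extractor sits beside begins before the hunk.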
diff --git a/http/exposed-panels/grafana-detect.yaml b/http/exposed-panels/grafana-detect.yaml
index 8aa2c08ff4..488fdd1555 100644
--- a/http/exposed-panels/grafana-detect.yaml
+++ b/http/exposed-panels/grafana-detect.yaml
@@ -2,7 +2,7 @@ id: grafana-detect
info:
name: Grafana Login Panel - Detect
- author: organiccrap
+ author: organiccrap,AdamCrosser
severity: info
description: Grafana login panel was detected.
classification:
@@ -12,22 +12,30 @@ info:
metadata:
max-request: 1
shodan-query: title:"Grafana"
- tags: panel,grafana
+ vendor: grafana
+ product: grafana
+ category: devops
+ tags: panel,grafana,detect
http:
- method: GET
path:
- "{{BaseURL}}/login"
+
matchers:
- type: word
+ part: body
words:
- "Grafana"
- part: body
+
extractors:
- type: regex
+ name: version
part: body
group: 1
regex:
- '\"version\"\:\"([0-9.]+)\"}'
-# Enhanced by md on 2022/11/16
+ - type: kval
+ kval:
+ - version
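Review bot: The unnamed `kval` extractor added at the end of the hunk reads the key `version`; kval extractors operate on the response's header/cookie key-value data, and nothing in this template shows Grafana's `/login` response carrying a `version` header, so it is not clear whether this entry is meant to re-emit the value captured by the regex extractor named `version` directly above it or to read a real header. A one-line comment above the entry stating which of the two it is, e.g. `# re-emits the named regex extractor's value so it appears in output`, would spare the next maintainer the same question, and if the header reading is intended, a short note naming the Grafana version that sends it. The same construct is added to the Jenkins template in the hunk ending with `- version` after `x_jenkins`, so the comment belongs in both places.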
diff --git a/http/technologies/apache/tomcat-detect.yaml b/http/technologies/apache/tomcat-detect.yaml
index f447e2c415..8ba2822eb9 100644
--- a/http/technologies/apache/tomcat-detect.yaml
+++ b/http/technologies/apache/tomcat-detect.yaml
@@ -2,12 +2,14 @@ id: tomcat-detect
info:
name: Tomcat Detection
- author: philippedelteil,dhiyaneshDk
+ author: philippedelteil,dhiyaneshDk,AdamCrosser
severity: info
description: If an Tomcat instance is deployed on the target URL, when we send a request for a non existent resource we receive a Tomcat error page with version.
metadata:
max-request: 3
shodan-query: title:"Apache Tomcat"
+ vendor: apache
+ product: tomcat
tags: tech,tomcat,apache
http:
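Review bot: The Tomcat metadata gains `vendor: apache` and `product: tomcat` but, unlike every other template touched by this commit (Crowd `category: sso`, Grafana and Jenkins `category: devops`, Jira `category: productivity`, WordPress `category: cms`), no `category` key; if the correlation tooling keys on that field, Tomcat is the one template that cannot be classified, so a `category:` line using whatever taxonomy term the project uses for web servers would keep the metadata schema uniform. Relatedly, the `detect` tag is appended to the Grafana and Jenkins `tags:` lines but not to the Tomcat, Crowd, Jira or WordPress ones; whichever convention is intended should be applied across all six files in one pass. The `http:` block at the end of the hunk continues outside it.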
@@ -33,6 +35,7 @@ http:
extractors:
- type: regex
+ name: version
group: 1
regex:
- '(?i)Apache Tomcat.*([0-9]\.[0-9]+\.[0-9]+)'
diff --git a/http/technologies/jenkins-detect.yaml b/http/technologies/jenkins-detect.yaml
index 2f795da533..6832efe6c1 100644
--- a/http/technologies/jenkins-detect.yaml
+++ b/http/technologies/jenkins-detect.yaml
@@ -2,7 +2,7 @@ id: jenkins-detect
info:
name: Jenkins Detection
- author: philippdelteil,daffainfo,c-sh0
+ author: philippdelteil,daffainfo,c-sh0,AdamCrosser
severity: info
reference:
- https://www.jenkins.io/doc/book/using/remote-access-api/#RemoteaccessAPI-DetectingJenkinsversion
@@ -11,7 +11,10 @@ info:
metadata:
max-request: 2
shodan-query: http.favicon.hash:81586312
- tags: tech,jenkins
+ vendor: jenkins
+ product: jenkins
+ category: devops
+ tags: tech,jenkins,detect
http:
- method: GET
@@ -36,5 +39,10 @@ http:
extractors:
- type: kval
+ name: version
kval:
- x_jenkins
+
+ - type: kval
+ kval:
+ - version
diff --git a/http/exposed-panels/jira-detect.yaml b/http/technologies/jira-detect.yaml
similarity index 80%
rename from http/exposed-panels/jira-detect.yaml
rename to http/technologies/jira-detect.yaml
index f107baaf14..38b430bbc7 100644
--- a/http/exposed-panels/jira-detect.yaml
+++ b/http/technologies/jira-detect.yaml
@@ -1,17 +1,20 @@
id: jira-detect
info:
- name: Jira Login Panel - Detect
- author: pdteam,philippedelteil
+ name: Jira Detect
+ author: pdteam,philippedelteil,AdamCrosser
severity: info
description: Jira login panel was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
- tags: panel,jira
+ tags: tech,panel,jira,atlassian
metadata:
max-request: 3
+ vendor: atlassian
+ product: jira
+ category: productivity
http:
- method: GET
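Review bot: The template is renamed to `Jira Detect` and moved under `http/technologies`, but the unchanged `description: Jira login panel was detected.` still describes it as a panel check, and the `panel` tag is kept alongside the new `tech` tag. If the template is now meant as a technology/version detector, `description: Jira was detected.` (or similar) keeps the description in step with the name; whether `panel` should remain depends on which tag the exposed-panel workflows select on, which this page does not show. The `http:` section begins at the end of the hunk and continues outside it.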
@@ -34,5 +37,3 @@ http:
group: 1
regex:
- 'title="JiraVersion" value="([0-9.]+)'
-
-# Enhanced by md on 2022/11/21
diff --git a/http/technologies/wordpress-detect.yaml b/http/technologies/wordpress-detect.yaml
index 7e0d692b9b..8f881fac5c 100644
--- a/http/technologies/wordpress-detect.yaml
+++ b/http/technologies/wordpress-detect.yaml
@@ -2,12 +2,15 @@ id: wordpress-detect
info:
name: WordPress Detect
- author: pdteam,daffainfo,ricardomaia,topscoder
+ author: pdteam,daffainfo,ricardomaia,topscoder,AdamCrosser
severity: info
metadata:
max-request: 4
verified: true
shodan-query: http.component:"WordPress"
+ vendor: wordpress
+ product: wordpress
+ category: cms
tags: tech,wordpress,cms,wp
http:
diff --git a/workflows/jira-workflow.yaml b/workflows/jira-workflow.yaml
index 1d7db71f7f..5e184dcfcd 100644
--- a/workflows/jira-workflow.yaml
+++ b/workflows/jira-workflow.yaml
@@ -6,6 +6,6 @@ info:
description: A simple workflow that runs all Jira related nuclei templates on a given target.
workflows:
- - template: http/exposed-panels/jira-detect.yaml
+ - template: http/technologies/jira-detect.yaml
subtemplates:
- tags: jira
\ No newline at end of file