Seperate technologies and exposed-panels templates (#3424)

* Edit magmi workflow

* Add some workflow template + edit some template

* Changing some templates

* minor update

* workflow matcher fixes

* tech update

Co-authored-by: sandeep <sandeep@projectdiscovery.io>

cves/2017/CVE-2017-12149.yaml

@@ -9,7 +9,7 @@ info:
     - https://nvd.nist.gov/vuln/detail/CVE-2017-12149
     - https://chowdera.com/2020/12/20201229190934023w.html
     - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
-  tags: cve,cve2017,java,rce,deserialization
+  tags: cve,cve2017,jboss,java,rce,deserialization
   classification:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.80

cves/2017/CVE-2017-9841.yaml

@@ -1,7 +1,7 @@
 id: CVE-2017-9841
 
 info:
-  name: CVE-2017-9841
+  name: PHPUnit < 4.8.28 and 5.x - 5.63 Arbitrary Code Execution
   author: Random_Robbie,pikpikcu
   severity: critical
   description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI

exposed-panels/acemanager-login.yaml

@@ -6,7 +6,7 @@ info:
   severity: info
   metadata:
     fofa-dork: 'app="ACEmanager"'
-  tags: login,tech,acemanager
+  tags: panel,login,tech,acemanager
 
 requests:
   - method: GET

exposed-panels/argocd-login.yaml

@@ -0,0 +1,26 @@
+id: argocd-detect
+
+info:
+  name: Argo CD Login Panel
+  author: Adam Crosser,daffainfo
+  severity: info
+  description: Argo CD is a tool which will read your environment configuration (written either as a helm chart, kustomize files, jsonnet or plain yaml files) from your git repository and apply it to your Kubernetes namespaces.
+  metadata:
+    shodan-query: http.title:"Argo CD"
+  tags: panel,argocd
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Argo CD</title>'
+
+      - type: status
+        status:
+          - 200

exposed-panels/avantfax-panel.yaml

@@ -1,10 +1,12 @@
-id: avantfax-detect
+id: avantfax-panel
 
 info:
-  name: AvantFAX Detect
-  author: pikpikcu
+  name: AvantFAX Login Panel
+  author: pikpikcu,daffainfo
   severity: info
-  tags: tech,avantfax
+  metadata:
+    shodan-query: http.title:"AvantFAX - Login"
+  tags: panel,avantfax
 
 requests:
   - method: GET
@@ -13,7 +15,6 @@ requests:
 
     matchers-condition: and
     matchers:
-
       - type: word
         part: body
         words:

exposed-panels/aviatrix-panel.yaml

@@ -1,12 +1,12 @@
-id: aviatrix-detect
+id: aviatrix-panel
 
 info:
-  name: Aviatrix Detect
-  author: pikpikcu,philippedelteil
+  name: Aviatrix Panel Login
+  author: pikpikcu,philippedelteil,daffainfo
   severity: info
-  tags: tech,aviatrix
   metadata:
-    shodan-query: http.title:"AviatrixController", http.title:"Aviatrix Cloud Controller"
+    shodan-query: http.title:"Aviatrix Cloud Controller"
+  tags: panel,aviatrix
 
 requests:
   - method: GET

exposed-panels/bedita-panel.yaml

@@ -1,22 +1,29 @@
-id: bedita-detect
+id: bedita-panel
 
 info:
-  name: BEdita detect
-  author: pikpikcu
+  name: BEdita Panel Login
+  author: pikpikcu,daffainfo
   severity: info
-  tags: tech,bedita
+  metadata:
+    shodan-query: http.title:"BEdita"
+  tags: panel,bedita
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}"
 
+    matchers-condition: and
     matchers:
       - type: regex
         part: body
         regex:
           - 'BEdita(.*)</a><br>'
 
+      - type: status
+        status:
+          - 200
+
     extractors:
       - type: regex
         part: body

exposed-panels/bolt-cms-panel.yaml

@@ -1,19 +1,19 @@
-id: bolt-cms-detect
+id: bolt-cms-panel
 
 info:
-  name: bolt CMS detect
-  author: cyllective
+  name: bolt CMS Login Panel
+  author: cyllective,daffainfo
   severity: info
-  description: Detects bolt CMS
-  tags: tech,bolt,cms
-  reference:
-    - https://github.com/bolt/bolt
+  description: Bolt is a simple CMS written in PHP. It is based on Silex and Symfony components, uses Twig and either SQLite, MySQL or PostgreSQL.
+  reference: https://github.com/bolt/bolt
+  tags: panel,bolt,cms
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}/bolt/login"
 
+    matchers-condition: and
     matchers:
       - type: word
         part: body
@@ -30,4 +30,8 @@ requests:
           - '<script src="/assets/bolt.js"></script>'
           - 'Bolt requires JavaScript to function properly and continuing without it might corrupt or erase data.'
           - 'Bolt » Login'
-          - 'Cookies are required to log on to Bolt. Please allow cookies.'
+          - 'Cookies are required to log on to Bolt. Please allow cookies.'
+
+      - type: status
+        status:
+          - 200

exposed-panels/bookstack-panel.yaml

@@ -1,11 +1,13 @@
-id: bookstack-detect
+id: bookstack-panel
 
 info:
-  name: BookStack detect
-  author: cyllective
+  name: BookStack Panel Login
+  author: cyllective,daffainfo
   severity: info
-  description: Detects BookStack
-  tags: tech,bookstack
+  description: A platform to create documentation/wiki content built with PHP & Laravel
+  metadata:
+    shodan-query: http.title:"BookStack"
+  tags: panel,bookstack
   reference: https://github.com/BookStackApp/BookStack
 
 requests:
@@ -22,6 +24,15 @@ requests:
           - '<title>BookStack</title>'
           - '<span class="logo-text">BookStack</span>'
 
+      - type: word
+        part: header
+        words:
+          - 'Set-Cookie: bookstack_session'
+
+      - type: status
+        status:
+          - 200
+
     extractors:
       - type: regex
         part: body

exposed-panels/cacti-panel.yaml

@@ -1,7 +1,8 @@
-id: cacti-detect
+id: cacti-panel
+
 info:
-  name: Detect Cacti
-  author: geeknik
+  name: Cacti Login Panel
+  author: geeknik,daffainfo
   description: Cacti is a complete network graphing solution -- https://www.cacti.net/
   severity: info
   tags: tech,cacti
@@ -12,15 +13,17 @@ requests:
       - "{{BaseURL}}"
       - "{{BaseURL}}/cacti/"
 
+    stop-at-first-match: true
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 200
+
       - type: word
         part: body
         words:
-          - "Login to Cacti"
+          - "<title>Login to Cacti</title>"
           - "The Cacti Group"
         condition: and
 
@@ -30,7 +33,8 @@ requests:
           - Cacti+
 
     extractors:
-      - type: kval
-        part: header
-        kval:
-          - Set_Cookie
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "<div class='versionInfo'>Version (.*) |"

exposed-panels/centreon-panel.yaml

@@ -0,0 +1,34 @@
+id: centreon-panel
+
+info:
+  name: Centreon Login Panel
+  author: pikpikcu,daffainfo
+  severity: info
+  metadata:
+    shodan-query: http.title:"Centreon"
+  tags: panel,centreon
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/centreon/index.php"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        condition: or
+        words:
+          - '<title>Centreon - IT & Network Monitoring</title>'
+          - '<input name="centreon_token" type="hidden"'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - 'v. (.*)'

exposures/logs/jboss-seam-debug-page.yaml

@@ -5,7 +5,7 @@ info:
   author: dhiyaneshDK
   severity: medium
   reference: https://github.com/jaeles-project/jaeles-signatures/blob/master/common/jboss-seam-debug-page.yaml
-  tags: logs,exposure
+  tags: jboss,logs,exposure
 
 requests:
   - method: GET

technologies/argocd-detect.yaml

@@ -1,19 +0,0 @@
-id: argocd-detect
-
-info:
-  name: Argo CD Detect
-  author: Adam Crosser
-  severity: info
-  description: Detects the Argo CD website console
-  tags: tech,argocd
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}"
-
-    matchers:
-      - type: word
-        part: body
-        words:
-          - '<title>Argo CD'

technologies/bigbluebutton-detect.yaml

@@ -4,6 +4,8 @@ info:
   name: BigBlueButton Detect
   author: pikpikcu
   severity: info
+  metadata:
+    shodan-query: http.title:"BigBlueButton"
   tags: tech,bigbluebutton
 
 requests:
@@ -13,7 +15,6 @@ requests:
 
     matchers-condition: and
     matchers:
-
       - type: word
         part: body
         words:

technologies/fortinet-detect.yaml

@@ -1,23 +1,22 @@
-id: centreon-detect
+id: fortinet-detect
 
 info:
-  name: Centreon Detect
-  author: pikpikcu
+  name: Fortinet detected
+  author: pikpikcu,daffainfo
   severity: info
-  tags: tech,centreon
+  tags: tech,jboss
 
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/centreon/index.php"
+      - "{{BaseURL}}"
 
     matchers-condition: and
     matchers:
-
       - type: word
         part: body
         words:
-          - "<title>Centreon - IT & Network Monitoring</title>"
+          - '<title tiles:fragment="title">FORTINET LOGIN</title>'
 
       - type: status
         status:

technologies/jboss-detect.yaml

@@ -0,0 +1,21 @@
+id: jboss-detect
+
+info:
+  name: JBoss detected
+  author: daffainfo
+  severity: info
+  tags: tech,jboss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Welcome to JBoss AS</title>"
+          - "<title>Welcome to JBoss Application Server"
+          - "JBoss EAP 7"
+        condition: or

technologies/tech-detect.yaml

@@ -1115,13 +1115,6 @@ requests:
         condition: or
         part: body
 
-      - type: regex
-        name: drupal-commerce
-        regex:
-          - <[^>]+(?:id="block[_-]commerce[_-]cart[_-]cart|class="commerce[_-]product[_-]field)
-        condition: or
-        part: body
-
       - type: regex
         name: sympa
         regex:
@@ -2113,13 +2106,14 @@ requests:
 
       - type: regex
         name: drupal
+        part: all
         regex:
           - <(?:link|style)[^>]+"/sites/(?:default|all)/(?:themes|modules)/
+          - <[^>]+(?:id="block[_-]commerce[_-]cart[_-]cart|class="commerce[_-]product[_-]field)
           - "X-Drupal"
           - "x-drupal"
           - "X-Generator: Drupal"
         condition: or
-        part: all
 
       - type: regex
         name: webxpay

workflows/drupal-workflow.yaml

@@ -0,0 +1,13 @@
+id: drupal-workflow
+
+info:
+  name: Wordpress Security Checks
+  author: daffainfo
+  description: A simple workflow that runs all drupal related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/tech-detect.yaml
+    matchers:
+      - name: drupal
+        subtemplates:
+          - tags: drupal

workflows/fortinet-workflow.yaml

@@ -0,0 +1,11 @@
+id: fortiner-workflow
+
+info:
+  name: Fortinet Security Checks
+  author: daffainfo
+  description: A simple workflow that runs all fortinet related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/fortinet-detect.yaml
+    subtemplates:
+      - tags: fortinet

workflows/jboss-workflow.yaml

@@ -0,0 +1,11 @@
+id: jboss-workflow
+
+info:
+  name: JBoss Security Checks
+  author: daffainfo
+  description: A simple workflow that runs all JBoss related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/jboss-detect.yaml
+    subtemplates:
+      - tags: jboss

workflows/laravel-workflow.yaml

@@ -0,0 +1,13 @@
+id: laravel-workflow
+
+info:
+  name: Laravel Security Checks
+  author: daffainfo
+  description: A simple workflow that runs all Laravel related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/tech-detect.yaml
+    matchers:
+      - name: laravel
+        subtemplates:
+          - tags: laravel

workflows/microsoft-exchange-workflow.yaml

@@ -0,0 +1,12 @@
+id: microsoft-exchange-workflow
+
+info:
+  name: Microsoft Exchange Security Checks
+  author: daffainfo
+  description: A simple workflow that runs all Microsoft Exchange related nuclei templates on a given target.
+
+workflows:
+
+  - template: technologies/microsoft/microsoft-exchange-server-detect.yaml
+    subtemplates:
+      - tags: exchange

workflows/symfony-workflow.yaml

@@ -0,0 +1,12 @@
+id: symfony-workflow
+info:
+  name: Symfony Security Checks
+  author: daffainfo
+  description: A simple workflow that runs all Symfony related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/tech-detect.yaml
+    matchers:
+      - name: symfony
+        subtemplates:
+          - tags: symfony

workflows/yii-workflow.yaml

@@ -0,0 +1,13 @@
+id: yii-workflow
+
+info:
+  name: Yii Security Checks
+  author: daffainfo
+  description: A simple workflow that runs all Yii related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/tech-detect.yaml
+    matchers:
+      - name: yii
+        subtemplates:
+          - tags: yii