commit
63b01dcaaa
|
@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
|
|||
|
||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
|
||||
| cves | 291 | vulnerabilities | 133 | exposed-panels | 120 |
|
||||
| takeovers | 67 | exposures | 78 | technologies | 63 |
|
||||
| misconfiguration | 55 | workflows | 30 | miscellaneous | 20 |
|
||||
| cves | 290 | vulnerabilities | 133 | exposed-panels | 121 |
|
||||
| takeovers | 67 | exposures | 79 | technologies | 64 |
|
||||
| misconfiguration | 56 | workflows | 30 | miscellaneous | 20 |
|
||||
| default-logins | 24 | exposed-tokens | 0 | dns | 8 |
|
||||
| fuzzing | 8 | helpers | 7 | iot | 11 |
|
||||
|
||||
**101 directories, 991 files**.
|
||||
**101 directories, 994 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
|
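Review bot: the hand-edited counts do reconcile with this commit (cves 291 to 290 matches two cve templates removed and one added, technologies 63 to 64 matches the new grav-cms-detect, and the +4/-1 across the rows equals the 991 to 994 file delta), but exposed-panels, exposures and misconfiguration each gain one without a corresponding file in the visible diff; confirm those files are part of the commit, and consider generating this table from the tree so it cannot drift from the directory contents.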
@ -4,6 +4,10 @@ info:
|
|||
author: CasperGN
|
||||
severity: medium
|
||||
tags: cve,cve2005
|
||||
description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.
|
||||
reference: |
|
||||
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
|
||||
- https://www.exploit-db.com/exploits/39495
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
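Review bot: `reference: |` is a YAML literal block scalar, so the two indented `- http://...` lines become one string containing the dashes rather than a list; drop the `|` and keep the `- ` items under `reference:` so the loader receives a list. The added description matches the NVD wording for the names.nsf hidden-field disclosure.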
@ -4,6 +4,7 @@ info:
|
|||
name: Apache Struts2 S2-001 RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
|
||||
reference: https://www.guildhab.top/?p=2326
|
||||
tags: cve,cve2007,apache,rce,struts
|
||||
|
||||
|
|
|
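Review bot: the only reference is a third-party blog (guildhab.top); add the official Apache S2-001 advisory page alongside it, as the S2-012 and S2-016 templates in this commit do with their struts.apache.org pages. The description is the standard NVD text for the altSyntax OGNL evaluation issue and reads correctly.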
@ -4,6 +4,8 @@ info:
|
|||
name: AppServ Open Project 2.5.10 and earlier XSS
|
||||
author: unstabl3
|
||||
severity: medium
|
||||
description: Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
|
||||
reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/42546
|
||||
tags: cve,cve2008,xss
|
||||
|
||||
requests:
|
||||
|
|
|
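Review bot: the only reference is the IBM X-Force entry; add the NVD record for the appservlang XSS next to it so the template points at a primary source. The added description matches the NVD wording.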
@ -3,6 +3,8 @@ info:
|
|||
name: CMSimple 3.1 - Local File Inclusion
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
description: |
|
||||
Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.
|
||||
reference: https://www.exploit-db.com/exploits/5700
|
||||
tags: cve,cve2008,lfi
|
||||
requests:
|
||||
|
|
|
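Review bot: the description notes that the vendor patched 3.1 without changing the version number, so a version-string match cannot separate vulnerable from patched installs; make sure the template's matchers check the result of the traversal in the `sl` parameter, not the CMSimple version, otherwise patched 3.1 sites will be reported. The `register_globals` precondition is also worth keeping in the description since it explains negative results on hardened PHP.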
@ -4,7 +4,10 @@ info:
|
|||
name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
reference: https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
|
||||
description: Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
|
||||
reference: |
|
||||
- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
|
||||
- http://www.adobe.com/support/security/bulletins/apsb10-18.html
|
||||
tags: cve,cve2010,coldfusion,lfi
|
||||
|
||||
requests:
|
||||
|
|
|
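Review bot: `reference: |` turns the two dashed lines into a single block-scalar string, not a list; remove the `|`. Once it is a list, put the Adobe bulletin apsb10-18 first since it is the vendor source and the vulhub link is a lab setup.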
@ -4,10 +4,11 @@ info:
|
|||
name: Majordomo2 - SMTP/HTTP Directory Traversal
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted email and (2) cgi-bin/mj_wwwusr in the web interface.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/16103
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2011-0063
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2011-0049
|
||||
- http://www.kb.cert.org/vuls/id/363726
|
||||
tags: cve,cve2011,majordomo2,lfi
|
||||
|
||||
requests:
|
||||
|
|
|
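Review bot: the reference list cites two NVD entries (CVE-2011-0063 and CVE-2011-0049) while the description text describes the `_list_file_get` traversal; state in the description which of the two the template id covers, or tag both, so scan output maps to the right advisory. The `reference: |` block scalar also needs the `|` removed to parse as a list.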
@ -4,6 +4,7 @@ info:
|
|||
name: Apache Struts2 S2-008 RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
|
||||
reference: https://blog.csdn.net/weixin_43416469/article/details/113850545
|
||||
tags: cve,cve2012,apache,rce,struts
|
||||
|
||||
|
|
|
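Review bot: the single reference is a CSDN blog post; add the official S2-008 advisory from struts.apache.org so the template cites the vendor source, as the S2-012 and S2-016 templates in this commit do. The CookieInterceptor description matches the NVD wording.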
@ -4,7 +4,8 @@ info:
|
|||
name: Apache Struts2 S2-012 RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965
|
||||
description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
|
||||
reference: http://struts.apache.org/development/2.x/docs/s2-012.html
|
||||
tags: cve,cve2013,apache,rce,struts
|
||||
|
||||
requests:
|
||||
|
|
|
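Review bot: the NVD link for CVE-2013-1965 is replaced by the struts.apache.org S2-012 page rather than supplemented; keep both as a `reference:` list so the template carries the vendor advisory and the canonical CVE record.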
@ -5,6 +5,7 @@ info:
|
|||
author: exploitation & @dwisiswant0
|
||||
severity: critical
|
||||
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
|
||||
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
|
||||
tags: cve,cve2013,rce,struts,apache
|
||||
|
||||
requests:
|
||||
|
|
|
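Review bot: `author: exploitation & @dwisiswant0` uses an ampersand and a handle prefix unlike every other author field in this commit; use the comma-separated form (`exploitation,dwisiswant0`) so the value is consistent with how other templates list multiple authors. The added S2-016 description is accurate about the `action:`/`redirect:`/`redirectAction:` prefixes.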
@ -4,7 +4,11 @@ info:
|
|||
name: ElasticSearch v1.1.1/1.2 RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120
|
||||
description: |
|
||||
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.
|
||||
reference: |
|
||||
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120
|
||||
- https://www.elastic.co/blog/logstash-1-4-3-released
|
||||
tags: cve,cve2014,elastic,rce
|
||||
|
||||
requests:
|
||||
|
|
|
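Review bot: the second reference is a Logstash 1.4.3 release post while the description concerns Elasticsearch before 1.2 and dynamic scripting via `_search`; confirm this is the intended advisory, otherwise cite the Elasticsearch 1.2 release notes. The `reference: |` block scalar also needs the `|` dropped to become a list.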
@ -4,7 +4,12 @@ info:
|
|||
author: princechaddha
|
||||
severity: high
|
||||
description: The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
|
||||
reference: https://www.cvedetails.com/cve/CVE-2014-3704/
|
||||
reference: |
|
||||
- https://www.drupal.org/SA-CORE-2014-005
|
||||
- http://www.exploit-db.com/exploits/34984
|
||||
- http://www.exploit-db.com/exploits/34992
|
||||
- http://www.exploit-db.com/exploits/34993
|
||||
- http://www.exploit-db.com/exploits/35150
|
||||
tags: cve,cve2014,drupal,sqli
|
||||
|
||||
requests:
|
||||
|
|
|
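Review bot: `reference: |` makes the drupal.org advisory and the four exploit-db links one string instead of a list; remove the `|`. Leading with SA-CORE-2014-005 is the right order, and keeping the cvedetails or NVD record as well would preserve the CVE-level link that is being dropped.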
@ -5,6 +5,9 @@ info:
|
|||
author: pentest_swissky
|
||||
severity: high
|
||||
description: Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications
|
||||
reference: |
|
||||
- http://www.kb.cert.org/vuls/id/252743
|
||||
- http://www.us-cert.gov/ncas/alerts/TA14-268A
|
||||
tags: cve,cve2014,rce
|
||||
|
||||
requests:
|
||||
|
|
|
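Review bot: the description says what the template does ("Attempts to exploit ...") rather than what the vulnerability is; reword it to the flaw itself, that Bash before the fixes for CVE-2014-6271 and CVE-2014-7169 executed trailing strings after function definitions in environment variables, so scan output explains the finding. The `reference: |` block scalar should also lose the `|`, and a `bash` or `shellshock` tag would make the template discoverable.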
@ -4,7 +4,10 @@ info:
|
|||
name: ElasticSearch 1.4.0/1.4.2 RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://blog.csdn.net/JiangBuLiu/article/details/94457980
|
||||
description: The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
|
||||
reference: |
|
||||
- https://blog.csdn.net/JiangBuLiu/article/details/94457980
|
||||
- http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/
|
||||
tags: cve,cve2015,elastic,rce
|
||||
|
||||
requests:
|
||||
|
|
|
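Review bot: `reference: |` yields a block-scalar string rather than a list; remove the `|`. Put the elasticsearch.com 1.4.3/1.3.8 release post first since it is the vendor notice and the CSDN write-up is secondary.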
@ -4,7 +4,10 @@ info:
|
|||
name: Eclipse Jetty Remote Leakage
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-2080
|
||||
reference: |
|
||||
- https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
|
||||
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
|
||||
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
|
||||
description: |
|
||||
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
|
||||
|
||||
|
|
|
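Review bot: no `tags:` line appears in this hunk although every other template hunk in the commit shows one; confirm the tags survive in the file. `reference: |` also needs the `|` removed to parse as a list, and the severity of medium deserves a second look given that the leaked shared buffers can carry other clients' request data.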
@ -5,7 +5,7 @@ info:
|
|||
author: pdteam
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-3337
|
||||
reference: https://www.exploit-db.com/exploits/37054/
|
||||
tags: cve,cve2015,elastic,lfi
|
||||
|
||||
requests:
|
||||
|
|
|
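Review bot: the NVD record for CVE-2015-3337 is swapped for the exploit-db entry rather than added to; keep both in a `reference:` list so the template retains the canonical advisory.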
@ -3,6 +3,7 @@ info:
|
|||
name: Wordpress 4.6 Remote Code Execution
|
||||
author: princechaddha
|
||||
severity: high
|
||||
description: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
|
||||
reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
|
||||
tags: wordpress,cve,cve2016,rce
|
||||
|
||||
|
|
|
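Review bot: the name says "Wordpress 4.6 Remote Code Execution" while the description is the PHPMailer 5.2.18 text with no mention of WordPress; add a clause noting that WordPress 4.6 bundles the affected PHPMailer so the finding is self-explanatory to readers of the scan output.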
@ -4,7 +4,11 @@ info:
|
|||
name: Apache S2-032 Struts RCE
|
||||
author: dhiyaneshDK
|
||||
severity: high
|
||||
reference: https://cwiki.apache.org/confluence/display/WW/S2-032
|
||||
description: |
|
||||
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
|
||||
reference: |
|
||||
- https://cwiki.apache.org/confluence/display/WW/S2-032
|
||||
- https://struts.apache.org/docs/s2-032.html
|
||||
tags: cve,cve2016,struts,rce,apache
|
||||
|
||||
requests:
|
||||
|
|
|
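Review bot: severity is `high` while the other Struts RCE templates in this commit (S2-001, S2-008, S2-012, S2-016) are `critical`; align S2-032, which is also unauthenticated code execution. `reference: |` needs the `|` removed to become a list.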
@ -4,6 +4,7 @@ info:
|
|||
name: Trend Micro Threat Discovery Appliance Auth Bypass via Directory Traversal
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.
|
||||
reference: https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4
|
||||
tags: cve,cve2016,lfi
|
||||
|
||||
|
|
|
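Review bot: the `lfi` tag does not fit the description, which is arbitrary file deletion as root leading to auth bypass or DoS rather than file inclusion; tag it for auth bypass and traversal instead so it lands in the right filters.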
@ -1,36 +0,0 @@
|
|||
id: CVE-2020-1147
|
||||
|
||||
info:
|
||||
name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection
|
||||
author: dwisiswant0
|
||||
description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
|
||||
severity: critical
|
||||
tags: cve,cve2020,sharepoint,iis,rce
|
||||
reference: |
|
||||
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
|
||||
- https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/_layouts/15/listform.aspx?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "List does not exist"
|
||||
- "It may have been deleted by another user"
|
||||
part: body
|
||||
condition: and
|
||||
- type: word
|
||||
words:
|
||||
- "Microsoft-IIS"
|
||||
- "X-SharePointHealthScore"
|
||||
- "SharePointError"
|
||||
- "SPRequestGuid"
|
||||
- "MicrosoftSharePointTeamServices"
|
||||
condition: or
|
||||
part: header
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
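Review bot: the deleted template's matchers only confirmed a SharePoint host (the generic "List does not exist" page, IIS/SharePoint headers and a 200) with no version or patch-level check, so it would have flagged every SharePoint site regardless of CVE-2020-1147; removing it is correct, but the commit should say so and any workflow that references cves/2020/CVE-2020-1147.yaml needs updating.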
@ -0,0 +1,25 @@
|
|||
id: CVE-2021-24146
|
||||
|
||||
info:
|
||||
name: Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
|
||||
description: Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.
|
||||
author: random_robbie
|
||||
severity: high
|
||||
reference: https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
|
||||
tags: wordpress,wp-plugin,cve,cve2021
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "mec-events"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
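Review bot: the matcher only checks that some header contains `mec-events` and the status is 200; pair it with a Content-Type check for CSV or a body check on the export's header row so a 200 page that merely echoes the name does not match. The request also retrieves the target's full events export, which is worth stating in the description. Wording: "allowing unauthenticated users to export all event data".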
@ -1,31 +0,0 @@
|
|||
id: CVE-2021-28480
|
||||
|
||||
info:
|
||||
name: Microsoft Exchange Server Remote Code Execution detection
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: CVE-2021-28480 & CVE-2021-28481 received a CVSS score of 9.8 which is remarkably high. Both of these have 'Network' as attack vector, which means the attack can be executed remotely and the exploit might potentially be wormable.
|
||||
tags: cve,cve2021,rce,exchange
|
||||
reference: |
|
||||
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28480
|
||||
- https://khonggianmang.vn/check-proxynotfound/en
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /ews/exchange.asmx HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Authorization: NTLM TlRMTVNTUAABAAAABoIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAMAA=
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "NTLM .+"
|
||||
part: header
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "contains(tolower(all_headers), 'www-authenticate') && status_code == 401"
|
|
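Review bot: the deleted template sent an NTLM negotiate to /ews/exchange.asmx and matched any 401 carrying a WWW-Authenticate NTLM header, which every Exchange EWS endpoint returns, so it identified Exchange rather than CVE-2021-28480; its description discussed the CVSS score instead of a check. Removal is right; note the reason in the commit message and update any workflow referencing the file.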
@ -0,0 +1,27 @@
|
|||
id: grav-cms-detect
|
||||
|
||||
info:
|
||||
name: Grav CMS Detect
|
||||
author: cyllective
|
||||
severity: info
|
||||
description: Detects Grav CMS
|
||||
tags: tech,grav,cms
|
||||
references: https://github.com/getgrav/grav
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'Set-Cookie: grav-site-'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<meta name="generator" content="GravCMS" />'
|
|
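Review bot: the key is `references:` while every other template in this commit uses `reference:`; the loader will not recognise the plural, so rename it. The body matcher on the exact string `<meta name="generator" content="GravCMS" />` is brittle to attribute order and the `/>` spacing; matching `content="GravCMS"` is enough and more robust.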
@ -30,6 +30,7 @@ workflows:
|
|||
- template: cves/2020/CVE-2020-14092.yaml
|
||||
- template: cves/2020/CVE-2020-35951.yaml
|
||||
- template: cves/2020/CVE-2020-35489.yaml
|
||||
- template: cves/2021/CVE-2021-24146.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml
|
||||
|
|