fix formatting and verified

patch-1
Dhiyaneshwaran 2023-12-07 11:42:31 +05:30
parent af62c25766
commit 76b64df7a7
15 changed files with 261 additions and 210 deletions


@ -1,30 +0,0 @@
id: cloud-enum-aws-app
info:
name: Cloud Enumeration - AWS Apps
author: initstring
severity: info
description: Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.)
reference: tba
tags: cloud,aws
self-contained: true
variables:
baseDNS: "awsapps.com"
http:
- raw:
- |
GET https://{{wordlist}}.{{baseDNS}} HTTP/1.1
Host: {{wordlist}}.{{baseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: status
name: "Registered AWS App"
condition: or
status:
- 200
- 302


@ -1,32 +0,0 @@
id: cloud-enum-aws-s3-bucket
info:
name: Cloud Enumeration - AWS S3 Buckets
author: initstring
severity: info
description: Searches for open and protected buckets in AWS S3
reference: tba
tags: cloud,aws
self-contained: true
variables:
baseDNS: "s3.amazonaws.com"
http:
- raw:
- |
GET http://{{wordlist}}.{{baseDNS}} HTTP/1.1
Host: {{wordlist}}.{{baseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: status
name: "Open AWS S3 Bucket"
status:
- 200
- type: status
name: "Protected AWS S3 Bucket"
status:
- 403


@ -1,28 +0,0 @@
id: cloud-enum-azure-db
info:
name: Cloud Enumeration - Azure Databases
author: initstring
severity: info
description: Searches for Azure databases via their registered DNS names
reference: tba
tags: cloud,azure
self-contained: true
variables:
baseDNS: "database.windows.net"
dns:
- name: "{{wordlist}}.{{baseDNS}}"
type: A
class: inet
recursion: true
attack: batteringram
#threads: 10 # TODO: uncomment when functionality implemented
matchers:
- type: word
part: answer
words:
# The response must contain an A record
- "IN\tA"


@ -1,30 +0,0 @@
id: cloud-enum-azure-website
info:
name: Cloud Enumeration - Azure Websites
author: initstring
severity: info
description: Searches for Azure websites that are registered and responding
reference: tba
tags: cloud,azure
self-contained: true
variables:
baseDNS: "azurewebsites.net"
http:
- raw:
- |
GET https://{{wordlist}}.{{baseDNS}} HTTP/1.1
Host: {{wordlist}}.{{baseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: status
name: "Available Azure Website"
condition: or
status:
- 200
- 302


@ -1,35 +0,0 @@
id: cloud-enum-gcp-app-engine
info:
name: Cloud Enumeration - GCP App Engine (Appspot)
author: initstring
severity: info
description: Searches for App Engine Apps in GCP
reference: tba
tags: cloud,gcp
self-contained: true
variables:
baseDNS: "appspot.com"
loginRedirect: "accounts.google.com"
http:
- raw:
- |
GET https://{{wordlist}}.{{baseDNS}} HTTP/1.1
Host: {{wordlist}}.{{baseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: status
name: "Open GCP App Engine App"
status:
- 200
- type: dsl
name: "Protected GCP App Engine App"
condition: and
dsl:
- "status_code==302"
- contains(location, "login")


@ -1,28 +0,0 @@
id: cloud-enum-gcp-firebase-app
info:
name: Cloud Enumeration - GCP Firebase Apps
author: initstring
severity: info
description: Searches for Firebase Apps in GCP
reference: tba
tags: cloud,gcp
self-contained: true
variables:
baseDNS: "firebaseapp.com"
http:
- raw:
- |
GET https://{{wordlist}}.{{baseDNS}} HTTP/1.1
Host: {{wordlist}}.{{baseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: status
name: "Open GCP Firebase App"
status:
- 200


@ -0,0 +1,36 @@
id: aws-app-enum
info:
name: AWS Apps - Cloud Enumeration
author: initstring
severity: info
description: |
Searches for AWS apps (WorkDocs, WorkMail, Connect, etc.)
metadata:
verified: true
max-request: 1
tags: cloud,cloud-enum,aws
self-contained: true
variables:
BaseDNS: "awsapps.com"
http:
- raw:
- |
GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
Host: {{wordlist}}.{{BaseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: status
name: "Registered AWS App"
status:
- 200
- 302
condition: or
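Review bot: `{{wordlist}}` is used in the request line and the Host header, but it is not declared under `variables` or in any payload block visible in this file, and the description does not say where it comes from. Because the template is `self-contained`, a reader cannot tell what input it expects, and `max-request: 1` presumably only describes a run with a single candidate name. I would add a line to the description such as `Requires the wordlist variable to be supplied at run time; the number of requests scales with the number of entries.` The same gap appears in the other new templates in this commit (aws-s3-bucket-enum, azure-db-enum, azure-website-enum, gcp-app-engine-enum, gcp-firebase-app-enum).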


@ -0,0 +1,40 @@
id: aws-s3-bucket-enum
info:
name: AWS S3 Buckets - Cloud Enumeration
author: initstring
severity: info
description: |
Searches for open and protected buckets in AWS S3
metadata:
verified: true
max-request: 1
tags: cloud,cloud-enum,aws
self-contained: true
variables:
BaseDNS: "s3.amazonaws.com"
http:
- raw:
- |
GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
Host: {{wordlist}}.{{BaseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers-condition: or
matchers:
- type: status
name: "Open AWS S3 Bucket"
status:
- 200
- type: status
name: "Protected AWS S3 Bucket"
status:
- 403
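Review bot: The probe in `GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1` goes over cleartext HTTP while aws-app-enum in this same commit uses `https://`, and nothing in the file says whether that is deliberate. If it is (bucket names containing dots do not match the S3 wildcard certificate, so an HTTPS probe would fail at TLS instead of returning a status), a comment above the `raw` block such as `# plain HTTP on purpose: dotted bucket names fail TLS hostname validation` would stop a later well-meant switch to HTTPS. The description could also state that "Open" and "Protected" are inferred from the status code alone (200 / 403) and do not describe what the bucket policy actually permits, so a hit still needs confirming by the bucket owner.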


@ -0,0 +1,31 @@
id: azure-db-enum
info:
name: Azure Databases - Cloud Enumeration
author: initstring
severity: info
description: |
Searches for Azure databases via their registered DNS names
metadata:
verified: true
max-request: 1
tags: cloud,cloud-enum,azure
self-contained: true
variables:
BaseDNS: "database.windows.net"
dns:
- name: "{{wordlist}}.{{BaseDNS}}"
type: A
class: inet
recursion: true
attack: batteringram
matchers:
- type: word
part: answer
words:
- "IN\tA"
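Review bot: The matcher word `"IN\tA"` is now undocumented; the previous version of this template carried `# The response must contain an A record` directly above it, and without that line the tab-separated literal is hard to read and easy to break when reformatting. I would keep that comment above the word entry. The match fires on any A record in the answer section, so presumably a wildcard or catch-all record under the zone would make every candidate name match; a sentence in the description saying a result means "name resolves", not "database reachable", would set expectations for whoever triages the output.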


@ -1,18 +1,20 @@
id: cloud-enum-azure-vm id: azure-vm-cloud-enum
info: info:
name: Cloud Enumeration - Azure Virtual Machines name: Azure Virtual Machines - Cloud Enumeration
author: initstring author: initstring
severity: info severity: info
description: Searches for Azure virtual machines via their registered DNS names description: |
reference: tba Searches for Azure virtual machines via their registered DNS names.
tags: cloud,azure metadata:
verified: true
tags: cloud,cloud-enum,azure
self-contained: true self-contained: true
variables: variables:
baseDNS: "cloudapp.azure.com" BaseDNS: "cloudapp.azure.com"
regionName: regionname:
- eastasia - eastasia
- southeastasia - southeastasia
- centralus - centralus
@ -47,15 +49,16 @@ variables:
- southafricawest - southafricawest
dns: dns:
- name: "{{wordlist}}.{{regionName}}.{{baseDNS}}" - name: "{{wordlist}}.{{regionname}}.{{BaseDNS}}"
type: A type: A
class: inet class: inet
recursion: true recursion: true
#attack: batteringram # TODO: uncomment when functionality implemented
#threads: 10 # TODO: uncomment when functionality implemented attack: batteringram
matchers: matchers:
- type: word - type: word
part: answer part: answer
words: words:
# The response must contain an A record
- "IN\tA" - "IN\tA"
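Review bot: The variable renames in this section leave mixed casing within one template family: `BaseDNS` is PascalCase, `regionname` is all lowercase, and gcp-app-engine-enum in the same commit keeps `loginRedirect` in camelCase. Picking one convention, for example `RegionName:` with `{{wordlist}}.{{RegionName}}.{{BaseDNS}}`, would make the placeholders easier to grep and less error-prone to edit. Separately, `attack: batteringram` is enabled by deleting the `TODO: uncomment when functionality implemented` marker, and the `#threads` TODO is dropped without replacement. A short comment stating that the DNS protocol now supports this with the region list would help, since nothing on this page shows it. The region list between the two hunks is outside the visible lines.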


@ -0,0 +1,35 @@
id: azure-website-enum
info:
name: Azure Websites - Cloud Enumeration
author: initstring
severity: info
description: |
Searches for Azure websites that are registered and responding.
metadata:
verified: true
tags: cloud,azure
self-contained: true
variables:
BaseDNS: "azurewebsites.net"
http:
- raw:
- |
GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
Host: {{wordlist}}.{{BaseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: status
name: "Available Azure Website"
status:
- 200
- 302
condition: or
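Review bot: The `tags: cloud,azure` line in this new file lacks the `cloud-enum` tag that every other template touched by this commit carries (for example `tags: cloud,cloud-enum,azure` in azure-db-enum and the Azure VM template). Anyone selecting or excluding the enumeration set by tag would silently miss this template. I would change it to `tags: cloud,cloud-enum,azure`.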


@ -0,0 +1,41 @@
id: gcp-app-engine-enum
info:
name: GCP App Engine (Appspot) - Cloud Enumeration
author: initstring
severity: info
description: |
Searches for App Engine Apps in GCP.
metadata:
verified: true
tags: cloud,cloud-enum,gcp
self-contained: true
variables:
BaseDNS: "appspot.com"
loginRedirect: "accounts.google.com"
http:
- raw:
- |
GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
Host: {{wordlist}}.{{BaseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: dsl
name: "Open GCP App Engine App"
dsl:
- "status_code==200"
- type: dsl
name: "Protected GCP App Engine App"
dsl:
- "status_code==302"
- contains(location, "login")
condition: and
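Review bot: The `loginRedirect: "accounts.google.com"` variable is declared but never referenced; the "Protected GCP App Engine App" matcher tests `contains(location, "login")` instead. That substring is loose: any app that issues its own 302 to a path containing "login" would be labelled as protected by Google sign-in, which misstates the finding. Either drop the unused variable or tighten the check to the declared host, for example `contains(location, "accounts.google.com")` (or a reference to `loginRedirect`, if the DSL context exposes template variables). A comment on the matcher saying which redirect it is meant to recognise would also help.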


@ -1,31 +1,37 @@
id: cloud-enum-gcp-bucket id: gcp-bucket-enum
info: info:
name: Cloud Enumeration - GCP Buckets name: GCP Buckets - Cloud Enumeration
author: initstring author: initstring
severity: info severity: info
description: Searches for open and protected buckets in GCP description: |
reference: tba Searches for open and protected buckets in GCP.
tags: cloud,gcp metadata:
verified: true
tags: cloud,cloud-enum,gcp
self-contained: true self-contained: true
variables: variables:
baseDNS: "storage.googleapis.com" BaseDNS: "storage.googleapis.com"
http: http:
- raw: - raw:
- | - |
GET http://{{wordlist}}.{{baseDNS}} HTTP/1.1 GET http://{{wordlist}}.{{BaseDNS}} HTTP/1.1
Host: {{wordlist}}.{{baseDNS}} Host: {{wordlist}}.{{BaseDNS}}
redirects: false redirects: false
attack: batteringram attack: batteringram
threads: 10 threads: 10
matchers: matchers:
- type: status - type: status
name: "Open GCP Bucket" name: "Open GCP Bucket"
status: status:
- 200 - 200
- type: status - type: status
name: "Protected GCP Bucket" name: "Protected GCP Bucket"
status: status:


@ -0,0 +1,33 @@
id: gcp-firebase-app-enum
info:
name: GCP Firebase Apps - Cloud Enumeration
author: initstring
severity: info
description: |
Searches for Firebase Apps in GCP.
metadata:
verified: true
tags: cloud,cloud-enum,gcp
self-contained: true
variables:
BaseDNS: "firebaseapp.com"
http:
- raw:
- |
GET https://{{wordlist}}.{{BaseDNS}} HTTP/1.1
Host: {{wordlist}}.{{BaseDNS}}
redirects: false
attack: batteringram
threads: 10
matchers:
- type: status
name: "Open GCP Firebase App"
status:
- 200


@ -1,39 +1,48 @@
id: cloud-enum-gcp-firebase-rtdb id: gcp-firebase-rtdb-enum
info: info:
name: Cloud Enumeration - GCP Firebase Realtime Database name: GCP Firebase Realtime Database - Cloud Enumeration
author: initstring author: initstring
severity: info severity: info
description: Searches for Firebase Realtime Databases in GCP description: |
reference: tba Searches for Firebase Realtime Databases in GCP.
tags: cloud,gcp metadata:
verified: true
tags: cloud,cloud-enum,gcp
self-contained: true self-contained: true
variables: variables:
baseDNS: "firebaseio.com" BaseDNS: "firebaseio.com"
http: http:
- raw: - raw:
- | - |
GET https://{{wordlist}}.{{baseDNS}}/.json HTTP/1.1 GET https://{{wordlist}}.{{BaseDNS}}/.json HTTP/1.1
Host: {{wordlist}}.{{baseDNS}} Host: {{wordlist}}.{{BaseDNS}}
redirects: false redirects: false
attack: batteringram attack: batteringram
threads: 10 threads: 10
matchers-condition: or
matchers: matchers:
- type: status - type: status
name: "Open GCP Firebase RTDB" name: "Open GCP Firebase RTDB"
status: status:
- 200 - 200
- type: status - type: status
name: "Protected GCP Firebase RTDB" name: "Protected GCP Firebase RTDB"
status: status:
- 401 - 401
- type: status - type: status
name: "Payment GCP on Google Firebase RTDB" name: "Payment GCP on Google Firebase RTDB"
status: status:
- 402 - 402
- type: status - type: status
name: "Deactivated GCP Firebase RTDB" name: "Deactivated GCP Firebase RTDB"
status: status: