Dashboard Content Enhancements (#4456)

Dashboard Content Enhancements
patch-1
MostInterestingBotInTheWorld 2022-05-20 17:38:52 -04:00 committed by GitHub
parent 386b86878c
commit 809e87987c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 164 additions and 75 deletions

View File

@ -6,6 +6,8 @@ info:
severity: high
description: |
The plugin does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
classification:
cve-id: CVE-2022-0346
reference:
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
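Review bot: The description never names the affected plugin or the parameter that goes unvalidated, although the reference URL identifies the plugin as www-xml-sitemap-generator-org; naming the plugin in the description makes the finding readable without following the link. The added `classification` / `cve-id: CVE-2022-0346` block is consistent with the other templates in this commit.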

View File

@ -1,11 +1,11 @@
id: CVE-2022-1040
info:
name: Sophos Firewall - RCE
name: Sophos Firewall <=18.5 MR3 - Remote Code Execution
author: For3stCo1d
severity: critical
description: |
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
Sophos Firewall version v18.5 MR3 and older contains an authentication bypass vulnerability in the User Portal and Webadmin which could allow a remote attacker to execute code.
reference:
- https://github.com/killvxk/CVE-2022-1040
- https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker
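Review bot: The old and new descriptions say the same thing with the clauses swapped; the useful addition would be the fixed release, since the new name now pins the affected range to `<=18.5 MR3` without saying what version closes it. The reference list consists only of two third-party exploit repositories, so add the vendor advisory alongside them as the authoritative source.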
@ -17,9 +17,9 @@ info:
cve-id: CVE-2022-1040
cwe-id: CWE-287
metadata:
shodan-query: http.title:"Sophos"
verified: true
tags: cve,cve2022,sophos,firewall,auth-bypass
shodan-query: http.title:"Sophos"
tags: cve,cve2022,sophos,firewall,auth-bypass,rce
requests:
- method: POST
@ -44,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/19
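Review bot: The trailing `# Enhanced by mp on 2022/05/19` comment appended here, and repeated at the end of most templates in this commit, duplicates what git history already records and will go stale as the template is edited again; if an attribution is wanted, keep it in commit metadata rather than as a dangling comment after the last matcher.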

View File

@ -5,9 +5,7 @@ info:
author: dwisiswant0,Ph33r
severity: critical
description: |
This F5 BIG-IP vulnerability can allow an unauthenticated attacker
with network access to the BIG-IP system through the management
port and/or self IP addresses to execute arbitrary system commands.
F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication.
reference:
- https://twitter.com/GossiTheDog/status/1523566937414193153
- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
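Review bot: The replacement description drops the exposure context the old text carried (the management port and/or self IP addresses) in favour of the version list, but where the iControl REST interface is reachable from is exactly what a reader triaging this finding needs; keep both, e.g. end the version list with "may allow undisclosed requests sent to the management port and/or self IP addresses to bypass iControl REST authentication and execute arbitrary system commands."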
@ -19,8 +17,8 @@ info:
cve-id: CVE-2022-1388
cwe-id: CWE-306
metadata:
verified: true
shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
verified: "true"
tags: f5,bigip,cve,cve2022,rce,mirai
variables:
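Review bot: `verified: true` becomes `verified: "true"` here, turning the boolean into a string, while the Sophos template in the same commit keeps the unquoted boolean `verified: true`; the SolarView template (CVE-2022-29303) further down gets the same quoted form. Use one type across the commit, preferably the unquoted boolean, so tooling that filters on `verified` sees a consistent value.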
@ -64,3 +62,5 @@ requests:
- "commandResult"
- "8831-2202-EVC"
condition: and
# Enhanced by mp on 2022/05/19

View File

@ -1,14 +1,16 @@
id: CVE-2022-22954
info:
name: VMware Workspace ONE Access - Freemarker SSTI
name: VMware Workspace ONE Access - Server-Side Template Injection
author: sherlocksecurity
severity: critical
description: An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.
description: |
VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager.
reference:
- https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011
- https://www.vmware.com/security/advisories/VMSA-2022-0011.html
- http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-22954
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
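Review bot: The renamed template drops "Freemarker" from the name, which was the one specific detail the old name carried; "VMware Workspace ONE Access - Freemarker Server-Side Template Injection" keeps it while still following the "Product - Vulnerability" convention applied elsewhere in this commit. The rewritten description reads well and the NVD reference is a good addition.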
@ -26,9 +28,12 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Authorization context is not valid"
- type: status
status:
- 400
- 400
# Enhanced by mp on 2022/05/19

View File

@ -1,17 +1,18 @@
id: CVE-2022-22963
info:
name: Spring Cloud Function SPEL RCE
name: Spring Cloud - Remote Code Execution
author: Mr-xn,Adam Crosser
severity: critical
description: |
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions are susceptible to remote code execution vulnerabilities. When using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
reference:
- https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f
- https://github.com/cckuailong/spring-cloud-function-SpEL-RCE
- https://tanzu.vmware.com/security/cve-2022-22963
- https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/
- https://github.com/vulhub/vulhub/tree/scf-spel/spring/spring-cloud-function-spel-injection
- https://nvd.nist.gov/vuln/detail/CVE-2022-22963
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
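Review bot: "Spring Cloud - Remote Code Execution" is too broad a name: Spring Cloud is a family of projects, and the description and every reference concern Spring Cloud Function's handling of a SpEL routing-expression. "Spring Cloud Function - SpEL Remote Code Execution" keeps the naming convention without losing the component.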
@ -41,3 +42,5 @@ requests:
- type: status
status:
- 500
# Enhanced by mp on 2022/05/19

View File

@ -1,7 +1,7 @@
id: CVE-2022-22965
info:
name: Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell)
name: Spring Framework - Remote Code Execution
author: justmumu,arall,dhiyaneshDK,akincibor
severity: critical
description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
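Review bot: The new name drops "Spring4Shell", the name this vulnerability is widely known and searched under, together with the JDK 9+ data-binding qualifier the description depends on; keep the alias in the name, e.g. "Spring Framework - Remote Code Execution (Spring4Shell)". The description itself already carries the Tomcat WAR deployment caveat, which is the right place for it.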
@ -11,12 +11,13 @@ info:
- https://twitter.com/RandoriAttack/status/1509298490106593283
- https://mp.weixin.qq.com/s/kgw-O4Hsd9r2vfme3Y2Ynw
- https://twitter.com/_0xf4n9x_/status/1509935429365100546
remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+.
- https://nvd.nist.gov/vuln/detail/cve-2022-22965
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-22965
cwe-id: CWE-94
remediation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+.
tags: cve,cve2022,rce,spring,injection,oast,intrusive
requests:
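Review bot: Moving `remediation` out from under `reference` is the correct fix: in the old layout it sat at the indentation of the `- https://...` sequence items, where a mapping key is not valid, so the file was malformed rather than merely untidy. The added NVD link is correctly placed under `reference`.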
@ -24,19 +25,6 @@ requests:
path:
- "{{BaseURL}}/?class.module.classLoader.resources.context.configFile=https://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: Java"
case-insensitive: true
- method: POST
path:
- "{{BaseURL}}"
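Review bot: Removing the `matchers-condition` / `matchers` block from the first (GET) request leaves that request with no matcher at all, so confirm that an interaction triggered by the GET probe is still attributed to a match: the only remaining interactsh matchers (`part: interactsh_protocol` and `part: interactsh_request`) now sit under the POST request that follows. If the GET request no longer contributes to matching, drop it rather than send it with no check on its outcome.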
@ -58,4 +46,6 @@ requests:
part: interactsh_request
words:
- "User-Agent: Java"
case-insensitive: true
case-insensitive: true
# Enhanced by mp on 2022/05/19

View File

@ -1,14 +1,15 @@
id: CVE-2022-26148
info:
name: Grafana Zabbix Integration - Credential Disclosure
name: Grafana & Zabbix Integration - Credential Disclosure
author: Geekby
severity: critical
description: An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
description: |
Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-26148
- https://2k8.org/post-319.html
- https://security.netapp.com/advisory/ntap-20220425-0005/
- https://nvd.nist.gov/vuln/detail/CVE-2022-26148
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
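Review bot: The description still reads as manual instructions ("right click to view the source code and use Ctrl-F to search for password") and the sentence "When the user logs in and allows the user to register" is hard to parse; state the exposure instead, e.g. "The Zabbix account password and API URL are embedded in the HTML source of api_jsonrpc.php and can be read by anyone who can load the page." Moving the NVD link to the end of the reference list is fine.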
@ -16,7 +17,7 @@ info:
metadata:
fofa-query: app="Grafana"
shodan-query: title:"Grafana"
tags: cve,cve2022,grafana,zabbix
tags: cve,cve2022,grafana,zabbix,exposure
requests:
- method: GET
@ -50,4 +51,6 @@ requests:
regex:
- '"password":"(.*?)"'
- '"username":"(.*?)"'
- '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php'
- '"url":"([a-z:/0-9.]+)\/api_jsonrpc\.php'
# Enhanced by mp on 2022/05/19

View File

@ -1,13 +1,14 @@
id: CVE-2022-26352
info:
name: DotCMS Arbitrary File Upload
name: DotCMS - Arbitrary File Upload
author: h1ei1
severity: critical
description: There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions.
description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions.
reference:
- https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
- https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26352
classification:
cve-id: CVE-2022-26352
tags: cve,cve2022,rce,dotcms
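Review bot: "upload malicious Trojans to obtain server permissions" is vague; since the template is tagged `rce`, say what the flaw allows: "DotCMS contains an arbitrary file upload vulnerability in the /api/content/ path which can lead to remote code execution." The name change to "DotCMS - Arbitrary File Upload" follows the commit's convention and is fine.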
@ -39,3 +40,5 @@ requests:
- 'contains(body_2, "CVE-2022-26352")'
- 'status_code_2 == 200'
condition: and
# Enhanced by mp on 2022/05/19

View File

@ -10,9 +10,11 @@ info:
- https://www.exploit-db.com/exploits/50940
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29303
- https://drive.google.com/drive/folders/1tGr-WExbpfvhRg31XCoaZOFLWyt3r60g?usp=sharing
classification:
cve-id: CVE-2022-29303
metadata:
verified: true
shodan-query: http.html:"SolarView Compact"
verified: "true"
tags: cve,cve2022,rce,injection
variables:

View File

@ -1,15 +1,16 @@
id: CVE-2022-29464
info:
name: WSO2 Management - Unrestricted Arbitrary File Upload & Remote Code Execution
name: WSO2 Management - Arbitrary File Upload & Remote Code Execution
author: luci,dhiyaneshDk
severity: critical
description: Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
description: |
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
reference:
- https://shanesec.github.io/2022/04/21/Wso2-Vul-Analysis-cve-2022-29464/
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
- https://nvd.nist.gov/vuln/detail/CVE-2022-29464
- https://github.com/hakivvi/CVE-2022-29464
- https://nvd.nist.gov/vuln/detail/CVE-2022-29464
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -42,4 +43,6 @@ requests:
matchers:
- type: dsl
dsl:
- "contains(body_2, 'WSO2-RCE-CVE-2022-29464')"
- "contains(body_2, 'WSO2-RCE-CVE-2022-29464')"
# Enhanced by mp on 2022/05/19

View File

@ -1,16 +1,16 @@
id: CVE-2022-30525
info:
name: Zyxel Firewall - Unauthenticated RCE
name: Zyxel Firewall - OS Command Injection
author: h1ei1,prajiteshsingh
severity: critical
description: |
The vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), including the ATP Series, VPN Series, and USG FLEX Series (including USG20-VPN and USG20W-VPN), allowing an unauthenticated remote attacker to target the affected device as nobody Execute arbitrary code as a user on.
An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
reference:
- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
- https://github.com/rapid7/metasploit-framework/pull/16563
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
classification:
cve-id: CVE-2022-30525
metadata:
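Review bot: The new description is the firmware-version list, which is accurate but loses the two facts the old (garbled) text carried: the flaw is reached through Zero Touch Provisioning, and the resulting commands run as the `nobody` user. One sentence after the version list restoring that context would make the entry more useful than either version on its own.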
@ -36,3 +36,5 @@ requests:
- type: status
status:
- 500
# Enhanced by mp on 2022/05/19

View File

@ -1,12 +1,19 @@
id: laravel-env
info:
name: Laravel .env file accessible
name: Laravel - Sensitive Information Disclosure
author: pxmme1337,dwisiswant0,geeknik,emenalf,adrianmf
severity: critical
description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible.
severity: high
description: |
A Laravel .env file was discovered, which stores sensitive information like database credentials and tokens. It should not be publicly accessible.
reference:
- https://laravel.com/docs/master/configuration#environment-configuration
- https://stackoverflow.com/questions/38331397/how-to-protect-env-file-in-laravel
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
cwe-id: CWE-522
tags: config,exposure,laravel
requests:
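Review bot: The added `cve-id:` key has no value and so leaves a null in the classification block; drop the key when there is no CVE (the same empty `cve-id:` is added to the wordpress-weak-credentials and QVISDVR templates in this commit). The severity downgrade from critical to high is consistent with the 8.3 score the vector yields.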
@ -37,6 +44,7 @@ requests:
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "(?mi)^APP_(NAME|ENV|KEY|DEBUG|URL|PASSWORD)="
- "(?mi)^DB_(HOST|PASSWORD|DATABASE)="
@ -45,3 +53,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/19

View File

@ -3,6 +3,10 @@ id: phpinfo-files
info:
name: phpinfo Disclosure
author: pdteam,daffainfo,meme-lord,dhiyaneshDK
description: |
A "PHP Info" page was found. The output of the phpinfo() command can reveal detailed PHP environment information.
remediation: |
Remove PHP Info pages from publicly accessible sites, or restrict access to authorized users only.
severity: low
tags: config,exposure,phpinfo
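Review bot: `phpinfo()` is a PHP function, not a command; "The output of the phpinfo() function can reveal detailed PHP environment information." reads correctly. The added remediation is a good addition and matches the pattern used for the Laravel templates in this commit.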
@ -32,6 +36,7 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "PHP Extension"
- "PHP Version"

View File

@ -1,14 +1,15 @@
id: node-integration-enabled
info:
name: Node Integration Enabled
name: Electron Applications - Cross-Site Scripting & Remote Code Execution
author: me9187
severity: critical
description: |
Electron Applications is susceptible to remote code execution by way of cross-site scripting via nodeIntegration by calling require('child_process').exec('COMMAND');.
reference:
- https://blog.yeswehack.com/yeswerhackers/exploitation/pentesting-electron-applications/
- https://book.hacktricks.xyz/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps
tags: electron,file,nodejs
# nodeIntegration in Electron Applications means you can turn XSS into RCE by calling require('child_process').exec('COMMAND');
file:
- extensions:
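Review bot: The new name claims "Cross-Site Scripting & Remote Code Execution", but the matcher only looks for the literal `nodeIntegration: true` in files, which establishes a risky setting rather than an exploitable XSS; a name such as "Electron - nodeIntegration Enabled" describes what the template finds, with the XSS-to-RCE consequence left to the description. Also fix the grammar ("Electron applications are susceptible"), and the inline comment above `file:` now duplicates the description and can be removed.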
@ -19,3 +20,5 @@ file:
- type: word
words:
- "nodeIntegration: true"
# Enhanced by mp on 2022/05/19

View File

@ -1,9 +1,18 @@
id: wordpress-weak-credentials
info:
name: WordPress Weak Credentials
name: WordPress - Weak Credentials
author: evolutionsec
severity: critical
description: |
Weak WordPress Credentials were discovered.
reference:
- https://www.wpwhitesecurity.com/strong-wordpress-passwords-wpscan/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id:
cwe-id: CWE-522
tags: wordpress,default-login,fuzz
requests:
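Review bot: `severity: critical` contradicts the classification block added directly below it, whose CVSS vector scores 5.8 (Medium); either the severity or the vector should change so the two agree. As with laravel-env, the empty `cve-id:` key should be dropped rather than left with no value.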
@ -22,16 +31,20 @@ requests:
passwords: helpers/wordlists/wp-passwords.txt
threads: 50
attack: clusterbomb
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 302
- type: word
part: header
words:
- '/wp-admin'
- 'wordpress_logged_in'
condition: and
part: header
- type: status
status:
- 302
# Enhanced by mp on 2022/05/19

View File

@ -4,8 +4,15 @@ info:
name: QVISDVR JSF Deserialization - Remote Code Execution
author: me9187
severity: critical
description: |
QVISDVR Java-Deserialization was discovered, which could allow remote code execution.
reference:
- https://twitter.com/Me9187/status/1414606876575162373
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id:
cwe-id: CWE-77
tags: qvisdvr,rce,deserialization,jsf,iot
requests:
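Review bot: `cwe-id: CWE-77` (command injection) does not match the description, which calls this a Java deserialization issue; CWE-502 (Deserialization of Untrusted Data) is the matching entry. The empty `cve-id:` key should be removed as well.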
@ -33,11 +40,14 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
part: interactsh_protocol
words:
- http
- http
- type: status
status:
- 500
# Enhanced by mp on 2022/05/19

View File

@ -4,7 +4,8 @@ info:
name: HTTP Missing Security Headers
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki,forgedhallpass
severity: info
description: It searches for missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
description: |
This template searches for missing HTTP security headers. The impact of these missing headers can vary.
tags: misconfig,generic
requests:

View File

@ -1,11 +1,15 @@
id: jupyter-ipython-unauth
info:
name: Jupyter ipython Unauth
name: Jupyter ipython - Authorization Bypass
author: pentest_swissky
severity: critical
description: Unauthenticated access to Jupyter instance
tags: unauth
description: Jupyter was able to be accessed without authentication.
classification:
cvss-score: 10.0
cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cwe-id: CWE-288
tags: unauth,jupyter
requests:
- method: GET
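Review bot: The added `cvss-metrics` value lacks the `CVSS:3.0/` (or `CVSS:3.1/`) prefix that every other vector in this commit carries, so it is not a complete CVSS vector string; add the prefix. "Jupyter was able to be accessed without authentication" reads better as "A Jupyter instance was accessible without authentication."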
@ -21,4 +25,6 @@ requests:
words:
- ipython/static/components
- ipython/kernelspecs
part: body
part: body
# Enhanced by mp on 2022/05/20

View File

@ -1,11 +1,12 @@
id: kubernetes-pods-api
info:
name: Kubernetes Pods API
name: Kubernetes Pods - API Discovery & Remote Code Execution
author: ilovebinbash,geeknik,0xtavian
severity: critical
description: When the service port is available, anyone can execute commands inside the container. See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration.
description: A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container.
reference:
- https://github.com/officialhocc/Kubernetes-Kubelet-RCE
- https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/
tags: k8,unauth,kubernetes,devops
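Review bot: The name now promises "API Discovery & Remote Code Execution", but the matcher at the end of the template only checks for an HTTP 200, so the template establishes that the API is reachable, not that commands can be executed; name the template for what it detects and keep remote code execution as the stated impact in the description, where it already is.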
@ -29,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/20

View File

@ -4,7 +4,10 @@ info:
name: Laravel Debug Enabled
author: notsoevilweasel
severity: medium
description: Laravel with APP_DEBUG set to true is prone to show verbose errors.
description: |
Laravel with APP_DEBUG set to true is prone to show verbose errors.
remediation: |
Disable Laravel's debug mode by setting APP_DEBUG to false.
tags: debug,laravel,misconfig
requests:
@ -15,6 +18,7 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- can_execute_commands

View File

@ -1,9 +1,10 @@
id: misconfigured-docker
info:
name: Misconfigured Docker on Default Port
name: Docker Container - Misconfiguration Exposure
author: dhiyaneshDK
severity: critical
description: A Docker container misconfiguration was discovered. The Docker daemon can listen for Docker Engine API requests via three different types of Socket - unix, tcp, and fd. With tcp enabled, the default setup provides un-encrypted and un-authenticated direct access to the Docker daemon. It is conventional to use port 2375 for un-encrypted, and port 2376 for encrypted communication with the daemon.
reference:
- https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html
tags: docker,unauth,devops
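Review bot: The renamed template says "Docker Container - Misconfiguration Exposure", but the description (and the port 2375 convention it cites) concerns the Docker daemon's Engine API being reachable over unencrypted, unauthenticated TCP, not a container; "Docker Engine API - Unauthenticated Access" matches the content. The description itself is a clear improvement over the old name-only entry.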
@ -25,3 +26,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/20

View File

@ -1,10 +1,12 @@
id: springboot-heapdump
info:
name: Detect Springboot Heapdump Actuator
name: Spring Boot Actuator - Heap Dump Detection
author: that_juan_,dwisiswant0,wdahlenb
severity: critical
description: Environment variables and HTTP requests can be found in the HPROF
description: A Spring Boot Actuator heap dump was detected. A heap dump is a snapshot of JVM memory, which could expose environment variables and HTTP requests.
reference:
- https://github.com/pyn3rd/Spring-Boot-Vulnerability
tags: springboot,exposure
requests:
@ -28,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/20

View File

@ -1,11 +1,13 @@
id: unauthenticated-nacos-access
info:
name: Unauthenticated Nacos access v1.x
name: Nacos 1.x - Authentication Bypass
author: taielab,pikpikcu
severity: critical
description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
reference:
- https://github.com/alibaba/nacos/issues/4593
- https://nacos.io/en-us/docs/auth.html
tags: nacos,unauth
requests:
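Review bot: The description is one long double-quoted line that embeds a reference URL and a sample POST request; the other templates in this commit use a `|` block scalar for multi-sentence descriptions, and the URL already appears under `reference`, so move the prose into a block scalar and keep the example request out of `description`.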
@ -34,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/20

View File

@ -1,11 +1,15 @@
id: deprecated-tls
info:
name: Deprecated TLS Detection (inferior to TLS 1.2)
name: Deprecated TLS Detection (TLS 1.1 or SSLv3)
author: righettod
severity: info
reference:
- https://ssl-config.mozilla.org/#config=intermediate
description: |
Both TLS 1.1 and SSLv3 are deprecated in favor of stronger encryption.
remediation: |
Update the web server's TLS configuration to disable TLS 1.1 and SSLv3.
metadata:
shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1
tags: ssl
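Review bot: The new name and description cover only TLS 1.1 and SSLv3, but the `shodan-query` in the same block also lists sslv2 and tlsv1, and TLS 1.0 is deprecated together with TLS 1.1 (RFC 8996); the old name ("inferior to TLS 1.2") described the check more accurately. Suggest "Deprecated TLS Detection (TLS 1.1 or older)" with the description and remediation naming TLS 1.0 and SSLv2 as well, unless the template genuinely tests only the two protocols now named.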

View File

@ -4,6 +4,10 @@ info:
name: Laravel Ignition XSS
author: 0x_Akoko
severity: medium
description: |
Laravel's Ignition contains a cross-site scripting vulnerability when debug mode is enabled.
remediation: |
Disable Laravel's debug mode by setting APP_DEBUG to false.
reference:
- https://www.acunetix.com/vulnerabilities/web/laravel-ignition-reflected-cross-site-scripting/
- https://github.com/facade/ignition/issues/273
@ -21,11 +25,11 @@ requests:
words:
- "Undefined index: --><svg onload=alert(document.domain)> in file"
- type: status
status:
- 500
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 500