daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin' into dynamic_attributes

patch-1
forgedhallpass 2021-08-26 15:04:14 +03:00
parent 110f9c9ddd f34e048f73
commit a4250b8f2f
29 changed files with 1257 additions and 761 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 624 | pikpikcu | 243 | cves | 631 | info | 592 | http | 1785 |
| panel | 222 | dhiyaneshdk | 240 | vulnerabilities | 281 | high | 504 | file | 46 |
| xss | 221 | pdteam | 196 | exposed-panels | 225 | medium | 398 | network | 38 |
| exposure | 212 | daffainfo | 160 | exposures | 182 | critical | 230 | dns | 11 |
| wordpress | 203 | geeknik | 149 | technologies | 160 | low | 161 | | |
| lfi | 203 | dwisiswant0 | 131 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 71 | takeovers | 71 | | | | |
| cve | 632 | dhiyaneshdk | 245 | cves | 640 | info | 603 | http | 1807 |
| panel | 232 | pikpikcu | 244 | vulnerabilities | 283 | high | 510 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 231 | medium | 402 | network | 38 |
| exposure | 214 | daffainfo | 164 | exposures | 184 | critical | 232 | dns | 11 |
| lfi | 207 | geeknik | 149 | technologies | 163 | low | 160 | | |
| wordpress | 203 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 51 | | | | |
| wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
| cve2021 | 103 | pussycat0x | 42 | workflows | 35 | | | | |
| wp-plugin | 136 | princechaddha | 54 | file | 46 | | | | |
| tech | 105 | pussycat0x | 44 | workflows | 35 | | | | |
**146 directories, 1940 files**.
**146 directories, 1962 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

1416
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

18
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 624 | pikpikcu | 243 | cves | 631 | info | 592 | http | 1785 |
| panel | 222 | dhiyaneshdk | 240 | vulnerabilities | 281 | high | 504 | file | 46 |
| xss | 221 | pdteam | 196 | exposed-panels | 225 | medium | 398 | network | 38 |
| exposure | 212 | daffainfo | 160 | exposures | 182 | critical | 230 | dns | 11 |
| wordpress | 203 | geeknik | 149 | technologies | 160 | low | 161 | | |
| lfi | 203 | dwisiswant0 | 131 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 71 | takeovers | 71 | | | | |
| cve | 632 | dhiyaneshdk | 245 | cves | 640 | info | 603 | http | 1807 |
| panel | 232 | pikpikcu | 244 | vulnerabilities | 283 | high | 510 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 231 | medium | 402 | network | 38 |
| exposure | 214 | daffainfo | 164 | exposures | 184 | critical | 232 | dns | 11 |
| lfi | 207 | geeknik | 149 | technologies | 163 | low | 160 | | |
| wordpress | 203 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 51 | | | | |
| wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
| cve2021 | 103 | pussycat0x | 42 | workflows | 35 | | | | |
| wp-plugin | 136 | princechaddha | 54 | file | 46 | | | | |
| tech | 105 | pussycat0x | 44 | workflows | 35 | | | | |

27
cves/2010/CVE-2010-1306.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1306
info:
name: Joomla! Component Picasa 2.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12058
- https://www.cvedetails.com/cve/CVE-2010-1306
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2010/CVE-2010-1954.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-1954
info:
name: Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12287
- https://www.cvedetails.com/cve/CVE-2010-1954
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

33
cves/2018/CVE-2018-12095.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2018-12095
info:
name: OEcms 3.1 - Cross-Site Scripting
author: LogicalHunter
severity: medium
description: A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. The vulnerability is located in the mod parameter of info.php.
reference:
- https://www.exploit-db.com/exploits/44895
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12095
- https://cxsecurity.com/issue/WLB-2018060092
tags: cve,cve2018,xss
requests:
- method: GET
path:
- '{{BaseURL}}/cms/info.php?mod=list%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

2
cves/2019/CVE-2019-15501.yaml
View File

@ -2,7 +2,7 @@ id: CVE-2019-15501
info:
name: LSoft ListServ - XSS
author: Borna Nematzadeh
author: LogicalHunter
severity: medium
reference:
- https://www.exploit-db.com/exploits/47302

2
cves/2019/CVE-2019-8937.yaml
View File

@ -2,7 +2,7 @@ id: CVE-2019-8937
info:
name: HotelDruid 2.3.0 - XSS
author: Borna Nematzadeh
author: LogicalHunter
severity: medium
refrense: https://www.exploit-db.com/exploits/46429
tags: cve,cve2019,xss,hoteldruid

29
cves/2021/CVE-2021-26086.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2021-26086
info:
name: Jira Limited Local File Read
author: cocxanh
severity: medium
description: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
reference:
- https://jira.atlassian.com/browse/JRASERVER-72695
- https://nvd.nist.gov/vuln/detail/CVE-2021-26086
tags: cve,cve2021,jira,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<web-app"
- "</web-app>"
part: body
condition: and

15
cves/2021/CVE-2021-38751.yaml
View File

@ -17,18 +17,21 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}/login/showlogin"
- "{{BaseURL}}"
headers:
Host: "{{randstr}}.tld"
matchers-condition: and
matchers:
- type: regex
regex:
- (EXPONENT\.(?:(?:J(?:QUERY|S)_UR|URL_FUL)|YUI2_UR)L=")?https?://{{randstr}}\.tld
- type: word
words:
- '{{randstr}}.tld'
- 'EXPONENT.PATH'
- 'EXPONENT.URL'
part: body
condition: and
- type: status
status:
- 200
- 200

2
dns/can-i-take-over-dns.yaml
View File

@ -1,4 +1,4 @@
id: can-i-take-over-dns
id: can-i-take-over-dns-fingerprint
info:
name: Can I Take Over DNS - Fingerprint

32
exposed-panels/epson-unauthorized-access-detect.yaml Normal file
View File

@ -0,0 +1,32 @@
id: epson-unauthorized-access-detect
info:
name: Epson Printer
author: pussycat0x
severity: medium
reference: https://www.exploit-db.com/ghdb/6922
tags: iot,printer,panel,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/PRESENTATION/EPSONCONNECT"
matchers-condition: and
matchers:
- type: word
words:
- "Epson Connect"
- "/IMAGE/EPSONLOGO.PNG"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- "<title>([A-Z-0-9]+) Series</title>"

25
exposed-panels/epson-web-control-detect.yaml Normal file
View File

@ -0,0 +1,25 @@
id: epson-web-control-detect
info:
name: Epson Printer
author: pussycat0x
severity: info
reference: https://www.exploit-db.com/ghdb/6873
tags: iot,printer,panel,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/home"
matchers-condition: and
matchers:
- type: word
words:
- "Epson Web Control"
- "Basic Control"
- "Advanced"
condition: and
- type: status
status:
- 200

23
exposed-panels/honeywell-web-controller.yaml Normal file
View File

@ -0,0 +1,23 @@
id: honeywell-web-controller
info:
name: Honeywell XL Web Controller
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7130
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}/standard/default.php'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Honeywell XL Web Controller</title>'
- type: status
status:
- 200

23
exposed-panels/ibm-note-login.yaml Normal file
View File

@ -0,0 +1,23 @@
id: ibm-note-login
info:
name: IBM iNotes Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7122
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/names.nsf'
matchers-condition: and
matchers:
- type: word
words:
- '<title>IBM iNotes Login</title>'
- type: status
status:
- 200

31
exposed-panels/lacie-panel.yaml Normal file
View File

@ -0,0 +1,31 @@
id: lacie-panel
info:
name: LaCie Login Panel
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7118
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/dashboard/'
matchers-condition: and
matchers:
- type: word
words:
- 'id_LaCie'
part: body
- type: regex
regex:
- '(?m)<title>([a-zA-Z0-9&#; ]|)+Dashboard<\/title>$'
part: body
- type: status
status:
- 200

22
exposed-panels/web-service-panel.yaml Normal file
View File

@ -0,0 +1,22 @@
id: web-service-panel
info:
name: WEB SERVICE Panel
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7116
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>WEB SERVICE</title>'
- type: status
status:
- 200

30
exposures/files/axis-happyaxis.yaml Normal file
View File

@ -0,0 +1,30 @@
id: axis-happyaxis
info:
name: Axis Happyaxis Exposure
author: dogasantos
severity: info
tags: axis,axis2,middleware,exposure,apache
requests:
- method: GET
path:
- "{{BaseURL}}/axis2/axis2-web/HappyAxis.jsp"
- "{{BaseURL}}/axis/happyaxis.jsp"
- "{{BaseURL}}/axis2-web/HappyAxis.jsp"
- "{{BaseURL}}/happyaxis.jsp"
matchers-condition: and
matchers:
- type: word
words:
- "Axis Happiness Page"
- "Axis2 Happiness Page"
- "Examining Application Server"
- "Examining Version Service"
- "Examining System Properties"
condition: or
- type: status
status:
- 200

33
exposures/files/glpi-status-ldap-domain-disclosure.yaml Normal file
View File

@ -0,0 +1,33 @@
id: glpi-status-domain-disclosure
info:
name: GLPI Status Domain Disclosure
author: dogasantos
severity: info
tags: glpi,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/status.php"
- "{{BaseURL}}/glpi/status.php"
- "{{BaseURL}}/glpi2/status.php"
matchers-condition: and
matchers:
- type: word
words:
- "GLPI_"
- "LDAP server"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|([a-zA-Z0-9]+(\.[a-zA-Z0-9]{2,3}){1,2}))'

25
exposures/files/glpi-telemetry-disclosure.yaml Normal file
View File

@ -0,0 +1,25 @@
id: glpi-telemetry-disclosure
info:
name: GLPI Telemetry Disclosure
author: dogasantos
severity: info
tags: glpi,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/ajax/telemetry.php"
- "{{BaseURL}}/glpi/ajax/telemetry.php"
matchers-condition: and
matchers:
- type: word
words:
- '"uuid":'
- '"glpi":'
condition: and
- type: status
status:
- 200

8
network/ftp-default-credentials.yaml
View File

@ -1,9 +1,9 @@
id: ftp-default-credentials
info:
name: FTP Service with default credentials
name: FTP Service with anonymous Login
author: pussycat0x
severity: low
severity: info
tags: network,ftp,default-login
network:
@ -17,4 +17,6 @@ network:
matchers:
- type: word
words:
- "230"
- "230"
- "Anonymous user logged in"
condition: and

31
technologies/apache-axis-detect.yaml Normal file
View File

@ -0,0 +1,31 @@
id: apache-axis-detect
info:
name: apache-axis-detect
author: dogasantos
severity: info
description: Axis and Axis2 detection
tags: tech,axis2,middleware,apache
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/axis2/"
- "{{BaseURL}}/axis/"
matchers-condition: and
matchers:
- type: word
words:
- "Validate"
- "Welcome"
- "Axis"
- "deployed"
- "installation"
- "Admin"
condition: and
- type: status
status:
- 200

27
technologies/glpi-cms-detect.yaml Normal file
View File

@ -0,0 +1,27 @@
id: glpi-cms-detect
info:
name: GLPI Cms Detection
author: dogasantos
severity: info
tags: glpi,cms,php
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/glpi/"
- "{{BaseURL}}/glpi2/"
matchers-condition: and
matchers:
- type: word
words:
- "CFG_GLPI"
- "_glpi_csrf_token"
- "GLPI Copyright"
condition: and
- type: status
status:
- 200

23
technologies/synology-web-station.yaml Normal file
View File

@ -0,0 +1,23 @@
id: synology-web-station
info:
name: Synology Web Station
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7125
tags: tech
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Hello! Welcome to Synology Web Station!</title>'
- type: status
status:
- 200

22
vulnerabilities/generic/basic-cors.yaml
View File

@ -1,22 +0,0 @@
id: basic-cors-misconfig
info:
name: Basic CORS misconfiguration
author: nadino
severity: info
tags: cors,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
Origin: https://evil.com
matchers:
- type: word
words:
- "Access-Control-Allow-Origin: https://evil.com"
- "Access-Control-Allow-Credentials: true"
condition: and
part: header

66
vulnerabilities/generic/cors-misconfig.yaml Normal file
View File

@ -0,0 +1,66 @@
id: cors-misconfig
info:
name: Basic CORS misconfiguration
author: nadino,G4L1T0,convisoappsec,pdteam
severity: info
reference: https://portswigger.net/web-security/cors
tags: cors,generic
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
GET / HTTP/1.1
Host: {{Hostname}}
Origin: {{randstr}}.com
- |
GET / HTTP/1.1
Host: {{Hostname}}
Origin: null
# - |
# GET / HTTP/1.1
# Host: {{Hostname}}
# Origin: {{randstr}}.{{Hostname}}
#
# - |
# GET / HTTP/1.1
# Host: {{Hostname}}
# Origin: {{Hostname}}{{randstr}}
# TO DO for future as currently {{Hostname}} is not supported in matchers
matchers-condition: or
matchers:
- type: dsl
name: arbitrary-origin
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.com')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: null-origin
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: null')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: wildcard-acac
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: wildcard-no-acac
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
- "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and

2
vulnerabilities/other/bitrix-open-redirect.yaml
View File

@ -21,7 +21,7 @@ requests:
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://example.com'
- '{{BaseURL}}bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
matchers-condition: and

2
vulnerabilities/wordpress/wordpress-woocommerce-sqli.yaml
View File

@ -21,6 +21,8 @@ requests:
words:
- 'sqli-test'
- 'attribute_counts'
- 'price_range'
- 'term'
condition: and
- type: word