Massive template checks addition 🎉 🎉

patch-1
team-projectdiscovery 2021-01-10 18:41:25 +05:30
parent 664a6f3b04
commit a90d047991
43 changed files with 851 additions and 0 deletions


@ -0,0 +1,22 @@
id: activemq-default-login
info:
name: Apache ActiveMQ Default Credentials
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/admin/'
headers:
Authorization: "Basic YWRtaW46YWRtaW4="
matchers:
- type: word
words:
- 'Welcome to the Apache ActiveMQ Console of <b>'
- '<h2>Broker</h2>'
condition: and
# We could add a request condition block to only send this request if the
# site response URL had activeMQ broker stuff in the source.


@ -0,0 +1,19 @@
id: ambari-default-credentials
info:
name: Apache Ambari Default Credentials
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name'
headers:
Authorization: "Basic YWRtaW46YWRtaW4="
matchers:
- type: word
words:
- '"Users" : {'
- 'AMBARI.'
condition: and


@ -0,0 +1,20 @@
id: ofbiz-default-credentials
info:
name: Apache OfBiz Default Credentials
author: Ice3man
severity: medium
requests:
- method: POST
path:
- '{{BaseURL}}/control/login'
headers:
Content-Type: application/x-www-form-urlencoded
body: USERNAME=admin&PASSWORD=ofbiz&FTOKEN=&JavaScriptEnabled=Y
matchers:
- type: word
words:
- "ofbiz-pagination-template"
- "<span>Powered by OFBiz</span>"
condition: and


@ -0,0 +1,22 @@
id: zabbix-default-credentials
info:
name: Zabbix Default Credentials
author: Ice3man
severity: critical
requests:
- method: POST
path:
- '{{BaseURL}}/index.php'
headers:
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- X-Requested-With: XMLHttpRequest
body: name=Admin&password=zabbix&autologin=1&enter=Sign+in
matchers-condition: and
matchers:
- type: word
words:
- "zabbix.php?action=dashboard.view"
- type: status
status: 302
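Review bot: The `headers:` block of this template is written as a sequence of single-key maps (`- Content-Type: …`, `- X-Requested-With: …`), while every other template in this commit (activemq-default-login, ofbiz-default-credentials) writes it as a plain mapping; nuclei's request `headers` field is a mapping, so this file will most likely fail to load. The status matcher has the same shape problem: `status: 302` is a scalar where adminer-exposure and yarn-resourcemanager-rce use a list (`status:` / `- 200`). Both should be rewritten to the shape the sibling templates use.
```yaml
headers:
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
# … unchanged: body, matchers-condition, word matcher …
  - type: status
    status:
      - 302
```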


@ -0,0 +1,17 @@
id: active-admin-exposure
info:
name: ActiveAdmin Admin Dasboard Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/admin/login'
matchers:
- type: word
words:
- "active_admin_content"
- "active_admin-"
condition: and


@ -0,0 +1,17 @@
id: activemq-panel
info:
name: Apache ActiveMQ Exposure
author: Ice3man
severity: info
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- '<h2>Welcome to the Apache ActiveMQ!</h2>'
- '<title>Apache ActiveMQ</title>'
condition: and


@ -0,0 +1,125 @@
id: adminer-exposure
info:
name: Adminer Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/adminer-4.7.0.php'
- '{{BaseURL}}/adminer-4.6.0-mysql-en.php'
- '{{BaseURL}}/adminer/adminer.php'
- '{{BaseURL}}/adminer-4.6.0-en.php'
- '{{BaseURL}}/adminer-4.6.2-mysql.php'
- '{{BaseURL}}/adminer-4.6.1-mysql.php'
- '{{BaseURL}}/adminer-4.7.2.php'
- '{{BaseURL}}/adminer-4.0.1/'
- '{{BaseURL}}/adminer-4.6.3-mysql-en.php'
- '{{BaseURL}}/adminer-4.3.1-mysql-en.php'
- '{{BaseURL}}/adminer-3.3.1/'
- '{{BaseURL}}/adminer-3.6.1/'
- '{{BaseURL}}/adminer-4.6.2.php'
- '{{BaseURL}}/adminer-4.0.3.php'
- '{{BaseURL}}/adminer-4.3.0.php'
- '{{BaseURL}}/adminer-4.6.1.php'
- '{{BaseURL}}/adminer-4.2.5-en.php'
- '{{BaseURL}}/data/adminer.php'
- '{{BaseURL}}/adminer/index.php'
- '{{BaseURL}}/adminer-4.2.0.php'
- '{{BaseURL}}/adminer-4.5.0-mysql.php'
- '{{BaseURL}}/admin/adminer.php'
- '{{BaseURL}}/adminer-4.7.2-mysql.php'
- '{{BaseURL}}/adminer-4.2.2/'
- '{{BaseURL}}/adminer-4.5.0.php'
- '{{BaseURL}}/adminer-3.6.0/'
- '{{BaseURL}}/webadminer.php'
- '{{BaseURL}}/adminer-4.0.3/'
- '{{BaseURL}}/adminer-4.1.0.php'
- '{{BaseURL}}/adminer-3.3.2/'
- '{{BaseURL}}/adminer-4.6.2-en.php'
- '{{BaseURL}}/adminer-4.7.1-mysql.php'
- '{{BaseURL}}/public/adminer.php'
- '{{BaseURL}}/adminer-4.1.0/'
- '{{BaseURL}}/adminer-4.5.0-en.php'
- '{{BaseURL}}/adminer-4.2.4/'
- '{{BaseURL}}/adminer-4.6.2-mysql-en.php'
- '{{BaseURL}}/adminer.php'
- '{{BaseURL}}/adminer-4.7.0-mysql-en.php'
- '{{BaseURL}}/adminer-4.4.0-mysql.php'
- '{{BaseURL}}/adminer-4.3.1.php'
- '{{BaseURL}}/adminer-4.6.0-mysql.php'
- '{{BaseURL}}/adminer-4.2.3/'
- '{{BaseURL}}/_adminer.php'
- '{{BaseURL}}/adminer-3.3.3/'
- '{{BaseURL}}/adminer-3.3.0/'
- '{{BaseURL}}/php/adminer.php'
- '{{BaseURL}}/adminer-3.1.0/'
- '{{BaseURL}}/adminer-4.6.3-mysql.php'
- '{{BaseURL}}/adminer-4.7.2-mysql-en.php'
- '{{BaseURL}}/adminer-4.4.0-en.php'
- '{{BaseURL}}/publicadminer.php'
- '{{BaseURL}}/adminer1.php'
- '{{BaseURL}}/adminer-4.7.3-mysql.php'
- '{{BaseURL}}/adminer-4.6.3-en.php'
- '{{BaseURL}}/adminer-4.2.5-mysql-en.php'
- '{{BaseURL}}/adminer-3.0.0/'
- '{{BaseURL}}/adminer-3.5.0/'
- '{{BaseURL}}/adminer-3.6.4/'
- '{{BaseURL}}/adminer-4.7.3-mysql-en.php'
- '{{BaseURL}}/adminer-3.2.2/'
- '{{BaseURL}}/adminer-3.0.1/'
- '{{BaseURL}}/tools/adminer.php'
- '{{BaseURL}}/adminer-4.7.1.php'
- '{{BaseURL}}/adminer-4.0.3-mysql.php'
- '{{BaseURL}}/adminer-4.2.5-mysql.php'
- '{{BaseURL}}/adminer-3.5.1/'
- '{{BaseURL}}/adminer-3.6.3/'
- '{{BaseURL}}/adminer-4.3.0-mysql-en.php'
- '{{BaseURL}}/web/adminer.php'
- '{{BaseURL}}/adminer-3.2.1/'
- '{{BaseURL}}/adminer/'
- '{{BaseURL}}/adminer-4.6.2-cs.php'
- '{{BaseURL}}/adminer-4.2.0-mysql.php'
- '{{BaseURL}}/adminer-4.5.0-mysql-en.php'
- '{{BaseURL}}/adminer-4.3.1-mysql.php'
- '{{BaseURL}}/adminer-4.1.0-mysql.php'
- '{{BaseURL}}/adminer-4.7.1-mysql-en.php'
- '{{BaseURL}}/adminer-4.3.1-en.php'
- '{{BaseURL}}/adminer-4.7.0-en.php'
- '{{BaseURL}}/adminer-4.6.1-mysql-en.php'
- '{{BaseURL}}/adminer-4.7.2-en.php'
- '{{BaseURL}}/adminer-4.2.0/'
- '{{BaseURL}}/adminer-3.6.2/'
- '{{BaseURL}}/adminer-4.4.0-mysql-en.php'
- '{{BaseURL}}/toolsadminer.php'
- '{{BaseURL}}/adminer-3.7.0/'
- '{{BaseURL}}/adminer-4.2.5.php'
- '{{BaseURL}}/adminer-3.2.0/'
- '{{BaseURL}}/adminer-4.4.0.php'
- '{{BaseURL}}/adminer-4.7.3.php'
- '{{BaseURL}}/adminer-4.3.0-en.php'
- '{{BaseURL}}/adminer-4.6.3.php'
- '{{BaseURL}}/adminer-4.0.2/'
- '{{BaseURL}}/wp-content/plugins/adminer/adminer.php'
- '{{BaseURL}}/adminer-3.4.0/'
- '{{BaseURL}}/adminer-4.0.0/'
- '{{BaseURL}}/adminer-4.7.1-en.php'
- '{{BaseURL}}/adminer-4.3.0-mysql.php'
- '{{BaseURL}}/adminer-4.2.1/'
- '{{BaseURL}}/adminer-4.6.0.php'
- '{{BaseURL}}/adminer-3.7.1/'
- '{{BaseURL}}/adminadminer.php'
- '{{BaseURL}}/adminer-3.3.4/'
- '{{BaseURL}}/adminer-4.6.1-en.php'
- '{{BaseURL}}/adminer-4.7.3-en.php'
- '{{BaseURL}}/adminer-4.7.0-mysql.php'
matchers-condition: and
matchers:
- type: word
words:
- "Login - Adminer"
- type: status
status:
- 200


@ -0,0 +1,18 @@
id: airflow-exposure
info:
name: Apache Airflow Exposure / Unauthenticated Access
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/'
- '{{BaseURL}}/admin/'
matchers:
- type: word
words:
- '<title>Airflow - DAGs</title>'
- '<a href="https://github.com/apache/airflow">'
condition: and


@ -0,0 +1,17 @@
id: ambari-exposure
info:
name: Apache Ambari Exposure / Unauthenticated Access
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- '<title>Ambari</title>'
- 'href="http://www.apache.org/licenses/LICENSE-2.0"'
condition: and


@ -0,0 +1,17 @@
id: ansible-tower-exposure
info:
name: Ansible Tower Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- "<title>Ansible Tower</title>"
- "ansible-main-menu"
condition: and


@ -0,0 +1,18 @@
id: couchdb-exposure
info:
name: Apache CouchDB Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/_all_dbs'
matchers:
- type: word
words:
- CouchDB/
- Erlang OTP/
part: header
condition: and


@ -0,0 +1,15 @@
id: couchdb-fauxton
info:
name: Apache CouchDB Fauxton Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- '<title>Project Fauxton</title>'


@ -0,0 +1,17 @@
id: django-admin-panel
info:
name: Python Django Admin Panel
author: Ice3man
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/admin/login/?next=/admin/"
matchers:
- type: word
words:
- "<a href=\"/admin/\">Django administration</a>"
condition: and
part: body


@ -0,0 +1,17 @@
id: druid-console-exposure
info:
name: Alibaba Druid Console Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- 'src="/druid.js"'
- 'href="/druid.css"'
condition: and


@ -0,0 +1,15 @@
id: exposed-pagespeed-global-admin
info:
name: Apache PageSpeed Global Admin Dashboard Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/pagespeed_admin/'
matchers:
- type: word
words:
- "<b>Pagespeed Admin</b>"


@ -0,0 +1,17 @@
id: exposed-webalizer
info:
name: Publicly exposed Webalizer Interface
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/webalizer/'
matchers:
- type: word
words:
- "Webalizer Version"
- "Usage statistics for"
condition: and


@ -0,0 +1,15 @@
id: flink-exposure
info:
name: Apache Flink Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- '<title>Apache Flink Web Dashboard</title>'


@ -0,0 +1,15 @@
id: hadoop-exposure
info:
name: Apache Hadoop Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/dfshealth.html'
matchers:
- type: word
words:
- '<div class="navbar-brand">Hadoop</div>'


@ -0,0 +1,15 @@
id: kafka-connect-ui
info:
name: Apache Kafka Connect UI Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- '<title>Kafka Connect UI</title>'


@ -0,0 +1,16 @@
id: kafka-monitoring
info:
name: Apache Kafka Monitor Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- '>KafkaMonitor</a>'
- '>Kafka Monitor GUI</h1>'
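Review bot: The word matcher in kafka-monitoring lists two strings but sets no `condition`, so nuclei's default (`or`) applies and either string alone produces a match; every other two-word matcher in this commit states `condition: and` explicitly. If both strings are expected on a real Kafka Monitor page, add `condition: and` under `words:`; if the `or` is intentional, a one-line comment saying so would stop the next reader from "fixing" it.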


@ -0,0 +1,15 @@
id: kafka-topics-ui
info:
name: Apache Kafka Topics UI Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- '<title>Kafka Topics UI - Browse Kafka Data</title>'


@ -0,0 +1,15 @@
id: kubernetes-dashboard
info:
name: Kubernetes Console Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/"
matchers:
- type: word
words:
- "Kubernetes Dashboard</title>"


@ -0,0 +1,15 @@
id: rocketmq-console-exposure
info:
name: Apache RocketMQ Console Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- "<title>RocketMq-console-ng</title>"


@ -0,0 +1,17 @@
id: selenoid-ui-exposure
info:
name: Selenoid UI Dashboard Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/admin/login'
matchers:
- type: word
words:
- "<title>Selenoid UI</title>"
- "/manifest.json"
condition: and
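Review bot: The request path `{{BaseURL}}/admin/login` in selenoid-ui-exposure is identical to the one in active-admin-exposure earlier in this commit and does not look like a Selenoid UI route; it reads as a copy-paste leftover. Please confirm the path against a real Selenoid UI deployment — if the dashboard is served at the root, the path should be `'{{BaseURL}}/'` as in the other dashboard templates here. A short `description` naming the endpoint being probed would also make the intent checkable.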


@ -0,0 +1,20 @@
id: setup-page-exposure
info:
name: Zenphoto Setup Page Exposure
author: Ice3man
severity: medium
description: Misconfiguration on Zenphoto version < 1.5.X which lead to sensitive information disclosure
requests:
- method: GET
path:
- '{{BaseURL}}/zp-core/setup/index.php'
- '{{BaseURL}}/zp/zp-core/setup/index.php'
- '{{BaseURL}}/gallery/zp-core/setup/index.php'
- '{{BaseURL}}/zenphoto/zp-core/setup/index.php'
matchers:
- type: word
words:
- Welcome to Zenphoto! This page will set up Zenphoto
part: body
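Review bot: The id `setup-page-exposure` is product-agnostic while the `name` and paths are Zenphoto-specific; every other template in this commit prefixes its id with the product (`zabbix-…`, `airflow-…`), so a product-prefixed id such as `zenphoto-setup-exposure` would keep the set consistent and avoid future collisions. The description also has a grammar slip: `description: Misconfiguration in Zenphoto versions below 1.5.x that leads to sensitive information disclosure`.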


@ -0,0 +1,15 @@
id: solr-exposure
info:
name: Apache Solr Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/solr/'
matchers:
- type: word
words:
- "<title>Solr Admin</title>"


@ -0,0 +1,18 @@
id: yarn-manager-exposure
info:
name: Apache Yarn ResourceManager Exposure / Unauthenticated Access
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/cluster/cluster'
matchers:
- type: word
words:
- 'hadoop'
- 'resourcemanager'
- 'logged in as: dr.who'
condition: and


@ -0,0 +1,17 @@
id: zipkin-exposure
info:
name: Zipkin Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}/zipkin/"
matchers:
- type: word
part: body
words:
- "webpackJsonpzipkin-lens"


@ -0,0 +1,17 @@
id: airflow-configuration-exposure
info:
name: Apache Airflow Configuration Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/airflow.cfg'
matchers:
- type: word
words:
- '[core]'
- '[api]'
condition: and


@ -0,0 +1,17 @@
id: amazon-docker-config-disclosure
info:
name: Dockerrun AWS Configuration Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/Dockerrun.aws.json'
matchers:
- type: word
words:
- 'AWSEBDockerrunVersion'
- 'containerDefinitions'
condition: and


@ -0,0 +1,17 @@
id: ansible-config-disclosure
info:
name: Ansible Configuration Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/ansible.cfg'
matchers:
- type: word
words:
- '[defaults]'
- '[inventory]'
condition: and


@ -0,0 +1,20 @@
id: opcache-status-exposure
info:
name: OPcache Status Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/opcache-status/"
- "{{BaseURL}}/php-opcache-status/"
- "{{BaseURL}}/opcache-status/opcache.php"
matchers:
- type: word
words:
- "<th>opcache_enabled</th>"
- "<th>opcache_hit_rate</th>"
condition: and
part: body


@ -0,0 +1,17 @@
id: perl-status
info:
name: Apache mod_perl Status Page Exposure
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/perl-status'
matchers:
- type: word
words:
- "<title>Apache2::Status"
- "Perl version"
condition: and


@ -0,0 +1,18 @@
id: rails-database-config
info:
name: Ruby-on-Rails Database Configuration Exposure
author: Ice3man
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/config/database.yml"
matchers:
- type: word
words:
- "adapter:"
- "database:"
condition: and
part: body
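Review bot: rails-database-config is rated `severity: low` while symfony-database-config later in this commit is rated `high` for the same class of finding — a web-exposed database configuration file that typically carries connection credentials. The two should carry the same rating; given what a readable `database.yml` usually contains, `severity: high` seems the defensible choice, or add a `description` explaining why the Rails case is considered less serious.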


@ -0,0 +1,18 @@
id: symfony-database-config
info:
name: Symfony Database Configuration Exposure
author: Ice3man
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/config/databases.yml"
matchers:
- type: word
words:
- "class:"
- "param:"
condition: and
part: body


@ -0,0 +1,18 @@
id: symfony-profiler
info:
name: Symfony Profiler
author: ice3man
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/_profiler/empty/search/results?limit=10"
matchers:
- type: word
words:
- "<title>Symfony Profiler</title>"
- "symfony/profiler/"
condition: and
part: body


@ -0,0 +1,18 @@
id: rails-debug-mode
info:
name: Rails Debug Mode Enabled
author: ice3man
severity: medium
requests:
- method: GET
path:
- "{{BaseURL}}/1238a92f573a48e58d356c42ca2c9610"
matchers:
- type: word
words:
- "Rails.root:"
- "Action Controller: Exception caught"
condition: and
part: body


@ -0,0 +1,17 @@
id: struts-debug-mode
info:
name: Apache Struts setup in Debug-Mode
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers:
- type: word
words:
- "<debug>"
- "<struts.actionMapping>"
condition: and


@ -0,0 +1,17 @@
id: airflow-api-exposure
info:
name: Apache Airflow API Exposure / Unauthenticated Access
author: Ice3man
severity: medium
requests:
- method: GET
path:
- '{{BaseURL}}/api/experimental/latest_runs'
matchers:
- type: word
words:
- '"dag_run_url":'
- '{"items":['
condition: and


@ -0,0 +1,17 @@
id: hadoop-unauth
info:
name: Apache Hadoop Unauth
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/ws/v1/cluster/info'
matchers:
- type: word
words:
- 'hadoopVersion'
- 'resourceManagerVersionBuiltOn'
condition: and
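Review bot: The `name` "Apache Hadoop Unauth" under-describes what this template checks: the path `/ws/v1/cluster/info` and the matcher words `hadoopVersion` / `resourceManagerVersionBuiltOn` are the YARN ResourceManager REST API, which overlaps with yarn-manager-exposure in the same commit. A more specific name, e.g. `name: Apache Hadoop YARN ResourceManager REST API Unauthenticated Access`, plus a `description` noting that it confirms the cluster-info endpoint answers without authentication, would let users tell the two templates apart.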


@ -0,0 +1,20 @@
id: acme-xss
info:
name: ACME / Let's Encrypt Reflected XSS
author: Ice3man
severity: low
requests:
- method: GET
path:
- '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E'
matchers:
- type: word
words:
- "<?xml version=\"1.0\"?><x:script xmlns:x=\"http://www.w3.org/1999/xhtml\">alert(document.domain&#x29;</x:script>"
- type: word
words:
- "/xml"
- "/html"
matchers-condition: and
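Review bot: The second word matcher (`/xml`, `/html`) has no `part`, so nuclei searches the response body by default; the reflected payload contains neither substring (its only slash-prefixed tokens are `/1999/xhtml` and `/x:script`), so with `matchers-condition: and` the template is unlikely to fire on a genuinely vulnerable host, or fires only on unrelated body content. Presumably the intent is to check the response `Content-Type`, in which case the matcher needs `part: header` next to `type: word`. A short comment stating that the second matcher exists to confirm a browser-renderable content type would make the reasoning explicit.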


@ -0,0 +1,15 @@
id: aspnuke-openredirect
info:
name: ASP-Nuke Open Redirect
author: Ice3man
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569"
matchers:
- type: regex
part: body
regex:
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$'
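Review bot: The regex matcher is anchored on `^Location\s*:` but is scoped with `part: body`; `Location` is a response header, so the expression is run against the wrong part and a real redirect response never matches. Change the matcher to `part: header`. Consider also adding a `type: status` matcher for 3xx combined with `matchers-condition: and`, as the other multi-matcher templates in this commit do, so a page that merely echoes the string `Location:` in its body is not reported.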


@ -0,0 +1,19 @@
id: yarn-resourcemanager-rce
info:
name: Apache Yarn ResourceManager RCE
author: Ice3man
severity: low
requests:
- method: POST
path:
- '{{BaseURL}}/ws/v1/cluster/apps/new-application'
matchers:
- type: word
words:
- 'application-id'
- type: status
status:
- 200
matchers-condition: and
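Review bot: The `name` claims "ResourceManager RCE" but the template only checks that an unauthenticated POST to `/ws/v1/cluster/apps/new-application` returns 200 with an `application-id`; it does not verify code execution, and `severity: low` contradicts the RCE label in the name. Either rename it to what is actually observed (unauthenticated application-creation endpoint) or rate it consistently with the claim, and add a `description` stating precisely which condition is confirmed. It is also worth documenting that, unlike the GET-only exposure checks in this commit, this request is state-changing on the target (it allocates an application id), so operators can decide whether to include it in routine scans.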