diff --git a/default-logins/activemq/activemq-default-login.yaml b/default-logins/activemq/activemq-default-login.yaml
new file mode 100644
index 0000000000..c6546895c8
--- /dev/null
+++ b/default-logins/activemq/activemq-default-login.yaml
@@ -0,0 +1,22 @@
+id: activemq-default-login
+
+info:
+ name: Apache ActiveMQ Default Credentials
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/admin/'
+ headers:
+ Authorization: "Basic YWRtaW46YWRtaW4="
+ matchers:
+ - type: word
+ words:
+ - 'Welcome to the Apache ActiveMQ Console of '
+ - '

Broker

'
+ condition: and
+
+ # We could add a request condition block to only send this request if the
+ # site response URL had activeMQ broker stuff in the source.
diff --git a/default-logins/ambari-default-credentials.yaml b/default-logins/ambari-default-credentials.yaml
new file mode 100755
index 0000000000..fe461837dd
--- /dev/null
+++ b/default-logins/ambari-default-credentials.yaml
@@ -0,0 +1,19 @@
+id: ambari-default-credentials
+
+info:
+ name: Apache Ambari Default Credentials
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name'
+ headers:
+ Authorization: "Basic YWRtaW46YWRtaW4="
+ matchers:
+ - type: word
+ words:
+ - '"Users" : {'
+ - 'AMBARI.'
+ condition: and
\ No newline at end of file
diff --git a/default-logins/ofbiz-default-credentials.yaml b/default-logins/ofbiz-default-credentials.yaml
new file mode 100755
index 0000000000..8f9d9c1374
--- /dev/null
+++ b/default-logins/ofbiz-default-credentials.yaml
@@ -0,0 +1,20 @@
+id: ofbiz-default-credentials
+
+info:
+ name: Apache OfBiz Default Credentials
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: POST
+ path:
+ - '{{BaseURL}}/control/login'
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+ body: USERNAME=admin&PASSWORD=ofbiz&FTOKEN=&JavaScriptEnabled=Y
+ matchers:
+ - type: word
+ words:
+ - "ofbiz-pagination-template"
+ - "Powered by OFBiz"
+ condition: and
\ No newline at end of file
diff --git a/default-logins/zabbix-default-credentials.yaml b/default-logins/zabbix-default-credentials.yaml
new file mode 100755
index 0000000000..5202d88398
--- /dev/null
+++ b/default-logins/zabbix-default-credentials.yaml
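Review bot: The matcher cannot tell default credentials from a console with no authentication at all — a GET to `/admin/` that needs no `Authorization` header at all returns the same welcome page, so this will also fire on open consoles, and the trailing comment already hints the template needs more context. Add `# admin:admin` above the `Authorization` line, since the base64 value is opaque in review, and add a `status: 200` matcher with `matchers-condition: and` so a 401 body that mentions the console is not counted. `severity: medium` also sits oddly next to the zabbix default-credentials template in this commit rated `critical`; admin access to the broker console warrants at least `high`. The second `words` entry is cut by stripped markup in this rendering, so its exact content could not be reviewed.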
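Review bot: Nothing in the ambari hunk says what `YWRtaW46YWRtaW4=` decodes to; add `# admin:admin (default Ambari account)` above the `Authorization` line so reviewers do not have to decode it. There is no status matcher, so an error body that echoes the `"Users"` key would match — add `- type: status` / `status: - 200` with `matchers-condition: and`, as the adminer template in this commit does. `medium` is low for an authenticated Ambari admin API; consider aligning with the `critical` used for zabbix.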
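Review bot: Neither word in the ofbiz hunk proves the login succeeded: as far as I know `Powered by OFBiz` is rendered in the footer of the login page itself, so a rejected `admin:ofbiz` attempt can still match if `ofbiz-pagination-template` is also present on that page. Add a token that only appears after authentication (for example a logout link), or a negative check for the login form, and a `status` matcher. A one-line comment noting that `ofbiz` is the documented default password for the demo `admin` account would also help the next maintainer.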
@@ -0,0 +1,22 @@
+id: zabbix-default-credentials
+
+info:
+ name: Zabbix Default Credentials
+ author: Ice3man
+ severity: critical
+
+requests:
+ - method: POST
+ path:
+ - '{{BaseURL}}/index.php'
+ headers:
+ - Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ - X-Requested-With: XMLHttpRequest
+ body: name=Admin&password=zabbix&autologin=1&enter=Sign+in
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "zabbix.php?action=dashboard.view"
+ - type: status
+ status: 302
\ No newline at end of file
diff --git a/exposed-panels/active-admin-exposure.yaml b/exposed-panels/active-admin-exposure.yaml
new file mode 100755
index 0000000000..0654ef10c2
--- /dev/null
+++ b/exposed-panels/active-admin-exposure.yaml
@@ -0,0 +1,17 @@
+id: active-admin-exposure
+
+info:
+ name: ActiveAdmin Admin Dasboard Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/admin/login'
+ matchers:
+ - type: word
+ words:
+ - "active_admin_content"
+ - "active_admin-"
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/activemq-panel.yaml b/exposed-panels/activemq-panel.yaml
new file mode 100755
index 0000000000..9265ab0e96
--- /dev/null
+++ b/exposed-panels/activemq-panel.yaml
@@ -0,0 +1,17 @@
+id: activemq-panel
+
+info:
+ name: Apache ActiveMQ Exposure
+ author: Ice3man
+ severity: info
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - '
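Review bot: `headers` in the zabbix hunk is written as a YAML sequence of one-key mappings (`- Content-Type: …`, `- X-Requested-With: …`) whereas every other template in this commit writes it as a plain mapping under `headers:`; if the loader expects a map, this template will either fail to parse or silently drop both headers. Change the two lines to `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` and `X-Requested-With: XMLHttpRequest` without the leading dashes. The redirect target `zabbix.php?action=dashboard.view` is carried in the `Location` header, so if the word matcher defaults to the body (the other templates here set `part: body` explicitly) it needs `part: header`. `status: 302` is also a scalar where the adminer template uses a list — use one form throughout.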
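Review bot: Typo in the active-admin `name` field — `ActiveAdmin Admin Dasboard Exposure` should read `Dashboard`. `ActiveAdmin Admin` is also redundant; `ActiveAdmin Dashboard Exposure` reads better and matches the other names in the commit.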

Welcome to the Apache ActiveMQ!

'
+ - 'Apache ActiveMQ'
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/adminer-exposure.yaml b/exposed-panels/adminer-exposure.yaml
new file mode 100755
index 0000000000..1e0a0e3326
--- /dev/null
+++ b/exposed-panels/adminer-exposure.yaml
@@ -0,0 +1,125 @@
+id: adminer-exposure
+
+info:
+ name: Adminer Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/adminer-4.7.0.php'
+ - '{{BaseURL}}/adminer-4.6.0-mysql-en.php'
+ - '{{BaseURL}}/adminer/adminer.php'
+ - '{{BaseURL}}/adminer-4.6.0-en.php'
+ - '{{BaseURL}}/adminer-4.6.2-mysql.php'
+ - '{{BaseURL}}/adminer-4.6.1-mysql.php'
+ - '{{BaseURL}}/adminer-4.7.2.php'
+ - '{{BaseURL}}/adminer-4.0.1/'
+ - '{{BaseURL}}/adminer-4.6.3-mysql-en.php'
+ - '{{BaseURL}}/adminer-4.3.1-mysql-en.php'
+ - '{{BaseURL}}/adminer-3.3.1/'
+ - '{{BaseURL}}/adminer-3.6.1/'
+ - '{{BaseURL}}/adminer-4.6.2.php'
+ - '{{BaseURL}}/adminer-4.0.3.php'
+ - '{{BaseURL}}/adminer-4.3.0.php'
+ - '{{BaseURL}}/adminer-4.6.1.php'
+ - '{{BaseURL}}/adminer-4.2.5-en.php'
+ - '{{BaseURL}}/data/adminer.php'
+ - '{{BaseURL}}/adminer/index.php'
+ - '{{BaseURL}}/adminer-4.2.0.php'
+ - '{{BaseURL}}/adminer-4.5.0-mysql.php'
+ - '{{BaseURL}}/admin/adminer.php'
+ - '{{BaseURL}}/adminer-4.7.2-mysql.php'
+ - '{{BaseURL}}/adminer-4.2.2/'
+ - '{{BaseURL}}/adminer-4.5.0.php'
+ - '{{BaseURL}}/adminer-3.6.0/'
+ - '{{BaseURL}}/webadminer.php'
+ - '{{BaseURL}}/adminer-4.0.3/'
+ - '{{BaseURL}}/adminer-4.1.0.php'
+ - '{{BaseURL}}/adminer-3.3.2/'
+ - '{{BaseURL}}/adminer-4.6.2-en.php'
+ - '{{BaseURL}}/adminer-4.7.1-mysql.php'
+ - '{{BaseURL}}/public/adminer.php'
+ - '{{BaseURL}}/adminer-4.1.0/'
+ - '{{BaseURL}}/adminer-4.5.0-en.php'
+ - '{{BaseURL}}/adminer-4.2.4/'
+ - '{{BaseURL}}/adminer-4.6.2-mysql-en.php'
+ - '{{BaseURL}}/adminer.php'
+ - '{{BaseURL}}/adminer-4.7.0-mysql-en.php'
+ - '{{BaseURL}}/adminer-4.4.0-mysql.php'
+ - '{{BaseURL}}/adminer-4.3.1.php'
+ - '{{BaseURL}}/adminer-4.6.0-mysql.php'
+ - '{{BaseURL}}/adminer-4.2.3/'
+ - '{{BaseURL}}/_adminer.php'
+ - '{{BaseURL}}/adminer-3.3.3/'
+ - '{{BaseURL}}/adminer-3.3.0/'
+ - '{{BaseURL}}/php/adminer.php'
+ - '{{BaseURL}}/adminer-3.1.0/'
+ - '{{BaseURL}}/adminer-4.6.3-mysql.php'
+ - 
'{{BaseURL}}/adminer-4.7.2-mysql-en.php'
+ - '{{BaseURL}}/adminer-4.4.0-en.php'
+ - '{{BaseURL}}/publicadminer.php'
+ - '{{BaseURL}}/adminer1.php'
+ - '{{BaseURL}}/adminer-4.7.3-mysql.php'
+ - '{{BaseURL}}/adminer-4.6.3-en.php'
+ - '{{BaseURL}}/adminer-4.2.5-mysql-en.php'
+ - '{{BaseURL}}/adminer-3.0.0/'
+ - '{{BaseURL}}/adminer-3.5.0/'
+ - '{{BaseURL}}/adminer-3.6.4/'
+ - '{{BaseURL}}/adminer-4.7.3-mysql-en.php'
+ - '{{BaseURL}}/adminer-3.2.2/'
+ - '{{BaseURL}}/adminer-3.0.1/'
+ - '{{BaseURL}}/tools/adminer.php'
+ - '{{BaseURL}}/adminer-4.7.1.php'
+ - '{{BaseURL}}/adminer-4.0.3-mysql.php'
+ - '{{BaseURL}}/adminer-4.2.5-mysql.php'
+ - '{{BaseURL}}/adminer-3.5.1/'
+ - '{{BaseURL}}/adminer-3.6.3/'
+ - '{{BaseURL}}/adminer-4.3.0-mysql-en.php'
+ - '{{BaseURL}}/web/adminer.php'
+ - '{{BaseURL}}/adminer-3.2.1/'
+ - '{{BaseURL}}/adminer/'
+ - '{{BaseURL}}/adminer-4.6.2-cs.php'
+ - '{{BaseURL}}/adminer-4.2.0-mysql.php'
+ - '{{BaseURL}}/adminer-4.5.0-mysql-en.php'
+ - '{{BaseURL}}/adminer-4.3.1-mysql.php'
+ - '{{BaseURL}}/adminer-4.1.0-mysql.php'
+ - '{{BaseURL}}/adminer-4.7.1-mysql-en.php'
+ - '{{BaseURL}}/adminer-4.3.1-en.php'
+ - '{{BaseURL}}/adminer-4.7.0-en.php'
+ - '{{BaseURL}}/adminer-4.6.1-mysql-en.php'
+ - '{{BaseURL}}/adminer-4.7.2-en.php'
+ - '{{BaseURL}}/adminer-4.2.0/'
+ - '{{BaseURL}}/adminer-3.6.2/'
+ - '{{BaseURL}}/adminer-4.4.0-mysql-en.php'
+ - '{{BaseURL}}/toolsadminer.php'
+ - '{{BaseURL}}/adminer-3.7.0/'
+ - '{{BaseURL}}/adminer-4.2.5.php'
+ - '{{BaseURL}}/adminer-3.2.0/'
+ - '{{BaseURL}}/adminer-4.4.0.php'
+ - '{{BaseURL}}/adminer-4.7.3.php'
+ - '{{BaseURL}}/adminer-4.3.0-en.php'
+ - '{{BaseURL}}/adminer-4.6.3.php'
+ - '{{BaseURL}}/adminer-4.0.2/'
+ - '{{BaseURL}}/wp-content/plugins/adminer/adminer.php'
+ - '{{BaseURL}}/adminer-3.4.0/'
+ - '{{BaseURL}}/adminer-4.0.0/'
+ - '{{BaseURL}}/adminer-4.7.1-en.php'
+ - '{{BaseURL}}/adminer-4.3.0-mysql.php'
+ - '{{BaseURL}}/adminer-4.2.1/'
+ - '{{BaseURL}}/adminer-4.6.0.php'
+ - '{{BaseURL}}/adminer-3.7.1/'
+ - 
'{{BaseURL}}/adminadminer.php'
+ - '{{BaseURL}}/adminer-3.3.4/'
+ - '{{BaseURL}}/adminer-4.6.1-en.php'
+ - '{{BaseURL}}/adminer-4.7.3-en.php'
+ - '{{BaseURL}}/adminer-4.7.0-mysql.php'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Login - Adminer"
+ - type: status
+ status:
+ - 200
diff --git a/exposed-panels/airflow-exposure.yaml b/exposed-panels/airflow-exposure.yaml
new file mode 100755
index 0000000000..b02e422796
--- /dev/null
+++ b/exposed-panels/airflow-exposure.yaml
@@ -0,0 +1,18 @@
+id: airflow-exposure
+
+info:
+ name: Apache Airflow Exposure / Unauthenticated Access
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ - '{{BaseURL}}/admin/'
+ matchers:
+ - type: word
+ words:
+ - 'Airflow - DAGs'
+ - ''
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/ambari-exposure.yaml b/exposed-panels/ambari-exposure.yaml
new file mode 100644
index 0000000000..b44f058832
--- /dev/null
+++ b/exposed-panels/ambari-exposure.yaml
@@ -0,0 +1,17 @@
+id: ambari-exposure
+
+info:
+ name: Apache Ambari Exposure / Unauthenticated Access
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - 'Ambari'
+ - 'href="http://www.apache.org/licenses/LICENSE-2.0"'
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/ansible-tower-exposure.yaml b/exposed-panels/ansible-tower-exposure.yaml
new file mode 100644
index 0000000000..11de49fcfc
--- /dev/null
+++ b/exposed-panels/ansible-tower-exposure.yaml
@@ -0,0 +1,17 @@
+id: ansible-tower-exposure
+
+info:
+ name: Ansible Tower Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - "Ansible Tower"
+ - "ansible-main-menu"
+ condition: and
\ No newline at end of file
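Review bot: Four entries in the adminer path list look like path-join mistakes rather than real locations: `/webadminer.php`, `/publicadminer.php`, `/toolsadminer.php` and `/adminadminer.php` sit next to `/web/adminer.php`, `/public/adminer.php`, `/tools/adminer.php` and `/admin/adminer.php`, so the slash-less variants appear to be the same entries with the separator dropped. Removing them saves four requests per host and avoids sending nonsense paths. The rest of the list is version-suffixed file names; a comment saying where the list was sourced and that `Login - Adminer` is the login form's `<title>` would make it maintainable. This hunk also spans a pre-existing line break inside two diff lines in this rendering, which the reformat above leaves as is.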
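Review bot: The second word in the airflow-exposure hunk is an empty string `''` as rendered here, and an empty needle matches every body, so `condition: and` collapses to a single `Airflow - DAGs` check. If the value was an HTML tag that this rendering stripped, restore it; otherwise drop the line and the `condition`. A `status: 200` matcher would also keep a login redirect page that mentions DAGs from being reported as unauthenticated access.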
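Review bot: `Ambari` plus the Apache-2.0 license link is a weak fingerprint in the ambari-exposure hunk: the same license `href` appears on many Apache-project landing pages, and `Ambari` as a bare substring matches any page that merely mentions the product. The name says `Unauthenticated Access`, but to my knowledge the Ambari root page is served before login, so this detects a login panel rather than open access; either rename it to `Apache Ambari Login Panel` or match something only an authenticated dashboard returns.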
diff --git a/exposed-panels/couchdb-exposure.yaml b/exposed-panels/couchdb-exposure.yaml
new file mode 100755
index 0000000000..68942ed1f2
--- /dev/null
+++ b/exposed-panels/couchdb-exposure.yaml
@@ -0,0 +1,18 @@
+id: couchdb-exposure
+
+info:
+ name: Apache CouchDB Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/_all_dbs'
+ matchers:
+ - type: word
+ words:
+ - CouchDB/
+ - Erlang OTP/
+ part: header
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/couchdb-fauxton.yaml b/exposed-panels/couchdb-fauxton.yaml
new file mode 100755
index 0000000000..f5d9d52103
--- /dev/null
+++ b/exposed-panels/couchdb-fauxton.yaml
@@ -0,0 +1,15 @@
+id: couchdb-fauxton
+
+info:
+ name: Apache CouchDB Fauxton Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - 'Project Fauxton'
\ No newline at end of file
diff --git a/exposed-panels/django-admin-panel.yaml b/exposed-panels/django-admin-panel.yaml
new file mode 100644
index 0000000000..30dc04e6c4
--- /dev/null
+++ b/exposed-panels/django-admin-panel.yaml
@@ -0,0 +1,17 @@
+id: django-admin-panel
+
+info:
+ name: Python Django Admin Panel
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/admin/login/?next=/admin/"
+ matchers:
+ - type: word
+ words:
+ - "Django administration"
+ condition: and
+ part: body
\ No newline at end of file
diff --git a/exposed-panels/druid-console-exposure.yaml b/exposed-panels/druid-console-exposure.yaml
new file mode 100755
index 0000000000..fd70fd8bf0
--- /dev/null
+++ b/exposed-panels/druid-console-exposure.yaml
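Review bot: Both words in the couchdb-exposure hunk are matched against the `Server` header (`CouchDB/`, `Erlang OTP/`), which as far as I know CouchDB sends on every response including a 401 from `/_all_dbs`, so this fires on an authenticated instance just as readily as on an open one. Add `- type: status` / `status: - 200` and a body word such as `[` with `matchers-condition: and` so the match means the database list was actually returned, or drop the `_all_dbs` path and call the template a fingerprint. If the intent is unauthenticated database enumeration, `severity: low` underrates it.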
@@ -0,0 +1,17 @@
+id: druid-console-exposure
+
+info:
+ name: Alibaba Druid Console Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - 'src="/druid.js"'
+ - 'href="/druid.css"'
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/exposed-pagespeed-global-admin.yaml b/exposed-panels/exposed-pagespeed-global-admin.yaml
new file mode 100755
index 0000000000..568072f374
--- /dev/null
+++ b/exposed-panels/exposed-pagespeed-global-admin.yaml
@@ -0,0 +1,15 @@
+id: exposed-pagespeed-global-admin
+
+info:
+ name: Apache PageSpeed Global Admin Dashboard Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/pagespeed_admin/'
+ matchers:
+ - type: word
+ words:
+ - "Pagespeed Admin"
\ No newline at end of file
diff --git a/exposed-panels/exposed-webalizer.yaml b/exposed-panels/exposed-webalizer.yaml
new file mode 100644
index 0000000000..21f33ad15a
--- /dev/null
+++ b/exposed-panels/exposed-webalizer.yaml
@@ -0,0 +1,17 @@
+id: exposed-webalizer
+
+info:
+ name: Publicly exposed Webalizer Interface
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/webalizer/'
+ matchers:
+ - type: word
+ words:
+ - "Webalizer Version"
+ - "Usage statistics for"
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/flink-exposure.yaml b/exposed-panels/flink-exposure.yaml
new file mode 100755
index 0000000000..155c090b58
--- /dev/null
+++ b/exposed-panels/flink-exposure.yaml
@@ -0,0 +1,15 @@
+id: flink-exposure
+
+info:
+ name: Apache Flink Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - 'Apache Flink Web Dashboard'
\ No newline at end of file
diff --git a/exposed-panels/hadoop-exposure.yaml b/exposed-panels/hadoop-exposure.yaml
new file mode 100755
index 0000000000..efefde4127
--- /dev/null
+++ b/exposed-panels/hadoop-exposure.yaml
@@ -0,0 +1,15 @@
+id: hadoop-exposure
+
+info:
+ name: Apache Hadoop Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/dfshealth.html'
+ matchers:
+ - type: word
+ words:
+ - ''
\ No newline at end of file
diff --git a/exposed-panels/kafka-connect-ui.yaml b/exposed-panels/kafka-connect-ui.yaml
new file mode 100755
index 0000000000..973910c087
--- /dev/null
+++ b/exposed-panels/kafka-connect-ui.yaml
@@ -0,0 +1,15 @@
+id: kafka-connect-ui
+
+info:
+ name: Apache Kafka Connect UI Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - 'Kafka Connect UI'
\ No newline at end of file
diff --git a/exposed-panels/kafka-monitoring.yaml b/exposed-panels/kafka-monitoring.yaml
new file mode 100755
index 0000000000..c6d4183b66
--- /dev/null
+++ b/exposed-panels/kafka-monitoring.yaml
@@ -0,0 +1,16 @@
+id: kafka-monitoring
+
+info:
+ name: Apache Kafka Monitor Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - '>KafkaMonitor'
+ - '>Kafka Monitor GUI'
\ No newline at end of file
diff --git a/exposed-panels/kafka-topics-ui.yaml b/exposed-panels/kafka-topics-ui.yaml
new file mode 100755
index 0000000000..8e4a823e28
--- /dev/null
+++ b/exposed-panels/kafka-topics-ui.yaml
@@ -0,0 +1,15 @@
+id: kafka-topics-ui
+
+info:
+ name: Apache Kafka Topics UI Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - 'Kafka Topics UI - Browse Kafka Data'
\ No newline at end of file
diff --git a/exposed-panels/kubernetes-dashboard.yaml b/exposed-panels/kubernetes-dashboard.yaml
new file mode 100644
index 0000000000..b50e6d4155
--- /dev/null
+++ b/exposed-panels/kubernetes-dashboard.yaml
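Review bot: The only word in the hadoop-exposure hunk is an empty string `''` as rendered here, and an empty needle matches every response, so any host that answers `/dfshealth.html` with anything at all — including a generic 404 page — is reported. If the value was a tag stripped by this rendering, restore it; otherwise match a string that only the NameNode page carries and add `- type: status` / `status: - 200` with `matchers-condition: and`. As written the template is a false-positive generator and should not merge in this form.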
@@ -0,0 +1,15 @@
+id: kubernetes-dashboard
+
+info:
+ name: Kubernetes Console Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/"
+ matchers:
+ - type: word
+ words:
+ - "Kubernetes Dashboard"
\ No newline at end of file
diff --git a/exposed-panels/rocketmq-console-exposure.yaml b/exposed-panels/rocketmq-console-exposure.yaml
new file mode 100755
index 0000000000..26c5fe99bc
--- /dev/null
+++ b/exposed-panels/rocketmq-console-exposure.yaml
@@ -0,0 +1,15 @@
+id: rocketmq-console-exposure
+
+info:
+ name: Apache RocketMQ Console Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - "RocketMq-console-ng"
\ No newline at end of file
diff --git a/exposed-panels/selenoid-ui-exposure.yaml b/exposed-panels/selenoid-ui-exposure.yaml
new file mode 100755
index 0000000000..4742cd906d
--- /dev/null
+++ b/exposed-panels/selenoid-ui-exposure.yaml
@@ -0,0 +1,17 @@
+id: selenoid-ui-exposure
+
+info:
+ name: Selenoid UI Dashboard Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/admin/login'
+ matchers:
+ - type: word
+ words:
+ - "Selenoid UI"
+ - "/manifest.json"
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/setup-page-exposure.yaml b/exposed-panels/setup-page-exposure.yaml
new file mode 100755
index 0000000000..a2903098fe
--- /dev/null
+++ b/exposed-panels/setup-page-exposure.yaml
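Review bot: The path `/admin/login` in the selenoid-ui-exposure hunk is identical to the one in `active-admin-exposure.yaml` in this commit and looks copied from it; Selenoid UI, as far as I know, serves its single-page app from `/` and has no `/admin/login` route, so the request would hit a 404 and the `Selenoid UI` / `/manifest.json` words would never be seen. Change the path to `'{{BaseURL}}/'`, keeping `/admin/login` as a second entry only if it was intentional, and add a `status: 200` matcher.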
@@ -0,0 +1,20 @@
+id: setup-page-exposure
+
+info:
+ name: Zenphoto Setup Page Exposure
+ author: Ice3man
+ severity: medium
+ description: Misconfiguration on Zenphoto version < 1.5.X which lead to sensitive information disclosure
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/zp-core/setup/index.php'
+ - '{{BaseURL}}/zp/zp-core/setup/index.php'
+ - '{{BaseURL}}/gallery/zp-core/setup/index.php'
+ - '{{BaseURL}}/zenphoto/zp-core/setup/index.php'
+ matchers:
+ - type: word
+ words:
+ - Welcome to Zenphoto! This page will set up Zenphoto
+ part: body
\ No newline at end of file
diff --git a/exposed-panels/solr-exposure.yaml b/exposed-panels/solr-exposure.yaml
new file mode 100755
index 0000000000..21f878068d
--- /dev/null
+++ b/exposed-panels/solr-exposure.yaml
@@ -0,0 +1,15 @@
+id: solr-exposure
+
+info:
+ name: Apache Solr Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/solr/'
+ matchers:
+ - type: word
+ words:
+ - "Solr Admin"
\ No newline at end of file
diff --git a/exposed-panels/yarn-manager-exposure.yaml b/exposed-panels/yarn-manager-exposure.yaml
new file mode 100755
index 0000000000..bb17c90f1d
--- /dev/null
+++ b/exposed-panels/yarn-manager-exposure.yaml
@@ -0,0 +1,18 @@
+id: yarn-manager-exposure
+
+info:
+ name: Apache Yarn ResourceManager Exposure / Unauthenticated Access
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/cluster/cluster'
+ matchers:
+ - type: word
+ words:
+ - 'hadoop'
+ - 'resourcemanager'
+ - 'logged in as: dr.who'
+ condition: and
\ No newline at end of file
diff --git a/exposed-panels/zipkin-exposure.yaml b/exposed-panels/zipkin-exposure.yaml
new file mode 100755
index 0000000000..4a0e2b1646
--- /dev/null
+++ b/exposed-panels/zipkin-exposure.yaml
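Review bot: The id `setup-page-exposure` in the Zenphoto hunk is generic while every other id in this commit is product-prefixed; rename it to `zenphoto-setup-exposure` (and the file to match) so it does not collide with future setup-page templates for other products. In the `description`, `which lead to` should read `which leads to`. The `part: body` line is placed after `words` here and before it in the zipkin template; keep one ordering.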
@@ -0,0 +1,17 @@
+id: zipkin-exposure
+
+info:
+ name: Zipkin Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/"
+ - "{{BaseURL}}/zipkin/"
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "webpackJsonpzipkin-lens"
\ No newline at end of file
diff --git a/exposures/configs/airflow-configuration-exposure.yaml b/exposures/configs/airflow-configuration-exposure.yaml
new file mode 100755
index 0000000000..6bbb2fe2ce
--- /dev/null
+++ b/exposures/configs/airflow-configuration-exposure.yaml
@@ -0,0 +1,17 @@
+id: airflow-configuration-exposure
+
+info:
+ name: Apache Airflow Configuration Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/airflow.cfg'
+ matchers:
+ - type: word
+ words:
+ - '[core]'
+ - '[api]'
+ condition: and
\ No newline at end of file
diff --git a/exposures/configs/amazon-docker-config-disclosure.yaml b/exposures/configs/amazon-docker-config-disclosure.yaml
new file mode 100755
index 0000000000..3dc66d5530
--- /dev/null
+++ b/exposures/configs/amazon-docker-config-disclosure.yaml
@@ -0,0 +1,17 @@
+id: amazon-docker-config-disclosure
+
+info:
+ name: Dockerrun AWS Configuration Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/Dockerrun.aws.json'
+ matchers:
+ - type: word
+ words:
+ - 'AWSEBDockerrunVersion'
+ - 'containerDefinitions'
+ condition: and
\ No newline at end of file
diff --git a/exposures/configs/ansible-config-disclosure.yaml b/exposures/configs/ansible-config-disclosure.yaml
new file mode 100755
index 0000000000..a07e675fbb
--- /dev/null
+++ b/exposures/configs/ansible-config-disclosure.yaml
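Review bot: `severity: medium` in the airflow-configuration-exposure hunk underrates a readable `airflow.cfg`: the file normally carries `sql_alchemy_conn` (database credentials), `fernet_key` and the webserver `secret_key`, which is credential disclosure rather than a configuration leak, and `high` would match how `symfony-database-config` is rated in this same commit. A word such as `sql_alchemy_conn` or `fernet_key` would also be a stronger signal than `[api]`, and a `status: 200` matcher keeps error pages that echo the path out.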
@@ -0,0 +1,17 @@
+id: ansible-config-disclosure
+
+info:
+ name: Ansible Configuration Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/ansible.cfg'
+ matchers:
+ - type: word
+ words:
+ - '[defaults]'
+ - '[inventory]'
+ condition: and
\ No newline at end of file
diff --git a/exposures/configs/opcache-status-exposure.yaml b/exposures/configs/opcache-status-exposure.yaml
new file mode 100644
index 0000000000..26b0fd5a75
--- /dev/null
+++ b/exposures/configs/opcache-status-exposure.yaml
@@ -0,0 +1,20 @@
+id: opcache-status-exposure
+
+info:
+ name: OPcache Status Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/opcache-status/"
+ - "{{BaseURL}}/php-opcache-status/"
+ - "{{BaseURL}}/opcache-status/opcache.php"
+ matchers:
+ - type: word
+ words:
+ - "opcache_enabled"
+ - "opcache_hit_rate"
+ condition: and
+ part: body
\ No newline at end of file
diff --git a/exposures/configs/perl-status.yaml b/exposures/configs/perl-status.yaml
new file mode 100755
index 0000000000..6e65332db7
--- /dev/null
+++ b/exposures/configs/perl-status.yaml
@@ -0,0 +1,17 @@
+id: perl-status
+
+info:
+ name: Apache mod_perl Status Page Exposure
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/perl-status'
+ matchers:
+ - type: word
+ words:
+ - "Apache2::Status"
+ - "Perl version"
+ condition: and
\ No newline at end of file
diff --git a/exposures/configs/rails-database-config.yaml b/exposures/configs/rails-database-config.yaml
new file mode 100644
index 0000000000..4461c3b86b
--- /dev/null
+++ b/exposures/configs/rails-database-config.yaml
@@ -0,0 +1,18 @@
+id: rails-database-config
+
+info:
+ name: Ruby-on-Rails Database Configuration Exposure
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/config/database.yml"
+ matchers:
+ - type: word
+ words:
+ - "adapter:"
+ - "database:"
+ condition: and
+ part: body
\ No newline at end of file
diff --git a/exposures/configs/symfony-database-config.yaml b/exposures/configs/symfony-database-config.yaml
new file mode 100755
index 0000000000..b116547087
--- /dev/null
+++ b/exposures/configs/symfony-database-config.yaml
@@ -0,0 +1,18 @@
+id: symfony-database-config
+
+info:
+ name: Symfony Database Configuration Exposure
+ author: Ice3man
+ severity: high
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/config/databases.yml"
+ matchers:
+ - type: word
+ words:
+ - "class:"
+ - "param:"
+ condition: and
+ part: body
\ No newline at end of file
diff --git a/exposures/configs/symfony-profiler.yaml b/exposures/configs/symfony-profiler.yaml
new file mode 100644
index 0000000000..6b7b9d5810
--- /dev/null
+++ b/exposures/configs/symfony-profiler.yaml
@@ -0,0 +1,18 @@
+id: symfony-profiler
+
+info:
+ name: Symfony Profiler
+ author: ice3man
+ severity: high
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/_profiler/empty/search/results?limit=10"
+ matchers:
+ - type: word
+ words:
+ - "<title>Symfony Profiler"
+ - "symfony/profiler/"
+ condition: and
+ part: body
\ No newline at end of file
diff --git a/exposures/logs/rails-debug-mode.yaml b/exposures/logs/rails-debug-mode.yaml
new file mode 100644
index 0000000000..f696b5ce6c
--- /dev/null
+++ b/exposures/logs/rails-debug-mode.yaml
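Review bot: `severity: low` in the rails-database-config hunk is inconsistent with `symfony-database-config` in the same commit, which checks the equivalent `config/databases.yml` at `high`; a readable `database.yml` normally contains the production `username`/`password`, so `high` fits here as well. Consider adding `password:` as a third word so a checked-in file with only `adapter`/`database` placeholders does not rate the same as one holding live credentials.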
@@ -0,0 +1,18 @@
+id: rails-debug-mode
+
+info:
+ name: Rails Debug Mode Enabled
+ author: ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/1238a92f573a48e58d356c42ca2c9610"
+ matchers:
+ - type: word
+ words:
+ - "Rails.root:"
+ - "Action Controller: Exception caught"
+ condition: and
+ part: body
\ No newline at end of file
diff --git a/exposures/logs/struts-debug-mode.yaml b/exposures/logs/struts-debug-mode.yaml
new file mode 100644
index 0000000000..0ec3c41f8e
--- /dev/null
+++ b/exposures/logs/struts-debug-mode.yaml
@@ -0,0 +1,17 @@
+id: struts-debug-mode
+
+info:
+ name: Apache Struts setup in Debug-Mode
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/'
+ matchers:
+ - type: word
+ words:
+ - ""
+ - ""
+ condition: and
\ No newline at end of file
diff --git a/misconfiguration/airflow-api-exposure.yaml b/misconfiguration/airflow-api-exposure.yaml
new file mode 100755
index 0000000000..0efc1b2c65
--- /dev/null
+++ b/misconfiguration/airflow-api-exposure.yaml
@@ -0,0 +1,17 @@
+id: airflow-api-exposure
+
+info:
+ name: Apache Airflow API Exposure / Unauthenticated Access
+ author: Ice3man
+ severity: medium
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/api/experimental/latest_runs'
+ matchers:
+ - type: word
+ words:
+ - '"dag_run_url":'
+ - '{"items":['
+ condition: and
\ No newline at end of file
diff --git a/misconfiguration/hadoop-unauth.yaml b/misconfiguration/hadoop-unauth.yaml
new file mode 100644
index 0000000000..825453b763
--- /dev/null
+++ b/misconfiguration/hadoop-unauth.yaml
@@ -0,0 +1,17 @@
+id: hadoop-unauth
+
+info:
+ name: Apache Hadoop Unauth
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/ws/v1/cluster/info'
+ matchers:
+ - type: word
+ words:
+ - 'hadoopVersion'
+ - 'resourceManagerVersionBuiltOn'
+ condition: and
\ No newline at end of file
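Review bot: The path `/1238a92f573a48e58d356c42ca2c9610` in the rails-debug-mode hunk is a magic value with no explanation; add a comment above `path` such as `# deliberately non-existent route: with consider_all_requests_local on, Rails returns the full exception page for it` so the next reader does not take it for a real endpoint. A `status: 404` matcher would also separate the debug error page from a catch-all route that happens to print `Rails.root:`.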
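Review bot: Both words in the struts-debug-mode hunk are empty strings `""` as rendered here, so each matches every response and the template flags every host that returns anything for `/`. If the values were HTML tags that this rendering stripped (Struts debug-output markup, presumably), restore them; as written the template is a false-positive generator and should not be merged. A `status: 200` matcher would be worth adding at the same time.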
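Review bot: `/ws/v1/cluster/info` with `resourceManagerVersionBuiltOn` in the hadoop-unauth hunk is the YARN ResourceManager REST API, not HDFS, so the id `hadoop-unauth` and name `Apache Hadoop Unauth` are broader than what is checked; `yarn-resourcemanager-unauth` would line up with the `yarn-manager-exposure` and `yarn-resourcemanager-rce` templates in this commit. `severity: low` also sits oddly next to the RCE template that relies on exactly this API being reachable without authentication.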
diff --git a/vulnerabilities/other/acme-xss.yaml b/vulnerabilities/other/acme-xss.yaml
new file mode 100755
index 0000000000..5a5e4e8ef5
--- /dev/null
+++ b/vulnerabilities/other/acme-xss.yaml
@@ -0,0 +1,20 @@
+id: acme-xss
+
+info:
+ name: ACME / Let's Encrypt Reflected XSS
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E'
+ matchers:
+ - type: word
+ words:
+ - "alert(document.domain)"
+ - type: word
+ words:
+ - "/xml"
+ - "/html"
+ matchers-condition: and
\ No newline at end of file
diff --git a/vulnerabilities/other/aspnuke-openredirect.yaml b/vulnerabilities/other/aspnuke-openredirect.yaml
new file mode 100644
index 0000000000..cef9244755
--- /dev/null
+++ b/vulnerabilities/other/aspnuke-openredirect.yaml
@@ -0,0 +1,15 @@
+id: aspnuke-openredirect
+info:
+ name: ASP-Nuke Open Redirect
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569"
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$'
\ No newline at end of file
diff --git a/vulnerabilities/other/yarn-resourcemanager-rce.yaml b/vulnerabilities/other/yarn-resourcemanager-rce.yaml
new file mode 100755
index 0000000000..ddc7fc4c4c
--- /dev/null
+++ b/vulnerabilities/other/yarn-resourcemanager-rce.yaml
@@ -0,0 +1,19 @@
+id: yarn-resourcemanager-rce
+
+info:
+ name: Apache Yarn ResourceManager RCE
+ author: Ice3man
+ severity: low
+
+requests:
+ - method: POST
+ path:
+ - '{{BaseURL}}/ws/v1/cluster/apps/new-application'
+ matchers:
+ - type: word
+ words:
+ - 'application-id'
+ - type: status
+ status:
+ - 200
+ matchers-condition: and
\ No newline at end of file
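Review bot: The acme-xss payload sends the closing parenthesis as the entity `%26%23x29%3B` (`&#x29;`), so a server that reflects the input verbatim returns `alert(document.domain&#x29;`, which does not contain the word `alert(document.domain)` the first matcher requires — the template would miss exactly the reflection it was built for. Match the prefix `alert(document.domain` (or the entity form) instead, or send a literal `)` if the entity was not a deliberate filter bypass. The second matcher has no `part`, so `/xml` and `/html` are searched wherever the word matcher defaults to (the other templates here set `part: body` explicitly, which suggests body), yet the strings look like `Content-Type` fragments; add `part: header` so the check confirms the reflection is served as markup and a `text/plain` echo is not reported as XSS.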
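Review bot: The aspnuke-openredirect regex is anchored on `^Location\s*:` but the matcher is set to `part: body`; `Location` is a response header, so the pattern can never match and the template only produces false negatives. Change `part: body` to `part: header`. A `status` matcher for `301`/`302` with `matchers-condition: and` would make the redirect check explicit, and a comment noting that `google.com` is a harmless canary target would help reviewers.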
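Review bot: `severity: low` for a template named `Apache Yarn ResourceManager RCE` is wrong on either reading: if an unauthenticated `new-application` POST returning an `application-id` is taken as the precondition of the commonly exploited unauthenticated-RCE chain, it deserves `critical`; if it is only meant to show the REST API is reachable, the id and name should say `unauth`, not `rce`. The request submits no application and runs no command, so the template detects a precondition rather than verifying code execution; a `description` stating that would avoid over-claiming in reports. `matchers-condition: and` is also placed after `matchers` here while the zabbix and adminer templates put it before — keep one order.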