From 8927253cb3f1e16f6164b4b92a2c6cfeadcd81a9 Mon Sep 17 00:00:00 2001 From: ganoes Date: Thu, 25 Feb 2021 11:13:01 +0100 Subject: [PATCH 01/29] Improvement of the regex in open redirection template --- vulnerabilities/generic/open-redirect.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml index 662007159c..a1c0961a85 100644 --- a/vulnerabilities/generic/open-redirect.yaml +++ b/vulnerabilities/generic/open-redirect.yaml @@ -46,5 +46,5 @@ requests: matchers: - type: regex regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com(?:\s*?)$' part: header From 5c87671a004c769763b759aaa4c7e16536c52dbc Mon Sep 17 00:00:00 2001 From: Joan Bono Date: Thu, 25 Feb 2021 16:18:05 +0100 Subject: [PATCH 02/29] Create gunicorn-detect.yml --- technologies/gunicorn-detect.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 technologies/gunicorn-detect.yml diff --git a/technologies/gunicorn-detect.yml b/technologies/gunicorn-detect.yml new file mode 100644 index 0000000000..69f286e77b --- /dev/null +++ b/technologies/gunicorn-detect.yml @@ -0,0 +1,25 @@ +id: gunicorn-detect +info: + name: Detect Gunicorn Server + author: joanbono + description: Gunicorn Python WSGI HTTP Server for UNIX - https://github.com/benoitc/gunicorn + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + + - type: regex + part: header + regex: + - gunicorn+ + + extractors: + - type: kval + part: header + kval: + - Server From 56557666fbcc4f8935ee4eaf47eba93831344c4a Mon Sep 17 00:00:00 2001 
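Review bot: The widened prefix class `[a-zA-Z0-9\-_\.@]*` in the new `regex` no longer requires a dot (or `@`) boundary before `example.com`, so a redirect to an unrelated host such as `https://fooexample.com` now matches, which the replaced `(?:[a-zA-Z0-9\-_]*\.)?` form excluded. The userinfo case the change is after can be kept while restoring the boundary with `- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.]*[\.@])?example\.com(?:\s*?)$'`. The request paths this matcher is meant to confirm are outside the hunk.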
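Review bot: In the `regex` matcher of the new template, `gunicorn+` quantifies only the final `n`, so the `+` adds nothing, and because the pattern is not tied to a header name it fires on any header that contains the token rather than on the server banner the `Server` kval extractor reports. Anchoring it to the header, `- '(?i)Server:\s*gunicorn'`, makes the detection agree with what is extracted. `matchers-condition: and` over a single matcher is a no-op and can be dropped.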
From: GitHub Action Date: Thu, 25 Feb 2021 19:06:24 +0000 Subject: [PATCH 03/29] Auto Update README [Thu Feb 25 19:06:24 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0fbb83b7e5..70dc8daaba 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 206 | vulnerabilities | 98 | exposed-panels | 74 | +| cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | | exposures | 55 | technologies | 46 | misconfiguration | 48 | | workflows | 21 | miscellaneous | 14 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 604 files**. +**62 directories, 605 files**. From dfc59f32afe8780d523d6daa96e9a88ac678c923 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 00:40:01 +0530 Subject: [PATCH 04/29] ext update --- technologies/{gunicorn-detect.yml => gunicorn-detect.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename technologies/{gunicorn-detect.yml => gunicorn-detect.yaml} (100%) diff --git a/technologies/gunicorn-detect.yml b/technologies/gunicorn-detect.yaml similarity index 100% rename from technologies/gunicorn-detect.yml rename to technologies/gunicorn-detect.yaml From 633499e27baecc594fb3ff47131789ab7fc57064 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 25 Feb 2021 19:10:35 +0000 Subject: [PATCH 05/29] Auto Update README [Thu Feb 25 19:10:35 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 70dc8daaba..05d10da0c3 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | -| exposures | 55 | technologies | 46 | misconfiguration | 48 | +| exposures | 55 | technologies | 47 | misconfiguration | 48 | | workflows | 21 | miscellaneous | 14 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 605 files**. +**62 directories, 606 files**. From 5241e0f9607fba74f25157dfe1c1374e30a18551 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 01:16:45 +0530 Subject: [PATCH 06/29] Update open-redirect.yaml --- vulnerabilities/generic/open-redirect.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml index a1c0961a85..74cb0945be 100644 --- a/vulnerabilities/generic/open-redirect.yaml +++ b/vulnerabilities/generic/open-redirect.yaml @@ -20,7 +20,6 @@ requests: - '{{BaseURL}}//example.com/..;/css' - '{{BaseURL}}/example%E3%80%82com' - '{{BaseURL}}/%5Cexample.com' - - '{{BaseURL}}example.com' - '{{BaseURL}}/example.com' - '{{BaseURL}}\example.com' - '{{BaseURL}}//example.com/' From 81e6c97c65bedf1347013ec6a3139109fd0ce264 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 04:01:38 +0530 Subject: [PATCH 07/29] Adding templates for dell-idrac --- .../dell/dell-idrac-default-login.yaml | 24 +++++++++++ technologies/dell-idrac-detect.yaml | 42 +++++++++++++++++++ workflows/dell-idrac-workflow.yaml | 11 +++++ 3 files changed, 77 insertions(+) create mode 100644 default-logins/dell/dell-idrac-default-login.yaml create mode 100644 technologies/dell-idrac-detect.yaml create mode 100644 workflows/dell-idrac-workflow.yaml diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml new file mode 100644 index 0000000000..05cd6e1cb6 --- /dev/null +++ b/default-logins/dell/dell-idrac-default-login.yaml @@ -0,0 +1,24 @@ +id: dell-idrac-default-login +info: + name: dell-idrac-default-login + author: kophjager007 + severity: high + tags: dell,idrac,dlogin + +requests: + - method: POST + cookie-reuse: true + path: + - "{{BaseURL}}/data/login" + body: "user=root&password=calvin" + headers: + Host: "{{Hostname}}" + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 + Content-Type: application/x-www-form-urlencode + Referer: "{{BaseURL}}/login.html" + + matchers-condition: and + matchers: + - type: status + status: + - 200 \ No newline at end of file diff --git a/technologies/dell-idrac-detect.yaml b/technologies/dell-idrac-detect.yaml new file mode 100644 index 0000000000..31618b85bf --- /dev/null +++ b/technologies/dell-idrac-detect.yaml 
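Review bot: `Content-Type: application/x-www-form-urlencode` is missing its final `d`; the body `user=root&password=calvin` is form-encoded, and a server that selects its body parser by media type may ignore it, turning a live default credential into a silent miss — the header should read `Content-Type: application/x-www-form-urlencoded`. The only matcher is `status: 200`, and a form-post login endpoint that answers 200 for a rejected attempt (returning a result document rather than a redirect) would be reported as a successful default login; a body matcher on the success indicator is needed, and nothing in this hunk establishes what that indicator is. `cookie-reuse: true` has no effect on a single-request template and can go.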
@@ -0,0 +1,42 @@ +id: dell-idrac-detect +info: + name: Detect Dell iDRAC + author: kophjager007 + description: The Integrated Dell Remote Access Controller (iDRAC) is designed for secure local and remote server management and helps IT administrators deploy, update and monitor Dell EMC PowerEdge servers. + severity: info + +requests: + - method: GET + headers: + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 + path: + - "{{BaseURL}}/sysmgmt/2015/bmc/info" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + condition: and + words: + - "iDRACName" + - "BuildVersion" + + extractors: + - type: regex + part: header + regex: + - iDRAC/[0-9]{1,2} + - type: regex + part: body + regex: + - iDRAC[0-9]{1,2} + - type: regex + part: body + name: fwver + group: 1 + regex: + - '"FwVer" *: *"([^"]+)"' \ No newline at end of file diff --git a/workflows/dell-idrac-workflow.yaml b/workflows/dell-idrac-workflow.yaml new file mode 100644 index 0000000000..fef179d8a6 --- /dev/null +++ b/workflows/dell-idrac-workflow.yaml @@ -0,0 +1,11 @@ +id: dell-idrac-workflow +info: + name: Dell iDRAC Security Checks + author: kophjager007 + description: A workflow to identify Dell iDRAC instances and run all related nuclei templates. + tags: workflow + +workflows: + - template: technologies/dell-idrac-detect.yaml + subtemplates: + - template: default-logins/dell/dell-idrac-default-login.yaml \ No newline at end of file From 82fa1598cf3ccec4bd7483cdcead964e983a1c55 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 00:47:11 +0000 Subject: [PATCH 08/29] Update unauthenticated-airflow.yaml --- misconfiguration/unauthenticated-airflow.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
diff --git a/misconfiguration/unauthenticated-airflow.yaml b/misconfiguration/unauthenticated-airflow.yaml index 4db232a58f..1c14b4f895 100644 --- a/misconfiguration/unauthenticated-airflow.yaml +++ b/misconfiguration/unauthenticated-airflow.yaml @@ -14,9 +14,15 @@ requests: matchers: - type: word words: - - Airflow - DAGs + - "Content-Type: text/html" + part: header + + - type: word + words: + - "Airflow - DAGs" part: body + condition: and - type: status status: - - 200 \ No newline at end of file + - 200 From 1f3b10549000d6b6c3bba10b0de08fe082489d72 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Fri, 26 Feb 2021 08:36:34 +0700 Subject: [PATCH 09/29] Update wordpress-user-enumeration.yaml --- vulnerabilities/wordpress/wordpress-user-enumeration.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/wordpress/wordpress-user-enumeration.yaml b/vulnerabilities/wordpress/wordpress-user-enumeration.yaml index f109bebade..c06644e07a 100644 --- a/vulnerabilities/wordpress/wordpress-user-enumeration.yaml +++ b/vulnerabilities/wordpress/wordpress-user-enumeration.yaml @@ -2,7 +2,7 @@ id: wordpress-user-enumeration info: name: Wordpress user enumeration - author: Manas_Harsh + author: Manas_Harsh & daffainfo severity: info tags: wordpress @@ -10,6 +10,7 @@ requests: - method: GET path: - "{{BaseURL}}/wp-json/wp/v2/users/" + - "{{BaseURL}}/?rest_route=/wp/v2/users/" matchers-condition: and matchers: - type: status From b05c058a569519e0e17d47fd4df0183dabb5dcd9 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 01:56:25 +0000 Subject: [PATCH 10/29] Update unauthenticated-nacos-access.yaml --- .../unauthenticated-nacos-access.yaml | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) 
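Review bot: The new header matcher `Content-Type: text/html` is satisfied by every HTML response, so this template is only safe if `matchers-condition: and` is set on the line just above the hunk, which is not visible here; with nuclei's default OR semantics the template would flag any web server that serves HTML. If the condition is present, the `condition: and` under the single-entry `words` list for `Airflow - DAGs` is a no-op and can be dropped.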
diff --git a/misconfiguration/unauthenticated-nacos-access.yaml b/misconfiguration/unauthenticated-nacos-access.yaml index 516f1b6254..f9f82b3b6d 100644 --- a/misconfiguration/unauthenticated-nacos-access.yaml +++ b/misconfiguration/unauthenticated-nacos-access.yaml @@ -1,30 +1,32 @@ id: unauthenticated-nacos-access info: - name: Unauthenticated Nacos access - author: taielab + name: Unauthenticated Nacos access v1.x + author: taielab & @pikpikcu severity: critical - - # References: - # - https://github.com/alibaba/nacos/issues/4593 + issues: https://github.com/alibaba/nacos/issues/4593 requests: - - raw: - - | - GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1 - Host: {{Hostname}} - User-Agent: Nacos-Server - Content-Length: 2 + - method: GET + path: + - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9" + - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9" matchers-condition: and matchers: + + - type: word + words: + - "Content-Type: application/json" + part: header + - type: regex regex: - '"username":' - '"password":' - - '"totalCount":' - condition: and part: body + condition: and + - type: status status: - 200 From 6908df0aafa19913b9d47be11783ac32191ca9bc Mon Sep 17 00:00:00 2001 From: oppsec <50470310+oppsec@users.noreply.github.com> Date: Thu, 25 Feb 2021 23:08:24 -0300 Subject: [PATCH 11/29] Create joomla-manifest-file.yaml --- exposures/files/joomla-manifest-file.yaml | 29 +++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 exposures/files/joomla-manifest-file.yaml diff --git a/exposures/files/joomla-manifest-file.yaml b/exposures/files/joomla-manifest-file.yaml new file mode 100644 index 0000000000..20f6322e99 --- /dev/null +++ b/exposures/files/joomla-manifest-file.yaml 
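Review bot: The rewrite drops the `User-Agent: Nacos-Server` header that the replaced raw request set deliberately; if, as that choice of agent suggests, the referenced issue is about Nacos trusting requests carrying its own server identity, the two new paths only succeed where authentication is disabled outright and the bypass the template is named for goes undetected. Restoring it is two lines under the request: `headers:` / `User-Agent: Nacos-Server`. Dropping `"totalCount":` from the body regex is fine, but the remaining `"username":`/`"password":` pair under `condition: and` is what justifies `severity: critical`, so it should stay as is.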
@@ -0,0 +1,29 @@ +id: joomla-manifest-file + +info: + name: joomla manifest file disclosure + author: oppsec + severity: low + description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths. + +requests: + - method: GET + path: + - "{{BaseURL}}/administrator/manifests/files/joomla.xml" + + matchers-condition: and + matchers: + - type: word + words: + - "admin@joomla.org" + - "www.joomla.org" + condition: and + + - type: word + words: + - "application/xml" + part: header + + - type: status + status: + - 200 From 1fbe09c16f69d9226ad2c5c35a65ebc93d2bba03 Mon Sep 17 00:00:00 2001 From: oppsec <50470310+oppsec@users.noreply.github.com> Date: Thu, 25 Feb 2021 23:19:22 -0300 Subject: [PATCH 12/29] Create joomla-htaccess.yaml --- exposures/files/joomla-htaccess.yaml | 29 ++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 exposures/files/joomla-htaccess.yaml diff --git a/exposures/files/joomla-htaccess.yaml b/exposures/files/joomla-htaccess.yaml new file mode 100644 index 0000000000..4c88101d8e --- /dev/null +++ b/exposures/files/joomla-htaccess.yaml @@ -0,0 +1,29 @@ +id: joomla-htaccess-file + +info: + name: Joomla htacces file disclosure + author: oppsec + severity: info + description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc... + +requests: + - method: GET + path: + - "{{BaseURL}}/htaccess.txt" + + matchers-condition: and + matchers: + - type: word + words: + - "# @package Joomla" + - "# @copyright Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.g" + condition: and + + - type: word + words: + - "text/plain" + part: header + + - type: status + status: + - 200 From c6e856fe1b2863cef7af99efb0d7bcee279dc0f1 Mon Sep 17 00:00:00 2001 
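Review bot: The `description` says `joomla.xml` reveals the installed version, but nothing in the template extracts it, so the finding gives an operator nothing to triage by. A Joomla manifest carries the version in a `<version>` element, so an extractor after the matchers turns the info finding into an actionable version string; it is added below, indented to match the request block.
```yaml
    # … unchanged: matchers …

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '<version>([^<]+)</version>'
```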
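Review bot: The second word, `# @copyright Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.g`, ends in a stray `g` and pins the year range to one release line, and under `condition: and` that single token means any Joomla shipping a newer or older `htaccess.txt` is missed entirely. A stable substring such as `- "Open Source Matters. All rights reserved"` keeps the fingerprint without the version coupling. Since `htaccess.txt` is a stock file shipped with every install, `file disclosure` in the `name` overstates it; this is a fingerprint and `severity: info` is the right level.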
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 03:30:51 +0000 Subject: [PATCH 13/29] Update directory-traversal.yaml --- fuzzing/directory-traversal.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fuzzing/directory-traversal.yaml b/fuzzing/directory-traversal.yaml index df2f9d7d23..7c44cee4cc 100644 --- a/fuzzing/directory-traversal.yaml +++ b/fuzzing/directory-traversal.yaml @@ -24,6 +24,13 @@ requests: - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" - "{{BaseURL}}/./../../../../../../../../../../etc/passwd" + - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd" + - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd" + - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd" + - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd" + - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd" + - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd" + matchers-condition: and matchers: - type: status From 2731d48192f074797e8c1e58e7d4ec452876b15f Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:57:35 +0530 Subject: [PATCH 14/29] misc changes --- {exposures/files => miscellaneous}/joomla-htaccess.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {exposures/files => miscellaneous}/joomla-htaccess.yaml (100%) diff --git a/exposures/files/joomla-htaccess.yaml b/miscellaneous/joomla-htaccess.yaml similarity index 100% rename from exposures/files/joomla-htaccess.yaml rename to miscellaneous/joomla-htaccess.yaml From 1ffadb03d5387a166530575e0b9af0bc92b9abd6 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:58:24 +0530 Subject: [PATCH 15/29] Update joomla-htaccess.yaml --- miscellaneous/joomla-htaccess.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/miscellaneous/joomla-htaccess.yaml b/miscellaneous/joomla-htaccess.yaml index 4c88101d8e..379cb579c1 100644 --- a/miscellaneous/joomla-htaccess.yaml +++ b/miscellaneous/joomla-htaccess.yaml @@ -16,7 +16,7 @@ requests: - type: word words: - "# @package Joomla" - - "# @copyright Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.g" + - "Open Source Matters. All rights reserved" condition: and - type: word From f749429a7952f62360d5fb9e40a976df374ec3e2 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 05:29:21 +0000 Subject: [PATCH 16/29] Auto Update README [Fri Feb 26 05:29:21 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 05d10da0c3..e1b43d53ba 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | | exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 14 | default-logins | 11 | +| workflows | 21 | miscellaneous | 15 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 606 files**. +**62 directories, 607 files**. From 641b2464555e222678b17ecefd7be000148ba055 Mon Sep 17 00:00:00 2001 
From: YashGoti <39102999+YashGoti@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:00:21 +0530 Subject: [PATCH 17/29] Create wp-uploads.yaml --- miscellaneous/wp-uploads.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 miscellaneous/wp-uploads.yaml diff --git a/miscellaneous/wp-uploads.yaml b/miscellaneous/wp-uploads.yaml new file mode 100644 index 0000000000..084e959ee2 --- /dev/null +++ b/miscellaneous/wp-uploads.yaml @@ -0,0 +1,29 @@ +id: wp-uploads + +info: + name: WordPress Upload Directory Listing Enable + author: yashgoti + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/uploads/" + - "{{BaseURL}}/wp-content/uploads/2015/" + - "{{BaseURL}}/wp-content/uploads/2016/" + - "{{BaseURL}}/wp-content/uploads/2017/" + - "{{BaseURL}}/wp-content/uploads/2018/" + - "{{BaseURL}}/wp-content/uploads/2019/" + - "{{BaseURL}}/wp-content/uploads/2020/" + - "{{BaseURL}}/wp-content/uploads/2021/" + - "{BaseURL}/wp-content/uploads/cfdb7_uploads/" + matchers: + - type: word + words: + - "Directory listing for" + - "Index of /" + - "[To Parent Directory]" + - "Directory: /" + - type: status + status: + - 200 From fb0116549001cab1ff21948cfed9486e4b5971ca Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:00:36 +0530 Subject: [PATCH 18/29] moving folders around --- {exposures/files => miscellaneous}/joomla-manifest-file.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename {exposures/files => miscellaneous}/joomla-manifest-file.yaml (90%) diff --git a/exposures/files/joomla-manifest-file.yaml b/miscellaneous/joomla-manifest-file.yaml similarity index 90% rename from exposures/files/joomla-manifest-file.yaml rename to miscellaneous/joomla-manifest-file.yaml index 20f6322e99..6195def552 100644 --- a/exposures/files/joomla-manifest-file.yaml +++ b/miscellaneous/joomla-manifest-file.yaml 
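Review bot: `matchers` is given without `matchers-condition: and`, so nuclei's default OR applies and the `status: 200` matcher alone reports a directory listing for any uploads path that merely exists, which on a typical WordPress site is most of them; add `matchers-condition: and` on the line before `matchers:`. The last path, `{BaseURL}/wp-content/uploads/cfdb7_uploads/`, has single braces, so the variable is never expanded and the literal string is requested; it should be `"{{BaseURL}}/wp-content/uploads/cfdb7_uploads/"`.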
@@ -1,9 +1,9 @@ id: joomla-manifest-file info: - name: joomla manifest file disclosure + name: Joomla manifest file disclosure author: oppsec - severity: low + severity: info description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths. requests: From 465ddcec4b54b17a276a0e5f65296a6d9836a06f Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 05:31:32 +0000 Subject: [PATCH 19/29] Auto Update README [Fri Feb 26 05:31:32 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e1b43d53ba..456c4b8e8a 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | | exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 15 | default-logins | 11 | +| workflows | 21 | miscellaneous | 16 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 607 files**. +**62 directories, 608 files**. From 9d0bf90c62284d9cc5401bbe478ce9317bfcfdc3 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:04:18 +0530 Subject: [PATCH 20/29] misc changes --- miscellaneous/{wp-uploads.yaml => wp-uploads-listing.yaml} | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) rename miscellaneous/{wp-uploads.yaml => wp-uploads-listing.yaml} (91%) diff --git a/miscellaneous/wp-uploads.yaml b/miscellaneous/wp-uploads-listing.yaml similarity index 91% rename from miscellaneous/wp-uploads.yaml rename to miscellaneous/wp-uploads-listing.yaml index 084e959ee2..90aa73e290 100644 
--- a/miscellaneous/wp-uploads.yaml +++ b/miscellaneous/wp-uploads-listing.yaml @@ -1,4 +1,4 @@ -id: wp-uploads +id: wp-uploads-listing info: name: WordPress Upload Directory Listing Enable @@ -16,7 +16,8 @@ requests: - "{{BaseURL}}/wp-content/uploads/2019/" - "{{BaseURL}}/wp-content/uploads/2020/" - "{{BaseURL}}/wp-content/uploads/2021/" - - "{BaseURL}/wp-content/uploads/cfdb7_uploads/" + + matchers-condition: and matchers: - type: word words: @@ -24,6 +25,7 @@ requests: - "Index of /" - "[To Parent Directory]" - "Directory: /" + - type: status status: - 200 From 00b8f5a12eb5724e23a867f97e0d1261a53f90be Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 05:36:05 +0000 Subject: [PATCH 21/29] Auto Update README [Fri Feb 26 05:36:05 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 456c4b8e8a..15f5671301 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | | exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 16 | default-logins | 11 | +| workflows | 21 | miscellaneous | 17 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 608 files**. +**62 directories, 609 files**. From 892c25e4d0e280feb9a52dbc0039e5f84cfa4881 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:14:18 +0530 Subject: [PATCH 22/29] Update unauthenticated-nacos-access.yaml --- misconfiguration/unauthenticated-nacos-access.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/misconfiguration/unauthenticated-nacos-access.yaml b/misconfiguration/unauthenticated-nacos-access.yaml index f9f82b3b6d..35e0b30cdc 100644 --- a/misconfiguration/unauthenticated-nacos-access.yaml +++ b/misconfiguration/unauthenticated-nacos-access.yaml @@ -11,6 +11,8 @@ requests: path: - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9" - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9" + headers: + User-Agent: Nacos-Server matchers-condition: and matchers: From 36694ceec90adf56c5e5acba7093c8f4d1060bbf Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:21:15 +0530 Subject: [PATCH 23/29] wp workflow update --- .../wordpress/wp-license-file.yaml | 2 +- .../wordpress}/wp-uploads-listing.yaml | 2 +- workflows/wordpress-workflow.yaml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) rename miscellaneous/wp-license.yaml => vulnerabilities/wordpress/wp-license-file.yaml (94%) rename {miscellaneous => vulnerabilities/wordpress}/wp-uploads-listing.yaml (93%) diff --git a/miscellaneous/wp-license.yaml b/vulnerabilities/wordpress/wp-license-file.yaml similarity index 94% rename from miscellaneous/wp-license.yaml rename to vulnerabilities/wordpress/wp-license-file.yaml index 35ab078af8..f2ee4bbc05 100644 --- a/miscellaneous/wp-license.yaml +++ b/vulnerabilities/wordpress/wp-license-file.yaml @@ -1,4 +1,4 @@ -id: wp-license +id: wp-license-file info: name: WordPress license file disclosure diff --git a/miscellaneous/wp-uploads-listing.yaml b/vulnerabilities/wordpress/wp-uploads-listing.yaml similarity index 93% rename from miscellaneous/wp-uploads-listing.yaml rename to vulnerabilities/wordpress/wp-uploads-listing.yaml index 90aa73e290..bc2f614fd8 100644 --- a/miscellaneous/wp-uploads-listing.yaml +++ b/vulnerabilities/wordpress/wp-uploads-listing.yaml 
@@ -16,7 +16,7 @@ requests: - "{{BaseURL}}/wp-content/uploads/2019/" - "{{BaseURL}}/wp-content/uploads/2020/" - "{{BaseURL}}/wp-content/uploads/2021/" - + - "{{BaseURL}}/wp-content/uploads/cfdb7_uploads/" matchers-condition: and matchers: - type: word diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml index 71d5dc5a5e..36be8a7c7b 100644 --- a/workflows/wordpress-workflow.yaml +++ b/workflows/wordpress-workflow.yaml @@ -44,3 +44,5 @@ workflows: - template: vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml - template: vulnerabilities/wordpress/wp-enabled-registration.yaml - template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml + - template: vulnerabilities/wordpress/wp-uploads-listing.yaml + - template: vulnerabilities/wordpress/wp-license-file.yaml From 594c657b7d3712b198c9c895c20406a99042e1cb Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 05:51:37 +0000 Subject: [PATCH 24/29] Auto Update README [Fri Feb 26 05:51:37 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 15f5671301..aeee504408 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,9 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | +| cves | 206 | vulnerabilities | 101 | exposed-panels | 74 | | exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 17 | default-logins | 11 | +| workflows | 21 | miscellaneous | 15 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | From 19b0fd818afc59e765ea5ced2d836f817189de94 Mon Sep 17 00:00:00 2001 
From: oppsec <50470310+oppsec@users.noreply.github.com> Date: Fri, 26 Feb 2021 08:24:16 -0300 Subject: [PATCH 25/29] Update joomla-htaccess.yaml --- miscellaneous/joomla-htaccess.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/miscellaneous/joomla-htaccess.yaml b/miscellaneous/joomla-htaccess.yaml index 379cb579c1..cbaf0cf796 100644 --- a/miscellaneous/joomla-htaccess.yaml +++ b/miscellaneous/joomla-htaccess.yaml @@ -1,7 +1,7 @@ id: joomla-htaccess-file info: - name: Joomla htacces file disclosure + name: Joomla htaccess file disclosure author: oppsec severity: info description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc... From 80ab50a9f0fecdf658f2b6efe68572ae661535b0 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 18:41:33 +0530 Subject: [PATCH 26/29] misc changes --- .../dell/dell-idrac-default-login.yaml | 10 +++++-- technologies/dell-idrac-detect.yaml | 28 ++----------------- 2 files changed, 9 insertions(+), 29 deletions(-) diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml index 05cd6e1cb6..8a2eee2710 100644 --- a/default-logins/dell/dell-idrac-default-login.yaml +++ b/default-logins/dell/dell-idrac-default-login.yaml @@ -1,6 +1,6 @@ id: dell-idrac-default-login info: - name: dell-idrac-default-login + name: Dll iDRAC Default login author: kophjager007 severity: high tags: dell,idrac,dlogin @@ -12,7 +12,6 @@ requests: - "{{BaseURL}}/data/login" body: "user=root&password=calvin" headers: - Host: "{{Hostname}}" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Content-Type: application/x-www-form-urlencode Referer: "{{BaseURL}}/login.html" 
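Review bot: `name: Dll iDRAC Default login` misspells the vendor, and the name is printed on every finding line, so it should read `name: Dell iDRAC Default Login`. The second hunk's context line `Content-Type: application/x-www-form-urlencode` is still missing its final `d`; since this commit already edits that header block, it is the natural place to correct it.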
@@ -21,4 +20,9 @@ requests: matchers: - type: status status: - - 200 \ No newline at end of file + - 200 + + matchers: + - type: word + words: + - 0 \ No newline at end of file diff --git a/technologies/dell-idrac-detect.yaml b/technologies/dell-idrac-detect.yaml index 31618b85bf..ae59631f5c 100644 --- a/technologies/dell-idrac-detect.yaml +++ b/technologies/dell-idrac-detect.yaml @@ -10,33 +10,9 @@ requests: headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 path: - - "{{BaseURL}}/sysmgmt/2015/bmc/info" + - "{{BaseURL}}/login.html" - matchers-condition: and matchers: - - type: status - status: - - 200 - - type: word - part: body - condition: and words: - - "iDRACName" - - "BuildVersion" - - extractors: - - type: regex - part: header - regex: - - iDRAC/[0-9]{1,2} - - type: regex - part: body - regex: - - iDRAC[0-9]{1,2} - - type: regex - part: body - name: fwver - group: 1 - regex: - - '"FwVer" *: *"([^"]+)"' \ No newline at end of file + - 'Integrated Dell Remote Access Controller' \ No newline at end of file From 367a1117f6305e047ab7f3672705614748f92b9a Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 13:12:14 +0000 Subject: [PATCH 27/29] Auto Update README [Fri Feb 26 13:12:14 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 05d10da0c3..c7838f77a8 100644 --- a/README.md +++ b/README.md 
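Review bot: The added `matchers:` key duplicates the one three lines above it; a YAML loader either rejects the duplicate or keeps only the last mapping, in which case the `status: 200` matcher silently disappears. The new word `0` is also too weak to signal a successful login: a bare zero occurs in almost any response body (an `<?xml version="1.0"` prologue already contains one), so every reachable `/data/login` would be reported as a default-credential hit. Merge the word matcher into the existing list and anchor it on the element that carries the result — if that is an `authResult` tag, as the `0` suggests, `- "<authResult>0</authResult>"`.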
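Review bot: Replacing the `/sysmgmt/2015/bmc/info` probe and its `matchers-condition: and`/`status` pair with a single unanchored word on `/login.html` also deletes the `fwver` extractor, which was the only version signal the detection produced and the one thing that lets an operator tell a patched controller from an exposed one. If the old endpoint was unreliable, keep it as an additional `path` alongside `/login.html` rather than removing it, and keep the `status: 200` matcher so an error page that happens to mention the product name does not count as a detection.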
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | -| exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 14 | default-logins | 11 | +| exposures | 55 | technologies | 48 | misconfiguration | 48 | +| workflows | 22 | miscellaneous | 14 | default-logins | 12 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 606 files**. +**63 directories, 609 files**. From a7ec2e79b00efaf2b4fa236b249092d683316183 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 13:14:20 +0000 Subject: [PATCH 28/29] Auto Update README [Fri Feb 26 13:14:20 UTC 2021] :robot: --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9cedaad55e..91686dc216 100644 --- a/README.md +++ b/README.md @@ -37,14 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | +| cves | 206 | vulnerabilities | 101 | exposed-panels | 74 | | exposures | 55 | technologies | 48 | misconfiguration | 48 | -| workflows | 22 | miscellaneous | 14 | default-logins | 12 | +| workflows | 22 | miscellaneous | 15 | default-logins | 12 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**63 directories, 609 files**. - +**63 directories, 612 files**. 
From 1ba9f0d33dc24bb7eca3a61046f9a8e93189d6d5 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 20:04:38 +0530 Subject: [PATCH 29/29] syntax update and added additional endpoints --- .../dell/dell-idrac-default-login.yaml | 1 - technologies/dell-idrac-detect.yaml | 28 ++++++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml index 8a2eee2710..f0e9139351 100644 --- a/default-logins/dell/dell-idrac-default-login.yaml +++ b/default-logins/dell/dell-idrac-default-login.yaml @@ -22,7 +22,6 @@ requests: status: - 200 - matchers: - type: word words: - 0 \ No newline at end of file diff --git a/technologies/dell-idrac-detect.yaml b/technologies/dell-idrac-detect.yaml index ae59631f5c..8e86f218e7 100644 --- a/technologies/dell-idrac-detect.yaml +++ b/technologies/dell-idrac-detect.yaml @@ -10,9 +10,35 @@ requests: headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 path: + - "{{BaseURL}}/restgui/start.html" + - "{{BaseURL}}/sysmgmt/2015/bmc/info" # Firmware Version and other info (iDRAC9) - "{{BaseURL}}/login.html" + matchers-condition: and matchers: + - type: status + status: + - 200 - type: word + part: body words: - - 'Integrated Dell Remote Access Controller' \ No newline at end of file + - "Dell Integrated Remote Access Controller " + - "Integrated Dell Remote Access Controller" + - "iDRAC" + - "PowerEdge" + + extractors: + - type: regex + part: header + regex: + - iDRAC/[0-9]{1,2} + - type: regex + part: body + regex: + - iDRAC[0-9]{1,2} + - type: regex + part: body + name: fwver + group: 1 + regex: + - '"FwVer" *: *"([^"]+)"' \ No newline at end of file
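Review bot: With the duplicate key gone the word matcher now sits under `matchers-condition: and`, but `words: - 0` still matches any body containing a zero character, so a rejected login whose response carries a version prologue or a timestamp is reported as a working default credential. Match the full result token instead — `- "<authResult>0</authResult>"` if that is the element the `0` refers to — and quote it, since an unquoted `0` is a YAML integer that relies on nuclei coercing it back to a string.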
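Review bot: The restored `words` list has no `condition`, so any one of its four entries suffices, and `PowerEdge` and `iDRAC` on their own appear on non-iDRAC Dell pages that answer 200, widening the detection well past the device the workflow then feeds into `dell-idrac-default-login`. Drop `PowerEdge`, and strip the trailing space inside the first entry, `"Dell Integrated Remote Access Controller"`, which otherwise fails whenever the name is followed by a tag or punctuation. The inline `# Firmware Version and other info (iDRAC9)` comment is useful; the `/restgui/start.html` path would benefit from a similar one saying which generation it targets.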