Merge pull request #19 from projectdiscovery/master

Updation
2021-02-26 23:54:55 +05:30 · 2021-02-26 23:54:55 +05:30 · cbf9e05e26
parent acd1ab4735 1ba9f0d33d
commit cbf9e05e26
15 changed files with 238 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
 | Templates      | Counts                         | Templates       | Counts                          | Templates        | Counts                         |
 | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
-| cves           | 206            | vulnerabilities | 98 | exposed-panels   | 74   |
+| cves           | 206            | vulnerabilities | 101 | exposed-panels   | 74   |
-| exposures      | 55      | technologies    | 46      | misconfiguration | 48 |
+| exposures      | 55      | technologies    | 48      | misconfiguration | 48 |
-| workflows      | 21        | miscellaneous   | 14     | default-logins   | 11 |
+| workflows      | 22        | miscellaneous   | 15     | default-logins   | 12 |
 | exposed-tokens | 9 | dns             | 6               | fuzzing          | 4          |
 | helpers        | 2        | takeovers       | 1         | -                | -                              |
-**62 directories, 604 files**.
+**63 directories, 612 files**.
 </td>
 </tr>
--- a/default-logins/dell/dell-idrac-default-login.yaml
+++ b/default-logins/dell/dell-idrac-default-login.yaml
@ -0,0 +1,27 @@
 id: dell-idrac-default-login
 info:
  name: Dll iDRAC Default login
  author: kophjager007
  severity: high
  tags: dell,idrac,dlogin
 requests:
  - method: POST
    cookie-reuse: true
    path:
      - "{{BaseURL}}/data/login"
    body: "user=root&password=calvin"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
      Content-Type: application/x-www-form-urlencode
      Referer: "{{BaseURL}}/login.html"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - <authResult>0</authResult>
--- a/fuzzing/directory-traversal.yaml
+++ b/fuzzing/directory-traversal.yaml
@ -24,6 +24,13 @@ requests:
      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
      - "{{BaseURL}}/./../../../../../../../../../../etc/passwd"
      - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
      - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
      - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
      - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
      - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
      - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
    matchers-condition: and
    matchers:
      - type: status
--- a/miscellaneous/joomla-htaccess.yaml
+++ b/miscellaneous/joomla-htaccess.yaml
@ -0,0 +1,29 @@
 id: joomla-htaccess-file
 info:
  name: Joomla htaccess file disclosure
  author: oppsec
  severity: info
  description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc...
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/htaccess.txt"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "# @package    Joomla"
          - "Open Source Matters. All rights reserved"
        condition: and
      - type: word
        words:
          - "text/plain"
        part: header
      - type: status
        status:
          - 200
--- a/miscellaneous/joomla-manifest-file.yaml
+++ b/miscellaneous/joomla-manifest-file.yaml
@ -0,0 +1,29 @@
 id: joomla-manifest-file
 info:
  name: Joomla manifest file disclosure
  author: oppsec
  severity: info
  description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths.
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/administrator/manifests/files/joomla.xml"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "admin@joomla.org"
          - "www.joomla.org"
        condition: and
      - type: word
        words:
          - "application/xml"
        part: header
      - type: status
        status:
          - 200
--- a/misconfiguration/unauthenticated-airflow.yaml
+++ b/misconfiguration/unauthenticated-airflow.yaml
@ -14,8 +14,14 @@ requests:
    matchers:
      - type: word
        words:
-          - Airflow - DAGs
+          - "Content-Type: text/html"
        part: header
      - type: word
        words:
          - "<title>Airflow - DAGs</title>"
        part: body
        condition: and
      - type: status
        status:
--- a/misconfiguration/unauthenticated-nacos-access.yaml
+++ b/misconfiguration/unauthenticated-nacos-access.yaml
@ -1,30 +1,34 @@
 id: unauthenticated-nacos-access
 info:
-  name: Unauthenticated Nacos access
+  name: Unauthenticated Nacos access v1.x
-  author: taielab
+  author: taielab & @pikpikcu
  severity: critical
-
+  issues: https://github.com/alibaba/nacos/issues/4593
  # References:
  # - https://github.com/alibaba/nacos/issues/4593
 requests:
-  - raw:
+  - method: GET
-      - |
+    path:
-        GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1
+      - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
-        Host: {{Hostname}}
+      - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"
    headers:
      User-Agent: Nacos-Server
        Content-Length: 2
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Content-Type: application/json"
        part: header
      - type: regex
        regex:
          - '"username":'
          - '"password":'
          - '"totalCount":'
        condition: and
        part: body
        condition: and
      - type: status
        status:
          - 200
--- a/technologies/dell-idrac-detect.yaml
+++ b/technologies/dell-idrac-detect.yaml
@ -0,0 +1,44 @@
 id: dell-idrac-detect
 info:
  name: Detect Dell iDRAC
  author: kophjager007
  description: The Integrated Dell Remote Access Controller (iDRAC) is designed for secure local and remote server management and helps IT administrators deploy, update and monitor Dell EMC PowerEdge servers.
  severity: info
 requests:
  - method: GET
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    path:
      - "{{BaseURL}}/restgui/start.html"
      - "{{BaseURL}}/sysmgmt/2015/bmc/info" # Firmware Version and other info (iDRAC9)
      - "{{BaseURL}}/login.html"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "Dell Integrated Remote Access Controller "
          - "Integrated Dell Remote Access Controller"
          - "iDRAC"
          - "PowerEdge"
    extractors:
      - type: regex
        part: header
        regex:
          - iDRAC/[0-9]{1,2}
      - type: regex
        part: body
        regex:
          - iDRAC[0-9]{1,2}
      - type: regex
        part: body
        name: fwver
        group: 1
        regex:
          - '"FwVer" *: *"([^"]+)"'
--- a/technologies/gunicorn-detect.yaml
+++ b/technologies/gunicorn-detect.yaml
@ -0,0 +1,25 @@
 id: gunicorn-detect
 info:
  name: Detect Gunicorn Server
  author: joanbono
  description: Gunicorn Python WSGI HTTP Server for UNIX - https://github.com/benoitc/gunicorn
  severity: info
 requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - gunicorn+
    extractors:
      - type: kval
        part: header
        kval:
          - Server
--- a/vulnerabilities/generic/open-redirect.yaml
+++ b/vulnerabilities/generic/open-redirect.yaml
@ -20,7 +20,6 @@ requests:
      - '{{BaseURL}}//example.com/..;/css'
      - '{{BaseURL}}/example%E3%80%82com'
      - '{{BaseURL}}/%5Cexample.com'
      - '{{BaseURL}}example.com'
      - '{{BaseURL}}/example.com'
      - '{{BaseURL}}\example.com'
      - '{{BaseURL}}//example.com/'
@ -46,5 +45,5 @@ requests:
    matchers:
      - type: regex
        regex:
-          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com(?:\s*?)$'
        part: header
--- a/vulnerabilities/wordpress/wordpress-user-enumeration.yaml
+++ b/vulnerabilities/wordpress/wordpress-user-enumeration.yaml
@ -2,7 +2,7 @@ id: wordpress-user-enumeration
 info:
  name: Wordpress user enumeration
-  author: Manas_Harsh
+  author: Manas_Harsh & daffainfo
  severity: info
  tags: wordpress
@ -10,6 +10,7 @@ requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/wp/v2/users/"
      - "{{BaseURL}}/?rest_route=/wp/v2/users/"
    matchers-condition: and
    matchers:
      - type: status
--- a/vulnerabilities/wordpress/wp-license-file.yaml
+++ b/vulnerabilities/wordpress/wp-license-file.yaml
@ -1,4 +1,4 @@
-id: wp-license
+id: wp-license-file
 info:
  name: WordPress license file disclosure
--- a/vulnerabilities/wordpress/wp-uploads-listing.yaml
+++ b/vulnerabilities/wordpress/wp-uploads-listing.yaml
@ -0,0 +1,31 @@
 id: wp-uploads-listing
 info:
  name: WordPress Upload Directory Listing Enable
  author: yashgoti
  severity: info
 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/"
      - "{{BaseURL}}/wp-content/uploads/2015/"
      - "{{BaseURL}}/wp-content/uploads/2016/"
      - "{{BaseURL}}/wp-content/uploads/2017/"
      - "{{BaseURL}}/wp-content/uploads/2018/"
      - "{{BaseURL}}/wp-content/uploads/2019/"
      - "{{BaseURL}}/wp-content/uploads/2020/"
      - "{{BaseURL}}/wp-content/uploads/2021/"
      - "{{BaseURL}}/wp-content/uploads/cfdb7_uploads/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Directory listing for"
          - "Index of /"
          - "[To Parent Directory]"
          - "Directory: /"
      - type: status
        status:
          - 200
--- a/workflows/dell-idrac-workflow.yaml
+++ b/workflows/dell-idrac-workflow.yaml
@ -0,0 +1,11 @@
 id: dell-idrac-workflow
 info:
  name: Dell iDRAC Security Checks
  author: kophjager007
  description: A workflow to identify Dell iDRAC instances and run all related nuclei templates.
  tags: workflow
 workflows:
  - template: technologies/dell-idrac-detect.yaml
    subtemplates:
      - template: default-logins/dell/dell-idrac-default-login.yaml
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@ -44,3 +44,5 @@ workflows:
          - template: vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml
          - template: vulnerabilities/wordpress/wp-enabled-registration.yaml
          - template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml
          - template: vulnerabilities/wordpress/wp-uploads-listing.yaml
          - template: vulnerabilities/wordpress/wp-license-file.yaml