Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates

README.md

@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
 
 | Templates        | Counts                         | Templates       | Counts                          | Templates      | Counts                       |
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
-| cves             | 282           | vulnerabilities | 127 | exposed-panels | 118 |
+| cves             | 282           | vulnerabilities | 128 | exposed-panels | 120 |
-| takeovers        | 67        | exposures       | 74       | technologies   | 61   |
+| takeovers        | 67        | exposures       | 78       | technologies   | 63   |
 | misconfiguration | 55 | workflows       | 30         | miscellaneous  | 20  |
 | default-logins   | 22 | exposed-tokens  | 0  | dns            | 8            |
-| fuzzing          | 7          | helpers         | 6         | iot            | 11            |
+| fuzzing          | 8          | helpers         | 7         | iot            | 11            |
 
-**99 directories, 964 files**.
+**99 directories, 975 files**.
 
 </td>
 </tr>

cves/2017/CVE-2017-12635.yaml

@@ -1,12 +1,12 @@
 id: CVE-2017-12635
 
 info:
-  name: Apache CouchDB 1.7.0 / 2.x < 2.1.1 RCE
+  name: Apache CouchDB 1.7.0 / 2.x < 2.1.1 Remote Privilege Escalation
   author: pikpikcu
   severity: high
   description: Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
   reference: https://github.com/assalielmehdi/CVE-2017-12635
-  tags: cve,cve2017,couchdb,rce
+  tags: cve,cve2017,couchdb
 
 requests:
   - raw:

exposed-panels/polycom-login.yaml

@@ -0,0 +1,24 @@
+id: polycom-login
+
+info:
+  name: Polycom Login
+  author: DhiyaneshDk
+  severity: info
+  reference: https://www.exploit-db.com/ghdb/6863
+  tags: panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login.html"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>Polycom Login</title>"
+        part: body
+
+      - type: status
+        status:
+          - 200

exposed-panels/sauter-login.yaml

@@ -0,0 +1,24 @@
+id: sauter-login
+
+info:
+  name: Sauter moduWeb - Login
+  author: DhiyaneshDk
+  severity: info
+  reference: https://www.exploit-db.com/ghdb/6883
+  tags: panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?locale=en"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - <title>Sauter moduWeb - Login</title>
+        part: body
+
+      - type: status
+        status:
+          - 200

exposures/configs/exposed-authentication-asmx.yaml

@@ -0,0 +1,24 @@
+id: exposed-authentication.asmx
+
+info:
+  name: Exposed Authentication.asmx
+  author: DhiyaneshDk
+  severity: low
+  reference: https://www.exploit-db.com/ghdb/6604
+  tags: config,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/_vti_bin/Authentication.asmx?op=Mode"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Authentication Web Service"
+        part: body
+
+      - type: status
+        status:
+          - 200

exposures/configs/kyan-network-credentials-disclosure.yaml

@@ -0,0 +1,32 @@
+id: kyan-network-credential-exposure
+
+info:
+  name: Kyan network monitoring device account and password exposure
+  author: pikpikcu
+  severity: medium
+  reference: |
+    - https://mp.weixin.qq.com/s/6phWjDrGG0pCpGuCdLusIg
+  tags: kyan,exposure,config
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/hosts"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "UserName="
+          - "Password="
+        condition: and
+
+      - type: word
+        words:
+          - "text/plain"
+        part: header
+
+      - type: status
+        status:
+          - 200

exposures/configs/saia-web-server-info.yaml

@@ -0,0 +1,24 @@
+id: saia-web-server
+
+info:
+  name: Saia PCD Web-Server
+  author: DhiyaneshDk
+  severity: low
+  reference: https://www.exploit-db.com/ghdb/6865
+  tags: config,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/loadtextfile.htm#programinfo"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>Saia PCD Web Server</title>"
+        part: body
+
+      - type: status
+        status:
+          - 200

exposures/files/phpunit.yaml

@@ -0,0 +1,24 @@
+id: phpunit
+
+info:
+  name: phpunit.xml file disclosure
+  author: pikpikcu
+  severity: info
+  tags: file,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/phpunit.xml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<phpunit"
+          - "</phpunit>"
+        condition: and
+
+      - type: status
+        status:
+          - 200

fuzzing/generic-lfi-fuzzing.yaml

@@ -1,7 +1,7 @@
 id: generic-lfi-fuzzing
 info:
   name: Generic LFI Test
-  author: geeknik
+  author: geeknik & unstabl3
   severity: high
   description: A generic test for Local File Inclusion
   tags: fuzz,lfi
@@ -18,6 +18,7 @@ requests:
       - "{{BaseURL}}/?q=..///////..////..//////etc/passwd&s=..///////..////..//////etc/passwd&search=..///////..////..//////etc/passwd&id=..///////..////..//////etc/passwd&action=..///////..////..//////etc/passwd&keyword=..///////..////..//////etc/passwd&query=..///////..////..//////etc/passwd&page=..///////..////..//////etc/passwd&keywords=..///////..////..//////etc/passwd&url=..///////..////..//////etc/passwd&view=..///////..////..//////etc/passwd&cat=..///////..////..//////etc/passwd&name=..///////..////..//////etc/passwd&key=..///////..////..//////etc/passwd&p=..///////..////..//////etc/passwd"
       - "{{BaseURL}}/?q=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&s=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&search=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&id=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&action=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keyword=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&query=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keywords=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&url=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&view=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&cat=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&name=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&key=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&p=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
       - "{{BaseURL}}/?q=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&s=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&search=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&id=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&action=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keyword=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&query=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keywords=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&url=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&view=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&cat=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&name=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&key=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&p=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd"
+      - "{{BaseURL}}/etc/passwd"
     matchers:
       - type: regex
         words:

fuzzing/wordpress-plugins-detect.yaml

@@ -0,0 +1,30 @@
+id: wordpress-plugins-detect
+info:
+  name: WordPress Plugins Detection
+  author: 0xcrypto
+  severity: info
+  tags: fuzz
+
+requests:
+  - payloads:
+      pluginSlug: helpers/wordlists/wordpress-plugins.txt
+
+    attack: sniper
+    threads: 50
+
+    raw:
+      - |
+        GET /wp-content/plugins/{{pluginSlug}}/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    max-redirects: 1
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "== Description =="

fuzzing/wordpress-themes-detect.yaml

@@ -0,0 +1,30 @@
+id: wordpress-themes-detect
+info:
+  name: WordPress Theme Detection
+  author: 0xcrypto
+  severity: info
+  tags: fuzz
+
+requests:
+  - payloads:
+      themeSlug: helpers/wordlists/wordpress-themes.txt
+
+    attack: sniper
+    threads: 50
+
+    raw:
+      - |
+        GET /wp-content/themes/{{themeSlug}}/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    max-redirects: 1
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "== Description =="

fuzzing/wp-plugin-scan.yaml

@@ -1,34 +0,0 @@
-id: wp-plugin-scan
-info:
-  name: Wordpress Plugin Scanner
-  author: pdteam
-  severity: info
-  description: Wordlist based wordpress plugin scanner.
-  reference: https://github.com/RandomRobbieBF/wordpress-plugin-list
-  tags: fuzz
-
-requests:
-
-  - payloads:
-      plugin_wordlist: helpers/wordlists/wp-plugins.txt
-
-    attack: sniper
-    threads: 50
-
-    raw:
-      - |
-        GET {{plugin_wordlist}} HTTP/1.1
-        Host: {{Hostname}}
-        Accept: application/json, text/plain, */*
-        Accept-Language: en-US,en;q=0.5
-        Referer: {{BaseURL}}
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-
-      - type: word
-        words:
-          - "== Description =="

technologies/mautic-crm-detect.yaml

@@ -0,0 +1,31 @@
+id: mautic-crm-detect
+
+info:
+  name: mautic crm detect
+  author: cyllective
+  severity: info
+  description: Detects Mautic CRM
+  tags: tech,mautic,crm
+  references:
+    - https://github.com/mautic/mautic
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/s/login"
+
+    matcherscondition: or
+    matchers:
+      - type: word
+        part: body
+        condition: or
+        words:
+          - '<title>Mautic</title>'
+          - '<div class="mautic-logo'
+
+      - type: regex
+        part: body
+        condition: or
+        regex:
+          - 'var\s+?mautic(?:BasePath|BaseUrl|AjaxUrl|AjaxCsrf|AssetPrefix|Content|Env|Lang)\s+?='
+          - 'Copyright \d{4} Mautic\. All Rights Reserved\.'

technologies/plone-cms-detect.yaml

@@ -0,0 +1,26 @@
+id: plone-cms-detect
+
+info:
+  name: Plone CMS detect
+  author: cyllective
+  severity: info
+  description: Detects Plone CMS
+  tags: tech,plone,cms
+  references:
+    - https://github.com/plone/Products.CMFPlone
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: word
+        part: body
+        condition: or
+        words:
+          - '<meta name="generator" content="Plone - '
+          - '<div xmlns:css="http://namespaces.plone.org/diazo/css"'
+          - '/++plone++static/plone-compiled.css'
+          - '/++plone++static/tinymce-styles.css'
+          - '>Powered by Plone &amp; Python</a>'

vulnerabilities/wordpress/wordpress-wordfence-waf-bypass-xss.yaml

@@ -0,0 +1,29 @@
+id: wordpress-wordfence-waf-bypass-xss
+
+info:
+  author: hackergautam
+  name: Wordfence WAF Bypass WordPress XSS
+  reference: https://twitter.com/naglinagli/status/1382082473744564226
+  severity: medium
+  tags: wordpress,wordfence,xss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/?s=ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253ey6uu6"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - <script>alert(document.domain)</script>
+        part: body
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200