Updates across many templates for clarity, spelling, and grammar.
parent
1f403d4ddb
commit
ef1f7c5e92
@ -4,7 +4,7 @@ info:
name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability
author: princechaddha
severity: high
description: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code.
reference:
- https://www.phpmyadmin.net/security/PMASA-2009-3/
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
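Review bot: the context line "name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability" contradicts both versions of the description, which describe PHP code injection into the generated configuration file via a crafted POST to setup.php (the PMASA-2009-3 reference), not deserialization; while this block is being edited, rename to something like "PhpMyAdmin Scripts/setup.php Code Injection". Also "save files on server" in the new line should be "save files on the server".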
@ -33,4 +33,4 @@ requests:

- type: regex
regex:
- "root:.*:0:0:"
- "root:.*:0:0:"
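Review bot: nothing visible changes in this hunk (the "root:.*:0:0:" matcher line is identical on both sides), so this is presumably a trailing-newline or whitespace fix. Harmless, but the same no-op hunk recurs in several templates in this commit and pads out a diff that is meant to be about spelling and grammar; consider keeping whitespace normalisation in a separate commit.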
@ -2,7 +2,7 @@ id: CVE-2009-4223

info:
name: KR-Web <= 1.1b2 RFI
description: KR is a web content-server based on Apache-PHP-MySql technology who gives to internet programmers some PHP classes semplifying database content access. Elsewere, it gives some admin and user tools to write, hyerarchize and authorize contents.
description: KR is a web content-server based on Apache-PHP-MySql technology which gives to programmers some PHP classes simplifying database content access. Additionally, it gives some admin and user tools to write, hierarchize, and authorize contents.
reference:
- https://sourceforge.net/projects/krw/
- https://www.exploit-db.com/exploits/10216
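Review bot: the new description still reads "which gives to programmers some PHP classes simplifying database content access"; drop the stray "to" and tighten to "which gives programmers PHP classes that simplify database content access". The rest of the rewrite (hierarchize, Additionally) is fine.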
@ -4,7 +4,7 @@ info:
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
author: exploitation,dwisiswant0,alex
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized. Since said information will be evaluated as an OGNL expression against the value stack, this introduces the possibility to inject server side code.
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
tags: cve,cve2013,rce,struts,apache

@ -4,7 +4,7 @@ info:
name: NETGEAR DGN2200 / DGND3700 - Admin Password Disclosure
author: suman_kar
severity: critical
description: Vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication. Attacker can use this password to gain administrator access of the targeted routers web interface.
description: A vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication. The attacker can then use this password to gain administrator access of the targeted router's web interface.
tags: cve,cve2016,iot,netgear,router
reference: https://nvd.nist.gov/vuln/detail/CVE-2016-5649

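Review bot: "The attacker can then use this password" in the new description has no antecedent; nothing before it says that the page discloses the administrator password (only the name line does). Suggest: "...access this page without authentication and retrieve the administrator password, which can then be used to gain administrator access to the targeted router's web interface."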
@ -32,4 +32,4 @@ requests:
part: body
group: 1
regex:
- '<b>Success "([a-z]+)"'
- '<b>Success "([a-z]+)"'
@ -3,7 +3,7 @@ id: CVE-2017-15715
info:
name: Apache Arbitrary File Upload
author: geeknik
description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.
description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
reference: https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715
severity: high
tags: cve,cve2017,apache,httpd,fileupload
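Review bot: the "are are" fix is correct, but the context line "name: Apache Arbitrary File Upload" oversells what the description actually states: in httpd 2.4.0 to 2.4.29 a "$" in a <FilesMatch> expression can match a trailing newline in the filename, which bypasses upload restrictions built on the filename suffix; httpd itself does not accept arbitrary uploads. Something like "Apache httpd <FilesMatch> Upload Filter Bypass" would make the name match the description.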
@ -42,4 +42,4 @@ requests:
matchers:
- type: dsl
dsl:
- 'contains(body_2, "{{randstr_1}}")'
- 'contains(body_2, "{{randstr_1}}")'
@ -4,7 +4,7 @@ info:
name: Graphite 'graphite.composer.views.send_email' SSRF
author: huowuzhao
severity: high
description: send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
description: Graphite's send_email in graphite-web/webapp/graphite/composer/views.py in versions up to 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an email address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information.
reference:
- http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
- https://github.com/graphite-project/graphite-web/issues/2008
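Review bot: "in versions up to 1.1.5" is ambiguous about whether 1.1.5 itself is affected, whereas the original "through 1.1.5" is inclusive. Keep "through 1.1.5" (or write "up to and including 1.1.5") so the affected-version statement does not get weaker in a grammar pass.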
@ -5,7 +5,7 @@ info:
author: divya_mudgal
severity: critical
reference: https://www.nccgroup.com/ae/our-research/technical-advisory-unauthenticated-sql-injection-in-lansweeper/
description: Lansweeper web application through 7.1.115.4 allows unauthenticated SQL injection via the "row" and "column" GET parameter to the /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION URI.
description: Lansweeper web application through 7.1.115.4 allows unauthenticated SQL injection via the "row" and "column" GET parameters to /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION URI.
tags: cve,cve2019,sqli,lansweeper

requests:
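Review bot: the rewrite drops the article before the path and leaves "to /WidgetHandler.ashx?...&row=INJECTION URI" hanging. Either restore "the" or drop "URI": "via the "row" and "column" GET parameters of /WidgetHandler.ashx?MethodName=Sort&ID=1&column=INJECTION&row=INJECTION".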
@ -4,7 +4,7 @@ info:
name: Webmin <= 1.920 Unauthenticated Remote Command Execution
author: bp0lr
severity: high
description: An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
description: An issue was discovered in Webmin <=1.920. The 'old' parameter in password_change.cgi contains a command injection vulnerability.
reference: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
tags: cve,cve2019,webmin,rce

@ -4,7 +4,7 @@ info:
name: Oracle Business Intelligence - Publisher XXE
author: madrobot
severity: high
description: Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported version that is affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher).
description: There is an XXE vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-2767
- https://www.exploit-db.com/exploits/46729
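Review bot: the new description still says "allows unauthenticated attacker with network access"; it needs the article, "allows an unauthenticated attacker". The version-list and "This easily exploitable vulnerability" changes are fine.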
@ -4,7 +4,7 @@ info:
name: YouPHPTube Encoder RCE
author: pikpikcu
severity: critical
description: A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack.
description: A command injection vulnerability has been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack.
reference: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0917
tags: cve,cve2019,rce

@ -4,7 +4,7 @@ info:
name: File Content Disclosure on Rails
author: omarkurt
severity: medium
description: There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
description: There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's file system to be exposed.
reference:
- https://github.com/omarkurt/CVE-2019-5418
- https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
@ -4,7 +4,7 @@ info:
name: GLPI v.9.4.6 - Open redirect
author: pikpikcu
severity: low
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.
reference:
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
@ -4,7 +4,7 @@ info:
name: Oracle WebLogic Server Administration Console Handle RCE
author: pdteam
severity: critical
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14883
tags: cve,cve2020,oracle,rce,weblogic

@ -4,7 +4,7 @@ info:
name: WP File Manager RCE
author: foulenzer
severity: critical
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This templates only detects the plugin, not its vulnerability.
description: The vulnerability allows unauthenticated remote attackers to upload .php files. This template only detects the plugin, not its vulnerability.
reference:
- https://plugins.trac.wordpress.org/changeset/2373068
- https://github.com/w4fz5uck5/wp-file-manager-0day
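Review bot: the typo fix is fine, but the description says "This template only detects the plugin, not its vulnerability" while the context line keeps "severity: critical". A presence-only check should not be reported as critical; with that severity every site that has the plugin installed, patched or not, raises a critical finding. Downgrade to info (or at most low) and keep the CVE references for triage.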
@ -61,4 +61,4 @@ requests:

- type: status
status:
- 200
- 200
@ -4,7 +4,7 @@ info:
name: ThinkAdmin 6 - Arbitrarily File Read (CVE-2020-25540)
author: geeknik
severity: medium
description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrarily file on a remote server via GET request encode parameter.
description: ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via GET request encode parameter.
reference: https://www.exploit-db.com/exploits/48812
tags: cve,cve2020,thinkadmin,lfi

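Review bot: "via GET request encode parameter" is still ungrammatical in the new line; write "via the encode GET parameter". "An unauthorized attacker" should be "an unauthenticated attacker", since the point is that no login is needed. The context line "name: ThinkAdmin 6 - Arbitrarily File Read" carries the same adverb-for-adjective error the description just fixed and should become "Arbitrary File Read".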
@ -4,7 +4,7 @@ info:
name: NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.
description: NETGEAR ProSAFE Plus was found to allow any HTML page as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands.
reference:
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
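Review bot: the new description introduces a parameter name, debugCmd, that the old text never mentioned; that is a factual addition rather than a grammar fix, so confirm it against the NCC Group advisory in the reference list before merging. Within the sentence itself, "allowing debug action via the submitId and debugCmd parameters" should be "allowing debug actions", and "allow any HTML page as a valid endpoint to submit POST requests" reads more naturally as "treat any page as a valid endpoint for POST requests".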
@ -4,7 +4,7 @@ info:
name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr.
description: This template detects a remote code execution (RCE) vulnerability in Monitorr 1.7.6m. Improper input validation and lack of authorization leads to arbitrary file uploads in the web application. An unauthorized attacker with web access to could upload and execute a specially crafted file, leading to remote code execution within the Monitorr.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28871
- https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
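Review bot: "An unauthorized attacker with web access to could upload" keeps the dangling "to" from the old line, and "within the Monitorr" should be "within Monitorr". Suggested last sentence: "An unauthenticated attacker with web access could upload and execute a specially crafted file, leading to remote code execution within Monitorr."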
@ -4,7 +4,7 @@ info:
name: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
author: LogicalHunter
severity: high
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
description: The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker to make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF.
reference:
- https://www.exploit-db.com/exploits/49189
- https://nvd.nist.gov/vuln/detail/CVE-2020-28976
@ -3,7 +3,7 @@ info:
name: UnRaid Remote Code Execution
author: madrobot
severity: high
description: A vulnerability in UnRaid allows remote unauthenticated attackers to execute arbirary code.
description: A vulnerability in UnRaid allows remote unauthenticated attackers to execute arbitrary code.
reference: https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/
tags: cve,cve2020,rce

@ -5,7 +5,7 @@ info:
author: dwisiswant0
severity: critical
tags: cve,cve2020,rce
description: LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution which is resolved in release 6.0-2.
description: LinuxKI v6.0-1 and earlier are vulnerable to a remote code execution. This is resolved in release 6.0-2.
reference:
- http://packetstormsecurity.com/files/157739/HP-LinuxKI-6.01-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/158025/LinuxKI-Toolset-6.01-Remote-Command-Execution.html
@ -2,7 +2,7 @@ id: CVE-2020-9402

info:
name: Django SQL Injection
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
description: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
reference:
- https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
- https://docs.djangoproject.com/en/3.0/releases/security/
@ -3,7 +3,7 @@ info:
name: rConfig Unauthenticated Sensitive Information Disclosure
author: madrobot
severity: high
description: An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.
description: An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application does not exit after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.
reference:
- https://blog.hivint.com/rconfig-3-9-3-unauthenticated-sensitive-information-disclosure-ead4ed88f153
- https://github.com/rconfig/rconfig/commit/20f4e3d87e84663d922b937842fddd9af1b68dd9
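Review bot: tense mismatch in the new line: "Because the application does not exit after a redirect is applied, the rest of the page still executed" switches from present to past halfway through. Make it "the rest of the page still executes, resulting in the disclosure of cleartext credentials in the response."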
@ -5,7 +5,7 @@ info:
author: dwisiswant0
severity: critical
reference: https://swarm.ptsecurity.com/unauth-rce-vmware/
description: The vulnerability allows unauthenticated remote attackers to upload file leading to remote code execution (RCE). This templates only detects the plugin.
description: The vulnerability allows unauthenticated remote attackers to upload files leading to remote code execution (RCE). This templates only detects the plugin.
tags: cve,cve2021,vmware,rce

requests:
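Review bot: the "This templates only detects" typo that this commit fixes in the WP File Manager template is left in place here, and "plugin" is the wrong word: the tags and the reference point at a VMware product, not a plugin. Suggest "This template only detects the product, not the vulnerability." As with the other detection-only templates in this commit, "severity: critical" on the context line is too high for a presence check.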
@ -4,7 +4,7 @@ info:
name: VICIdial - Multiple sensitive Information disclosure
author: pdteam
severity: high
description: VICIdial's Web Client contains many sensitive files that can be access from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/21
description: VICIdial's Web Client contains many sensitive files that can be accessed from the client side. These files contain mysqli logs, auth logs, debug information, successful and unsuccessful login attempts with their corresponding IP's, User-Agents, credentials and much more. This information can be leveraged by an attacker to gain further access to VICIdial systems. This vulnerability affects all versions as of 20/5/2021.
reference: https://github.com/JHHAX/VICIdial
tags: cve,cve2021

@ -3,7 +3,7 @@ id: CVE-2021-33221
info:
name: CommScope Ruckus IoT Controller Unauthenticated Service Details
author: geeknik
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices uses for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
description: A 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).
reference: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
severity: medium
tags: cve,cve2021,commscope,ruckus,debug
@ -4,7 +4,7 @@ info:
author: andysvints
severity: high
tags: glpi,default-login
description: GLPI is an ITSM software tool that helps you plan and manage IT changes. Checking is default super admin account(glpi/glpi) is enabled.
description: GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
reference: https://glpi-project.org/

requests:
@ -4,7 +4,7 @@ info:
name: E-mail service detector
author: binaryfigments
severity: info
description: Check the email service or spamfilter that is used for a domain.
description: Check the email service or spam filter that is used for a domain.
tags: dns

dns:
@ -4,7 +4,7 @@ info:
name: yarn lock file disclosure
author: oppsec
severity: info
description: yarn.lock is a file which store all exactly versions of each dependency were installed.
description: The yarn.lock file stores the versions of each Yarn dependency installed.
tags: exposure

requests:
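Review bot: the rewrite loses the one fact the old wording was trying to convey: yarn.lock pins the exact resolved version of every dependency, which is exactly why an exposed copy is useful for fingerprinting outdated packages. Suggest "yarn.lock records the exact resolved version of every installed dependency; an exposed copy discloses the project's dependency tree."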
@ -3,7 +3,7 @@ info:
name: iis-shortname
author: nodauf
severity: info
description: If IIS use old .Net Framwork it's possible to enumeration folder with the symbol ~.
description: When IIS uses an old .Net Framwork it's possible to enumeration folder with the symbol ~.
tags: fuzz

reference:
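Review bot: only "If IIS use" became "When IIS uses"; "Framwork" and "it's possible to enumeration folder" survive in the new line. Suggest "When IIS runs on an old .NET Framework it is possible to enumerate directory and file short names using the ~ character."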
@ -2,7 +2,7 @@ id: kevinlab-device-detect

info:
name: KevinLAB Devices Detection
description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.
description: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings by collecting and analyzing various information of energy usage and facilities as well as efficiency and indoor environment control.
author: gy741
severity: info
tags: iot
@ -4,7 +4,7 @@ info:
name: XP Webcam Viewer Page
author: aashiq
severity: medium
description: Searches for exposed webcams by querying the /mobile.html endpoint and existance of webcamXP in the body
description: Searches for exposed webcams by querying the /mobile.html endpoint and the existence of webcamXP in the body.
tags: webcam,iot

requests:
@ -23,4 +23,4 @@ requests:
words:
- "Please provide a valid username/password to access this server."
part: body
negative: true
negative: true
@ -3,7 +3,7 @@ id: google-floc-disabled
info:
name: Google FLoC Disabled
author: geeknik
description: The detected website has decided to explicity exclude itself from Google FLoC tracking.
description: The detected website has decided to explicilty exclude itself from Google FLoC tracking.
reference: https://www.bleepingcomputer.com/news/security/github-disables-google-floc-user-tracking-on-its-website/
severity: info
tags: google,floc,misc
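Review bot: this hunk swaps one misspelling for another: "explicity" becomes "explicilty". The word is "explicitly".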
@ -4,8 +4,8 @@ info:
name: Joomla htaccess file disclosure
author: oppsec
severity: info
description: Joomla have a htaccess file to store some configuration about HTTP Config, Directory Listening etc...
tags: misc
description: Joomla has an htaccess file to store configurations about HTTP config, directory listing, etc.
tags: misc,joomla

requests:
- method: GET
@ -4,8 +4,8 @@ info:
name: Joomla manifest file disclosure
author: oppsec
severity: info
description: joomla.xml is a xml file which stores some informations about installed Joomla, like version, files and paths.
tags: misc
description: joomla.xml is a file which stores information about installed Joomla, such as version, files, and paths.
tags: misc,joomla

requests:
- method: GET
@ -4,7 +4,7 @@ info:
name: Moodle Changelog File
author: oppsec
severity: info
description: Moodle have a file which describes API changes in core libraries and APIs, can be used to discover Moodle version.
description: Moodle has a file which describes API changes in core libraries and APIs, and can be used to discover Moodle version.
tags: misc

requests:
@ -4,7 +4,7 @@ info:
author: DhiyaneshDk
name: AEM UserInfo Servlet
severity: info
description: UserInfoServlet is exposed, it allows to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
description: UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
tags: aem


@ -28,4 +28,4 @@ requests:
- type: word
part: header
words:
- 'application/json'
- 'application/json'
@ -4,7 +4,7 @@ info:
name: ITMS-Misconfigured
author: dhiyaneshDK
severity: info
description: detectes misconfigured Service-now ITSM instances
description: Detection of misconfigured ServiceNow ITSM instances.
reference:
- https://medium.com/@th3g3nt3l/multiple-information-exposed-due-to-misconfigured-service-now-itsm-instances-de7a303ebd56
- https://github.com/leo-hildegarde/SnowDownKB/
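Review bot: the description now says "ServiceNow ITSM" but the context line keeps "name: ITMS-Misconfigured"; the two lines contradict each other on the acronym. Rename to something like "ServiceNow ITSM Misconfigured" while this block is open.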
@ -24,4 +24,4 @@ requests:

- type: status
status:
- 200
- 200
@ -4,7 +4,7 @@ info:
name: HTTP Missing Security Headers
author: socketz,geeknik,G4L1T0,convisoappsec,kurohost,dawid-czarnecki
severity: info
description: It searches missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
description: It searches for missing security headers, but obviously, could be so less generic and could be useless for Bug Bounty.
tags: misconfig,generic

requests:
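Review bot: "but obviously, could be so less generic and could be useless for Bug Bounty" is as unclear after the edit as before it. State what the template does and its limitation plainly, for example: "Checks for missing HTTP security headers. The check is generic by design, so a missing header is a hardening finding rather than a vulnerability and needs context before it is reported."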
@ -124,4 +124,4 @@ requests:
- type: regex
name: access-control-allow-headers
regex:
- "(?i)access-control-allow-headers"
- "(?i)access-control-allow-headers"
@ -2,7 +2,7 @@ id: laravel-debug-enabled
info:
name: Laravel Debug Enabled
author: notsoevilweasel
description: Laravel with APP_DEBUG set to true prone to showing verbose errors.
description: Laravel with APP_DEBUG set to true is prone to show verbose errors.
severity: medium
tags: debug,laravel,misconfig

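Review bot: the old line's "prone to showing" was the correct form; the new line only needed the missing "is". Use "Laravel with APP_DEBUG set to true is prone to showing verbose errors." (or "exposes verbose error pages").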
@ -19,4 +19,4 @@ requests:

- type: status
status:
- 200
- 200
@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: medium
tags: network,ssh,openssh
description: SSHv1 is a deprecated and have known cryptographic issues.
description: SSHv1 is deprecated and has known cryptographic issues.
reference:
- https://www.kb.cert.org/vuls/id/684820
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: info
tags: network,mysql,bruteforce,db
description: MySQL instance with enabled native password support prone vulnerable for password brute-force attack.
description: MySQL instance with enabled native password support is prone to password brute-force attacks.

network:
- host:
@ -5,7 +5,7 @@ info:
author: iamthefrogy
severity: low
tags: network,openssh
description: OpenSSH 5.3 is vulnerable to username enumeraiton and DoS vulnerabilities.
description: OpenSSH 5.3 is vulnerable to username enumeration and DoS vulnerabilities.
reference:
- http://seclists.org/fulldisclosure/2016/Jul/51
- https://security-tracker.debian.org/tracker/CVE-2016-6210
@ -4,7 +4,7 @@ info:
name: Open URL redirect detection
author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik
severity: low
description: A user-controlled input redirect users to an external website.
description: A user-controlled input redirects users to an external website.
tags: redirect,generic

requests:
@ -4,7 +4,7 @@ info:
name: CouchDB Admin Party
author: organiccrap
severity: high
description: Requests made against CouchDB is done in the context of an admin user.
description: Requests made against CouchDB are done in the context of an admin user.
tags: couchdb

requests:
@ -4,7 +4,7 @@ info:
name: EyeLock nano NXT 3.5 - Local File Disclosure
author: geeknik
severity: high
description: nano NXT suffers from a file disclosure vulnerability when input passed thru the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
description: nano NXT suffers from a file disclosure vulnerability when input passed through the 'path' parameter to 'logdownload.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.
reference: https://www.zeroscience.mk/codes/eyelock_lfd.txt
tags: iot,lfi,eyelock

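Review bot: "thru" to "through" is right, but the description still describes the bug generically; name the product in full and say what an attacker gets, e.g. `description: EyeLock nano NXT suffers from a file disclosure vulnerability: the 'path' parameter of 'logdownload.php' is used to open files without being restricted to the log directory, so a crafted request can read arbitrary files from the device.` Also, `reference:` is a bare scalar here while the other templates in this change use a list (`reference:` followed by `- https://...`); using the list form keeps the field shape consistent across the repository.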
@ -4,7 +4,7 @@ info:
name: KevinLAB BEMS (Building Energy Management System) Undocumented Backdoor Account
author: gy741
severity: critical
description: The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
description: The BEMS solution has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
tags: kevinlab

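Review bot: this BEMS template cites `https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php`, the same advisory the HEMS template further down cites, and its description differs from the HEMS one only by product name; verify that BEMS has its own advisory rather than a copy-pasted reference. The tags also diverge: this file has `tags: kevinlab` while the HEMS file has `tags: kevinlab,default-login,backdoor`; align them so both are selected by the same tag filters. Expand the "RMI" abbreviation on first use so the description is readable without opening the reference.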
@ -4,7 +4,7 @@ info:
name: KevinLAB HEMS Undocumented Backdoor Account
author: gy741
severity: critical
description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
description: The HEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the HEMS is offering remotely.
reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
tags: kevinlab,default-login,backdoor

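Review bot: the BEMS edit in this same change adds commas ("account, and these sets", "admin panel, and it also") but the otherwise identical HEMS sentence here does not get them; apply the same punctuation to both. "these sets of credentials are never exposed to the end-user" would also read more clearly as "the credentials are never shown to the end user", and "RMI" should be expanded on first use as in the BEMS file.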
@ -38,4 +38,4 @@ requests:
- type: word
words:
- 'PHPSESSID'
part: header
part: header
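Review bot: the only change in this hunk is the missing newline at end of file, which is fine. While here: a word matcher on `- 'PHPSESSID'` in `part: header` fires for any PHP application that starts a session, whether or not the backdoor login succeeded; if this is the only positive matcher, combine it with a status-code or redirect check that only a successful login produces, otherwise the template will report false positives on every PHP login page.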
@ -4,7 +4,7 @@ info:
name: NETGEAR DGN2200v1 Router Authentication Bypass
author: gy741
severity: high
description: NETGEAR decided to use to check if a page has “.jpg”, “.gif” or “ess_” substrings, trying to match the entire URL. We can therefore access any page on the device, including those that require authentication, by appending a GET variable with the relevant substring (like “?.gif”).
description: NETGEAR DGN2200v1 Router does not require authentication if a page has “.jpg”, “.gif”, or “ess_” substrings, however matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring (e.g., “?.gif”).
reference:
- https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
- https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
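Review bot: "however matches the entire URL" in the new description is ungrammatical and hides the actual bug. Suggest: `description: NETGEAR DGN2200v1 skips authentication for any request whose URL contains the substring ".jpg", ".gif" or "ess_", but the check is applied to the whole URL including the query string, so any page, including those that require authentication, can be reached by appending a query parameter such as "?.gif".` Also use plain ASCII quotes inside the YAML string instead of the curly “ ” characters, which tend to get mangled by editors and tooling.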
@ -4,7 +4,7 @@ info:
name: sar2html 3.2.1 - 'plot' Remote Code Execution
author: gy741
severity: critical
description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a commend injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
description: SAR2HTML could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection flaw in the index.php script. By sending specially-crafted commands, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
reference:
- https://www.exploit-db.com/exploits/49344
tags: sar2html,rce,oob
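Review bot: the corrected description still says "execute arbitrary commands on the system" twice and never mentions the `plot` parameter that the `name:` line identifies as the injection point. Suggest `description: sar2html 3.2.1 contains a command injection flaw in the 'plot' parameter of index.php; a remote attacker can execute arbitrary commands on the system by sending a specially crafted request.` Given the `oob` tag, it is worth adding that the check is confirmed via an out-of-band interaction, so readers know a callback server is required.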
@ -4,7 +4,7 @@ info:
name: Spring Boot Actuators (Jolokia) XXE
author: dwisiswant0,ipanda
severity: high
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to preform an XML External Entities attack, include content stored on a remote server as if it was its own - this has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
description: A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to perform an XML External Entities (XXE) attack and include content stored on a remote server as if it was its own. This has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine.
reference:
- https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
- https://github.com/mpgn/Spring-Boot-Actuator-Exploit
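Review bot: `Spring Boot Actuators's` is still wrong after the edit; the product is Spring Boot Actuator, so `Spring Boot Actuator's 'jolokia' endpoint`. "include content stored on a remote server as if it was its own" is also unclear; say what XXE means here, e.g. "the endpoint parses attacker-supplied XML and resolves external entities, so the server fetches attacker-controlled content and can be made to disclose local files", keeping the arbitrary-code-execution sentence since the referenced write-up covers it.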
@ -31,4 +31,4 @@ requests:
- type: word
words:
- "X-Application-Context"
part: header
part: header
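Review bot: newline-only change, fine. Note that a header matcher on `X-Application-Context` only establishes that the target is a Spring Boot 1.x application (that header is set by default in 1.x), not that the XXE fired; make sure it is combined with a matcher that observes the external entity being fetched, otherwise every Spring Boot 1.x host will be reported as vulnerable.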
@ -3,11 +3,11 @@ id: azkaban-workflow
info:
name: Azkaban Security Checks
author: pdteam
description: A simple workflow that runs all azkaban related nuclei templates on a given target.
description: A simple workflow that runs all Azkaban related nuclei templates on a given target.
tags: workflow

workflows:

- template: exposed-panels/azkaban-web-client.yaml
subtemplates:
- template: default-logins/azkaban/azkaban-web-client-default-creds.yaml
- template: default-logins/azkaban/azkaban-web-client-default-creds.yaml
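Review bot: the description says the workflow "runs all Azkaban related nuclei templates", but the `subtemplates:` list contains exactly one explicit entry, `default-logins/azkaban/azkaban-web-client-default-creds.yaml`. Either select by tag (`- tags: azkaban`) as the lucee and springboot workflows in this change do, so new Azkaban templates are picked up automatically, or narrow the description to "runs the Azkaban default-credential check once the web client panel is detected".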
@ -3,7 +3,7 @@ id: bigip-workflow
info:
name: F5 BIG-IP Security Checks
author: dwisiswant0
description: A simple workflow that runs all Bigip related nuclei templates on a given target.
description: A simple workflow that runs all BigIP related nuclei templates on a given target.
tags: workflow

# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
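Review bot: the `name:` line spells the product `F5 BIG-IP` while the corrected description spells it `BigIP`; use `BIG-IP` in both. "BIG-IP related" also reads better hyphenated as "BIG-IP-related" (the same applies to the other workflow descriptions edited in this change).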
@ -14,4 +14,4 @@ workflows:
- template: technologies/bigip-config-utility-detect.yaml

subtemplates:
- template: cves/2020/CVE-2020-5902.yaml
- template: cves/2020/CVE-2020-5902.yaml
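Review bot: newline-only change. As with the Azkaban workflow, the description promises "all BIG-IP related nuclei templates" but the only subtemplate is `cves/2020/CVE-2020-5902.yaml`; either switch to `- tags: bigip` so other BIG-IP templates are included, or make the description say it runs the CVE-2020-5902 check after the configuration utility is detected.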
@ -3,10 +3,10 @@ id: lucee-workflow
info:
name: Lucee Detection Workflow
author: geeknik,dhiyaneshDk
description: A simple workflow that runs all Lucee related nuclei templates on given target.
description: A simple workflow that runs all Lucee related nuclei templates on a given target.
tags: workflow

workflows:
- template: technologies/lucee-detect.yaml
subtemplates:
- tags: lucee
- tags: lucee
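Review bot: the `name:` is "Lucee Detection Workflow" while the description says it runs all Lucee related templates; since `- tags: lucee` pulls in every Lucee template after `technologies/lucee-detect.yaml` matches, the name understates what it does. Renaming it to "Lucee Security Checks" would match the Azkaban, BIG-IP and Spring Boot workflows touched in this change. "Lucee-related" should also be hyphenated.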
@ -1,9 +1,9 @@
id: springboot-workflow

info:
name: Springboot Security Checks
name: Spring Boot Security Checks
author: dwisiswant0
description: A simple workflow that runs all springboot related nuclei templates on a given target.
description: A simple workflow that runs all Spring Boot related nuclei templates on a given target.
tags: workflow

# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
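Review bot: renaming to "Spring Boot" is correct and should be applied consistently across the change; the Jolokia XXE template edited above still reads "Spring Boot Actuators's". The `# Supported on Nuclei v2.2.0` comment carries a real version requirement that template listings never show; consider stating it in the description as well so users on older nuclei releases know why the workflow fails to load.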
@ -13,4 +13,4 @@ workflows:

- template: technologies/springboot-actuator.yaml
subtemplates:
- tags: springboot
- tags: springboot
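Review bot: newline-only change. `- tags: springboot` selects every template carrying that tag; if `technologies/springboot-actuator.yaml` itself is tagged springboot, the detection template is run a second time as a subtemplate. Check the tag on the detection template and exclude it if so, otherwise each matching host gets a duplicate detection request and result.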
@ -3,10 +3,10 @@ id: worksite-takeover-workflow
info:
name: Worksite Takeover Workflow
author: pdteam
description: A simple workflow that runs DNS based detection to filter hosts runnng worksite and do further HTTP based check to confirm takeover.
description: A simple workflow that runs DNS based detection to filter hosts running Worksite and do further HTTP based check to confirm takeover.
reference: https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites

workflows:
- template: dns/worksites-detection.yaml
subtemplates:
- template: takeovers/worksites-takeover.yaml
- template: takeovers/worksites-takeover.yaml
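Review bot: "runs DNS based detection ... and do further HTTP based check" still has a number error; it should read "runs DNS-based detection to filter hosts running Worksites and then performs an HTTP-based check to confirm the takeover". This is also the only workflow in this change without `tags: workflow` (the Azkaban, BIG-IP, Lucee and Spring Boot files all have it); add it so the workflow is selectable with the others. The `name:` and description say "Worksite" while the template paths and the `ddns-worksites` reference say worksites; use the service's actual name consistently.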