daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Dashboard Text Enhancement (#3798) 

Dashboard text enhancements
patch-1
MostInterestingBotInTheWorld 2022-02-28 09:09:26 -05:00 committed by GitHub
parent 7cd7940f8e
commit f18404302a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 79 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
cves/2010/CVE-2010-1657.yaml
View File

@ -5,10 +5,9 @@ info:
author: daffainfo
severity: high
description: A directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2010-1657
- https://www.exploit-db.com/exploits/12428
- https://www.cvedetails.com/cve/CVE-2010-1657
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1657
@ -26,4 +25,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/27

6
cves/2010/CVE-2010-1658.yaml
View File

@ -1,16 +1,17 @@
id: CVE-2010-1658
info:
name: Joomla! Component NoticeBoard 1.3 - Local File Inclusion
author: daffainfo
severity: high
description: A directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
remediation: Upgrade to a supported version.
reference:
- https://www.exploit-db.com/exploits/12427
- https://www.cvedetails.com/cve/CVE-2010-1658
tags: cve,cve2010,joomla,lfi
classification:
cve-id: CVE-2010-1658
requests:
- method: GET
path:
@ -23,4 +24,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/15
# Enhanced by mp on 2022/02/27

4
cves/2014/CVE-2014-9094.yaml
View File

@ -30,6 +30,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/02/25
# Enhanced by mp on 2022/02/25
# Enhanced by mp on 2022/02/25

2
cves/2016/CVE-2016-3978.yaml
View File

@ -24,4 +24,4 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

2
cves/2019/CVE-2019-2767.yaml
View File

@ -22,6 +22,6 @@ requests:
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"

8
cves/2021/CVE-2021-41653.yaml
View File

@ -2,12 +2,14 @@ id: CVE-2021-41653
info:
name: TP-Link - OS Command Injection
description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field.
author: gy741
severity: critical
remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109".
reference:
- https://k4m1ll0.com/cve-2021-41653.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-41653
- https://www.tp-link.com/us/press/security-advisory/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
@ -43,6 +45,8 @@ requests:
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/02/27

6
cves/2021/CVE-2021-41773.yaml
View File

@ -4,10 +4,12 @@ info:
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo
severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
remediation: Update to Apache HTTP Server 2.4.50 or later.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
- https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773
@ -45,3 +47,5 @@ requests:
name: RCE
words:
- "CVE-2021-41773-POC"
# Enhanced by mp on 2022/02/27

4
cves/2021/CVE-2021-41826.yaml
View File

@ -4,7 +4,7 @@ info:
name: PlaceOS 1.2109.1 - Open Redirection
author: geeknik
severity: medium
description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect
description: PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
reference:
- https://github.com/PlaceOS/auth/issues/36
- https://www.exploit-db.com/exploits/50359
@ -34,3 +34,5 @@ requests:
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
# Enhanced by mp on 2022/02/27

7
cves/2021/CVE-2021-41878.yaml
View File

@ -1,11 +1,12 @@
id: CVE-2021-41878
info:
name: i-Panel Administration System - Reflected XSS
name: i-Panel Administration System - Reflected Cross-Site Scripting
author: madrobot
severity: medium
description: A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
description: A reflected cross-site scripting vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41878
- https://cybergroot.com/cve_submission/2021-1/XSS_i-Panel_2.0.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41878
classification:
@ -35,3 +36,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/02/27

8
cves/2021/CVE-2021-41951.yaml
View File

@ -1,9 +1,9 @@
id: CVE-2021-41951
info:
name: Resourcespace - Reflected XSS
name: Resourcespace - Reflected Cross-Site Scripting
author: coldfish
description: ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter.
description: ResourceSpace before 9.6 rev 18290 is affected by a reflected cross-site scripting vulnerability in plugins/wordpress_sso/pages/index.php via the wordpress_user parameter.
severity: medium
tags: cve,cve2021,xss,resourcespace
reference:
@ -33,4 +33,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by mp on 2022/02/27

6
cves/2021/CVE-2021-42013.yaml
View File

@ -4,8 +4,10 @@ info:
name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
author: nvn1729,0xd0ff9
severity: critical
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
remediation: Upgrade to Apache HTTP Server 2.4.51 or later.
reference:
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/commit/5c385f2b6c8352e2ca0665e66af022d6e936db6d
- https://nvd.nist.gov/vuln/detail/CVE-2021-42013
- https://twitter.com/itsecurityco/status/1446136957117943815
@ -44,3 +46,5 @@ requests:
name: RCE
words:
- "CVE-2021-42013"
# Enhanced by mp on 2022/02/27

2
cves/2021/CVE-2021-42237.yaml
View File

@ -119,3 +119,5 @@ requests:
- "System.ArgumentNullException"
# Enhanced by mp on 2022/02/08
# Enhanced by mp on 2022/02/27

14
cves/2021/CVE-2021-42258.yaml
View File

@ -1,17 +1,11 @@
id: CVE-2021-42258
info:
name: BillQuick Web Suite SQLi
name: BillQuick Web Suite SQL Injection
author: dwisiswant0
severity: critical
tags: cve,cve2021,sqli,billquick
description: |
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1
allows SQL injection for unauthenticated remote code execution,
as exploited in the wild in October 2021 for ransomware installation.
SQL injection can, for example, use the txtID (aka username) parameter.
Successful exploitation can include the ability to execute
arbitrary code as MSSQLSERVER$ via xp_cmdshell.
description: BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
reference:
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- https://nvd.nist.gov/vuln/detail/CVE-2021-42258
@ -34,7 +28,7 @@ requests:
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
__EVENTTARGET=cmdOK&__EVENTARGUMENT=&__VIEWSTATE={{url_encode("§VS§")}}&__VIEWSTATEGENERATOR={{url_encode("§VSG§")}}&__EVENTVALIDATION={{url_encode("§EV§")}}&txtID=uname%27&txtPW=passwd&hdnClientDPI=96
cookie-reuse: true
extractors:
@ -67,3 +61,5 @@ requests:
- "System.Data.SqlClient.SqlException"
- "Incorrect syntax near"
- "_ACCOUNTLOCKED"
# Enhanced by mp on 2022/02/27

8
cves/2021/CVE-2021-42551.yaml
View File

@ -1,13 +1,13 @@
id: CVE-2021-42551
info:
name: NetBiblio WebOPAC - Reflected XSS
name: NetBiblio WebOPAC - Reflected Cross-Site Scripting
author: compr00t
severity: medium
description: NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected Cross-Site Scripting vulnerability in its Wikipedia modul through /NetBiblio/search/shortview via the searchTerm parameter.
description: NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected cross-site scripting vulnerability in its Wikipedia modul through /NetBiblio/search/shortview via the searchTerm parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-42551
- https://www.redguard.ch/advisories/netbiblio_webopac.txt
- https://www.cve.org/CVERecord?id=CVE-2021-42551
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
@ -45,3 +45,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/02/27

8
cves/2021/CVE-2021-42565.yaml
View File

@ -2,11 +2,11 @@ id: CVE-2021-42565
info:
author: madrobot
name: myfactory FMS - Reflected XSS
name: myfactory FMS - Reflected Cross-Site Scripting
severity: medium
description: myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-42566
- https://nvd.nist.gov/vuln/detail/CVE-2021-42565
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
@ -37,3 +37,5 @@ requests:
part: header
words:
- "text/html"
# Enhanced by mp on 2022/02/27

6
default-logins/grafana/grafana-default-login.yaml
View File

@ -35,14 +35,14 @@ requests:
matchers:
- type: word
words:
- "grafana_session" # Login cookie
- "grafana_session" # Login cookie
part: header
- type: word
part: body
words:
- "Logged in" # Logged in keyword
- "Logged in" # Logged in keyword
- type: status
status:
- 200
- 200

2
default-logins/szhe/szhe-default-login.yaml
View File

@ -6,7 +6,7 @@ info:
severity: low
tags: szhe,default-login
reference:
- https://github.com/Cl0udG0d/SZhe_Scan # vendor homepage
- https://github.com/Cl0udG0d/SZhe_Scan # vendor homepage
requests:
- raw:

2
exposures/backups/sql-dump.yaml
View File

@ -31,7 +31,7 @@ requests:
headers:
Range: "bytes=0-3000"
max-size: 2000 # Size in bytes - Max Size to read from server response
max-size: 2000 # Size in bytes - Max Size to read from server response
matchers-condition: and
matchers:
- type: regex

4
exposures/backups/zip-backup-files.yaml
View File

@ -40,7 +40,7 @@ requests:
- "sql.z"
- "sql.tar.z"
max-size: 500 # Size in bytes - Max Size to read from server response
max-size: 500 # Size in bytes - Max Size to read from server response
matchers-condition: and
matchers:
- type: binary
@ -66,4 +66,4 @@ requests:
- type: status
status:
- 200
- 200

10
file/perl/perl-scanner.yaml
View File

@ -8,11 +8,11 @@ info:
file:
- extensions:
- pl # default
- perl # uncommon
- pod # plain old documentation
- pm # perl module
- cgi # common gateway interface
- pl # default
- perl # uncommon
- pod # plain old documentation
- pm # perl module
- cgi # common gateway interface
extractors:
- type: regex

4
fuzzing/mdb-database-file.yaml
View File

@ -19,7 +19,7 @@ requests:
mdbPaths: helpers/wordlists/mdb-paths.txt
threads: 50
max-size: 500 # Size in bytes - Max Size to read from server response
max-size: 500 # Size in bytes - Max Size to read from server response
stop-at-first-match: true
matchers-condition: and
matchers:
@ -35,4 +35,4 @@ requests:
- type: status
status:
- 200
- 200

2
network/exposed-adb.yaml
View File

@ -9,7 +9,7 @@ info:
network:
- inputs:
- data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # Generated using https://github.com/projectdiscovery/network-fingerprint
- data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # Generated using https://github.com/projectdiscovery/network-fingerprint
type: hex
- data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73"

2
network/tidb-unauth.yaml
View File

@ -11,7 +11,7 @@ info:
network:
- inputs:
- read: 1024 # skip handshake packet
- data: b200000185a6ff0900000001ff0000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f72640075045f70696406313337353030095f706c6174666f726d067838365f3634035f6f73054c696e75780c5f636c69656e745f6e616d65086c69626d7973716c076f735f757365720578787878780f5f636c69656e745f76657273696f6e06382e302e32360c70726f6772616d5f6e616d65056d7973716c # authentication
- data: b200000185a6ff0900000001ff0000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f72640075045f70696406313337353030095f706c6174666f726d067838365f3634035f6f73054c696e75780c5f636c69656e745f6e616d65086c69626d7973716c076f735f757365720578787878780f5f636c69656e745f76657273696f6e06382e302e32360c70726f6772616d5f6e616d65056d7973716c # authentication
type: hex
host:

6
technologies/apache/default-apache-test-all.yaml
View File

@ -15,8 +15,8 @@ requests:
- '{{BaseURL}}'
matchers:
- type: regex # type of the extractor
part: body # part of the response (header,body,all)
- type: regex # type of the extractor
part: body # part of the response (header,body,all)
condition: or
regex:
- "<title>.*?Apache(|\\d+) .*?(Default|Test).*?</title>"
@ -26,4 +26,4 @@ requests:
- type: kval
part: header
kval:
- server
- server

2
technologies/dell/dell-idrac9-detect.yaml
View File

@ -10,7 +10,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/sysmgmt/2015/bmc/info" # Firmware Version and other info (iDRAC9)
- "{{BaseURL}}/sysmgmt/2015/bmc/info" # Firmware Version and other info (iDRAC9)
matchers-condition: and
matchers:

2
technologies/liferay-portal-detect.yaml
View File

@ -4,7 +4,7 @@ info:
name: Liferay Portal Detection
author: organiccrap,dwisiswant0
severity: info
reference: https://github.com/mzer0one/CVE-2020-7961-POC # CVE-2020-7961: Liferay Portal Unauthenticated RCE
reference: https://github.com/mzer0one/CVE-2020-7961-POC # CVE-2020-7961: Liferay Portal Unauthenticated RCE
tags: tech,liferay
requests:

2
vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml
View File

@ -28,7 +28,7 @@ requests:
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: regex

2
vulnerabilities/wordpress/wp-xmlrpc-brute-force.yaml
View File

@ -4,7 +4,7 @@ info:
name: Wordpress XMLRPC.php username and password Bruteforcer
author: Exid
severity: high
description: Ths template bruteforces username and passwords through xmlrpc.php being available.
description: This template bruteforces username and passwords through xmlrpc.php being available.
reference:
- https://bugdasht.ir/reports/3c6841c0-ae4c-11eb-a510-517171a9198c
- https://www.acunetix.com/vulnerabilities/web/wordpress-xml-rpc-authentication-brute-force/

2
workflows/sap-netweaver-workflow.yaml
View File

@ -17,6 +17,6 @@ workflows:
- template: exposed-panels/sap-hana-xsengine-panel.yaml
- template: misconfiguration/sap/
- template: network/sap-router.yaml # Network Templates
- template: network/sap-router.yaml # Network Templates
subtemplates:
- template: network/sap-router-info-leak.yaml